Skip to content

MALICIOUS (1) campaign cataloged at 2026-07-14(2).

  1. The campaign has clearly malicious intent, like infostealers.
  2. This is just the date of creating the catalog entry. It may not reflect the date of creation of the campaign itself.

2026-07-tennacity

The typosquatted package installs a Mythic/Poseidon C2 framework beacon and ensures persistence. After installation, the beacon communicates with C2 on wegoexchange[.]site for further commands.

Abuse categories

malware

Package contains or installs known malware.

persistence

Campaign uses persistence.

remote_executable

Downloads and executes a remote executable.

sandbox-detection

The package contains code to detect if it is running in a sandbox environment.

typosquatting

The package name is an typosquatting variant of a popular package.

References

Referenced resources may include blog posts about the campaign, malware analysis, sandbox reports, or other relevant information.

URLs with payloads, characteristic domains, C&C IPs, repositories with malicious code, etc.

  • wegoexchange.site

  • easyswapnow.pro

  • hxxps://easyswapnow.pro/downloads/lix_amd.bin

  • hxxps://easyswapnow.pro/downloads/lix_arm.bin

  • hxxps://easyswapnow.pro/downloads/mac_amd.bin

  • hxxps://easyswapnow.pro/downloads/mac_arm.bin

  • hxxps://drive.google.com/uc?export=download&id=1d4zF8lnDaYCgzRrEx3WCyLTFZXVD2QBF&confirm=t

  • hxxp://wegoexchange.site/data

Packages in the campaign

campaign:2026-07-tennacity