MALICIOUS (1) campaign cataloged at 2026-07-15(2).
- The campaign has clearly malicious intent, like infostealers.
- This is just the date of creating the catalog entry. It may not reflect the date of creation of the campaign itself.
2026-07-xyq-drama-skill¶
During installation and import, the package downloads and starts a malicious executable, which appears to be a COFFLoader beacon.
Abuse categories¶
malware
Package contains or installs known malware.
override_install
The package overrides the install command in setup.py to execute malicious code during installation.
remote_executable
Downloads and executes a remote executable.
References¶
Referenced resources may include blog posts about the campaign, malware analysis, sandbox reports, or other relevant information.
IoCs & related URLs¶
URLs with payloads, characteristic domains, C&C IPs, repositories with malicious code, etc.
-
hxxps://douyin-cloud.tos-cn-beijing.volces.com/obj/hosts/log-helper -
douyin-cloud.tos-cn-beijing.volces.com -
hxxps://s62fhr06buoa937godru4.apigateway-cn-beijing.volceapi.com:443/ -
s62fhr06buoa937godru4.apigateway-cn-beijing.volceapi.com -
wss://s62fhr06buoa937godru4.apigateway-cn-beijing.volceapi.com:443/api/v1/ws?profile_ref=profile_http_ws