-= Per source details. Do not edit below this line.=-
Inside the library there is a part that runs code hidden in the attached image, which then exfiltrates user-provided data, downloads and installs next-stage code, exfiltrates TXT files and finally installs infostealers: Lumma and a custom one. Around L110.
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2024-10-fake-usreagent
Reasons (based on the campaign):
infostealer
files-exfiltration
clipboard-stealing
obfuscation
clones-real-package
action-hidden-in-lib-usage
{
"iocs": {
"domains": [
"ethscanold.com",
"crypto-api.net"
],
"urls": [
"https://ethscanold.com/ex_ewq1/2e.exe",
"https://ethscanold.com/ex_ewq1/cdr2.exe",
"https://ethscanold.com/r.php"
]
},
"malicious-packages-origins": [
{
"source": "reversing-labs",
"id": "RLMA-2024-11013",
"modified_time": "2024-12-09T06:50:03Z",
"sha256": "c6c8d5ed2fccb8bce245bd40c0956009cdccbea530e9d12a21fb214f4be94b1e",
"versions": [
"1.6.7"
],
"import_time": "2024-12-09T14:38:42.680651425Z"
},
{
"source": "kam193",
"id": "pypi/2024-10-fake-usreagent/crypto-regex-gener",
"modified_time": "2024-10-07T22:16:18Z",
"sha256": "7b87036e2d651df6844b1392a61121fd20a160b9703968a98f2bb77f44ce9145",
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
}
]
}
],
"import_time": "2025-12-02T22:30:55.080805679Z"
},
{
"source": "kam193",
"id": "pypi/2024-10-fake-usreagent/crypto-regex-gener",
"modified_time": "2024-10-07T22:16:18Z",
"sha256": "3236b2ded0bd62e3958fa1c6257142248c46b75e64cdd0a90edd82ffba869335",
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
}
]
}
],
"import_time": "2025-12-02T23:07:18.090974319Z"
},
{
"source": "kam193",
"id": "pypi/2024-10-fake-usreagent/crypto-regex-gener",
"modified_time": "2024-10-07T22:16:18Z",
"sha256": "29f4454f6af62abab79258aef4ae31846bdb1cd4698c8ba0d64be73de296565c",
"versions": [
"1.6.7"
],
"import_time": "2025-12-10T21:38:57.383815651Z"
},
{
"source": "reversing-labs",
"id": "RLUA-2026-00235",
"modified_time": "2026-03-18T12:12:56Z",
"sha256": "cba07e5db363d72988a90c8b21197d771a3af51b21eb1e03c0e90f929974c55e",
"import_time": "2026-03-19T12:19:37.117595954Z"
}
]
}