-= Per source details. Do not edit below this line.=-
Encrypted code offering mass delivery of Instagram followers.
1) Besides using some shady services to achieve the goal, it also exfiltrates saved Instagram credentials to a remote server; 2) the project page offers to sell an "exploit" for Instagram servers.
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2025-07-imad213tools
Reasons (based on the campaign):
exfiltration-credentials
other
obfuscation
{
"iocs": {
"domains": [
"imad213-py-rsa.ct.ws"
],
"urls": [
"https://imad213-py-rsa.ct.ws/imad.txt",
"https://imad213-py-rsa.ct.ws/fuck.txt"
]
},
"malicious-packages-origins": [
{
"id": "pypi/2025-07-imad213tools/imad213tools",
"modified_time": "2025-07-05T20:30:08Z",
"import_time": "2025-12-02T22:30:55.269456297Z",
"sha256": "c7749e01a147bee07679d7fddb4dc16b34399b6015b8fbc92352352687648751",
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
}
]
}
],
"source": "kam193"
},
{
"id": "pypi/2025-07-imad213tools/imad213tools",
"modified_time": "2025-07-05T20:30:08Z",
"import_time": "2025-12-02T23:07:18.293979841Z",
"sha256": "2cddffd96538ab03979aa6404e3c946258e49677220c4820f3a8f0972b31cb17",
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
}
]
}
],
"source": "kam193"
},
{
"versions": [
"1.0.0",
"213"
],
"id": "pypi/2025-07-imad213tools/imad213tools",
"modified_time": "2025-07-05T20:30:08Z",
"import_time": "2025-12-10T21:38:57.541799887Z",
"sha256": "3af3593bdc280b177375f0a66709b11dca8f66899289419f6ba368ee5b6579ee",
"source": "kam193"
}
]
}