Beware of Instagram Growth Tools Stealing Login Credentials and Sending Them to Attackers

A discovery by Socket’s Threat Research Team has unveiled a malicious Python package named imad213, masquerading as an Instagram growth tool.

Created by a threat actor identified as im_ad__213 with the associated email madmadimado59@gmail[.]com, this malware cunningly tricks users into surrendering their Instagram credentials.

Deceptive Python Package Targets Instagram Users

Promoted with a polished GitHub README and branded as a legitimate follower-boosting service under the guise of “IMAD-213,” the package lures victims through forums and Discord servers with promises of rapid social media growth.

Image: malicious imad213 package.

Its detailed installation instructions (pip install imad213) and deceptive safety tips, such as using temporary accounts, create a false sense of security, convincing users to input sensitive data without suspicion.

Upon execution, imad213 initiates a covert check with a remote server hosted on Netlify (https://imad-213-imad21[.]netlify[.]app/pass[.]txt) to verify if it can proceed, showcasing a remote kill switch that provides the attacker full control over the malware’s operation.

If approved, the tool prompts users for their Instagram login details under the pretense of facilitating growth services, even saving them locally in plaintext to a file named credentials.txt as a social engineering tactic to appear convenient and trustworthy.

Image: malicious website.

Credential Harvesting

However, the true danger lies in its next move: the malware broadcasts these credentials to a network of ten interconnected Turkish bot services, including takipcimx[.]net and takipcizen[.]com, which pose as legitimate Instagram growth platforms with professional interfaces.

According to Socket's report, these sites, operational for nearly four years and linked through shared WHOIS records and a common registrar, are flagged by security tools like VirusTotal for phishing, revealing a coordinated, long-term credential harvesting operation.

This credential laundering network distributes stolen data across multiple endpoints, obscuring its origin and amplifying the risk of account compromise across platforms, especially given Instagram's 2 billion active users and the frequent reuse of passwords.

Beyond immediate theft, the attack hints at evolving threats, as the same actor behind imad213 has crafted other malicious tools like taya and poppo213 with consistent branding and coding patterns.

Utilizing legitimate hosting services like Netlify for command and control suggests a trend where future malware may hide within trusted infrastructures, evading traditional detection.

Moreover, the social engineering tactics, such as fake safety advisories, could advance into more deceptive features like bogus two-factor authentication prompts to extract additional security data.

Instagram’s strict policies against artificial growth tools mean users risk account suspension alongside data loss, while the broader implications point to cross-platform targeting, potentially encompassing TikTok or gaming credentials within unified attack frameworks.

Socket’s security solutions, including real-time behavioral analysis and GitHub app integrations, offer a defense by flagging such supply chain threats before they infiltrate systems, underscoring the need for vigilance in an era of sophisticated social media malware.

Indicators of Compromise (IOCs)

| Type | Indicator | Description |
| --- | --- | --- |
| Package Name | imad213 | Malicious Python package |
| Threat Actor | im_ad__213 | Creator of the malware |
| Email | madmadimado59@gmail[.]com | Associated with threat actor |
| C2 URL | https://imad-213-imad21[.]netlify[.]app/pass.txt | Remote kill switch control file |
| Local Storage File | credentials.txt | Plaintext storage of stolen data |
| Malicious Domains | takipcimx[.]net, takipcizen[.]com, etc. | Bot services harvesting credentials |
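The indicators above can be turned into a quick local sweep of a Python environment. The script below is an added example, not Socket's tooling or the package's own code: it walks a site-packages style tree, flags metadata directories for the package names the article attributes to this actor (imad213, taya, poppo213), and greps .py files for the refanged kill-switch URL, the two named bot-service domains and the credentials.txt filename. The sample tree it scans is constructed inline and contains only those indicator strings, none of the malware's behaviour.

```python
"""Sweep a Python package tree for the imad213 indicators from the IOC table."""
import os
import re
import tempfile

# Package names the article attributes to the same actor (assumption: these are the
# distribution names as they would appear in .dist-info / .egg-info directories).
KNOWN_PACKAGES = {"imad213", "taya", "poppo213"}

# Indicators from the table, refanged ("[.]" -> ".") so they match real source text.
INDICATOR_PATTERNS = {
    "kill-switch URL": re.compile(r"imad-213-imad21\.netlify\.app/pass\.txt"),
    "bot-service domain": re.compile(r"takipci(?:mx\.net|zen\.com)"),
    "plaintext credential file": re.compile(r"credentials\.txt"),
}


def scan_tree(root):
    """Return (path, indicator) findings for metadata dirs and .py files under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:  # e.g. "imad213-1.0.dist-info" -> distribution name "imad213"
            if d.endswith((".dist-info", ".egg-info")) and d.split("-")[0].lower() in KNOWN_PACKAGES:
                findings.append((os.path.join(dirpath, d), "known malicious package metadata"))
        for f in filenames:
            if not f.endswith(".py"):
                continue
            path = os.path.join(dirpath, f)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            for label, pattern in INDICATOR_PATTERNS.items():
                if pattern.search(text):
                    findings.append((path, label))
    return findings


def demo():
    """Build a constructed sample tree (indicator strings only, no real code) and scan it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "imad213"))
    os.makedirs(os.path.join(root, "imad213-1.0.dist-info"))
    with open(os.path.join(root, "imad213", "__init__.py"), "w") as fh:
        fh.write('GATE = "https://imad-213-imad21.netlify.app/pass.txt"\n')
        fh.write('OUT = "credentials.txt"\n')
        fh.write('SERVICES = ["https://takipcimx.net/", "https://takipcizen.com/"]\n')
    with open(os.path.join(root, "clean.py"), "w") as fh:
        fh.write("print('hello')\n")  # benign file, should produce no findings
    return scan_tree(root)
```

Point scan_tree at a real environment's site-packages directory to run the same check in place.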
