Malicious Python packages uploaded by “dsfsdfds” to PyPI infiltrated user systems by exfiltrating sensitive data to a Telegram bot likely linked to Iraqi cybercriminals.
Active since 2022 and containing more than 90,000 Arabic messages, it has functioned as both a command-and-control center and an underground marketplace for social media manipulation tools.
It highlights a broader cybercriminal network, emphasizing the need for in-depth investigation and collaboration within cybersecurity communities.
A malicious script scans the victim’s file system, particularly the root directory and DCIM folder, targeting files with extensions like .py, .php, .zip, .png, .jpg, and .jpeg.
Once found, the script transmits both file paths and the actual data (files and photos) to the attacker’s Telegram bot without the user’s awareness. This is achieved through a hardcoded Telegram bot token and chat ID within the script, revealing the attacker’s infrastructure details.
Join our free webinar to learn about combating slow DDoS attacks, a major threat today.
Python Packages Data Exfiltration
Analysis of the exfiltrated data revealed hardcoded credentials for a Telegram bot used by the attackers.
Exploiting these credentials, researchers gained direct access to the bot and observed a significant activity history stretching back to at least 2022.
The messages, primarily in Arabic, provided clues about the bot operator’s location and operations. By analyzing message language and content with tools like GitHub’s TeleTracker, researchers identified the operator as likely being based in Iraq.
The bot’s activity suggested it was part of a network of bots controlled by the same actor.
Initially, the bot functioned as an underground marketplace, offering various illicit services, which included purchasing social media engagement metrics like views and followers, spam services, and discounted subscriptions to streaming platforms like Netflix.
An investigation into a malicious Python package revealed a hidden Telegram bot, while further analysis of the bot’s message history uncovered evidence of a broader cybercriminal operation.
The messages hinted at financial theft and appeared to originate from compromised systems, suggesting the packages were a successful initial attack vector and highlighting the need for a deep investigation into cybersecurity.
In reality, the malicious packages that appeared to be isolated did in fact serve as the entry point to a more complex criminal network that was based on Telegram.
Researchers at Checkmarx uncovered malicious Python packages on PyPI that exfiltrated user data to a Telegram bot. This exposed a larger Iraqi cybercriminal network and highlighted the dangers of a compromised developer machine.
In an enterprise setting, such a breach could provide attackers with an initial foothold to launch further attacks within the organization’s network.
Avoid these four Python packages: testbrojct2, proxyfullscraper, proxyalhttp, and proxyfullscrapers, as they are identified as malicious by exploiting the PyPI repository to install them on unsuspecting systems.
Once installed, they scrape the files, including potentially sensitive ones like Python scripts, images, and compressed archives, and the stolen data is then sent to a Telegram bot controlled by cybercriminals, which exposes the system to a variety of threats, depending on the criminals’ goals, which could include financial fraud or further system compromise.
Protect Your Business Emails From Spoofing, Phishing & BEC with AI-Powered Security | Free Demo