A recent discovery by Checkmarx revealed malicious Python packages on PyPI containing a harmful script in the package’s `__init__.py` file, so it ran as soon as the package was imported. This script was designed to collect user data and transmit it to a Telegram bot.
Further investigation uncovered that these malicious packages were part of a broader cybercrime operation aimed at stealing confidential user data and transmitting it to a Telegram bot linked to cybercriminals based in Iraq. This operation has been active since 2022, with the Telegram channel containing over 90,000 messages in Arabic.
The list of malicious packages on PyPI included “testbrojct2,” “proxyfullscraper,” “proxyalhttp,” and “proxyfullscrapers.” The harmful script within these packages scanned the victim’s file system, focusing on the root folder and the DCIM folder, and searched for specific file extensions to exfiltrate to Telegram without the user’s consent.
By decoding sensitive information like bot tokens and chat identifiers, researchers were able to gain insights into the cybercriminals’ infrastructure and operations. Access to the Telegram bot allowed researchers to monitor its activities and uncover a history dating back to 2022.
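The behaviour described above (a harmful `__init__.py`, a file-system scan aimed at the DCIM folder and particular extensions, and an encoded bot token and chat identifier recovered by the researchers) can be turned into a static triage check that a package reviewer runs on a downloaded sdist or wheel before installing it. The following is an added example written for this article; it is not Checkmarx’s tooling or code from the packages named here. It parses the module with `ast`, inspects every string literal both as-is and after a base64 decode, and flags Telegram Bot API endpoints, bot tokens (assumed here to follow Telegram’s documented shape: a numeric bot id, a colon, then a 35-character secret), DCIM paths, extension filters, and `os.walk` calls. `SAMPLE_INIT_PY` is a constructed fixture that performs no network I/O; the encoded endpoint inside it is generated at runtime so no real token appears anywhere.

```python
import ast
import base64
import binascii
import re

# Indicators a reviewer would look for in a suspicious __init__.py.
# The bot-token shape is an assumption based on Telegram's public docs.
TELEGRAM_API_RE = re.compile(r"api\.telegram\.org/bot", re.IGNORECASE)
BOT_TOKEN_RE = re.compile(r"\d{8,10}:[A-Za-z0-9_-]{35}")
MEDIA_PATH_RE = re.compile(r"(^|[\\/])DCIM([\\/]|$)")
B64_RE = re.compile(r"^[A-Za-z0-9+/=]{16,}$")
# Extensions an exfiltration filter typically targets (assumed list).
EXFIL_EXTENSIONS = {".jpg", ".jpeg", ".png", ".mp4", ".pdf", ".txt", ".docx"}


def _decode_if_base64(text):
    """Return the base64-decoded text, or None if it is not valid base64."""
    if not B64_RE.match(text):
        return None
    try:
        return base64.b64decode(text, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def _string_literals(tree):
    """Yield (line number, value) for every string constant in the module."""
    for node in ast.walk(tree):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            yield node.lineno, node.value


def _calls_os_walk(tree):
    """True if the module contains a call of the form os.walk(...)."""
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
            target = node.func.value
            if (node.func.attr == "walk"
                    and isinstance(target, ast.Name) and target.id == "os"):
                return True
    return False


def triage_init_py(source):
    """Static triage of a package's __init__.py; returns a sorted list of findings."""
    tree = ast.parse(source)
    findings = set()
    for lineno, literal in _string_literals(tree):
        candidates = [(literal, "plain")]
        decoded = _decode_if_base64(literal)
        if decoded is not None:
            candidates.append((decoded, "base64"))
        for text, encoding in candidates:
            if TELEGRAM_API_RE.search(text):
                findings.add(f"line {lineno}: Telegram Bot API endpoint ({encoding})")
            if BOT_TOKEN_RE.search(text):
                findings.add(f"line {lineno}: Telegram bot token ({encoding})")
            if MEDIA_PATH_RE.search(text):
                findings.add(f"line {lineno}: DCIM media folder path ({encoding})")
            if text.lower() in EXFIL_EXTENSIONS:
                findings.add(f"line {lineno}: file-extension filter {text!r}")
    if _calls_os_walk(tree):
        findings.add("module calls os.walk")
    return sorted(findings)


# Constructed fixture standing in for a suspicious __init__.py. It is never
# executed here, only parsed, and the endpoint is built at runtime so that no
# real token is embedded in this example.
_ENCODED_ENDPOINT = base64.b64encode(
    b"https://api.telegram.org/bot1234567890:" + b"A" * 35
).decode("ascii")

SAMPLE_INIT_PY = (
    "import os, base64\n"
    f'ENDPOINT = base64.b64decode("{_ENCODED_ENDPOINT}")\n'
    'MEDIA = "/sdcard/DCIM/"\n'
    'for root, dirs, files in os.walk("/"):\n'
    "    for name in files:\n"
    '        if name.lower().endswith((".jpg", ".mp4")):\n'
    "            pass  # fixture stops here; nothing is uploaded\n"
)

# Constructed benign module for comparison.
BENIGN_INIT_PY = '"""Utility helpers."""\n__version__ = "1.0.0"\n'

if __name__ == "__main__":
    for finding in triage_init_py(SAMPLE_INIT_PY):
        print(finding)
```

Running the module prints six findings for the fixture (the decoded endpoint and token on line 2, the DCIM path on line 3, two extension filters on line 6, and the `os.walk` call) and none for the benign module. A check like this is a triage aid rather than a verdict: it surfaces the same kind of encoded endpoint and chat identifier the researchers decoded by hand, but a package that passes it still deserves a read of its setup hooks and any code that runs at import time.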
Initially functioning as an underground market offering services for increasing views and subscribers on Telegram and Instagram, spam services, and discounted Netflix subscriptions, the bot’s activities evolved to include financial fraud and unauthorized access to victim systems.
The discovery of these harmful packages and subsequent investigation into the Telegram bot exposed a sophisticated cybercrime operation. What initially appeared to be an isolated incident with harmful packages turned out to be just the tip of the iceberg, revealing a larger criminal ecosystem. The Checkmarx research team continues to delve into the attack to gather more information on the attackers’ methods.
It is worth noting that META and its products are considered extremist, with their activities prohibited within the Russian Federation.