---

-= Per source details. Do not edit below this line.=-

Source: kam193 (0d720315dd49970cfc00c39f4e377485b2746a4fc24f42dec7e79d0749ab9a7d)

During import, the hidden code downloads and executes the second-stage code. After performing anti-analysis checks, it downloads a malicious executable and ensures its persistence.

---

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-05-helu

Reasons (based on the campaign):

• obfuscation

• Downloads and executes a remote malicious script.

• The package contains code to detect if it is running in a sandbox environment.

• Downloads and executes a remote executable.

• malware

• persistence

• covering-tracks