Broadcast United

A US tech company has discovered a criminal hacking system in Iraq. How did it attack its victims?

Broadcast United News Desk

The report from application security firm Checkmarx said the malware was part of an infected package downloaded from PyPI and was used by cybercriminals to exfiltrate sensitive user data to Telegram bots associated with multiple e-crime operations in Iraq.

Checkmarx says the bot’s activity dates back to 2022 and that it contains more than 90,000 messages, most of them in Arabic. Researchers say the bot’s operators exploited victims by extracting their data and engaged in other crimes, such as financial theft and purchasing Telegram, Instagram and Facebook memberships at discounted prices.

Software developers use PyPI to deploy, discover, and install Python programs. The malicious packages were uploaded by a user with the alias “dsfsdfds”.

The malicious script scans the victim’s device for files and images with specific extensions and sends them to the attacker’s Telegram bot. According to the US tech company, the bot operator has several other bots and is likely based in Iraq.
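A defender's view of the behaviour described above, as an added example that is not from the article or the report it cites: a static check of a package's Python source that flags the combination of file enumeration, file-extension literals and a Telegram Bot API endpoint. The `api.telegram.org/bot` pattern, the list of enumeration calls and both sample snippets are assumptions constructed for illustration.

```python
import ast
import re

# Assumed indicators (not taken from the article): Bot API URL prefix,
# common directory-walking calls, and short ".ext"-style string literals.
TELEGRAM_API = re.compile(r"api\.telegram\.org/bot", re.I)
EXT_LITERAL = re.compile(r"^\.[A-Za-z0-9]{2,5}$")
ENUM_CALLS = {"os.walk", "os.listdir", "os.scandir", "glob.glob", "glob.iglob"}

# Constructed sample: carries the indicators, performs no upload.
SAMPLE_SUSPICIOUS = '''import os
BOT_URL = "https://api.telegram.org/bot<PLACEHOLDER_TOKEN>/sendDocument"
for root, _dirs, files in os.walk("."):
    wanted = [f for f in files if f.endswith((".jpg", ".png"))]
'''

# Constructed sample: a plain notification bot, no file enumeration.
SAMPLE_BENIGN = '''import requests
requests.post("https://api.telegram.org/bot<PLACEHOLDER_TOKEN>/sendMessage",
              data={"text": "build ok"})
'''

def dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, or '' for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""

def scan_source(source):
    """Parse without executing; report indicator hits and a combined verdict.
    Limitation: aliased imports (from os import walk) are not resolved."""
    hits = {"telegram_endpoints": [], "enum_calls": [], "extensions": set()}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            if TELEGRAM_API.search(node.value):
                hits["telegram_endpoints"].append(node.lineno)
            elif EXT_LITERAL.match(node.value):
                hits["extensions"].add(node.value.lower())
        elif isinstance(node, ast.Call) and dotted(node.func) in ENUM_CALLS:
            hits["enum_calls"].append(dotted(node.func))
    hits["extensions"] = sorted(hits["extensions"])
    # Any one indicator alone is common in legitimate code; flag the combination.
    hits["suspicious"] = all(hits[k] for k in
                             ("telegram_endpoints", "enum_calls", "extensions"))
    return hits
```

A hit is a reason to review the package before installing it, not proof of malice; the benign sample shows that a Telegram endpoint by itself does not trigger the verdict.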

“What initially appeared to be isolated incidents of malicious packages turned out to be just the tip of the iceberg, revealing a deeply entrenched criminal system in Iraq,” the researchers said.

Checkmarx claims that it was able to directly access the Telegram bots and monitor their activity, which led it to some successful campaigns using malicious Python packages.

Researchers have yet to determine who the hackers targeted, what type of data they obtained or how they exploited it.
