THREATPKG

Supply-chain threat intelligence

Incident detail

critical · pypi · obfuscation · osv

Malicious code in quatres (PyPI)

quatres

Risk score

92

AI summary

Indexed incident for quatres (pypi).

Description

During import, the hidden code downloads and executes the second-stage code. After performing anti-analysis checks, it downloads a malicious executable and ensures its persistence.


Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-05-helu

Reasons (based on the campaign):

  • obfuscation

  • Downloads and executes a remote malicious script.

  • The package contains code to detect if it is running in a sandbox environment.

  • Downloads and executes a remote executable.

  • malware

  • persistence

  • covering-tracks

Technical details

Indicators

  • affected version · 75%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg
