a instagram logo with login credential details beside a hacker steal data

A new malware campaign is targeting Instagram users seeking to boost their follower counts. Disguised as a legitimate growth tool called "imad213," the malware steals login credentials and sends them to an attacker's server.

The malware, distributed via a malicious PyPI package, uses sophisticated social engineering tactics, including professional branding and detailed documentation, to trick users into installing it. Victims are instructed to use simple commands like "pip install imad213" and "imad213," making the process seem legitimate.

Once installed, the tool displays a convincing "INSTA-FOLLOWERS" interface, prompting users to enter their real Instagram credentials. Unbeknownst to them, this information is being harvested and sent to the attacker.

Socket.dev analysts have linked this campaign to a threat actor known as "IMAD-213," who uses the email address madmadimado59@gmail.com and operates multiple malicious tools. The malware also includes a remote kill switch, giving the attacker control over all infected instances.

The stolen credentials are then broadcast to ten different Turkish bot services, including takipcimx.net, takipcizen.com, and bigtakip.net. These services, registered around the same time and actively maintained, suggest a well-coordinated and long-term operation.

Compromised accounts face immediate policy violations, potentially leading to suspension or permanent termination. With Instagram's massive user base, this campaign poses a significant threat, exploiting users' desire for social media validation. Users should be extremely cautious when using third-party growth tools and verify their legitimacy before providing any credentials.