
SECURITY WARNING - MALWARE DETECTED #2

@tocacyy


⚠️ SECURITY WARNING - MALWARE DETECTED

🚨 DO NOT INSTALL OR RUN THIS PROJECT

This repository contains malware disguised as a PancakeSwap trading bot. The project appears legitimate with a beautiful React frontend, but the backend contains obfuscated malicious code.

🔍 What we discovered:

Malicious Backend Scripts:

  • predictapipro/wapi.py and predictapipro/mapi.py contain obfuscated Python code
  • When deobfuscated, these scripts attempt to:
    • Download additional files from apikey.website
    • Store files in ~/.tmpcode/ directory
    • Execute downloaded bot.py scripts without verification
    • Potentially install additional malware

Deobfuscated Code Analysis:

  The script tries to:
  1. Connect to apikey.website/getfiles.php
  2. Download files based on Python version
  3. Save files to ~/.tmpcode/
  4. Execute downloaded bot.py without security checks

🎭 How it works:

  1. Legitimate-looking frontend: Beautiful React/TypeScript interface
  2. Malicious backend: main.py launches obfuscated malware
  3. Social engineering: Appears to be a legitimate trading bot
  4. Payload delivery: Downloads and executes additional malware

🛡️ Security Impact:

  • Remote code execution: Downloads and runs arbitrary code
  • Data theft potential: Can access system files and credentials
  • Backdoor installation: May install persistent malware
  • Network compromise: Can establish unauthorized connections

✅ What we did:

  • Analyzed the obfuscated code
  • Created cleanup scripts
  • Verified no actual trading functionality exists
  • Confirmed this is purely malicious software

🔒 Recommendations:

  1. DO NOT clone or run this repository
  2. If already installed, run antivirus scan immediately
  3. Check for ~/.tmpcode/ directory and remove if found
  4. Monitor network connections to apikey.website
  5. Change passwords if system was compromised

📊 Analysis Tools Used:

  • Python deobfuscation techniques
  • Network traffic analysis
  • File system monitoring
  • Process analysis

Status: CONFIRMED MALWARE
Risk Level: CRITICAL
Recommendation: AVOID COMPLETELY

This analysis was performed on September 9, 2025
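The following is an added example, not code from the reported repository or from @tocacyy's analysis. It turns the indicators the report names (the ~/.tmpcode/ drop directory, a staged bot.py, and the host apikey.website) into read-only checks a responder can run: a scan of a cloned repository for the host name in plain, hex, reversed and base64 form (all three base64 alignments, so the host is found even inside a longer encoded URL), a look for the drop directory on the host, and a Linux /proc sweep for processes launched from it. Which encodings the real loader uses is an assumption; the report only says the code is obfuscated. The sample loader line at the bottom is constructed for illustration and is not taken from wapi.py or mapi.py.

```python
#!/usr/bin/env python3
"""Read-only IOC sweep for the loader behaviour reported above.

Added example, not code from the reported repository. It assumes only the
indicators the report names (the ~/.tmpcode/ drop directory, a staged bot.py,
and the host apikey.website) and reports findings without deleting anything.
"""
import base64
import sys
from pathlib import Path

IOC_HOST = "apikey.website"
DROP_DIR = ".tmpcode"
STAGED_SCRIPT = "bot.py"


def base64_variants(s: bytes) -> list:
    """The three base64 alignments of s, minus the edge characters that
    depend on neighbouring bytes, so s is found inside a longer base64
    blob (a full URL, for instance) at any byte offset."""
    out = []
    for k in range(3):
        enc = base64.b64encode(b"\x00" * k + s).rstrip(b"=")
        enc = enc[(0, 2, 3)[k]:]        # leading chars mix in the k pad bytes
        if (k + len(s)) % 3:            # trailing char mixes in zero bits
            enc = enc[:-1]
        out.append(enc)
    return out


def indicator_patterns(host: str = IOC_HOST) -> dict:
    """Byte patterns a loader might embed instead of the plain host name.
    Which encodings the real loader uses is an assumption; the report only
    says the code is obfuscated."""
    h = host.encode()
    pats = {"plain": h, "hex": h.hex().encode(), "reversed": h[::-1]}
    for k, v in enumerate(base64_variants(h)):
        pats[f"base64@{k}"] = v
    return pats


def find_indicators(data: bytes, host: str = IOC_HOST) -> list:
    """Names of every encoding of host present in data."""
    return [name for name, pat in indicator_patterns(host).items() if pat in data]


def scan_repo(root, host: str = IOC_HOST) -> list:
    """(relative path, encoding) for each .py file under root that carries
    the host in any known encoding. Run on a clone before trusting it."""
    root = Path(root)
    hits = []
    for path in sorted(root.rglob("*.py")):
        try:
            data = path.read_bytes()
        except OSError:
            continue
        hits += [(str(path.relative_to(root)), enc) for enc in find_indicators(data, host)]
    return hits


def check_host(home=None) -> dict:
    """Look for the drop directory and the staged script the loader writes."""
    drop = Path(home) / DROP_DIR if home else Path.home() / DROP_DIR
    present = drop.is_dir()
    return {
        "drop_dir": str(drop),
        "drop_dir_present": present,
        "staged_script_present": (drop / STAGED_SCRIPT).is_file(),
        "staged_files": sorted(p.name for p in drop.iterdir()) if present else [],
    }


def pids_using_drop_dir(home=None, proc="/proc") -> list:
    """Linux only: PIDs whose command line references the drop directory,
    read straight from /proc so no third-party module is needed."""
    needle = str((Path(home) if home else Path.home()) / DROP_DIR).encode()
    proc = Path(proc)
    found = []
    for entry in (proc.iterdir() if proc.is_dir() else []):
        if entry.name.isdigit():
            try:
                if needle in (entry / "cmdline").read_bytes():
                    found.append(int(entry.name))
            except OSError:
                pass
    return found


# Constructed sample of what a deobfuscated loader line might look like: the
# C2 URL hidden as base64 (not taken from the real wapi.py/mapi.py).
SAMPLE_LOADER = (b"u = b64decode('"
                 + base64.b64encode(b"https://apikey.website/getfiles.php")
                 + b"')")

if __name__ == "__main__":
    repo = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, enc in scan_repo(repo):
        print(f"[repo] {rel}: {IOC_HOST} present ({enc})")
    state = check_host()
    print(f"[host] {state['drop_dir']} present: {state['drop_dir_present']}, "
          f"{STAGED_SCRIPT} staged: {state['staged_script_present']}")
    for pid in pids_using_drop_dir():
        print(f"[proc] pid {pid} runs from {DROP_DIR}")
```

Run it as `python3 ioc_sweep.py /path/to/clone` (the file name is arbitrary). It deliberately reports instead of deleting: if the drop directory or a running process turns up, collect them first (they are the evidence for what was actually fetched and executed) and only then remove ~/.tmpcode/ and rotate credentials as the recommendations above say. In the constructed sample the host sits at byte offset 8 of the URL, so only the third base64 alignment matches; a plain-text search for apikey.website would miss it entirely.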
