VDB
GCVE-110-OSM-2026-6738
GCVE-110-OSM-2026-6738
Advisory PublishedCVSS 9.6/10
Malicious package detected. Behaviors: data exfiltration, obfuscated code.
ENTRY
pyrogram/__init__.py (module-import: 24)
PERSISTENCE
- Startup Persistence in pyrogram/enums/__init__.py: ".profile"
- Startup Persistence in pyrogram/methods/chats/update_color.py: ".Profile"
- Startup Persistence in pyrogram/types/user_and_chats/chat.py: ".profile"
- Startup Persistence in pyrogram/types/user_and_chats/chat_color.py: ".Profile"
- Startup Persistence in pyrogram/types/user_and_chats/user.py: ".profile"
DESTINATION
- custom-c2: telegramplayground.github.io (primary, plaintext) in pyrogram/client.py
- custom-c2: 11.22.33.44 (plaintext) in pyrogram/client.py
- bitcoinAddresses: 193w5QvbXMKXgFh9LqsYLu33LTaJHJP (exfil, plaintext)
- bitcoinAddresses: 163BDMPNjf3mbNLP3djgBcU9ZuvBNE (exfil, plaintext)
EXFIL
- System Information Collection in pyrogram/client.py: "platform.system()"
OBFUSCATION
- Python Exec with Encoded Content in pyrogram/methods/utilities/app.py: "exec(zlib.decompress"
- IOCs Found in Deobfuscated Code in pyrogram/methods/utilities/app.py
- Unicode Escape Obfuscation in pyrogram/emoji.py: "\u26f9\ufe0f\u200d\u2642\ufe0f"
- recovered 2 bitcoinAddresses from decoded/deobfuscated content
ADDITIONAL FINDINGS
- Download Execute Delete Pattern in pyrogram/storage/sqlite_storage.py: "executor, self.conn.close) self.executor.shutdown() self._executor = None async ..."
PAYLOAD FILES
pyrogram/methods/utilities/app.py
INDICATORS (IOCs)
- ipv4: 2.1.2.9, 149.154.175.10, 149.154.167.40, 149.154.175.117, 149.154.175.53 (+7 more)
- ipv6: 2001:b28:f23d:f001::, 2001:67c:4e8:f002::, 2001:b28:f23d:f003::, 2001:67c:4e8:f004::, 2001:b28:f23f:f005:: (+3 more)
- urls: https://pyrogram.org, https://docs.pyrogram.org, https://docs.pyrogram.org/releases, https://docs.pyrogram.org/topics/mtproto-vs-botapi, https://liberapay.com/delivrance (+4 more)
- domains: pyrogram.org, docs.pyrogram.org, liberapay.com, size.group, flag.group (+9 more)
- emails: do-not-reply@pyrogram.org
- sha256Hashes: C71CAEB9C6B1C9048E6C522F70F13F73980D40238E3E21C14934D037563D930F, 48198A0AA7C14058229493D22530F4DBFA336F6E0AC925139543AED44CCE7C37, 20FD51F69458705AC68CD4FE6B6B13ABDC9746512969328454F18FAF8C595F64, 2477FE96BB2A941D5BCD1D4AC8CC49880708FA9B378E3C4F3A9060BEE67CF9A4, A4A695811051907E162753B56B0F6B410DBA74D8A84B2A14B3144E0EF1284754 (+45 more)
- payloadFileHash: cf1b4cd158614272b0e41e4fa785550545a69ca93200300046557065d7d1f3a6
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | inlifegram | all (affected) | — |
Aliases
Browse GCVE Records
73,443 records in the GCVE database · Updated July 18, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.