Tech News

Malicious PyPI packages give hackers control of Telegram bot servers

Why This Matters

The discovery of malicious PyPI packages targeting Telegram bot developers highlights ongoing security risks in open-source ecosystems. These trojanized packages can give hackers remote control over compromised servers, posing significant threats to both developers and end-users. This underscores the importance of vigilance and security best practices in software supply chains for the tech industry and consumers alike.

Key Takeaways

A campaign active since last November has been targeting Python developers building Telegram bots with trojanized Pyrogram forks that allow attackers to read arbitrary files on compromised servers.

At least eight packages have been published on the Python Package Index (PyPI) with a hidden backdoor that is activated by helper modules when importing Pyrogram or when the bot starts.

Although the Pyrogram project is no longer maintained, it remains popular, with nearly 350,000 monthly downloads on PyPI (last updated in April 2023) and more than 1,400 forks on GitHub (last updated in December 2024).

Pyrogram is described as an "elegant, modern and asynchronous Telegram MTProto API framework in Python for users and bots." In simpler terms, it lets developers build automated bots or userbots on top of Telegram's MTProto API.

According to researchers at application security company Checkmarx, who dubbed the campaign 'Operation Navy Ghost', the threat actor published the following malicious Pyrogram forks on PyPI between November 2025 and June 2026:

VLifeGram (nine versions with 4,150 downloads)

VLife-Gram (five versions with 1,030 downloads)

pyrogram-navy (six versions with 2,530 downloads)

pyrogram-styled (more than 16 versions with 15,370 downloads)

pyrogram-zeeb (one version with 432 downloads)
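The practical check a bot developer wants after reading the list above is whether any of these names sit in their own dependency files. The script below is an added example, not code from Checkmarx or from the Pyrogram project. It takes the five package names exactly as listed on this page (the article says at least eight were published, so the blocklist here is incomplete by construction), normalizes them the way pip does so that spelling variants such as `VLife_Gram` are caught, and additionally flags any dependency that is not the canonical `pyrogram` but is prefixed with or spelled within two edits of it. That lookalike heuristic, the helper names, and the sample requirements file are assumptions of this example, not something the article describes.

```python
"""Audit a requirements file for the Pyrogram forks named in the article.

Added example, not Checkmarx's or Pyrogram's code. The package names are
the five listed on the page; the lookalike heuristic (edit distance to
"pyrogram") is an assumption of this example.
"""
from __future__ import annotations

import re

# Names exactly as listed on the page for Operation Navy Ghost (partial:
# the article says at least eight packages were published).
NAVY_GHOST_PACKAGES = [
    "VLifeGram", "VLife-Gram", "pyrogram-navy", "pyrogram-styled", "pyrogram-zeeb",
]

CANONICAL = "pyrogram"


def normalize(name: str) -> str:
    """PEP 503 normalization: pip treats VLife-Gram, vlife_gram and
    VLIFE.GRAM as the same project, so a blocklist must be compared on
    normalized names rather than raw strings."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirement(line: str) -> str | None:
    """Return the distribution name from one requirements.txt line, or None
    for blank lines, comments and options (-r, -e, --index-url ...).
    Extras (pkg[socks]), version specifiers and markers are stripped."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):
        return None
    m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line)
    return m.group(1) if m else None


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to catch one- or two-letter typos
    of the canonical project name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit_requirements(text: str) -> dict[str, list[str]]:
    """Classify each dependency as 'known_bad' (on the page's list),
    'lookalike' (pyrogram-prefixed or within two edits of 'pyrogram' but
    not the canonical project) or 'ok'. Names are returned normalized."""
    blocklist = {normalize(n) for n in NAVY_GHOST_PACKAGES}
    result: dict[str, list[str]] = {"known_bad": [], "lookalike": [], "ok": []}
    for raw in text.splitlines():
        name = parse_requirement(raw)
        if name is None:
            continue
        n = normalize(name)
        if n in blocklist:
            result["known_bad"].append(n)
        elif n != CANONICAL and (
            n.startswith(CANONICAL + "-") or edit_distance(n, CANONICAL) <= 2
        ):
            result["lookalike"].append(n)
        else:
            result["ok"].append(n)
    return result


# Constructed sample requirements file for this example; not from any real project.
SAMPLE_REQUIREMENTS = """\
# bot dependencies
Pyrogram==2.0.106
tgcrypto>=1.2
VLife_Gram            # pip resolves this to the same project as VLife-Gram
pyrogram-styled>=1.0  # a fork name from the campaign
pyrogrum              # one-letter typo, not on the article's list
-r dev-requirements.txt
"""

if __name__ == "__main__":
    for kind, names in audit_requirements(SAMPLE_REQUIREMENTS).items():
        print(f"{kind}: {names}")
```

The lookalike bucket is advisory: a legitimately named fork can land there, so treat it as a prompt to confirm the project's provenance, whereas a hit in the known-bad bucket should block the install. Because the backdoor described above runs at import time, an audit like this has to happen before `pip install`, not after the package is already on the server.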

... continue reading