During a recent ransomware investigation, analysts uncovered a highly unusual persistence mechanism that stood out from typical threat activity. What initially appeared as a benign scheduled task evolved into a deep dive into layered obfuscation, covert execution, and advanced command-and-control (C2) techniques.
This case highlights how modern threat actors are blending legitimate tools with creative abuse of programming environments—particularly Python—to evade detection and maintain long-term access.
Unusual Persistence via Python Execution
The investigation began with Autoruns data collected across endpoints. A suspicious scheduled task named 523135538 was configured to execute:
C:\ProgramData\cp49s\pythonw.exe
Notably, the task passed no command-line arguments at all, so the interpreter was started without a script to run, which is unusual in a legitimate environment. This led analysts to inspect the directory structure further.
They discovered a file named:
C:\ProgramData\cp49s\Lib\sitecustomize.py
During interpreter startup, Python's site module automatically imports a module named sitecustomize if one is found on sys.path. This lets an attacker run code silently every time the interpreter starts, without any script or argument pointing at it.
The script used Python’s C API (Py_GetArgcArgv) to detect if it was launched without arguments. If so, it dynamically loaded a disguised payload:
b5yogiiy3c.dll
Despite the .dll extension, this file was not a native library at all; it was a heavily obfuscated Python script.
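As an added example (not code from the investigation or from any vendor tool), the following Python script hunts for the hook described above: it walks a directory tree for sitecustomize.py and usercustomize.py modules and scores their source against the traits this case exhibited (Py_GetArgcArgv, ctypes, exec/compile, base85 or zlib decoding, a '.dll' opened by name). The indicator weights and the threshold are assumptions chosen for triage, not a published signature.

```python
import hashlib
import os
import re
from pathlib import Path
from typing import Iterator

# Startup hooks that the interpreter imports automatically when found on sys.path.
HOOK_NAMES = {"sitecustomize.py", "usercustomize.py"}

# Source features worth a second look; weights are a constructed triage heuristic.
INDICATORS = {
    r"Py_GetArgcArgv": 3,                 # inspects how the interpreter was launched
    r"\bctypes\b": 1,                     # reaches the C API from Python
    r"\bexec\s*\(": 2,                    # runs dynamically built code
    r"\bcompile\s*\(": 1,
    r"b85decode|zlib\.decompress": 2,     # unpacks encoded blobs
    r"\.dll['\"]": 1,                     # script that opens a '.dll' by name
}

def score_source(src: str) -> tuple[int, list[str]]:
    """Return a triage score and the indicator patterns that matched."""
    hits = [pat for pat in INDICATORS if re.search(pat, src)]
    return sum(INDICATORS[p] for p in hits), hits

def find_hooks(root: Path) -> Iterator[Path]:
    """Yield every sitecustomize/usercustomize module below root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name in HOOK_NAMES:
                yield Path(dirpath) / name

def hunt(root: Path, threshold: int = 3) -> list[dict]:
    """Scan root and report hook modules whose score reaches threshold."""
    findings = []
    for hook in find_hooks(root):
        data = hook.read_bytes()
        score, hits = score_source(data.decode("utf-8", errors="replace"))
        if score >= threshold:
            findings.append({
                "path": str(hook),
                "sha256": hashlib.sha256(data).hexdigest(),
                "score": score,
                "indicators": hits,
            })
    return findings

if __name__ == "__main__":
    import sys
    # Default root mirrors where the task in this case lived; pass a path to override.
    for finding in hunt(Path(sys.argv[1] if len(sys.argv) > 1 else r"C:\ProgramData")):
        print(finding)
```

Hook modules shipped by legitimate tooling score zero here because they do not combine interpreter-launch inspection with dynamic code execution; review anything that does by hand.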
Multi-Layered Obfuscation Strategy
The payload employed several layers of obfuscation designed to hinder static and dynamic analysis:
Key Techniques Observed
- Base85 encoding for higher-density obfuscation
- zlib compression to hide payload structure
- Cryptographic primitives including AES and ChaCha20
- Control-flow flattening using state-driven loops
- Dynamic execution via compile() and exec()
Function names and imports were masked with random variable names, making manual analysis difficult. The script relied on decoding routines to reconstruct executable logic from high-entropy blobs.
Interestingly, the malware required three full deobfuscation layers before revealing its final payload—demonstrating a significant investment in stealth.
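The base85 and zlib layers can be unwound mechanically. The following Python helper, an added example rather than the investigation's own tooling, peels nested base85-then-zlib wrappings until nothing decodes further and reports whether the result parses as Python source; the constructed SAMPLE wraps a harmless one-liner three times to mirror the three stages described. It does not handle the AES/ChaCha20 layers, which need the keys recovered from the loader.

```python
import base64
import zlib
from typing import Optional

def peel_layer(blob: bytes) -> Optional[bytes]:
    """Undo one base85-then-zlib wrapping; None if blob is not wrapped that way."""
    try:
        return zlib.decompress(base64.b85decode(blob))
    except (ValueError, zlib.error):
        return None

def looks_like_source(data: bytes) -> bool:
    """True when data is text that parses as a Python module."""
    try:
        compile(data.decode("utf-8"), "<peeled>", "exec")
        return True
    except (UnicodeDecodeError, SyntaxError, ValueError):
        return False

def peel_all(blob: bytes, max_layers: int = 16) -> tuple[bytes, int, bool]:
    """Strip nested wrappings until nothing decodes further.

    Returns the innermost data, how many layers were removed, and whether
    that data parses as Python source (the analyst's stopping signal).
    """
    current, layers = blob, 0
    while layers < max_layers:
        inner = peel_layer(current)
        if inner is None:
            break
        current, layers = inner, layers + 1
    return current, layers, looks_like_source(current)

def wrap(src: bytes, times: int) -> bytes:
    """Constructed helper: apply the same wrapping N times to build a sample."""
    for _ in range(times):
        src = base64.b85encode(zlib.compress(src))
    return src

# Constructed sample: a harmless one-liner wrapped three times, mirroring the
# three decode stages the investigation describes. Not the real payload.
SAMPLE = wrap(b"print('innermost stage reached')\n", 3)

if __name__ == "__main__":
    data, count, is_src = peel_all(SAMPLE)
    print(f"removed {count} layer(s); parses as Python: {is_src}")
    print(data.decode())
```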

Final Payload: SOCKS5 Proxy Backdoor
Once deobfuscated, the malware revealed its true purpose: a SOCKS5 proxy backdoor.
Core Capabilities
- Establishes outbound tunnel to a hardcoded C2 server
- Uses port 443 to blend with HTTPS traffic
- Supports dynamic C2 configuration via arguments
- Enables lateral movement and network pivoting
Modular Architecture
The payload is structured into three main classes:
- Commander – Handles C2 communication and session control
- Relay – Implements SOCKS5 proxy functionality
- Wire – Manages socket communication and data transport
This modular design allows multiple concurrent proxy sessions, making it highly scalable for attackers.
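One network-side check that follows from the port-443 blending is to look at the first client bytes of each session: a genuine HTTPS session opens with a TLS record, while a SOCKS5 greeting or plaintext HTTP on that port does not. The Python classifier below is an added example (not from the original page or the malware) and its flows are constructed; it assumes the capture exposes the first client payload bytes, and it makes no assumption about the backdoor's own tunnel framing, which the page does not describe.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    first_bytes: bytes   # first client-to-server payload bytes of the session

HTTP_METHODS = (b"GET", b"POST", b"HEAD", b"PUT", b"CONNECT", b"OPTIONS")

def classify(payload: bytes) -> str:
    """Label the opening client bytes of a TCP session by protocol shape."""
    # TLS record header: type 0x16 (handshake), version 3.x
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03 and payload[2] <= 0x04:
        return "tls"
    # SOCKS5 greeting: VER=5, NMETHODS, then exactly that many method ids.
    # A truncated capture of a real greeting falls through to "unknown".
    if len(payload) >= 2 and payload[0] == 0x05:
        nmethods = payload[1]
        if nmethods and len(payload) >= 2 + nmethods:
            return "socks5"
    if payload.split(b" ", 1)[0] in HTTP_METHODS:
        return "http"
    return "unknown"

def suspicious_443(flows: list[Flow]) -> list[tuple[Flow, str]]:
    """Return flows to port 443 whose opening bytes are not a TLS record."""
    hits = []
    for flow in flows:
        label = classify(flow.first_bytes)
        if flow.dport == 443 and label != "tls":
            hits.append((flow, label))
    return hits

# Constructed sample flows (not captured from the investigation).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 443, b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"),
    Flow("10.0.0.7", "203.0.113.20", 443, b"\x05\x01\x00"),        # SOCKS5, no-auth offered
    Flow("10.0.0.7", "203.0.113.20", 443, b"\x05\x02\x00\x02"),    # SOCKS5, two methods
    Flow("10.0.0.9", "203.0.113.30", 443, b"GET /health HTTP/1.1\r\n"),
    Flow("10.0.0.9", "203.0.113.30", 22, b"SSH-2.0-OpenSSH_9.6\r\n"),
]

if __name__ == "__main__":
    for flow, label in suspicious_443(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dport} opens with {label}")
```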
Attribution and Threat Overlap
The backdoor shares strong similarities with known threat activity linked to UNC2165 and EvilCorp. Its behavior aligns with documented traits of the VIPERTUNNEL malware family.
Additionally, threat hunting revealed overlap with another malware strain known as ShadowCoil, which targets browser credentials across Chromium-based browsers and Firefox.
Both malware families appear to use:
- A shared obfuscation framework
- Multi-stage loaders
- Modular payload design
This suggests a common development ecosystem or shared tooling among threat actors.
Evolution Through Clustering
By analyzing samples over time, researchers identified four distinct development phases:
| Phase | Timeline | Characteristics |
|---|---|---|
| Early Development | Dec 2023 | No obfuscation, coding errors |
| Public Tool Adoption | Sep 2024 | Minified code, basic obfuscation |
| Refinement & Debugging | 2024–2025 | Logging, partial obfuscation |
| Production Variant | Late 2025 | Clean architecture, stealth focus |
The progression shows a clear shift from experimental code to a mature, stealth-oriented backdoor.
Infrastructure and Detection Insights
The supporting infrastructure revealed consistent patterns:
- Open ports: 22 (SSH) and 443 (HTTPS)
- Occasional use of port 8000 for secondary C2 frameworks
- Unique HTTP 401 responses with modified headers (Basic realm="Proxy")
Attackers also leveraged a Python-based C2 framework known as Pyramid, which executes code in memory using legitimate binaries.
Notably, detection is complicated by:
- Header spoofing
- Dynamic port usage
- Minimal disk artifacts
These factors make traditional signature-based detection less effective.
Our Opinion on This Case
This case represents a clear evolution in attacker tradecraft, particularly in how Python is weaponized for persistence and stealth. The abuse of sitecustomize.py is especially clever—it leverages a legitimate interpreter feature that most security tools overlook. This reflects a broader trend: attackers are no longer relying solely on exploits but are instead embedding themselves within trusted execution paths.
The layered obfuscation also signals a shift toward defensive evasion as a priority, not just an afterthought. Three stages of decoding, combined with cryptographic protection and in-memory execution, significantly raise the barrier for detection and analysis. This is not commodity malware—it is engineered for resilience.
What stands out most is the modular architecture and reuse across campaigns like ShadowCoil and VIPERTUNNEL. This suggests a shared development pipeline or malware-as-a-service ecosystem, where components are repurposed for different objectives (proxying, credential theft, persistence).
From a defensive standpoint, this case reinforces the importance of behavioral detection over signatures, visibility into interpreter-based execution, and monitoring of unusual parent-child process relationships. Ultimately, this is a reminder that attackers are innovating rapidly—and defenders must adapt just as quickly.
