PyRAT: Python Cross-Platform Remote Access Python-based Capabilities

A new Python-based remote access trojan (RAT) has surfaced, posing a significant threat to both Windows and Linux operating systems. This malware comes equipped with sophisticated capabilities for surveillance and data theft.

The malware operates by establishing command-and-control communication through unencrypted HTTP channels, allowing attackers to execute commands, steal files, and capture screenshots remotely.

When executed, it immediately begins fingerprinting the victim’s system by collecting details such as operating system type, hostname, and current username.

This information is then transmitted to the attacker’s server, enabling them to track individual victims across sessions.

K7 Security Labs researchers identified the malware during routine investigations on VirusTotal, where they discovered an ELF binary written entirely in Python.

The trojan was packaged using PyInstaller version 2.1 with Python 2.7, concealing its malicious code within what appeared to be a legitimate executable.

Upon extraction using specialized tools, analysts uncovered the main entry point in a file named agent-svc.pyc, which contained the complete remote access functionality organized under a single class called “Agent.”

The malware achieves persistence differently depending on the operating system. On Linux systems, it creates a deceptive autostart entry at ~/.config/autostart/dpkgn.desktop, using a name that mimics legitimate Debian package tools to avoid detection.

This file executes automatically when users log in, maintaining the malware’s presence without requiring administrator privileges.

On Windows systems, it adds a registry entry in the current user’s Run key under the name “lee,” ensuring automatic execution at startup while staying within user-level permissions.

Command-and-Control Infrastructure

The trojan communicates with its command server through basic HTTP POST requests directed at specific endpoints, transmitting system data in plain JSON format without encryption.

This design makes the traffic highly vulnerable to network monitoring and detection.

The malware uses a semi-persistent identifier created by combining the victim’s username with their MAC address, allowing attackers to track individual infections even if some system details change.

Communication frequency adapts based on activity state, with idle periods featuring longer intervals to reduce network visibility, while active sessions poll rapidly every half second to maintain responsiveness to incoming commands.

The malware supports extensive file operations including unrestricted uploads and downloads through multipart form-data encoding.

It can enumerate entire directory structures, change working directories, and create ZIP archives for bulk data exfiltration using the DEFLATE compression algorithm.

Screenshot capture functionality records the entire screen through PIL’s ImageGrab module, saving images as temporary JPEG files that are automatically uploaded to the attacker’s server.

All operations run in separate threads to prevent blocking the main communication loop, ensuring continuous availability for receiving new commands while executing existing tasks.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.