VIPERTUNNEL Python Backdoor Hidden in Fake DLLs and Obfuscated Loaders

Emy Elsamnoudy
April 13, 2026

Key Takeaways

  • VIPERTUNNEL, a sophisticated Python-based backdoor, is actively targeting enterprise networks, leveraging fake DLLs and multi-layered obfuscation.
  • The malware establishes a SOCKS5 proxy tunnel, granting attackers persistent and covert access to compromised systems.
  • Initial compromise often involves a scheduled task executing pythonw.exe without arguments, a technique designed for stealth.
  • Associated with threat groups UNC2165 and EvilCorp, VIPERTUNNEL uses a shared obfuscation framework also seen in the ShadowCoil credential stealer.
  • Defenders should monitor for unusual Python execution, inspect sitecustomize.py files, and implement network egress filtering for Python processes.

A potent Python-based backdoor, dubbed VIPERTUNNEL, is currently being deployed against enterprise networks, employing a complex chain of fake DLLs and heavily obfuscated loaders to maintain persistence and evade detection. This advanced threat facilitates stealthy, long-term access for attackers within compromised environments by establishing a SOCKS5 proxy tunnel to remote command-and-control (C2) infrastructure.

The intricate loader mechanism behind VIPERTUNNEL is specifically engineered to thwart analysis efforts, ensuring the backdoor remains operational long after the initial breach. This multi-layered approach makes forensic investigation and malware eradication significantly more challenging for security professionals.

Initial Infiltration and Stealthy Execution

The infection chain for VIPERTUNNEL typically commences with the creation of a scheduled task on the victim’s machine. This task is configured to discreetly launch a legitimate Python interpreter, pythonw.exe, from the directory C:\ProgramData\cp49s without any accompanying command-line arguments. This execution pattern is highly anomalous in standard Windows environments, where Python is rarely invoked in such a manner without a specified script.

Instead of directly pointing to a Python script, the attackers subtly modify a core Python startup file, sitecustomize.py. This file is automatically loaded by the Python interpreter upon every startup. By embedding malicious code within sitecustomize.py, the threat actors ensure silent execution each time the scheduled task triggers, effectively bypassing detection in command-line logs.

Discovery and Analysis by InfoGuard Labs

The VIPERTUNNEL backdoor was first identified by InfoGuard Labs analysts, led by researcher Evgen Blohm, during a ransomware incident response engagement in early 2026. The malware’s presence came to light during a routine persistence audit, which flagged an unusually named scheduled task, 523135538, executing pythonw.exe without arguments.

Further investigation revealed the tampered sitecustomize.py. This modified file leveraged Python’s ctypes library to call the Py_GetArgcArgv API, verifying the absence of command-line input. Subsequently, it silently loaded a file named b5yogiiy3c.dll using Python’s runpy module. A detailed analysis of their findings is available here.

Obfuscated Loader Chain and SOCKS5 Payload

The file b5yogiiy3c.dll is not a true DLL but rather a Python script disguised with a DLL extension, a common tactic to mislead both analysts and automated security scanners. Inside this fake DLL, the actual payload is protected by three layers of sophisticated obfuscation.

This malware employs Base85 encoding, along with AES and ChaCha20 encryption, and control-flow flattening. Control-flow flattening transforms sequential code into complex while True loops driven by state variables, forcing reverse engineers to manually trace each execution path instead of following a linear code flow. Each layer decrypts and passes control to the next in memory, ensuring the final payload never touches the disk. This layered approach is detailed further in a report from InfoGuard Labs.

The ultimate payload is a fully functional SOCKS5 proxy backdoor. It initiates outbound connections over port 443, effectively blending with legitimate HTTPS traffic to evade network-based detection. The recovered payload is a structured Python script comprising three key classes: Wire, Relay, and Commander. The Commander class manages the C2 handshake and spawns Relay threads as needed. Relay handles the core SOCKS5 proxy functionality, facilitating data routing between the C2 server and internal network targets, while Wire manages underlying socket operations.

Outbound traffic consistently uses port 443, and analysis revealed hardcoded default credentials embedded as placeholders within the malware. Infrastructure analysis identified nearly 30 active C2 nodes, all hosted in the United States and running Ubuntu 22.04 LTS.
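The tampered sitecustomize.py described under "Discovery and Analysis" and the class names and error identifier recovered from the payload above give defenders textual indicators that can be checked on disk; the same indicators are the ones the recommendations at the end of this article ask you to audit and to write YARA rules for. The audit below is an added example, not code from the article or from InfoGuard Labs. It walks a directory tree, reports any sitecustomize.py outside the expected interpreter locations, scores it for the traits the analysts found (ctypes, Py_GetArgcArgv, runpy, a ".dll" name passed as a script), and flags files that name at least two of the payload's identifiers. The expected-location markers and the two-trait threshold are assumptions; the sample tree is constructed in a temporary directory and contains only identifier strings, no working code.

```python
"""Audit sitecustomize.py placement and scan for VIPERTUNNEL string indicators."""
import re
import tempfile
from pathlib import Path

# Traits of the tampered startup file, as described in the article.
STARTUP_INDICATORS = {
    "ctypes": re.compile(r"\bctypes\b"),
    "Py_GetArgcArgv": re.compile(r"Py_GetArgcArgv"),
    "runpy": re.compile(r"\brunpy\b"),
    "dll_as_script": re.compile(r"""['"][^'"]+\.dll['"]"""),
}
# Identifiers from the recovered SOCKS5 payload (spelling kept as reported).
PAYLOAD_INDICATORS = {
    "class Wire": re.compile(r"^\s*class\s+Wire\b", re.M),
    "class Relay": re.compile(r"^\s*class\s+Relay\b", re.M),
    "class Commander": re.compile(r"^\s*class\s+Commander\b", re.M),
    "ConnectionTimeoutOccuredError": re.compile(r"ConnectionTimeoutOccuredError"),
}
# Assumption: path fragments where a legitimate sitecustomize.py may live.
EXPECTED_SITE_DIRS = ("Lib/site-packages", "lib/python", "site-packages")


def is_expected_location(path):
    return any(marker in path.as_posix() for marker in EXPECTED_SITE_DIRS)


def matched_indicators(path, indicators):
    """Names of indicators whose pattern appears in the file (binary-safe read)."""
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return []
    return [name for name, rx in indicators.items() if rx.search(text)]


def audit(root):
    """Return findings for startup hooks and payload-like files under root."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if path.name == "sitecustomize.py":
            hits = matched_indicators(path, STARTUP_INDICATORS)
            outside = not is_expected_location(path)
            if outside or hits:
                findings.append({"path": str(path), "name": path.name, "kind": "startup-hook",
                                 "outside_expected_dir": outside, "indicators": hits})
        if path.suffix.lower() in (".py", ".pyw", ".dll"):
            hits = matched_indicators(path, PAYLOAD_INDICATORS)
            if len(hits) >= 2:  # assumption: two traits cut noise from generic names like Wire
                findings.append({"path": str(path), "name": path.name,
                                 "kind": "payload-strings", "indicators": hits})
    return findings


def build_sample_tree():
    """Constructed fixture: a legitimate sitecustomize.py inside a normal install,
    a planted one under ProgramData that references the traits, and a file with
    a .dll extension that is really Python text naming the payload classes."""
    root = Path(tempfile.mkdtemp(prefix="vipertunnel-audit-"))
    legit = root / "Python312" / "Lib" / "site-packages" / "sitecustomize.py"
    legit.parent.mkdir(parents=True)
    legit.write_text("import sys\nsys.path.append('/opt/corp-libs')\n")
    planted = root / "ProgramData" / "cp49s" / "sitecustomize.py"
    planted.parent.mkdir(parents=True)
    planted.write_text(
        "# constructed stand-in: names the traits, performs nothing\n"
        "import ctypes, runpy  # Py_GetArgcArgv check, then runpy on 'b5yogiiy3c.dll'\n"
    )
    fake_dll = root / "ProgramData" / "cp49s" / "b5yogiiy3c.dll"
    fake_dll.write_text(
        "class Wire:\n    pass\nclass Relay:\n    pass\nclass Commander:\n    pass\n"
        "class ConnectionTimeoutOccuredError(Exception):\n    pass\n"
    )
    return root


if __name__ == "__main__":
    for finding in audit(build_sample_tree()):
        print(finding["kind"], finding["path"], finding["indicators"])
```

Only the outermost stage is expected to match: the inner layers are Base85-encoded and encrypted, so the class names surface in memory rather than on disk, which is why the placement check on sitecustomize.py is the more reliable of the two signals.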

Attribution and Related Campaigns

The VIPERTUNNEL campaign has been linked to prominent threat groups UNC2165 and EvilCorp. The backdoor primarily functions as a tool for persistent access and network pivoting within compromised environments. Threat hunters at InfoGuard Labs also discovered that the same obfuscation framework utilized by VIPERTUNNEL is employed in the delivery of ShadowCoil, another Python-based credential stealer targeting popular browsers like Chrome, Edge, and Firefox.

Both VIPERTUNNEL and ShadowCoil appear to share a private packer utility. This shared obfuscation pattern is considered a strong indicator of ongoing operations by this particular threat cluster, suggesting a consistent and evolving toolkit.

What You Should Do

  • Monitor Python Execution: Implement robust monitoring to detect instances of pythonw.exe being executed via scheduled tasks without any command-line arguments. This is a critical indicator of VIPERTUNNEL activity.
  • Inspect sitecustomize.py Files: Regularly audit sitecustomize.py files, especially those found outside standard Python installation paths (e.g., C:\ProgramData\cp49s), for any unauthorized modifications.
  • Implement Egress Filtering: Configure network egress filtering to restrict Python processes from initiating unexpected outbound connections on port 443, particularly to unknown or suspicious IP addresses.
  • Deploy YARA Rules: Integrate YARA rules targeting the specific class names (Wire, Relay, Commander) and the error identifier (ConnectionTimeoutOccuredError) associated with VIPERTUNNEL variants into your detection systems.
  • Educate Users: Reinforce security awareness training to help users identify and avoid phishing attempts or other initial compromise vectors that could lead to VIPERTUNNEL deployment.
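The egress-filtering recommendation above is simplest to enforce when you know which destinations Python tooling legitimately needs. The checker below is an added example, not code from the article or from InfoGuard Labs: it evaluates network-connection telemetry (Sysmon Event ID 3 style records with Image, DestinationIp, DestinationPort and Initiated fields, an assumption) against an allowlist of (network, port) pairs that Python interpreters may reach, and reports every interpreter-initiated connection that falls outside it. The allowlist entries and the sample events are constructed for the demonstration.

```python
"""Flag Python-process egress that is not covered by an allowlist."""
import ipaddress
from pathlib import PureWindowsPath

# Assumption: fleet-specific destinations Python tooling is permitted to reach.
PYTHON_EGRESS_ALLOWLIST = [
    (ipaddress.ip_network("10.0.0.0/8"), 443),    # internal APIs
    (ipaddress.ip_network("192.0.2.0/24"), 443),  # constructed: package mirror
]


def is_python_image(image):
    return PureWindowsPath(image).name.lower() in ("python.exe", "pythonw.exe")


def is_allowed(dest_ip, port):
    """True when the destination matches an allowlisted (network, port) pair."""
    ip = ipaddress.ip_address(dest_ip)
    return any(ip in net and port == allowed_port for net, allowed_port in PYTHON_EGRESS_ALLOWLIST)


def find_policy_violations(events):
    """Return outbound connections by a Python interpreter to non-allowlisted hosts."""
    violations = []
    for ev in events:
        if not is_python_image(ev.get("Image", "")):
            continue
        if not ev.get("Initiated", True):
            continue  # inbound/accepted sockets are not egress
        port = int(ev["DestinationPort"])
        if is_allowed(ev["DestinationIp"], port):
            continue
        violations.append({
            "image": ev["Image"],
            "destination": f'{ev["DestinationIp"]}:{port}',
            "reason": "python interpreter egress to a non-allowlisted destination",
        })
    return violations


# Constructed sample telemetry.
SAMPLE_CONNECTIONS = [
    {"Image": r"C:\ProgramData\cp49s\pythonw.exe", "DestinationIp": "203.0.113.45",
     "DestinationPort": "443", "Initiated": True},                       # should be flagged
    {"Image": r"C:\Program Files\Python312\python.exe", "DestinationIp": "192.0.2.10",
     "DestinationPort": "443", "Initiated": True},                       # package mirror, allowed
    {"Image": r"C:\Program Files\Python312\python.exe", "DestinationIp": "10.20.30.40",
     "DestinationPort": "443", "Initiated": True},                       # internal API, allowed
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationIp": "203.0.113.45", "DestinationPort": "443", "Initiated": True},  # not Python
    {"Image": r"C:\ProgramData\cp49s\pythonw.exe", "DestinationIp": "203.0.113.45",
     "DestinationPort": "443", "Initiated": False},                      # not egress
]

if __name__ == "__main__":
    for v in find_policy_violations(SAMPLE_CONNECTIONS):
        print(v["image"], "->", v["destination"], "|", v["reason"])
```

Port 443 alone is not a useful discriminator, since the backdoor chooses it precisely to blend in; the useful signal is the combination of an interpreter binary, an outbound socket and a destination nobody approved, which is what the allowlist expresses.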
