VIPERTUNNEL Python Backdoor Hidden in Fake DLLs and Obfuscated Loaders
Key Takeaways
- VIPERTUNNEL, a sophisticated Python-based backdoor, is actively targeting enterprise networks, leveraging fake DLLs and multi-layered obfuscation.
- The malware establishes a SOCKS5 proxy tunnel, granting attackers persistent and covert access to compromised systems.
- Initial compromise often involves a scheduled task executing pythonw.exe without arguments, a technique designed for stealth.
- Associated with threat groups UNC2165 and EvilCorp, VIPERTUNNEL uses a shared obfuscation framework also seen in the ShadowCoil credential stealer.
- Defenders should monitor for unusual Python execution, inspect sitecustomize.py files, and implement network egress filtering for Python processes.
A potent Python-based backdoor, dubbed VIPERTUNNEL, is currently being deployed against enterprise networks, employing a complex chain of fake DLLs and heavily obfuscated loaders to maintain persistence and evade detection. This advanced threat facilitates stealthy, long-term access for attackers within compromised environments by establishing a SOCKS5 proxy tunnel to remote command-and-control (C2) infrastructure.
The intricate loader mechanism behind VIPERTUNNEL is specifically engineered to thwart analysis efforts, ensuring the backdoor remains operational long after the initial breach. This multi-layered approach makes forensic investigation and malware eradication significantly more challenging for security professionals.
Initial Infiltration and Stealthy Execution
The infection chain for VIPERTUNNEL typically commences with the creation of a scheduled task on the victim’s machine. This task is configured to discreetly launch a legitimate Python interpreter, pythonw.exe, from the directory C:\ProgramData\cp49s without any accompanying command-line arguments. This execution pattern is highly anomalous in standard Windows environments, where Python is rarely invoked in such a manner without a specified script.
Instead of directly pointing to a Python script, the attackers subtly modify a core Python startup file, sitecustomize.py. This file is automatically loaded by the Python interpreter upon every startup. By embedding malicious code within sitecustomize.py, the threat actors ensure silent execution each time the scheduled task triggers, effectively bypassing detection in command-line logs.
Discovery and Analysis by InfoGuard Labs
The VIPERTUNNEL backdoor was first identified by InfoGuard Labs analysts, led by researcher Evgen Blohm, during a ransomware incident response engagement in early 2026. The malware’s presence came to light during a routine persistence audit, which flagged an unusually named scheduled task, 523135538, executing pythonw.exe without arguments.
Further investigation revealed the tampered sitecustomize.py. This modified file leveraged Python’s ctypes library to call the Py_GetArgcArgv API, verifying the absence of command-line input. Subsequently, it silently loaded a file named b5yogiiy3c.dll using Python’s runpy module. A detailed analysis of their findings is available here.
Obfuscated Loader Chain and SOCKS5 Payload
The file b5yogiiy3c.dll is not a true DLL but rather a Python script disguised with a DLL extension, a common tactic to mislead both analysts and automated security scanners. Inside this fake DLL, the actual payload is protected by three layers of sophisticated obfuscation.
This malware employs Base85 encoding, along with AES and ChaCha20 encryption, and control-flow flattening. Control-flow flattening transforms sequential code into complex while True loops driven by state variables, forcing reverse engineers to manually trace each execution path instead of following a linear code flow. Each layer decrypts and passes control to the next in memory, ensuring the final payload never touches the disk. This layered approach is detailed further in a report from InfoGuard Labs.
The ultimate payload is a fully functional SOCKS5 proxy backdoor. It initiates outbound connections over port 443, effectively blending with legitimate HTTPS traffic to evade network-based detection. The recovered payload is a structured Python script comprising three key classes: Wire, Relay, and Commander. The Commander class manages the C2 handshake and spawns Relay threads as needed. Relay handles the core SOCKS5 proxy functionality, facilitating data routing between the C2 server and internal network targets, while Wire manages underlying socket operations.
Outbound traffic consistently uses port 443, and analysis revealed hardcoded default credentials embedded as placeholders within the malware. Infrastructure analysis identified nearly 30 active C2 nodes, all hosted in the United States and running Ubuntu 22.04 LTS.
Attribution and Related Campaigns
The VIPERTUNNEL campaign has been linked to prominent threat groups UNC2165 and EvilCorp. The backdoor primarily functions as a tool for persistent access and network pivoting within compromised environments. Threat hunters at InfoGuard Labs also discovered that the same obfuscation framework utilized by VIPERTUNNEL is employed in the delivery of ShadowCoil, another Python-based credential stealer targeting popular browsers like Chrome, Edge, and Firefox.
Both VIPERTUNNEL and ShadowCoil appear to share a private packer utility. This shared obfuscation pattern is considered a strong indicator of ongoing operations by this particular threat cluster, suggesting a consistent and evolving toolkit.
What You Should Do
- Monitor Python Execution: Implement robust monitoring to detect instances of pythonw.exe being executed via scheduled tasks without any command-line arguments. This is a critical indicator of VIPERTUNNEL activity.
- Inspect sitecustomize.py Files: Regularly audit sitecustomize.py files, especially those found outside standard Python installation paths (e.g., C:\ProgramData\cp49s), for any unauthorized modifications.
- Implement Egress Filtering: Configure network egress filtering to restrict Python processes from initiating unexpected outbound connections on port 443, particularly to unknown or suspicious IP addresses.
- Deploy YARA Rules: Integrate YARA rules targeting the specific class names (Wire, Relay, Commander) and the error identifier (ConnectionTimeoutOccuredError) associated with VIPERTUNNEL variants into your detection systems.
- Educate Users: Reinforce security awareness training to help users identify and avoid phishing attempts or other initial compromise vectors that could lead to VIPERTUNNEL deployment.
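The first two recommendations can be turned into a quick host-side hunt. The following PowerShell script is an added example, not code from InfoGuard Labs or the article: it lists scheduled tasks whose action is pythonw.exe with an empty argument list, then searches the common user-writable and ProgramData roots for sitecustomize.py files outside the usual Python install paths and flags the loader traits the analysis describes (a Py_GetArgcArgv call, use of runpy, a .dll path). The search roots and the "standard" install roots are assumptions for a typical Windows host and should be adjusted to your environment.

```powershell
# Added hunting script (not from the article or InfoGuard Labs). Requires the
# ScheduledTasks module (Windows 8 / Server 2012 and later). Run as an administrator
# so that tasks and files belonging to other users are visible.
$findings = @()

# 1. Scheduled tasks that launch pythonw.exe with no command-line arguments.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        if ($action.Execute -match 'pythonw\.exe$' -and [string]::IsNullOrWhiteSpace($action.Arguments)) {
            $findings += [pscustomobject]@{
                Type   = 'ScheduledTask'
                Name   = $task.TaskName
                Detail = "$($action.Execute) (no arguments, WorkingDirectory=$($action.WorkingDirectory))"
            }
        }
    }
}

# 2. sitecustomize.py outside the standard install roots (assumed list below),
#    checked for the traits described in the analysis of the tampered file.
$standardRoots = @("$env:ProgramFiles\Python", "${env:ProgramFiles(x86)}\Python", "$env:LOCALAPPDATA\Programs\Python")
$searchRoots   = @($env:ProgramData, $env:APPDATA, $env:LOCALAPPDATA, $env:PUBLIC, $env:TEMP)
foreach ($root in $searchRoots) {
    if (-not $root -or -not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Filter 'sitecustomize.py' -Recurse -File -ErrorAction SilentlyContinue |
      Where-Object { $f = $_.FullName; -not ($standardRoots | Where-Object { $f.StartsWith($_, 'OrdinalIgnoreCase') }) } |
      ForEach-Object {
        $text   = Get-Content -Path $_.FullName -Raw -ErrorAction SilentlyContinue
        $traits = @()
        if ($text -match 'Py_GetArgcArgv') { $traits += 'Py_GetArgcArgv' }   # argc/argv check via ctypes
        if ($text -match 'runpy')          { $traits += 'runpy' }            # runpy used to load the payload
        if ($text -match '\.dll')          { $traits += 'dll-path' }         # fake-DLL script referenced
        $findings += [pscustomobject]@{
            Type   = 'SitecustomizeFile'
            Name   = $_.FullName
            Detail = $(if ($traits) { 'traits: ' + ($traits -join ', ') } else { 'outside standard path; review manually' })
        }
      }
}

# Any ScheduledTask finding, or a SitecustomizeFile finding carrying traits, warrants
# pulling the file and the task XML for analysis rather than deleting them in place.
$findings | Format-Table -AutoSize
```

Pair the output with network telemetry for the same host: a pythonw.exe process from a non-standard directory opening outbound 443 connections matches the egress behaviour described above.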
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.