Keypoints
- Two PyPI packages (Pyward, pywarder) contained multi-layer obfuscated Python code that unpacks at runtime.
- The initial stub downloads a secondary payload from hxxps[:]//rentry[.]co/pvtapi/raw, saves it as a .pyw, and executes it.
- The secondary payload checks for admin privileges, attempts UAC bypass, tests internet connectivity, and detects sandboxes to evade analysis.
- It disables Windows Defender via an elevated PowerShell script, manipulates the hosts file to block security sites, and enforces blacklists.
- Extensive data‑collection capabilities include screenshots/webcam capture, browser and Chromium credential extraction, Discord token harvesting and JS injection, Telegram session theft, and targeted file stealing.
- Collected data is archived with the password “blank123” and exfiltrated to gofile.io / anonfiles.com or sent via a Telegram bot API as a fallback.
- Analysis found references to a removed GitHub repository “Hexa-Grabber”, linking the code to known grabber tooling.
MITRE Techniques
- [T1027] Obfuscated Files or Information – Multiple nested obfuscation layers in package init files and the secondary payload hinder analysis (‘…the malicious code is a jumble of multiple layers of obfuscation…’).
- [T1105] Ingress Tool Transfer – Downloader fetches and saves a secondary payload from a remote URL and executes it (‘…fetch another malicious payload from the url “hxxps[:]//rentry[.]co/pvtapi/raw”, save it under a random name with the .pyw extension, and execute it.’).
- [T1548.002] Abuse Elevation Control Mechanism: Bypass UAC – Script checks for administrative privileges and attempts to bypass User Account Control to gain higher privileges (‘…checking for administrative privileges and tries to bypass User Account Control (UAC).’).
- [T1562.001] Disable or Modify Security Tools – Executes an elevated PowerShell script to disable Windows Defender protections (‘…execute a PowerShell script within an elevated PowerShell terminal to disable all security solutions provided by Windows Defender.’).
- [T1564.001] Hidden Files and Directories – Uses attrib to mark files as hidden/system to reduce visibility to users (‘…uses the attrib command to hide files by setting the file to be “hidden” and “system”.’).
- [T1070.004] File Deletion – Implements self‑removal routines (os.remove or ping+del trick) to delete executables and scripts when no longer needed (‘…DeleteSelf function is designed to remove the program’s own executables and scripts… uses a technique involving ping and del to remove itself… os.remove to delete the file.’).
- [T1113] Screen Capture – Uses a PowerShell script to capture screenshots of all available displays and save them as .png files (‘…captures screenshots of all available screens on the system and saves them as .png files…’).
- [T1555.003] Credentials from Web Browsers – Extracts and decrypts stored browser data (passwords, cookies, autofill, history) from Chromium-based browsers (‘…methods for extracting and decrypting data from a variety of browsers including passwords, cookies, history, and autofill data.’).
- [T1552.001] Unsecured Credentials in Files – Locates and copies local session/token files (e.g., Discord/Telegram session files) to steal account tokens and session data (‘…checks whether a setting (Settings.DiscordInjection) is enabled and if it is enabled, it injects JavaScript into Discord.’ and ‘…search and steal Telegram sessions… copies the session data (key_datas files and related files)…’).
- [T1567.002] Exfiltration to Cloud Storage – Attempts to upload archived stolen data to public file‑sharing services like gofile.io and anonfiles.com (‘…attempted to be uploaded to either of the following file-sharing services: http://gofile.io and anonfiles.com.’).
- [T1041] Exfiltration Over C2 Channel – Uses Telegram bot API as an alternate exfiltration channel to send data when other uploads fail (‘…the archived data is exfiltrated to telegram via the following telegram bot API URL…’).
Indicators of Compromise
- [Malicious URL] Payload delivery – hxxps[:]//rentry[.]co/pvtapi/raw (used by initial downloader to fetch secondary .pyw payload)
- [Exfiltration URL] Telegram bot API endpoint – hxxps[:]//api[.]telegram[.]org/bot6470601001:AAFb_C7msjRCEh8jwo_Q74aujh1TXUP0CsQ/sendMessage?chatid=1975115969 (fallback exfiltration channel)
- [Repository] Project / tooling reference – hxxps[:]//github[.]com/Hexa-c/Hexa-Grabber (referenced in disassembly; repository appears removed)
- [Package names] Malicious PyPI packages – Pyward, pywarder (packages that contained the obfuscated __init__.py stubs)
- [Archive password] Hardcoded archive password – “blank123” (used to password-protect archived stolen data before exfiltration)
The two discovered PyPI packages contained heavily obfuscated code in their __init__.py stubs that, once deobfuscated, acted as a downloader: it retrieved a secondary payload from hxxps[:]//rentry[.]co/pvtapi/raw, saved it with a randomized .pyw filename, and executed it. The secondary payload was itself deeply obfuscated and implemented staged behavior—administrative checks, UAC bypass attempts, internet connectivity and sandbox detection—before activating collection and evasion routines.
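As an added, analyst-side example (not code from the Checkmarx write-up or from the Pyward/pywarder packages), the following Python peels nested exec()-wrapper layers of the kind described above statically: it parses each layer with `ast` and applies only whitelisted base64/zlib decoders and the `[::-1]` reversal trick to literal constants, so the wrapped payload is never executed. The sample it unwraps is constructed by `wrap()` for the demonstration and is not real malware.

```python
import ast
import base64
import zlib

DECODERS = {("base64", "b64decode"): base64.b64decode, ("zlib", "decompress"): zlib.decompress}  # applied statically

def _decoder(func):
    """Map `zlib.decompress` or `__import__('zlib').decompress` to a whitelisted callable."""
    if isinstance(func, ast.Attribute):
        owner = func.value
        if isinstance(owner, ast.Name):  # zlib.decompress
            return DECODERS.get((owner.id, func.attr))
        if (isinstance(owner, ast.Call) and isinstance(owner.func, ast.Name) and owner.func.id == "__import__"
                and owner.args and isinstance(owner.args[0], ast.Constant)):  # __import__('zlib').decompress
            return DECODERS.get((owner.args[0].value, func.attr))
    return None

def _static_eval(node):
    """Evaluate a literal wrapped in whitelisted decoder calls; refuse anything else (no exec/eval)."""
    if isinstance(node, ast.Constant) and isinstance(node.value, (str, bytes)):
        return node.value
    if (isinstance(node, ast.Subscript) and isinstance(node.slice, ast.Slice) and node.slice.lower is None
            and node.slice.upper is None and ast.literal_eval(node.slice.step) == -1):  # the x[::-1] trick
        return _static_eval(node.value)[::-1]
    if isinstance(node, ast.Call) and len(node.args) == 1 and _decoder(node.func):
        return _decoder(node.func)(_static_eval(node.args[0]))
    raise ValueError("unsupported construct, stopping: " + type(node).__name__)

def peel(source, max_layers=500):
    """Strip exec()/eval() wrapper layers statically. Returns (inner_source, layers_removed)."""
    layers = 0
    while layers < max_layers:
        body = [n for n in ast.parse(source).body if not isinstance(n, (ast.Import, ast.ImportFrom))]
        if not (len(body) == 1 and isinstance(body[0], ast.Expr) and isinstance(body[0].value, ast.Call)
                and isinstance(body[0].value.func, ast.Name) and body[0].value.func.id in ("exec", "eval")
                and len(body[0].value.args) == 1):
            break  # not a pure wrapper layer, so this is the real (innermost) code
        inner = _static_eval(body[0].value.args[0])
        source = inner.decode() if isinstance(inner, bytes) else inner
        layers += 1
    return source, layers

def wrap(source, layers):
    """Constructed fixture (not the real packages): nest `source` in alternating wrapper styles."""
    for i in range(layers):
        blob = base64.b64encode(zlib.compress(source.encode())).decode()
        if i % 2:
            source = f"import base64, zlib\nexec(zlib.decompress(base64.b64decode({blob!r})))"
        else:
            source = f"exec(__import__('zlib').decompress(__import__('base64').b64decode({blob[::-1]!r}[::-1])))"
    return source
```

Running `peel()` on a real sample stops with a `ValueError` at the first layer that uses a decoder outside the whitelist, which is exactly the point where an analyst should inspect the construct before extending the table.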
Operational capabilities include disabling Windows Defender via an elevated PowerShell script, editing the hosts file to block security/AV sites, enforcing blacklists, hiding files using attrib, and removing artifacts using OS deletion or ping+del shims. For data collection it captures screenshots and webcam images, extracts and decrypts browser-stored credentials/cookies and Chromium data, harvests Discord tokens and can inject JavaScript into the Discord client, copies Telegram session files, and searches common user directories for keyword‑and‑extension matched files (e.g., ‘password’, ‘wallet’, .docx, .pdf, .png).
All harvested data are consolidated into files, archived with the password “blank123”, and uploaded to public file-sharing services (gofile.io, anonfiles.com). If those uploads fail or the archives are too large, the malware falls back to exfiltrating via a Telegram bot API call. Analysis also found references to the removed “Hexa-Grabber” GitHub repository, linking this code to known grabber toolsets.
Read more: https://checkmarx.com/blog/a-deep-dive-into-70-layers-of-obfuscated-info-stealer-malware/