Keypoints
- Threat actor tracked as PYTA27 published multiple malicious Python packages to PyPI and GitHub over several months to distribute credential/crypto stealers.
- Initial uploads contained clear-text stealer code (zay injection) and later shifted to obfuscation using Pyobfuscate, Hyperion, and other tools to evade detection.
- Adversary hid malware by appending malicious code after legitimate code and used double obfuscation to further conceal payloads.
- PYTA27 implemented a second-stage download mechanism (hxxps://www.klgrth[.]io/paste/j2yvv/raw) that saves and executes obfuscated stealer code, enforcing Windows-only execution checks.
- Persistence was achieved by adding a registry Run key (“SecurityHealthSystray.exe”) to execute the payload at startup; C2 was hosted on changing GitHub raw pages (raw.githubusercontent.com/…/1337.py).
- Operator reused multiple usernames and rotated packages/dependencies (e.g., realtek, coincounter, movers) so removed packages are replaced to maintain delivery.
- Stealers exfiltrate credentials and wallet data (original W4SP behavior included sending stolen data to a Discord webhook), indicating active data exfiltration channels.
MITRE Techniques
- [T1027] Obfuscated Files or Information – Used Pyobfuscate, Hyperion, and other obfuscators to conceal Python stealer code (‘…used the Pyobfuscate obfuscator.’).
- [T1195] Supply Chain Compromise – Published malicious packages to package registries and GitHub to distribute malware (‘…attacks on version control systems, mainly GitHub and package registries such as PyPi and NPM.’).
- [T1105] Ingress Tool Transfer – Downloader code fetches a second-stage payload from a remote URL, saves it to a random path, and executes it (‘…downloads a second stage code from a remote location (hxxps://www.klgrth[.]io/paste/j2yvv/raw), saves it to a random path with a random name and runs it.’).
- [T1547.001] Registry Run Keys / Start Folder – Establishes persistence by creating a Run key entry (“SecurityHealthSystray.exe”) to launch payload at startup (‘…adding a “SecurityHealthSystray.exe” key in the “run” directory in the registry to trigger the payload on startup.’).
- [T1071.001] Application Layer Protocol: Web Protocols – Uses raw GitHub pages as a remote C2/source for payloads (fetching from ‘https://raw.githubusercontent.com/IvanDevGames/index.js/main/1337.py’).
- [T1041] Exfiltration Over Command and Control Channel – Stealer components send harvested Discord credentials, wallets, and other files to attacker-controlled endpoints such as Discord webhooks (‘…sends them to the attacker via a pre-set Discord webhook address.’).
Indicators of Compromise
- [URL] second-stage / C2 – hxxps://www.klgrth[.]io/paste/j2yvv/raw, https://raw.githubusercontent.com/IvanDevGames/index.js/main/1337.py
- [Package names] malicious PyPI packages observed – color-vividpy, discord-py-v13, pyselfdiscord, joinerutil, and other renamed packages (realtek, coincounter, movers, wniutil)
- [Usernames/accounts] publisher identities – diazz, laurenjackson, ch4zzin, diniz (tracked as PYTA27)
- [File names] payload and helper files – SecurityHealthSystray.exe (registry persistence), injection.py, module.bat
- [Gist / IOC lists] published artifact lists – https://gist.github.com/TalFo/f98416d87ca761d79caf0fc9c57315e7, https://gist.github.com/TalFo/2649fffd635166336ac7d0291040a23e (IOCs and package lists)
Operationally, packages shifted to a multi-stage model: an initial package downloads an obfuscated second-stage payload from a remote URL (example: klgrth[.]io/paste/…), writes it to a randomized local path, and executes it. The payload enforces Windows-only execution via platform checks, uses Windows-specific libraries (winreg, wmi), and implements persistence by creating a Run key entry (“SecurityHealthSystray.exe”) in the registry. C2 and payload hosting were handled via mutable web resources such as raw GitHub pages (raw.githubusercontent.com/…/1337.py), enabling easy replacement and rotation.
The actor maintained delivery resilience by rotating publisher usernames and changing package dependencies so removed packages would be replaced automatically; repositories (e.g., Leaf $tealer) also listed malicious dependency names (realtek, coincounter, movers) to ensure continued download chains. Stealer functionality focuses on harvesting Discord credentials, crypto wallets, and other local credentials and forwarding them to attacker-controlled endpoints (historically via Discord webhooks), highlighting combined supply-chain abuse, ingress of remote tools, persistence via registry, and exfiltration over web channels.
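A defender-side heuristic scanner for the tradecraft summarised above, added here as an example and not part of the Checkmarx write-up or the actor's code: the indicator values (hosts, Run-key name, Windows gate) come from this page, while the regexes, the entropy threshold and the constructed sample module are this example's own assumptions.

```python
import base64
import hashlib
import math
import re
from collections import Counter

# Indicator values are those named on this page; the regexes, the entropy
# threshold and the sample module below are this example's own assumptions.
RULES = {
    "second_stage_host": re.compile(r"https?://(?:www\.)?(?:klgrth\.io|raw\.githubusercontent\.com)/"),
    "run_key_persistence": re.compile(r"CurrentVersion\\+Run\b", re.I),
    "persistence_name": re.compile(r"SecurityHealthSystray\.exe"),
    "windows_only_gate": re.compile(r"platform\.system\(\)\s*[!=]=\s*['\"]Windows['\"]"
                                    r"|sys\.platform\s*[!=]=\s*['\"]win32['\"]"),
    "decode_then_exec": re.compile(r"\bexec\s*\(.*\b(?:b64decode|marshal\.loads|zlib\.decompress|fromhex)\b"),
}
ENTROPY_BITS = 5.0   # base64 of compressed/encrypted data sits close to 6 bits/char
BLOB_MIN_LEN = 200   # shorter lines are too noisy to judge by entropy alone

def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def scan_source(source: str) -> dict:
    """Map each heuristic that fires to the 1-based line numbers where it does."""
    hits: dict = {}
    for lineno, line in enumerate(source.splitlines(), 1):
        for name, rx in RULES.items():
            if rx.search(line):
                hits.setdefault(name, []).append(lineno)
        # A long high-entropy line is the footprint of an obfuscated payload
        # pasted in after otherwise legitimate code (double obfuscation included).
        if len(line) >= BLOB_MIN_LEN and shannon_entropy(line) >= ENTROPY_BITS:
            hits.setdefault("high_entropy_blob", []).append(lineno)
    return hits

# Constructed sample: a harmless helper followed by an appended stub carrying only
# the indicators; the "payload" is hashed filler, not executable code.
_BLOB = base64.b64encode(b"".join(hashlib.sha256(bytes([i])).digest() for i in range(12))).decode()
SAMPLE = "\n".join([
    "import platform, sys, winreg, base64",
    "def add(a, b):",
    "    return a + b",
    "",
    'if platform.system() != "Windows": sys.exit()',
    'URL = "https://www.klgrth.io/paste/EXAMPLE/raw"  # placeholder path',
    'RUN = r"Software\\Microsoft\\Windows\\CurrentVersion\\Run"',
    'NAME = "SecurityHealthSystray.exe"',
    f'exec(base64.b64decode("{_BLOB}"))',
])
```

Running `scan_source` over each module of a freshly installed package and alerting when two or more rules fire on the same file gives a cheap pre-install check; the rules are string heuristics and will miss payloads that rename or split these tokens.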
Read more: https://checkmarx.com/blog/evolution-of-a-software-supply-chain-attacker/