Threat Research

Three New Malicious PyPI Packages Deploy CoinMiner on Linux Devices | FortiGuard Labs

Securonix

Three PyPI packages — modularseven-1.0, driftme-1.0, and catme-1.0 — were uploaded by the author “sastra” to deploy a CoinMiner on Linux devices, using remote-hosted payloads and staged execution to evade detection. The campaign enhances persistence by adding commands to ~/.bashrc and builds on the earlier “culturestreak” technique with additional obfuscation and a remote stage for better control. #culturestreak #Mine #papiculo #Gitlab

Keypoints

  • Three PyPI packages (modularseven-1.0, driftme-1.0, catme-1.0) were uploaded by the author “sastra” to deploy coin mining on Linux.
  • Attack uses a staged payload delivered from remote URLs, with the initial stage decoding a string that triggers a download via curl.
  • The first stage is in processor.py; decoding the string leads to fetching content from a URL and piping it to Bash for execution.
  • The second stage is the unmi.sh script, which downloads config.json and the CoinMiner executable from remote addresses and configures mining settings.
  • The CoinMiner is run in the background with nohup and commands are appended to ~/.bashrc to ensure persistence across new shell sessions.
  • Compared to culturestreak, the trio introduces an extra stage and remote-hosted components to reduce PyPI code exposure and improve stealth.

MITRE Techniques

  • [T1105] Ingress Tool Transfer – The payload is downloaded from a remote URL via curl and piped into Bash for execution. [ “fetches the content from the specified URL using curl.” ]
  • [T1059.004] Unix Shell – The downloaded content is executed by the Bash shell as part of the payload execution. [ “piped into the Bash shell, which executes the following script” ]
  • [T1547.001] Boot or Logon Autostart – Persistence is achieved by appending malicious commands to ~/.bashrc to reactivate on new Bash sessions. [ “appended to the ~/.bashrc file, ensuring the reactivation of this malicious activity whenever the user initiates a new Bash shell session.” ]

Indicators of Compromise

  • [File name] unmi.sh — The first-stage script used in the campaign. unmi.sh, modularseven-1.0/modularseven/processor.py, driftme-1.0/driftme/processor.py, and catme-1.0/catme/processor.py
  • [Hash] 070128a5b4e1aecb61b59f3f8ef2602e63cd1e5357f1314080a7c8a4960b0bee — associated with unmi.sh
  • [Hash] 4b439d8cabc5e4ad593a26065e6d374efdddf41c8d91744b077a69812df170d2 — associated with modularseven-1.0/processor.py
  • [URL] hxxps[:]//papiculo[.]net/unmi[.]sh — remote script hosting
  • [URL] hxxps[:]//gitlab[.]com/ajo9082734/Mine/-/raw/main/X — remote CoinMiner executable
  • [Domain] papiculo.net — domain hosting configuration/initial payload
  • [Domain] gitlab.com — hosting for the CoinMiner binary in a public repository

Read more: https://www.fortinet.com/blog/threat-research/malicious-pypi-packages-deploy-coinminer-on-linux-devices

SHARE THIS STORY

WhatsAppX (Twitter)TelegramBlueskyFacebookLinkedInThreadsEmailPrint