Sonatype researchers detected a malicious Python package named “pymafka” on PyPI that typosquats the popular library PyKafka and delivers a Cobalt Strike beacon across Windows, macOS, and Linux. The package downloads platform-specific payloads from external IPs and was quickly taken down after discovery. #pymafka #CobaltStrike #PyKafka #Windows #macOS #Linux #Vultr #Alibaba #Alisoft
Keypoints
- The PyPI package “pymafka” appears to typosquat the legitimate PyKafka project, indicating a supply-chain/typosquatting tactic.
- The setup.py script detects the target platform and downloads a platform-specific malicious trojan, which is described as a Cobalt Strike beacon.
- On Windows, the payload is dropped as C:\Users\Public\iexplorer.exe, a misnamed executable in an unusual location that deviates from how legitimate processes are installed.
- The payloads are downloaded from IPs associated with Vultr and Alibaba/Alisoft, showing use of external hosting and C2 infrastructure across OSes (Windows/macOS/Linux).
- Windows activity includes persistent beacon-like communication, including requests to /updates.rss with encrypted cookie values, consistent with Cobalt Strike beacons.
- VirusTotal detection was low at submission, and Sonatype reported the findings to PyPI leading to the package takedown before extensive propagation.
MITRE Techniques
- [T1195] Supply Chain Compromise – The malicious ‘pymafka’ typosquats a legitimate library to introduce a trojan. “The package appears to typosquat a legitimate popular library PyKafka…”
- [T1036] Masquerading – The package name ‘pymafka’ sounds identical to ‘PyKafka’, aiding masquerade. “The package, ‘pymafka’ may sound identical to the popular PyKafka”
- [T1059.006] Python – The setup script uses Python to detect the platform and fetch the matching payload. “The setup.py Python script inside ‘pymafka’ first detects your platform.”
- [T1105] Ingress Tool Transfer – The malware downloads platform-specific trojans after execution. “an appropriate malicious trojan is downloaded and executed.”
- [T1071.001] Web Protocols – The C2 communication runs over HTTP, polling /updates.rss. “GET /updates.rss HTTP/1.1”
- [T1041] Exfiltration Over C2 Channel – The malware sends encrypted cookie values in HTTP requests to C2. “Cookie: mZoD7LYrA/…”
Indicators of Compromise
- [File Hash] Windows drop: 137edba65b32868fbf557c07469888e7104d44911cd589190f53f6900d1f3dfb – Windows payload (win.exe)
- [File Hash] MacOS drop: b117f042fe9bac7c7d39eab98891c2465ef45612f5355beea8d3c4ebd0665b45 – MacOS payload
- [File Hash] PyPI package: 4de4f47b7f30ae31585636afd0d25416918d244fcc9dfe50967a47f68bb79ce1 – pymafka-3.0.tar.gz
- [IP] 141.164.58.147 – source of downloaded executables, hosted by Vultr
- [IP] 39.106.227.92 – China-based IP assigned to Alisoft (Alibaba) used for C2 communication
- [IP] 39.107.154.72 – Linux payload download host (Alibaba-owned)
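The two defender-side checks this report implies, as an added example (not Sonatype's code or part of the original post): flagging package names in a requirements file that sit one edit away from a well-known PyPI name (the way ‘pymafka’ sits next to ‘pykafka’), and matching the listed SHA-256 hashes and IP addresses against local files and proxy logs. The KNOWN_PACKAGES list and the sample requirements and log lines are constructed for the example; the hashes and IPs are the ones from the IoC list above.

```python
"""Typosquat spotting and IoC matching for the pymafka incident (added example)."""
import hashlib
import re
from pathlib import Path

# Constructed short allow-list of legitimate popular names; a real deployment
# would use the top-N PyPI project names or an internal approved list.
KNOWN_PACKAGES = {"pykafka", "requests", "numpy", "urllib3"}

# SHA-256 hashes from the report's IoC list.
IOC_SHA256 = {
    "137edba65b32868fbf557c07469888e7104d44911cd589190f53f6900d1f3dfb": "pymafka Windows payload (win.exe)",
    "b117f042fe9bac7c7d39eab98891c2465ef45612f5355beea8d3c4ebd0665b45": "pymafka macOS payload",
    "4de4f47b7f30ae31585636afd0d25416918d244fcc9dfe50967a47f68bb79ce1": "pymafka-3.0.tar.gz",
}

# IP addresses from the report's IoC list.
IOC_IPS = {"141.164.58.147", "39.106.227.92", "39.107.154.72"}


def normalize(name):
    """PEP 503 name normalization: case-fold and collapse runs of -, _ and . to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_requirements(text):
    """Extract bare project names from requirements.txt lines (drops comments, specifiers, extras)."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # skip blanks and options such as -r / -e
            continue
        match = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if match:
            names.append(match.group(0))
    return names


def typosquat_candidates(requirement_names, known=KNOWN_PACKAGES, max_distance=1):
    """Return (requested, lookalike, distance) for names close to, but not equal to, a known package."""
    hits = []
    for requested in requirement_names:
        norm = normalize(requested)
        if norm in known:
            continue
        for legit in sorted(known):
            distance = levenshtein(norm, legit)
            if distance <= max_distance:
                hits.append((requested, legit, distance))
    return hits


def sha256_of_bytes(data):
    return hashlib.sha256(data).hexdigest()


def scan_dir_for_iocs(root):
    """Hash every file under root and return (path, label) for any that match the IoC hashes."""
    matches = []
    for path in Path(root).rglob("*"):
        if path.is_file():
            digest = sha256_of_bytes(path.read_bytes())
            if digest in IOC_SHA256:
                matches.append((str(path), IOC_SHA256[digest]))
    return matches


def ioc_ips_in_log(log_text):
    """Return the sorted set of IoC IPs that appear anywhere in the given log text."""
    found = set()
    for ip in re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", log_text):
        if ip in IOC_IPS:
            found.add(ip)
    return sorted(found)


# Constructed sample inputs for a stand-alone run.
SAMPLE_REQUIREMENTS = "pymafka==3.0\n# pinned for the build\nrequests>=2.0\nnumpy[extra]\n"
SAMPLE_PROXY_LOG = (
    "2022-05-20T10:01:02Z GET http://141.164.58.147/win.exe\n"
    "2022-05-20T10:01:09Z GET http://39.106.227.92/updates.rss\n"
    "2022-05-20T10:02:00Z GET http://203.0.113.5/index.html\n"
)

if __name__ == "__main__":
    print(typosquat_candidates(parse_requirements(SAMPLE_REQUIREMENTS)))
    print(ioc_ips_in_log(SAMPLE_PROXY_LOG))
    print(scan_dir_for_iocs("."))
```

Run against the sample requirements it reports ‘pymafka’ as one edit away from ‘pykafka’; against the sample proxy log it reports the two report IPs and ignores the unrelated address. A distance threshold of 1 keeps false positives low on short names; raise it only for long names and pair it with an approved-package list in CI so an install of a lookalike fails before setup.py ever runs.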
Read more: https://blog.sonatype.com/new-pymafka-malicious-package-drops-cobalt-strike-on-macos-windows-linux