Keypoints
- Attacker uploaded dozens of malicious Python packages over ~six months, imitating legitimate package names to trick developers.
- Malicious code was embedded in the packages’ setup.py so it executed on installation or referenced other malicious packages.
- Installer scripts identified the logged-in user, created a “System64” directory under Start Menu Programs if missing, and deployed VBS/batch files to download and run Runtime.exe.
- Runtime.exe is a Python-based payload containing a compiled s.pyc that collects extensive sensitive data from the host, browsers, and applications and specifically scans the Exodus wallet ‘Local State’ file.
- Stolen data was saved into files like alls.armageddon, toks.armageddon, etc., then exfiltrated to endpoints on 51.178.25.148 and to Discord webhooks; artifacts were deleted afterwards.
- Some packages used steganography to hide executable code in a PNG (saved as “uwu.png”), which was decoded and executed via exec(); notable malicious packages include “pystob” and “pywool”.
MITRE Techniques
- [T1195] Compromise Software Supply Chain – Attacker uploaded tainted packages to the public repository to target developers (‘…stealthily uploading dozens of malicious Python packages… mimicking the names of legitimate ones’).
- [T1059.006] Command and Scripting Interpreter: Python – Malicious Python code in setup.py executed during installation (‘…the setup.py file within these packages was used to carry the harmful payload, which allowed the malicious code to be executed upon installation’).
- [T1027] Obfuscated Files or Information – Attackers used multiple layers of obfuscation across packages to conceal behavior (‘…code was obfuscated under two layers’).
- [T1027.005] Steganography – Payload was hidden inside a PNG image and later decoded and executed (‘…hide executable code within a PNG image … saved as “uwu.png”’).
- [T1547.001] Boot or Logon Autostart Execution: Startup Folder – Persistence achieved by placing VBS files and executables into the Windows Startup folder (‘…placing a VBS file in the Windows startup folder’ and ‘placing it in the system’s Startup folder’).
- [T1105] Ingress Tool Transfer – Secondary payloads (e.g., Runtime.exe) were downloaded from external endpoints and executed (‘…downloaded and executed a file named “Runtime.exe”’).
- [T1005] Data from Local System – The payload collected files from the host and targeted application data such as the Exodus wallet ‘Local State’ file (‘…scan for the “Local State” file of the Exodus cryptocurrency wallet’).
- [T1041] Exfiltration Over C2 Channel – Collected files were uploaded to remote HTTP endpoints on 51.178.25.148 and to Discord webhooks (‘…exfiltrated by being uploaded to the following endpoints: “hxxp[:]//51.178.25.148:8081/uploader” and “hxxp[:]//51.178.25.148:8081/upload”’).
- [T1070.004] Indicator Removal on Host: File Deletion – The scripts removed evidence and deleted harvested files after exfiltration (‘…scripts cleared their tracks by deleting the evidence of their presence’ and ‘all of these files were deleted from the host’).
Indicators of Compromise
- [IP/Domain endpoints] exfiltration & payload downloads – hxxp[:]//51.178.25.148:8081/upload, hxxp[:]//51.178.25.148:8081/uploader (and other /dl/* endpoints such as /dl/runtime, /dl/uwu)
- [Discord webhooks] data exfiltration destinations – hxxps[:]//canary.discord.com/api/webhooks/1153431050517762059/… , hxxps[:]//canary.discord.com/api/webhooks/1155235432406196334/… (and additional webhook URLs)
- [Malicious package names] PyPI artifacts – pystob, pywool (and many other similarly named packages listed in the article)
- [File/artifact names] payload & staging files – Runtime.exe, uwu.png (also files used for exfil: alls.armageddon, toks.armageddon, imp.armageddon, etc.)
- [Pastebin/raw URL] remote code host – hxxps[:]//pastebin.com/raw/TwHdexDC
A technical rewrite (procedural focus):
Over a period of roughly six months the actor published dozens of malicious Python packages designed to resemble legitimate projects. Each tainted package placed obfuscated Python code within setup.py so it executed at install time; in some cases packages simply referenced other malicious packages to chain into a secondary installer. The installer logic typically identified the current user, checked/created a “System64” directory under the user’s Start Menu Programs path, and dropped VBScript and batch stubs that downloaded a second-stage executable named “Runtime.exe”.
Runtime.exe was a Python-based payload containing a compiled module (s.pyc) that collected host and application data: browser stores, application files, and specific cryptocurrency wallet artifacts (it searched Exodus’ ‘Local State’ file). Harvested data was written into files named like alls.armageddon, toks.armageddon, imp.armageddon, and similar, then uploaded to HTTP endpoints on 51.178.25.148:8081 and to Discord webhooks. After successful exfiltration the deployment removed local evidence and deleted the collected files.
Variants used additional stealth: some packages downloaded a PNG (“uwu.png”) containing a steganographically embedded Python payload, decoded it and executed it via exec(); others were double-obfuscated (notably the packages named “pystob” and “pywool”) and used domains such as api-hw.com or the attacker-controlled 51.178.25.148 host to stage payloads. Key artifacts and IOCs include the Runtime.exe and uwu.png files, the .armageddon output files, the 51.178.25.148 endpoints, the pastebin raw payload, and several Discord webhook URLs used for exfiltration.
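A defender-side artifact hunt for the chain described above, written as an added example rather than code from the article or from the reported packages. It assumes the standard Roaming AppData layout (Start Menu\Programs\Startup and the actor’s System64 staging directory beside it) and runs against a constructed sample profile, so it works on a mounted image or on any OS.

```python
"""Hunt a user profile for host artifacts of the PyPI campaign above.

Assumption (not from the article): the profile uses the usual
%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs layout, and the scan
takes the Roaming AppData root as a parameter.
"""
import tempfile
from pathlib import Path
from typing import List, Tuple

# Indicators taken from the report: the staging directory, the VBS/batch
# stubs in Startup, the second stage, the stego image and exfil bundles.
STAGING_DIR = Path("Microsoft/Windows/Start Menu/Programs/System64")
STARTUP_DIR = Path("Microsoft/Windows/Start Menu/Programs/Startup")
STUB_SUFFIXES = {".vbs", ".bat", ".cmd"}
PAYLOAD_NAMES = {"runtime.exe", "uwu.png"}
EXFIL_SUFFIX = ".armageddon"


def hunt(appdata: Path) -> List[Tuple[str, str]]:
    """Return (indicator, path) pairs found below a Roaming AppData root."""
    findings = []
    staging = appdata / STAGING_DIR
    if staging.is_dir():
        findings.append(("system64_staging_dir", str(staging)))
    startup = appdata / STARTUP_DIR
    if startup.is_dir():
        for p in startup.iterdir():
            if p.is_file() and p.suffix.lower() in STUB_SUFFIXES:
                findings.append(("startup_script_stub", str(p)))
    for p in appdata.rglob("*"):
        if not p.is_file():
            continue
        if p.name.lower() in PAYLOAD_NAMES:
            findings.append(("known_payload_name", str(p)))
        elif p.suffix.lower() == EXFIL_SUFFIX:
            findings.append(("armageddon_exfil_bundle", str(p)))
    return findings


def build_sample_profile() -> Path:
    """Constructed test tree mimicking an infected profile (no real data)."""
    root = Path(tempfile.mkdtemp())
    (root / STAGING_DIR).mkdir(parents=True)
    (root / STAGING_DIR / "Runtime.exe").write_bytes(b"MZ-placeholder")
    (root / STAGING_DIR / "alls.armageddon").write_text("constructed")
    (root / STARTUP_DIR).mkdir(parents=True)
    (root / STARTUP_DIR / "run.vbs").write_text("' constructed stub")
    return root


if __name__ == "__main__":
    for indicator, path in hunt(build_sample_profile()):
        print(f"{indicator:24} {path}")
```

A clean profile yields an empty list; on a live host, treat a hit on the staging directory or a Startup stub as the strongest signal, since the .armageddon bundles are deleted after exfiltration.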