Fake Temu Coin airdrop uses ClickFix trick to install stealthy malware

This campaign uses a polished fake “$TEMU” airdrop webpage that, following the familiar ClickFix social-engineering pattern, tricks victims into opening a prompt and pasting a malicious command. The returned payload embeds a unique machine identifier and deploys a windowless Python backdoor (pythonw.exe) that checks in with its operators, streams Python code to execute in memory, and avoids leaving a stable file signature, hindering traditional file-hash detection. #ClickFix #TEMU

Keypoints

  • Attackers host a convincing fake “$TEMU Airdrop” site with a fake “I’m not a robot” checkbox and a video demonstrating Win+R, Ctrl+V, and Enter to coax victims into running a malicious command.
  • The initial interaction mirrors ClickFix techniques: social engineering to get users to execute a command themselves rather than relying on drive-by exploits.
  • The loader profiles the host and the command server returns a payload already containing a unique machine identifier (e.g., $machine_id) so each victim receives a slightly different payload.
  • The backdoor is delivered as a bundled, windowless Python runtime (pythonw.exe) that requires no admin rights and can blend with legitimate Python usage.
  • Rather than persisting scripts to disk, the backdoor retrieves Python code from the server and executes it directly in memory, enabling per-victim behavior and evading file-hash-based detection.
  • Observed attacker capabilities (or likely uses) include stealing browser credentials and cookies, keylogging, taking screenshots, lateral movement, and notifying operators via Telegram; detection guidance points to a Python3133 folder, a temp_settings marker in %TEMP%, and pythonw.exe running from the suspected runtime path.

MITRE Techniques

  • [T1204] User Execution – The campaign coerces victims into running a command by instructing them to “open a command prompt window using Win+R, then pressing Ctrl+V to paste whatever is waiting on their clipboard and hitting Enter.”
  • [T1059.001] Command and Scripting Interpreter: PowerShell – The attack uses a “decoded PowerShell stage” that contains variables such as “$machine_id” embedded in the script delivered to the infected system.
  • [T1105] Ingress Tool Transfer – The payload and subsequent Python runtime are delivered from the command server, described as “the payload returned by the server” and a “bundled Python runtime” deployed to the host.
  • [T1218.010] Signed Binary Proxy Execution: Python – The backdoor runs as “pythonw.exe” (a windowless Python executable), allowing execution without a console and blending with legitimate Python processes.
  • [T1620] Reflective Code Loading – The backdoor “retrieves a new piece of Python code and executes it directly in memory rather than storing it as a persistent script on disk.”
  • [T1071.001] Application Layer Protocol: Web Protocols – The backdoor “checks in with its operators and runs instructions streamed from the internet” using web-based C2 communications.
  • [T1027] Obfuscated Files or Information – The campaign uses encoded/decoded stages and dynamic payloads, evidenced by references to a “decoded PowerShell stage” and server-generated payloads embedding unique identifiers.
  • [T1539] Steal Web Session Cookie – Attackers using similar backdoors have been observed “stealing browser credentials and session cookies.”
  • [T1056.001] Input Capture: Keylogging – Similar campaign activity includes “recording keystrokes” from infected hosts.
  • [T1113] Screen Capture – Attackers have been observed “taking screenshots” as part of post-compromise activity.
  • [T1102.001] Web Service: Telegram – The campaign included “infrastructure to notify the attackers via Telegram the moment a new victim checked in.”

Indicators of Compromise

  • [Domain] lure site hosting the fake airdrop – temucoin[.]lat
  • [File path] bundled Python runtime location – %LOCALAPPDATA%\Programs\Python\Python3133 (malware Python runtime)
  • [File name] tracking marker left behind in temporary folder – temp_settings (found in %TEMP%)
  • [Process] windowless Python process used by the backdoor – pythonw.exe running from an AppData or Program Files\Python3133 location
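The detection guidance in the keypoints and the indicators above translate directly into a host triage check. The following PowerShell script is an added example, not code from the Malwarebytes write-up: it looks for the Python3133 runtime folder, the temp_settings marker in %TEMP%, and any pythonw.exe whose image path points at that runtime. The folder, file and process names come from the page; the RunMRU registry lookup is a general Win+R forensic artifact added here because the lure relies on the Run dialog, and the keyword list used to filter it is an assumption.

```powershell
# Added host triage check for the fake $TEMU / ClickFix artifacts described above.
# Not the vendor's code; artifact names (Python3133, temp_settings, pythonw.exe)
# are from the write-up, the RunMRU keyword filter is an assumption.

$findings = @()

# 1. Bundled Python runtime folder: %LOCALAPPDATA%\Programs\Python\Python3133
#    or the Program Files\Python3133 variant the IoC list mentions.
$runtimeDirs = @(
    (Join-Path $env:LOCALAPPDATA 'Programs\Python\Python3133'),
    (Join-Path $env:ProgramFiles 'Python3133')
)
foreach ($dir in $runtimeDirs) {
    if (Test-Path -LiteralPath $dir -PathType Container) {
        $findings += [pscustomobject]@{ Type = 'RuntimeFolder'; Value = $dir }
    }
}

# 2. temp_settings tracking marker in %TEMP%.
$marker = Join-Path $env:TEMP 'temp_settings'
if (Test-Path -LiteralPath $marker) {
    $findings += [pscustomobject]@{ Type = 'Marker'; Value = $marker }
}

# 3. pythonw.exe running from the suspected runtime path. A per-user CPython
#    install also lives under %LOCALAPPDATA%\Programs\Python, so only the
#    Python3133 directory name is treated as a hit; other AppData paths are
#    listed for manual review rather than flagged.
$procs = Get-CimInstance -ClassName Win32_Process -Filter "Name = 'pythonw.exe'"
foreach ($p in $procs) {
    $path = $p.ExecutablePath
    if (-not $path) { continue }
    if ($path -match 'Python3133') {
        $findings += [pscustomobject]@{
            Type  = 'Process'
            Value = "PID $($p.ProcessId) $path  cmd: $($p.CommandLine)"
        }
    } elseif ($path -match '\\AppData\\') {
        $findings += [pscustomobject]@{
            Type  = 'Review'
            Value = "PID $($p.ProcessId) pythonw.exe under AppData: $path"
        }
    }
}

# 4. Win+R history. ClickFix lures depend on the victim pasting into the Run
#    dialog, which Explorer records under RunMRU. Entries referencing an
#    interpreter are worth a look (keyword list is an assumption).
$runMru = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
if (Test-Path $runMru) {
    $entries = Get-ItemProperty -Path $runMru
    foreach ($prop in $entries.PSObject.Properties) {
        if ($prop.Name -eq 'MRUList' -or $prop.Name -like 'PS*') { continue }
        if ("$($prop.Value)" -match 'powershell|pythonw?|cmd|mshta|iex') {
            $findings += [pscustomobject]@{ Type = 'RunMRU'; Value = $prop.Value }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No fake-TEMU / ClickFix artifacts found on this host.'
} else {
    Write-Output 'Possible fake-TEMU / ClickFix backdoor artifacts:'
    $findings | Format-Table -AutoSize
}
```

Run it in the context of the user who may have interacted with the lure, since the runtime folder, the %TEMP% marker and RunMRU are all per-user; the process check needs no elevation because the backdoor runs without admin rights. A hit on the Python3133 folder or marker is strong evidence, while a Review or RunMRU entry only narrows where to look.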


Read more: https://www.malwarebytes.com/blog/threat-intel/2026/03/fake-temu-coin-airdrop-uses-clickfix-trick-to-install-stealthy-malware