Keypoints
- FortiGuard Labs identified packages (e.g., nigpal, figflix, telerer, sGMM, myGens, NewGends, TestLibs111) uploaded by an author using the alias “WS”.
- Malicious code is embedded in setup.py as base64-encoded PE files or Python scripts; it is decoded, written to disk and executed at install time. Because pip runs setup.py when it builds an sdist, installation alone triggers the payload, with no import of the package required.
- Windows-targeted payloads include PyInstaller-compiled Python executables and encrypted .NET binaries that perform persistence and defense evasion.
- Persistence techniques observed: copying to startup folders, installing to %LOCALAPPDATA% application paths, and creating scheduled tasks that run hourly.
- Defense evasion includes spawning a hidden cmd.exe window that runs PowerShell to add the malware's own path to the Windows Defender exclusion list.
- Data-stealing behaviors include clipboard hijacking (cryptocurrency address replacement), key/mouse capture, browser and wallet harvesting, packaging stolen data into encrypted .zip archives, and exfiltration via socket.io to multiple malicious IPs (notably 194[.]36[.]177[.]30).
MITRE Techniques
- [T1105] Ingress Tool Transfer – The packages drop and execute payloads during installation (‘incorporate base64-encoded source code of PE or other Python scripts within their setup.py… the final malicious payload is dropped and executed when these Python packages are installed.’). Note that the payload is carried inside the package rather than fetched from a remote host, so T1195.002 (Supply Chain Compromise: Compromise Software Supply Chain) is the closer fit for the delivery step.
- [T1547.001] Boot or Logon Autostart Execution: Startup Folder – Copies itself to the Windows startup folder for autorun (‘copying itself to the Windows startup folder for autorun on startup’).
- [T1053.005] Scheduled Task/Job – Creates a scheduled task to run hourly for persistence (‘creates a scheduled task to run itself every hour once the device is infected’).
- [T1562.001] Impair Defenses: Disable or Modify Tools – Modifies Windows Defender exclusions via PowerShell to bypass detection (‘uses “powershell.exe” … to add itself to the Windows Defender’s exclusion list to bypass the built-in security response’).
- [T1115] Clipboard Data – Reads and overwrites clipboard contents to replace cryptocurrency addresses (‘the script retrieves the clipboard contents and compares them against predefined cryptocurrency address patterns… overwrite the clipboard with corresponding addresses’).
- [T1056.001] Input Capture: Keylogging – Captures mouse and keyboard interactions for data theft (‘the payload not only captures mouse and keyboard interactions but also acquires and transmits wallet and browser data’).
- [T1560] Archive Collected Data – Packages stolen artifacts into an encrypted .zip prior to exfiltration (‘this to be a .zip file shrouded in multiple layers of encryption’).
- [T1071.001] Application Layer Protocol: Web Protocols – Uses socket.io (WebSocket over HTTP, with HTTP long-polling fallback) to maintain C2 connectivity to malicious IPs (‘it establishes a connection to the malicious IP: 194[.]36[.]177[.]30. It uses “socket.io” to connect the server to the client.’)
- [T1041] Exfiltration Over C2 Channel – Exfiltrates harvested data to remote server(s) (‘The author then exfiltrates this sensitive information to the server.’)
Indicators of Compromise
- [File Hash] setup.py and payload hashes – nigpal-0.1 setup.py: c53d1387864ea3034bc4e19af492b3e67147d3fdc1d8b9752e24600d6919e3af, TestLibs111 payload: 2b617277fc551b7500867ee009a0f80cbe6d5ee729bdfbf9b4f9d52164811082, and 30+ other hashes listed in the report.
- [IP Address] C2 / exfil endpoints – 194[.]36[.]177[.]30, 95[.]140[.]147[.]126[:]8080, and many other IPs/ports used for socket.io connectivity and data upload.
- [Package / File Names] Malicious PyPI packages – nigpal, figflix, telerer, sGMM, myGens, NewGends, TestLibs111 (used as installers that drop payloads).
- [File Path / Registry Key] Persistence paths and scheduled-task registry keys – %LOCALAPPDATA%\Packages\Microsoft.Windows.Accounts.Control\RCP_ruzxpnew4af, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{070B9798-7C59-4A69-BB25-F353628999B0} (examples showing copy locations and scheduled task registration).
FortiGuard Labs’ technical analysis shows these PyPI packages embed base64-encoded payloads inside setup.py that are decoded and written to disk during installation; depending on the target OS the installer drops either a PyInstaller-built Python PE, an encrypted .NET executable, or standalone Python scripts. The installers include logic to place files in persistent locations (the startup folder and %LOCALAPPDATA% application paths), copy themselves to non-removable drives, and create scheduled tasks that run hourly to re-establish execution; they also count running instances of themselves and exit if another is already running, which avoids duplicate beacons and keeps the process footprint small. Because the code runs from setup.py, a review that only inspects the package's importable modules, or only its wheel, will miss it.
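The embedding pattern above (a long base64 string literal in setup.py, decoded and written to disk by install-time code) can be caught statically. The scanner below is an added example written for this summary; it is not FortiGuard's tooling and not code from the packages, and the setup.py it scans is constructed for the demo. It parses the file with `ast`, base64-decodes every long string literal, classifies the result by its leading bytes (MZ for PE, PK for ZIP, Python-source keywords), and flags calls such as `b64decode` and `os.system` that have no business in a benign setup.py.

```python
"""Static scan of a setup.py for embedded base64 payloads.

Added example for this summary; not FortiGuard's code and not the packages' own code.
SAMPLE_SETUP_PY below is constructed for the demo (a fake PE header, not real malware).
"""
import ast
import base64
import binascii
import re
from dataclasses import dataclass
from typing import List, Optional

PE_MAGIC = b"MZ"
ZIP_MAGIC = b"PK\x03\x04"
PY_HINTS = (b"import ", b"exec(", b"subprocess", b"os.system")
# Calls a benign setup.py almost never needs; each is a review trigger on its own.
SUSPICIOUS_CALLS = {"b64decode", "exec", "eval", "system", "Popen", "run"}
MIN_B64_CHARS = 64  # shorter literals are version strings, URLs, classifiers


@dataclass
class Finding:
    lineno: int
    kind: str
    detail: str


def _try_b64(literal: str) -> Optional[bytes]:
    """Decode a literal if it looks like a base64 blob, else None."""
    compact = re.sub(r"\s+", "", literal)
    if len(compact) < MIN_B64_CHARS or not re.fullmatch(r"[A-Za-z0-9+/=]+", compact):
        return None
    try:
        return base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None


def _classify(blob: bytes) -> Optional[str]:
    """Label decoded bytes by file-type magic; None when nothing interesting."""
    if blob.startswith(PE_MAGIC):
        return "embedded PE (MZ header)"
    if blob.startswith(ZIP_MAGIC):
        return "embedded ZIP archive"
    if any(hint in blob for hint in PY_HINTS):
        return "embedded Python source"
    return None


def _call_name(node: ast.Call) -> str:
    func = node.func
    if isinstance(func, ast.Attribute):
        return func.attr
    if isinstance(func, ast.Name):
        return func.id
    return ""


def scan_setup_py(source: str) -> List[Finding]:
    """Return findings sorted by line: decoded payload blobs and suspicious calls."""
    findings: List[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            blob = _try_b64(node.value)
            if blob is not None:
                kind = _classify(blob)
                if kind:
                    findings.append(Finding(node.lineno, kind, f"{len(blob)} bytes decoded"))
        elif isinstance(node, ast.Call):
            name = _call_name(node)
            if name in SUSPICIOUS_CALLS:
                findings.append(Finding(node.lineno, "suspicious call", name))
    return sorted(findings, key=lambda f: f.lineno)


# Constructed sample: a setup.py that mimics the drop-and-execute pattern with a fake PE.
SAMPLE_PAYLOAD = base64.b64encode(b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00").decode()
SAMPLE_SETUP_PY = f'''
from setuptools import setup
import base64, os

_blob = "{SAMPLE_PAYLOAD}"
_path = os.path.join(os.environ.get("LOCALAPPDATA", "."), "svc.exe")
with open(_path, "wb") as f:
    f.write(base64.b64decode(_blob))
os.system(_path)
setup(name="demo-pkg", version="0.1")
'''

if __name__ == "__main__":
    for finding in scan_setup_py(SAMPLE_SETUP_PY):
        print(f"line {finding.lineno}: {finding.kind} ({finding.detail})")
```

Run it against the extracted sdist (`pip download --no-binary :all: <pkg>` then scan the unpacked `setup.py`) before installing anything from an unfamiliar author; the blob check also catches payloads split across several concatenated literals only if they are joined first, so treat any `+` chain of long strings as a finding in its own right.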
Windows-focused payloads perform defense evasion (invoking cmd.exe and PowerShell to add Defender exclusion rules), then establish a persistent C2 connection using socket.io to a set of malicious IPs (notably 194[.]36[.]177[.]30). The malware collects system and user artifacts — including host credentials, browser and wallet data, mouse/keyboard activity, and clipboard contents — replaces cryptocurrency clipboard addresses with attacker-controlled addresses, archives the results into encrypted .zip containers, and exfiltrates them over the established application-layer channels.
Payload-specific notes: sGMM’s PE (PyInstaller) contains a main.pyc and an addresses.py used for clipboard replacement; myGens/NewGends deploy an encrypted .NET loader that spawns a hidden cmd.exe and leverages PowerShell to modify Defender exclusions and register scheduled tasks; TestLibs111 produces multi-layer-encrypted zip archives whose decrypted header (the PK magic) confirms a ZIP container before exfiltration. Analysts should hunt for the listed package names and hashes, the persistence artifacts (startup-folder copies, the %LOCALAPPDATA% paths, hourly scheduled tasks and their TaskCache registry entries), Defender exclusion changes made from PowerShell, and socket.io connections to the IOCs above; the network indicators are defanged and must be restored before loading them into a blocklist.
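The host-side behaviours described in the two paragraphs above (PowerShell adding a Defender exclusion, an hourly scheduled task, a copy into the startup folder) all surface in process-creation telemetry. The detector below is an added example written for this summary, not FortiGuard's code; it runs three rules over constructed Sysmon-style process events (JSON lines with Image, ParentImage and CommandLine fields, which are assumed field names) and returns one alert per matching line, carrying the parent image so the hidden cmd.exe → powershell.exe lineage is visible in the result.

```python
"""Hunt rules for the persistence and defense-evasion steps over process-creation events.

Added example for this summary; not FortiGuard's code. The events below are constructed
for the demo and use assumed field names (Image, ParentImage, CommandLine).
"""
import json
import re
from typing import Callable, Dict, Iterable, List

Event = Dict[str, str]


def _img(ev: Event) -> str:
    return ev.get("Image", "").lower()


def _cl(ev: Event) -> str:
    return ev.get("CommandLine", "").lower()


def rule_defender_exclusion(ev: Event) -> bool:
    # Add-MpPreference is the cmdlet that writes Defender exclusions; -ExclusionPath,
    # -ExclusionProcess and -ExclusionExtension are the parameters that matter.
    return _img(ev).endswith("powershell.exe") and bool(
        re.search(r"add-mppreference\b.*-exclusion(path|process|extension)", _cl(ev)))


def rule_hourly_task(ev: Event) -> bool:
    # schtasks /create with an hourly schedule, either /sc hourly or /sc minute /mo 60.
    return _img(ev).endswith("schtasks.exe") and "/create" in _cl(ev) and bool(
        re.search(r"/sc\s+hourly\b|/sc\s+minute\s+/mo\s+60\b", _cl(ev)))


def rule_startup_folder_drop(ev: Event) -> bool:
    # Any command line that names the per-user startup folder, by path or shell: alias.
    return bool(re.search(r"\\start menu\\programs\\startup\\|shell:startup", _cl(ev)))


RULES: List[tuple] = [
    ("defender_exclusion", rule_defender_exclusion),
    ("hourly_task", rule_hourly_task),
    ("startup_folder_drop", rule_startup_folder_drop),
]


def detect(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return one alert per (line, rule) match, in input order."""
    alerts: List[Dict[str, object]] = []
    for idx, raw in enumerate(lines):
        raw = raw.strip()
        if not raw:
            continue
        ev: Event = json.loads(raw)
        for name, pred in RULES:
            if pred(ev):
                alerts.append({"line": idx, "rule": name, "image": ev.get("Image", ""),
                               "parent": ev.get("ParentImage", "")})
    return alerts


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
STARTUP = r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

# Constructed sample telemetry: one benign PowerShell, three malicious steps, one benign task.
SAMPLE_EVENTS = [
    {"Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe Get-MpPreference"},
    {"Image": PS, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell.exe -Command Add-MpPreference -ExclusionPath "
                    r"'C:\Users\u\AppData\Local\Packages\demo'"},
    {"Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": PS,
     "CommandLine": r'schtasks.exe /create /tn "Updater" /tr "C:\Users\u\AppData\Local\Packages\demo\svc.exe" /sc hourly /f'},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Users\u\AppData\Local\Packages\demo\svc.exe",
     "CommandLine": rf'cmd.exe /c copy "C:\Users\u\AppData\Local\Packages\demo\svc.exe" "{STARTUP}\svc.exe"'},
    {"Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "schtasks.exe /create /tn Backup /tr backup.exe /sc daily"},
]
SAMPLE_LOG = "\n".join(json.dumps(ev) for ev in SAMPLE_EVENTS)

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

The rules are deliberately narrow so they can run as-is; in production, join the exclusion rule with the lineage (cmd.exe or python.exe as the parent of powershell.exe) and with the hourly task rule on the same host within a few minutes, since either alone has benign admin-script lookalikes.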