Keypoints
- PYTA31 distributed WhiteSnake via malicious packages on PyPI between April and mid‑August.
- Malicious payload is hidden in setup.py (base64) and executes OS-specific code during installation.
- Linux payloads perform obfuscated system info collection, screenshot capture, and targeted file theft based on hard-coded XML rules.
- Collected data is compressed/encrypted, uploaded to transfer.sh, and the download URL is sent to a Telegram chat for retrieval.
- Windows payloads drop a randomly named executable, create scheduled tasks for persistence, download OpenSSH to establish port forwarding (serveo.net), and upload archives to remote HTTP servers.
- Multiple IPs, a Telegram bot API endpoint, and file hashes were observed as IOCs; Checkmarx customers have protection against these packages.
MITRE Techniques
- [T1195.001] Supply Chain Compromise – Distribution via malicious PyPI packages. (‘distributing malicious PyPI packages laced with “WhiteSnake Malware.”’)
- [T1059.006] Command and Scripting Interpreter: Python – setup.py contains base64-encoded Python that executes OS-specific actions on install. (‘The nefarious code is cunningly hidden within the setup.py file… It’s base64 encoded and designed to execute OS-specific code upon installation’)
- [T1082] System Information Discovery – Collects public IP, ISP, username, hostname, and OS to profile the victim. (‘collecting basic system details like the target’s public IP address, Internet Service Provider (ISP), username, computer name, and operating system’)
- [T1113] Screen Capture – Captures a screenshot of the victim’s desktop when possible. (‘the script also takes a screenshot of the current state of the target’s computer’)
- [T1005] Data from Local System – Targets browser data, application configurations, and cryptocurrency wallet files via hard-coded XML directives. (‘specify which files or directories to steal. This includes browser data, application configurations, and cryptocurrency wallet files’)
- [T1560.001] Archive Collected Data – Compresses and encrypts stolen data before exfiltration. (‘The gathered data is compressed and encrypted before exfiltration’)
- [T1041 / T1071.001] Exfiltration Over C2 / Application Layer Protocol – Uploads archives to transfer.sh and notifies operators via the Telegram API with a unique URL. (‘The zip archive is then uploaded to an external server via transfer.sh… a Telegram message is sent… includes a unique URL to the uploaded data’)
- [T1053.005] Scheduled Task/Job – On Windows, creates scheduled tasks to execute the dropped executable at intervals. (‘It creates a scheduled task that runs the malicious executable at a fixed time interval’)
- [T1090] Proxy (Port Forwarding) – Downloads OpenSSH and uses serveo.net to forward local ports for remote access. (‘downloads an official copy of OPENSSH for port forwarding the compromised host’s local port 80 using “serveo.net”’)
Indicators of Compromise
- [IP Address] C2 / exfil servers – 81[.]24[.]11[.]40, 195[.]201[.]135[.]141, and 5 more IPs observed.
- [URL / API] Telegram notification endpoint used by operator – hxxps[:]//api.telegram[.]org/bot6414966437:AAHtThsoeAj36fZY4941ZVfnzRpMQXVXz_Y
- [File Hash] Malware/sample hashes – e0ab9cb803607ae567be2c05100b818c90f21161918ea5a55b999f88d0b99e94, 46dfc336088c6f5f725c0909ed32dbb8a5fcb70b045fea43d3c5e685322d492f, and 1 more hash.
- [File Name] Example Windows executable dropped in temp – e8d74164335ac04bb4abef4671e98ef.exe
- [Package Names] Malicious PyPI packages used for distribution – testepassword-generate, cc-checkerx, and many others listed in the report.
The malicious workflow: attackers publish PyPI packages whose setup.py contains a base64-encoded Python payload that runs on installation and branches by OS. On Linux, the obfuscated script confirms the platform, gathers system metadata (public IP, ISP, username, hostname, OS), performs anti-analysis checks (exits for certain ISPs), optionally captures a screenshot, and reads hard-coded XML directives to locate browser profiles, application configs, and cryptocurrency wallet files for theft.
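As an added defender-side example (not code from the report or from Checkmarx), the following static triage script does what a reviewer would otherwise do by hand on a package of this kind: it walks setup.py with Python's ast module, base64-decodes any long string literal, and flags decoded text that contains install-time execution, OS branching, or the exfiltration infrastructure named above. The sample setup.py, the marker list and the function names are constructed for illustration.

```python
import ast
import base64
import binascii
import re

# Markers that, in a decoded base64 literal, point at install-time execution,
# OS branching, or the exfiltration infrastructure named in the report.
MARKERS = ("exec(", "platform.system", "os.name", "transfer.sh",
           "api.telegram.org", "serveo.net", ".wsr")
B64_RE = re.compile(r"^[A-Za-z0-9+/=]{40,}$")  # long, pure base64 alphabet


def decode_b64_literal(text):
    """Decode a long base64-looking string to UTF-8 text; None if it is not one."""
    if not B64_RE.match(text):
        return None
    try:
        return base64.b64decode(text).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def scan_setup_py(source):
    """One finding per base64 string literal whose decoded text hits a marker."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            decoded = decode_b64_literal(node.value)
            if decoded:
                hits = [m for m in MARKERS if m in decoded]
                if hits:
                    findings.append({"line": node.lineno, "markers": hits})
    return findings


# Constructed sample (not the real package): a setup.py that hides an
# OS-branching payload in a base64 literal and exec()s it at install time.
HIDDEN_PAYLOAD = ("import platform, os\n"
                  "if platform.system() == 'Linux':\n"
                  "    os.system('echo linux')\n"
                  "else:\n"
                  "    os.system('echo windows')\n")
BLOB = base64.b64encode(HIDDEN_PAYLOAD.encode()).decode()
SAMPLE_SETUP_PY = ("from setuptools import setup\nimport base64\n"
                   f"BLOB = '{BLOB}'\n"
                   "exec(base64.b64decode(BLOB))\n"
                   "setup(name='example-package', version='0.1')\n")

if __name__ == "__main__":
    print(scan_setup_py(SAMPLE_SETUP_PY))  # [{'line': 3, 'markers': ['platform.system']}]
```

Run it against the setup.py of a package before installing it; a hit is a reason to read the decoded text, not proof of malice on its own.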
Collected artifacts are compressed, encrypted, and named using a {username}@{hostname}.wsr pattern; the archive is uploaded to transfer.sh and the resulting download link is sent to a Telegram chat via the operator’s bot API. On Windows, the package creates a random temp directory, drops a long-named executable, registers a scheduled task for persistence, downloads a legitimate OpenSSH binary to establish remote port forwarding through serveo.net, and uploads archives directly to HTTP endpoints (http://{ip}:{port}/{archive_name}.wsr) for retrieval.
Operators use multiple C2 IPs and Telegram notifications to coordinate exfiltration; the combination of obfuscation in setup.py, OS-targeted routines, use of file-sharing services, and SSH-based forwarding enables stealthy data theft of browsing data and crypto wallets from compromised hosts.