GuidePoint Security warns of Python backdoor used in ransomware
January 20, 2025 – Published on SecurityBrief
GuidePoint Security has identified an instance of a threat actor utilising a Python-based backdoor to maintain access to compromised endpoints and deploy RansomHub encryptors across affected networks.
During an incident response in the fourth quarter of 2024, GuidePoint Security found evidence of a threat actor using a Python-based backdoor for persistent access. This was followed by the deployment of RansomHub encryptors on the compromised network. Andrew Nelson, Principal Digital Forensics and Incident Response Consultant at GuidePoint Security, stated that the threat actor used the backdoor to establish a foothold and spread the encryptors.
ReliaQuest first documented an earlier version of this backdoor in February 2024, but GuidePoint noted specific updates in the newer version. Notably, these include obfuscation with PyObfuscate, deployment via Remote Desktop Protocol lateral movement, and new indicators of compromise such as specific filenames, scheduled task names, and command-and-control addresses.
GuidePoint has identified 18 IP addresses that form part of the Python backdoor’s command-and-control infrastructure. These will be shared with DrB_RA on GitHub under “Ransomhub Python C2” within the C2IntelFeeds project.
The initial access was linked to SocGholish (FakeUpdate), which is similar to previous findings by ReliaQuest. The Python backdoor was deployed approximately 20 minutes following the initial infection, and later installations occurred during lateral movements via Remote Desktop Protocol sessions. The threat actor followed a systematic process to entrench the Python installation across all compromised systems, including downloading and setting up Python libraries and creating persistent scripts.
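As an added example (not from GuidePoint's report, and using constructed placeholder events and TEST-NET feed addresses rather than the published indicators), a small hunt that flags hosts showing two of the behaviours described above: a scheduled task launching a Python interpreter from a user-writable path, and a process reaching an address on a C2 feed.

```python
"""Hunt constructed Sysmon-style events for the Python-backdoor persistence pattern.
All hosts, task names, paths and feed addresses below are constructed placeholders."""
from collections import defaultdict

# Placeholder feed (RFC 5737 TEST-NET addresses) standing in for the published C2 list.
C2_FEED = {"203.0.113.10", "198.51.100.77"}

PYTHON_EXES = {"python.exe", "pythonw.exe"}
# Directories an unprivileged user can write to; a legitimate Python install rarely lives here.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# Constructed events: scheduled task registrations (image + script) and network connections.
EVENTS = [
    {"host": "WS01", "type": "task_created", "task": "SystemHealthCheck",
     "image": r"C:\Users\Public\py\pythonw.exe", "script": r"C:\Users\Public\py\svc.py"},
    {"host": "WS01", "type": "net_conn", "image": r"C:\Users\Public\py\pythonw.exe", "dst": "203.0.113.10"},
    {"host": "WS02", "type": "task_created", "task": "NightlyBackup",
     "image": r"C:\Program Files\Python312\python.exe", "script": r"C:\Scripts\backup.py"},
    {"host": "WS02", "type": "net_conn", "image": r"C:\Program Files\Python312\python.exe", "dst": "10.0.0.5"},
    {"host": "WS03", "type": "net_conn", "image": r"C:\Windows\System32\svchost.exe", "dst": "198.51.100.77"},
]

def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]

def _user_writable(path: str) -> bool:
    return path.lower().startswith(USER_WRITABLE)

def hunt(events, feed):
    """Return {host: {"reasons": [...], "severity": ...}} for every host with a finding.
    Two independent findings on one host (persistence plus C2 contact) are rated high."""
    reasons = defaultdict(list)
    for e in events:
        image = e["image"]
        if e["type"] == "task_created" and _basename(image) in PYTHON_EXES:
            if _user_writable(image) or _user_writable(e.get("script", "")):
                reasons[e["host"]].append(f"task '{e['task']}' runs Python from a user-writable path")
        elif e["type"] == "net_conn" and e["dst"] in feed:
            who = "Python process" if _basename(image) in PYTHON_EXES else _basename(image)
            reasons[e["host"]].append(f"{who} connected to feed address {e['dst']}")
    return {h: {"reasons": r, "severity": "high" if len(r) > 1 else "medium"}
            for h, r in reasons.items()}

if __name__ == "__main__":
    for host, hit in hunt(EVENTS, C2_FEED).items():
        print(host, hit["severity"], *hit["reasons"], sep="\n  ")
```

WS02 runs a system-wide Python install from a scheduled task and talks only to an internal address, so it produces no finding; real telemetry would add the RDP logon that preceded each installation as a third signal.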