Cyber Threat: The Stealthy Python Backdoor VIPERTUNNEL
Recent reports indicate that hackers have been exploiting a sophisticated Python backdoor known as VIPERTUNNEL. This malicious software cleverly disguises itself behind a fake Dynamic Link Library (DLL) file, employing a multi-stage obfuscated loader that allows it to route traffic undetected from compromised networks.
Persistence Mechanisms Under Review
An essential component in the analysis of VIPERTUNNEL is a module named sitecustomize.py located in C:\ProgramData\cp49s\Lib\. This module is noteworthy because the Python interpreter imports it automatically at startup, so the code it contains runs without appearing in any command line. Using the ctypes library, the script calls the Python C API function Py_GetArgcArgv to determine whether Python was started with only a single argument: the executable itself.
During an incident linked to the notorious DragonForce ransomware group, cybersecurity analysts identified a suspicious scheduled task designated as 523135538. This task executes C:\ProgramData\cp49s\pythonw.exe without any arguments, a behavior not typical for standard Python operations on Windows systems. It was later determined that this execution path led to a file named b5yogiiy3c.dll, which was executed as a Python script via runpy.run_path despite its designation as a Windows library.
The Obfuscation Tactics
The b5yogiiy3c.dll file is not what it appears to be; it is a heavily obfuscated Python loader masquerading as a genuine DLL. The loader imports embedded modules from its own directory and uses a mix of cryptographic and encoding primitives: BLAKE3, SHA-256, AES, ChaCha20, Base64, and zlib. This combination points to a layered scheme designed to shield the payload and support a staged decryption process.
To complicate static analysis efforts, the script intentionally substitutes meaningful function and API names with arbitrary variable identifiers. It also pre-binds operations like zlib.decompress and base64.b85decode for later invocation. The employment of Base85 encoding, which offers greater data density than standard Base64, assists the malware in eluding detection mechanisms that rely solely on recognizable Base64 patterns.
Analysis by cybersecurity investigators led to the recovery of two key decoding functions. One function is tasked with reversing Base85-encoded sequences, while the other transforms integer arrays back into strings, serving as the primary translation layer for decoding the concealed code.
Control Flow and Runtime Decryption
Tracing the control flow led to a large, high-entropy blob. This blob is decrypted and compiled at runtime with compile(…, 'some_value', 'exec') before being executed in memory. Notably, the decryption routine uses control-flow flattening, a while True loop driven by state variables, which makes the logic non-linear and hard to follow.
Investigations unveiled three distinctive stages of obfuscation, with each stage dedicated to decoding a payload, compiling it, and executing it, before handing over control to the next stage—all within the system’s memory. Although a public unpacker that can handle similar frameworks exists, the variant utilized in this case diverges sufficiently, rendering that tool ineffective for fully decrypting the entire chain.
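The loader traits described in the last few paragraphs (ctypes and runpy imports, decoders pre-bound to throwaway names, a long high-entropy Base85 blob, a while True state machine, and compile(…, 'exec') on data rather than a literal) can be scored statically from the AST without running anything. The triage script below is an added example for this page, not code from the report or from the malware; the indicator lists and thresholds are assumptions, and SAMPLE_LOADER is a constructed, non-functional script that is only parsed, never executed.

```python
"""AST-based triage of a Python file for obfuscated-loader traits (added example).

Indicator lists and thresholds are assumptions; SAMPLE_LOADER is constructed
and is parsed only, never executed.
"""
import ast
import base64
import math
from collections import Counter

SUSPECT_MODULES = {"ctypes", "runpy"}
# Attributes a loader pre-binds to short names before calling them later.
SUSPECT_ATTRS = {("zlib", "decompress"), ("base64", "b85decode"),
                 ("base64", "b64decode"), ("runpy", "run_path")}


def shannon_entropy(data):
    """Bits per symbol of a str or bytes value (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def _module_attr(node):
    """('zlib', 'decompress') for the expression zlib.decompress, else None."""
    if isinstance(node, ast.Attribute) and isinstance(node.value, ast.Name):
        return (node.value.id, node.attr)
    return None


def _is_flattened_loop(node):
    """A 'while True' whose body both compares and reassigns the same name:
    the shape a flattened state machine takes."""
    if not (isinstance(node.test, ast.Constant) and node.test.value is True):
        return False
    tested, assigned = set(), set()
    for sub in ast.walk(node):
        if isinstance(sub, ast.Compare) and isinstance(sub.left, ast.Name):
            tested.add(sub.left.id)
        elif isinstance(sub, ast.Assign):
            assigned.update(t.id for t in sub.targets if isinstance(t, ast.Name))
    return bool(tested & assigned)


def triage_source(source, entropy_threshold=5.0, min_blob_len=128):
    """Return the list of indicator strings found in the source text."""
    try:
        tree = ast.parse(source)
    except SyntaxError:
        return ["unparseable source"]
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            findings += [f"import:{a.name}" for a in node.names
                         if a.name.split(".")[0] in SUSPECT_MODULES]
        elif isinstance(node, ast.ImportFrom):
            if node.module and node.module.split(".")[0] in SUSPECT_MODULES:
                findings.append(f"import:{node.module}")
        elif isinstance(node, ast.Assign):
            pair = _module_attr(node.value)
            if pair in SUSPECT_ATTRS:
                findings.append("prebound:" + ".".join(pair))
        elif isinstance(node, ast.Call) and isinstance(node.func, ast.Name):
            if node.func.id == "exec":
                findings.append("exec()")
            elif node.func.id == "compile" and len(node.args) >= 3:
                mode = node.args[2]
                if (isinstance(mode, ast.Constant) and mode.value == "exec"
                        and not isinstance(node.args[0], ast.Constant)):
                    findings.append("compile(<dynamic>, ..., 'exec')")
        elif isinstance(node, ast.While) and _is_flattened_loop(node):
            findings.append("flattened while True loop")
        elif isinstance(node, ast.Constant) and isinstance(node.value, (str, bytes)):
            if (len(node.value) >= min_blob_len
                    and shannon_entropy(node.value) >= entropy_threshold):
                findings.append(f"high-entropy blob len={len(node.value)}")
    return findings


# Constructed sample with the loader's shape. The "blob" is just bytes 0..255
# in Base85 (320 characters), so there is no payload here to decode.
_BLOB = base64.b85encode(bytes(range(256))).decode("ascii")
SAMPLE_LOADER = '''
import base64, zlib, ctypes
d = zlib.decompress
u = base64.b85decode
blob = "__BLOB__"
state = 0
while True:
    if state == 0:
        data = d(u(blob))
        state = 1
    elif state == 1:
        code = compile(data, "stage2", "exec")
        state = 2
    else:
        break
'''.replace("__BLOB__", _BLOB)

CLEAN_SCRIPT = "import json\nprint(json.dumps({'ok': True}))\n"

if __name__ == "__main__":
    print("sample:", triage_source(SAMPLE_LOADER))
    print("clean: ", triage_source(CLEAN_SCRIPT))
```

Any single finding is weak on its own (plenty of legitimate code imports ctypes or carries a long string); the point is the co-occurrence, so score a file by how many distinct indicator kinds it trips rather than by any one of them.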
The final obfuscation stage establishes a SOCKS5 proxy. This proxy service facilitates an outbound communication tunnel to a hard-coded command-and-control (C2) server through port 443, effectively blending with regular HTTPS traffic. Notably, while a default C2 and credentials are embedded within the malware, operators retain the flexibility to input alternative C2 information via command-line parameters when initiating the backdoor.
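On the network side, the SOCKS5 tunnel on port 443 blends in only by port number. Where the tunnel is not wrapped in TLS, the first bytes of the flow distinguish a real ClientHello from SOCKS5 framing, and the SOCKS5 request itself names the internal destination the relay is being asked to reach. The classifier below is an added example for this page, not code from the report or from the malware; it assumes plain RFC 1928 framing and uses constructed sample bytes. If the tunnel is TLS-wrapped this check sees nothing, and the host indicators described earlier are what remain.

```python
"""Classify the first bytes of a flow to port 443: TLS ClientHello vs SOCKS5
framing vs other (added example; RFC 1928 framing assumed; sample bytes constructed)."""
import struct

SOCKS_VERSION = 0x05
TLS_HANDSHAKE = 0x16
SOCKS_COMMANDS = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}


def looks_like_tls_client_hello(data):
    """TLS record: type 0x16, version 0x03 0x0x, 2-byte length, handshake type 0x01."""
    return (len(data) >= 6 and data[0] == TLS_HANDSHAKE and data[1] == 0x03
            and data[2] <= 0x03 and data[5] == 0x01)


def parse_socks5_greeting(data):
    """RFC 1928 client greeting: VER NMETHODS METHODS. Returns the method list or None."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        return None
    n = data[1]
    if n == 0 or len(data) < 2 + n:
        return None
    return list(data[2:2 + n])


def parse_socks5_request(data):
    """RFC 1928 request: VER CMD RSV ATYP DST.ADDR DST.PORT. Returns a dict or None."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] != 0x00:
        return None
    cmd, atyp = data[1], data[3]
    if atyp == 0x01:  # IPv4
        if len(data) < 10:
            return None
        addr, end = ".".join(str(b) for b in data[4:8]), 8
    elif atyp == 0x03:  # domain name, length-prefixed
        if len(data) < 5:
            return None
        ln = data[4]
        if len(data) < 5 + ln + 2:
            return None
        addr, end = data[5:5 + ln].decode("ascii", "replace"), 5 + ln
    elif atyp == 0x04:  # IPv6
        if len(data) < 22:
            return None
        addr = ":".join(f"{data[i]:02x}{data[i + 1]:02x}" for i in range(4, 20, 2))
        end = 20
    else:
        return None
    port = struct.unpack("!H", data[end:end + 2])[0]
    return {"cmd": SOCKS_COMMANDS.get(cmd, f"0x{cmd:02x}"), "addr": addr, "port": port}


def classify_first_bytes(data):
    """'tls', 'socks5' or 'other' for the first client bytes of a flow."""
    if looks_like_tls_client_hello(data):
        return "tls"
    if parse_socks5_greeting(data) is not None or parse_socks5_request(data) is not None:
        return "socks5"
    return "other"


def alert_on_flow(data, dst_port):
    """Flag a flow to 443 whose first bytes are not a TLS ClientHello."""
    return dst_port == 443 and classify_first_bytes(data) != "tls"


# Constructed samples: a truncated TLS 1.0-record ClientHello header, a SOCKS5
# greeting offering no-auth and username/password, and two CONNECT requests.
TLS_HELLO = bytes.fromhex("160301002a01000026")
SOCKS_GREETING = b"\x05\x02\x00\x02"
SOCKS_CONNECT_IPV4 = b"\x05\x01\x00\x01" + bytes([10, 0, 0, 5]) + struct.pack("!H", 8080)
SOCKS_CONNECT_DOMAIN = (b"\x05\x01\x00\x03" + bytes([16]) + b"intranet.example"
                        + struct.pack("!H", 443))

if __name__ == "__main__":
    for label, sample in (("tls", TLS_HELLO), ("greeting", SOCKS_GREETING),
                          ("connect4", SOCKS_CONNECT_IPV4), ("connectD", SOCKS_CONNECT_DOMAIN)):
        print(label, classify_first_bytes(sample), parse_socks5_request(sample))
```

In a sensor, run classify_first_bytes on the first client payload of each outbound 443 flow and parse_socks5_request on the message that follows a successful method selection; the destination it returns is the internal host or name the tunnel was asked to reach, which is the pivot you want in the alert.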
Infrastructure and Threat Attribution
The operational architecture of VIPERTUNNEL revolves around three principal classes: Wire, Relay, and Commander. The Commander class, inheriting from threading.Thread, is responsible for handling the initial C2 handshake and spawning Relay threads. The Relay class oversees the SOCKS5 proxy interactions between the C2 server and internal hosts, while the Wire class abstracts socket operations, enabling numerous concurrent tunnels, which serve both lateral movement and data exfiltration purposes.
Threat intelligence analyses suggest a linkage between this Python backdoor and the activities of UNC2165, also referred to as EvilCorp. Additionally, VIPERTUNNEL has been identified as a follow-on payload in infections originating from FAKEUPDATES (SocGholish), often utilized to maintain access and navigate through networks prior to the deployment of ransomware by various groups, including RansomHub.
While the timeline of events in the DragonForce incident indicates that VIPERTUNNEL access was established before the ransomware was deployed, there is currently no definitive evidence suggesting that this access was either sold or transferred to any affiliate.
The evolving landscape of this campaign illustrates a marked progression from earlier versions of VIPERTUNNEL in late 2023, characterized by unrefined code and typographical errors, to a more mature and modular production-grade backdoor by late 2025. This evolution features enhanced code quality, increased obfuscation complexity, and a deftly integrated stealth infrastructure, emphasizing the persistent threat posed by this sophisticated malware family.