A new Python-based backdoor, named ViperTunnel, has been discovered infiltrating the networks of businesses in the UK and US. This sophisticated malware, reportedly in development since late 2023, is often deployed following FAKEUPDATES (SocGholish) infections, aiming to establish long-term access before being sold to ransomware groups, HackRead reports.

InfoGuard researchers identified ViperTunnel during a response to a DragonForce ransomware attack. The backdoor leverages a Python module, sitecustomize.py, to execute code automatically upon interpreter startup. Disguised as a DLL file, the malware’s code is heavily obfuscated using multiple layers, including Base85 encoding, zlib compression, and AES/ChaCha20 encryption. It establishes a SOCKS5 proxy on port 443, mimicking legitimate web traffic to conceal data exfiltration. Evidence suggests a link to the UNC2165 group, associated with EvilCorp, and it’s often used with the ShadowCoil credential stealer. The malware has evolved significantly, transitioning from messy code with typos to a professional, modular tool by late 2025.

The discovery of a TracerPid check in Linux system files, despite current attacks focusing on Windows, indicates potential future expansion to Linux servers. This could enable ViperTunnel to become a cross-platform framework, posing a significant threat to a wider range of businesses.

Source: HackRead
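The sitecustomize.py persistence described above is something defenders can hunt for directly: Python imports sitecustomize and usercustomize from its site-packages and sys.path directories on every interpreter start, so any such file that was not deliberately installed deserves review. The script below is an added example, not code from the article or from InfoGuard; it lists every startup hook on the scan path with its SHA-256 and flags the decode-then-decompress-then-exec pattern the report describes. The sample hook contents in demo() are constructed placeholders, not real ViperTunnel code.

```python
"""Hunt for Python startup hooks that a ViperTunnel-style backdoor could abuse."""
import hashlib
import re
import site
import sys
import tempfile
from pathlib import Path

HOOK_NAMES = ("sitecustomize.py", "usercustomize.py")
# Markers of the decode -> decompress -> execute chain described in the article.
MARKERS = re.compile(
    r"(b85decode|a85decode|zlib\.decompress|marshal\.loads|ChaCha20|AES|\bexec\s*\()"
)


def scan_startup_hooks(dirs):
    """Return (path, sha256, markers) for every startup hook found under dirs."""
    findings = []
    for d in dirs:
        for name in HOOK_NAMES:
            p = Path(d) / name
            if not p.is_file():
                continue
            data = p.read_bytes()
            text = data.decode("utf-8", errors="replace")
            hits = sorted({re.sub(r"\s+", "", m) for m in MARKERS.findall(text)})
            findings.append((str(p), hashlib.sha256(data).hexdigest(), hits))
    return findings


def default_hook_dirs():
    """Directories the interpreter imports sitecustomize/usercustomize from."""
    dirs = list(site.getsitepackages()) + [site.getusersitepackages()] + sys.path
    return [d for d in dict.fromkeys(dirs) if d]


def demo():
    """Constructed sample: one hook mimicking the loader chain, one benign hook."""
    root = Path(tempfile.mkdtemp())
    bad, good = root / "bad", root / "good"
    bad.mkdir()
    good.mkdir()
    (bad / "sitecustomize.py").write_text(  # constructed placeholder, not real malware
        "import base64, zlib\n"
        "exec(zlib.decompress(base64.b85decode(b'PLACEHOLDER')))\n")
    (good / "sitecustomize.py").write_text("import sys\nsys.setrecursionlimit(5000)\n")
    return scan_startup_hooks([bad, good])


if __name__ == "__main__":
    for path, digest, hits in scan_startup_hooks(default_hook_dirs()):
        print(f"{'SUSPICIOUS' if hits else 'review'} {path} sha256={digest} {hits}")
```

Any hook the script lists, flagged or not, should be compared against what the host's package inventory is expected to install; the hash lets you match it against a known-good copy.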