VIPERTUNNEL Backdoor Uses Fake DLLs, Obfuscation to Evade Detection and Maintain Network Access

Cybercriminals Conceal VIPERTUNNEL Python Backdoor Using Fake DLLs and Complex Obfuscation

In a recent cybersecurity development, a sophisticated Python-based backdoor named VIPERTUNNEL has been identified, employing deceptive tactics to infiltrate enterprise networks. This malware masquerades as a legitimate Dynamic Link Library (DLL) file and utilizes multiple layers of code obfuscation to evade detection, establishing a SOCKS5 proxy tunnel to a remote command-and-control (C2) server. This connection grants attackers persistent and covert access to compromised systems.

Initial Infection and Persistence Mechanism

The attack initiates with the creation of a scheduled task on the victim’s machine. This task is configured to execute a seemingly legitimate Python interpreter, `pythonw.exe`, located in `C:\ProgramData\cp49s\`, without any command-line arguments. Such behavior is atypical in standard Windows environments, where Python is rarely invoked without specifying a target script.

Instead of directly pointing to a script, the attackers manipulate a Python startup file named `sitecustomize.py`. This file is automatically loaded every time the Python interpreter starts. By embedding malicious code within `sitecustomize.py`, the attackers ensure silent execution each time the scheduled task runs, leaving minimal traces in command-line logs.
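The persistence pattern described above can be hunted for from the defender's side. The following is an added example, not code from the article or from InfoGuard Labs: it reads an exported Task Scheduler XML definition and a process-creation record, and flags a Python interpreter launched without a script argument or located under ProgramData. The task XML and the two process records are constructed samples modelled on the path and task name given in the article.

```python
import shlex
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Namespace of Task Scheduler XML (what Export-ScheduledTask or "schtasks /Query /XML" emits).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
INTERPRETERS = {"python.exe", "pythonw.exe"}

# Constructed task modelled on the article: numeric name, pythonw.exe under C:\ProgramData\cp49s\, no <Arguments>.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\523135538</URI></RegistrationInfo>
  <Actions Context="Author">
    <Exec><Command>C:\ProgramData\cp49s\pythonw.exe</Command></Exec>
  </Actions>
</Task>"""

# Constructed process-creation records (image path plus command line, as an EDR or Sysmon event supplies them).
SAMPLE_EVENTS = [
    {"image": r"C:\ProgramData\cp49s\pythonw.exe",
     "command_line": r'"C:\ProgramData\cp49s\pythonw.exe"'},
    {"image": r"C:\Python311\python.exe",
     "command_line": r'"C:\Python311\python.exe" build.py --release'},
]

def _reasons(exe: str, args: list[str]) -> list[str]:
    """Shared rules: a Python interpreter with no script argument, or one living under ProgramData."""
    p = PureWindowsPath(exe.strip('"'))
    out = []
    if p.name.lower() in INTERPRETERS:
        if not args:
            out.append("python interpreter launched without a script argument")
        if any(part.lower() == "programdata" for part in p.parts):
            out.append("python interpreter located under ProgramData")
    return out

def audit_task_xml(xml_text: str) -> list[str]:
    """Apply the rules to every <Exec> action of one exported task definition."""
    root = ET.fromstring(xml_text)
    findings = []
    for ex in root.findall(".//t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", default="", namespaces=NS)
        args = ex.findtext("t:Arguments", default="", namespaces=NS).split()
        findings += _reasons(cmd, args)
    return findings

def audit_process_event(event: dict) -> list[str]:
    """Apply the rules to one process-creation record; posix=False keeps Windows paths intact."""
    argv = shlex.split(event["command_line"], posix=False)
    return _reasons(event["image"], argv[1:])
```

Either function returns an empty list for a benign entry, so the output can be fed straight into an alerting pipeline or a periodic audit report.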

Discovery and Analysis

InfoGuard Labs, led by researcher Evgen Blohm, uncovered VIPERTUNNEL during a ransomware incident response in early 2026. The malware was detected following a persistence audit, which flagged an unusual scheduled task named `523135538` running `pythonw.exe` without arguments. Further investigation revealed the tampered `sitecustomize.py`, which utilized Python’s `ctypes` library to call the `Py_GetArgcArgv` API, confirm the absence of command-line input, and then silently load a file named `b5yogiiy3c.dll` via Python’s `runpy` module.
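A static triage of a suspect `sitecustomize.py`, added here as an example (not InfoGuard Labs' tooling), looks for the combination the article describes: `ctypes` calling `Py_GetArgcArgv`, and `runpy` executing a file whose extension is not `.py`. The `SAMPLE_SITECUSTOMIZE` text is a constructed stand-in written from that description, not the real file, and the three-hit threshold is an assumption.

```python
import re

# Constructed stand-in for the tampered startup file, written from the article's description
# (ctypes -> Py_GetArgcArgv, then runpy on a ".dll" path). This is not the real sample.
SAMPLE_SITECUSTOMIZE = r'''
import ctypes, runpy, sys
argc = ctypes.c_int(); argv = ctypes.POINTER(ctypes.c_wchar_p)()
ctypes.pythonapi.Py_GetArgcArgv(ctypes.byref(argc), ctypes.byref(argv))
if argc.value == 1:
    runpy.run_path(r"C:\ProgramData\cp49s\b5yogiiy3c.dll")
'''

def _imports(mod: str) -> re.Pattern:
    """Match 'import a, mod, b' or 'from mod import ...' at the start of a line."""
    return re.compile(rf"^\s*(?:import\s+[^\n]*\b{mod}\b|from\s+{mod}\b)", re.M)

# Any single rule fires on plenty of legitimate startup files (ctypes alone is common);
# it is the combination that reproduces the article's loader.
SITECUSTOMIZE_RULES = [
    ("ctypes_import", _imports("ctypes")),
    ("argv_probe", re.compile(r"Py_GetArgcArgv")),
    ("runpy_import", _imports("runpy")),
    # runpy.run_path/run_module on a quoted path whose extension is anything but .py/.pyw
    ("runs_non_py_file", re.compile(r"run_(?:path|module)\(\s*r?['\"][^'\"]+\.(?!pyw?['\"])\w+['\"]")),
]

def triage_sitecustomize(src: str) -> dict:
    """Return the rule names that matched and an overall verdict (assumed threshold: 3 of 4)."""
    hits = [name for name, rx in SITECUSTOMIZE_RULES if rx.search(src)]
    return {"hits": hits, "suspicious": len(hits) >= 3}
```

Run it over every `sitecustomize.py` and `usercustomize.py` reachable from each interpreter's `site-packages`, not only the one under the path named in the article.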

Notably, `b5yogiiy3c.dll` is not a genuine DLL but a Python script disguised with a DLL extension—a tactic designed to mislead analysts and security scanners. Within this file, three layers of obfuscation protect the actual payload. The malware employs Base85 encoding, AES and ChaCha20 encryption, and control-flow flattening to complicate reverse engineering efforts. Each layer decrypts the subsequent one and transfers execution in memory, ensuring the final payload remains off-disk at all times.

Obfuscated Loader Chain and SOCKS5 Payload

Upon activation by `sitecustomize.py`, the fake DLL processes a high-entropy encoded blob stored at the file’s end. This blob undergoes a custom decryption routine utilizing control-flow flattening, replacing sequential code with a `while True` loop driven by a state variable. This technique forces analysts to manually follow each transition, complicating code analysis. Three full obfuscation layers must be removed before reaching the final payload.
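An added example (not the researchers' code) of checking a file that claims to be a DLL, following the article's `b5yogiiy3c.dll` finding: a genuine DLL is a PE image beginning with `MZ`, a renamed script begins with printable Python text, and an appended Base85 or encrypted blob shows up as high byte entropy at the tail. The `FAKE_DLL` and `REAL_DLL_HEAD` inputs are constructed stand-ins (a uniform byte pattern represents the encoded blob), and the 6 bits/byte threshold is an assumption.

```python
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or single-valued input, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def _text_prefix(data: bytes, limit: int = 512) -> bytes:
    """Leading run of printable ASCII or whitespace; a PE image ends it at byte 2, a script does not."""
    i = 0
    while i < min(limit, len(data)) and (data[i] in b"\t\n\r" or 32 <= data[i] < 127):
        i += 1
    return data[:i]

def triage_dll_bytes(name: str, data: bytes, tail: int = 2048) -> dict:
    """Decide whether a *.dll is a PE image or a renamed script with an encoded blob appended."""
    is_pe = data[:2] == b"MZ"  # every PE image starts with the DOS 'MZ' stub
    prefix = _text_prefix(data)
    looks_like_python = len(prefix) >= 32 and any(
        tok in prefix for tok in (b"import ", b"def ", b"lambda ", b"exec("))
    tail_entropy = round(shannon_entropy(data[-tail:]), 2)
    # Assumed threshold: Base85 text tops out near 6.4 bits/byte and ciphertext near 8,
    # while plain source sits well below 6.
    blob_at_end = tail_entropy > 6.0
    return {
        "name": name,
        "is_pe": is_pe,
        "looks_like_python": looks_like_python,
        "tail_entropy": tail_entropy,
        "suspicious": name.lower().endswith(".dll") and not is_pe and (looks_like_python or blob_at_end),
    }

# Constructed stand-ins, not the real sample: a short Python stub followed by a uniform byte
# pattern standing in for the appended blob, and the first bytes of a genuine PE image.
FAKE_DLL = (b"import base64, zlib\ndef load(blob):\n"
            b"    return zlib.decompress(base64.b85decode(blob))\n") + bytes(range(256)) * 16
REAL_DLL_HEAD = b"MZ\x90\x00\x03\x00\x00\x00" + bytes(4088)
```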

The decrypted payload is a structured Python script comprising three classes: `Wire`, `Relay`, and `Commander`. The `Commander` class manages the C2 handshake and initiates `Relay` threads as needed. The `Relay` class handles SOCKS5 proxy logic, routing data between the C2 server and internal network targets, while the `Wire` class manages socket operations.

Attribution and Related Threats

The VIPERTUNNEL campaign has been linked to UNC2165 and EvilCorp, with the backdoor deployed as a persistent access and network pivot tool. InfoGuard Labs also identified the same obfuscation framework used to deliver ShadowCoil, a Python-based credential stealer targeting Chrome, Edge, and Firefox browsers. Both tools appear to share a private packer utility, and the shared obfuscation pattern serves as a strong indicator of this threat cluster’s ongoing operations.

Implications and Recommendations

The discovery of VIPERTUNNEL underscores the evolving sophistication of cyber threats, particularly those leveraging Python-based malware with advanced obfuscation techniques. Organizations are advised to implement the following measures to mitigate such threats:

1. Regular Audits of Scheduled Tasks and Startup Scripts: Conduct thorough reviews to identify and remove unauthorized or suspicious tasks and scripts.

2. Monitoring for Unusual Process Executions: Utilize endpoint detection and response (EDR) solutions to detect atypical process behaviors, such as Python interpreters running without arguments.

3. Implementing Application Whitelisting: Restrict the execution of unapproved applications and scripts to prevent unauthorized code from running.

4. Enhancing Network Traffic Analysis: Monitor outbound connections, especially over port 443, for anomalies that may indicate C2 communications.

5. Educating Employees on Phishing and Social Engineering: Provide regular training to help staff recognize and avoid tactics used to deliver initial payloads.

By adopting these proactive measures, organizations can strengthen their defenses against sophisticated malware campaigns like VIPERTUNNEL and protect their critical assets from unauthorized access and data exfiltration.