A Python-based backdoor, dubbed VIPERTUNNEL, is breaching enterprise networks by masquerading as a DLL file and hiding behind several layers of obfuscation. The implant establishes a SOCKS5 proxy tunnel to command-and-control (C2) servers, giving attackers persistent, hard-to-detect access to compromised systems and a pivot point into the internal network. What sets VIPERTUNNEL apart is its multi-layered loader chain, built to frustrate analysis and to keep access alive long after the initial breach.
InfoGuard Labs researchers disclosed the discovery of VIPERTUNNEL, identifying it during a ransomware incident response in early 2026. The persistence mechanism was flagged during a routine audit: a scheduled task that started pythonw.exe with no command-line arguments at all. That is unusual on its own, since a Python interpreter is almost always launched with a script to run. Further investigation revealed a modified sitecustomize.py, a hook module that Python's site machinery imports automatically at interpreter start-up, and it was this file that carried the malicious code and let it run silently.
Obfuscated Loader Chain and SOCKS5 Payload
The attack chain begins with the creation of a scheduled task on the victim machine. The task silently runs pythonw.exe, a legitimate Python interpreter, from a non-standard directory: C:\ProgramData\cp49s. The absence of command-line arguments is a key indicator, because legitimate Python usage almost always names a script to run. By placing the malicious code in sitecustomize.py, the attackers get their payload executed every time the interpreter starts via this task, and process-creation logs that key on command-line arguments record nothing but the bare interpreter path.
When the compromised sitecustomize.py runs, it uses Python's ctypes library to call the interpreter's Py_GetArgcArgv API, which returns the original argc/argv the process was started with. The script checks that no arguments were supplied and acts as a guard: the payload only proceeds when the interpreter was launched exactly as the scheduled task launches it. After this check, the script uses the runpy module to execute a file disguised as a DLL: b5yogiiy3c.dll. The file is not a real DLL but a Python script given a .dll extension; runpy.run_path executes whatever file it is given regardless of extension, so the extension serves only to mislead analysts and automated scanners. This deceptive naming is the first layer of a longer obfuscation chain.
Inside this fake DLL, the VIPERTUNNEL loader stacks several obfuscation stages to slow down reverse engineering. The stages combine Base85 encoding of data with AES and ChaCha20 encryption of the embedded code, and the code itself is control-flow flattened: sequential statements are replaced by a state-driven loop that dispatches to blocks in an order only the state variable reveals. Each layer decrypts the next and hands execution to it in memory, so the final payload exists on disk only in encrypted form, and an analyst has to peel every layer before reaching readable code.
The end product of this loader chain is a fully functional SOCKS5 proxy backdoor. It talks to its C2 infrastructure over port 443, the port used by HTTPS, so that its outbound connections sit alongside ordinary web traffic and are less likely to be flagged by controls that classify connections by port. The port choice alone does not make the stream look like TLS, however: unless the tunnel is additionally wrapped in TLS, an egress proxy that insists on a TLS handshake on 443 will still see a non-TLS SOCKS5 conversation.
The campaign using VIPERTUNNEL has been associated with known advanced persistent threat (APT) groups, including UNC2165 and EvilCorp, which points to well-resourced operators. The malware serves as a persistent access and network pivoting tool, allowing these groups to keep a foothold in targeted organizations for extended periods. InfoGuard Labs researchers have also seen the same obfuscation framework used to deliver ShadowCoil, another Python-based malware that steals credentials from the Chrome, Edge, and Firefox browsers. The shared obfuscation patterns and the private packer utility used by both VIPERTUNNEL and ShadowCoil are considered strong indicators of ongoing operations by a single threat cluster.
Within the fake DLL, the loader commences by processing a blob of high-entropy encoded data located at the end of the file. This data then undergoes a custom decryption routine that incorporates control-flow flattening. This technique transforms straightforward sequential code into a complex structure involving a perpetual `while True` loop, controlled by a state variable. This forces analysts to meticulously track each execution transition rather than simply reading the code line by line, thereby significantly increasing the difficulty of analysis.
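To make the flattening pattern concrete, here is an added example (not VIPERTUNNEL code, and not from InfoGuard Labs) that writes one small decode stage twice: once as readable straight-line code and once flattened into the `while True` state machine described above. The decode stage itself is a constructed stand-in (Base85 plus a short XOR key, instead of the AES/ChaCha20 layers in the real sample), and the state numbers, key and payload are invented. The point is the tracer at the end: an analyst recovers the program by recording the sequence of states the loop actually visits, not by reading the branches in file order.

```python
"""Control-flow flattening shown on a constructed decode stage.

Everything here is an illustration: the XOR key, the state values and the
decoy block are invented, and the real sample uses AES/ChaCha20 rather than
a toy XOR. The structure (one loop, one state variable, blocks in arbitrary
order, dead blocks mixed in) is what matters.
"""
import base64
from typing import List, Optional

KEY = b"k3y"  # constructed key, not taken from any sample


def _xor(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def make_blob(payload: bytes) -> bytes:
    """Build a blob the way a packer would: Base85-encode, then XOR."""
    return _xor(base64.b85encode(payload), KEY)


def decode_plain(blob: bytes) -> bytes:
    """Readable version: two steps, top to bottom."""
    raw = _xor(blob, KEY)
    return base64.b85decode(raw)


def decode_flattened(blob: bytes, trace: Optional[List[int]] = None) -> bytes:
    """Same computation after flattening.

    Every basic block becomes one branch of a single `while True` loop and
    the only thing that orders the blocks is the value written to `state`.
    Block 0x3C is a decoy that is never reached; real samples pad the
    dispatcher with such blocks so that reading top to bottom misleads.
    """
    env = {"in": blob}
    state = 0x5A
    while True:
        if trace is not None:
            trace.append(state)          # record the transition for analysis
        if state == 0x5A:
            env["raw"] = _xor(env["in"], KEY)
            state = 0x13
        elif state == 0x3C:              # decoy block, unreachable
            env["raw"] = env["in"][::-1]
            state = 0xC4
        elif state == 0x13:
            env["out"] = base64.b85decode(env["raw"])
            state = 0xC4
        elif state == 0xC4:
            return env["out"]
        else:
            raise RuntimeError(f"unexpected state {state:#x}")


def recover_order(blob: bytes) -> List[int]:
    """Run the flattened routine once and return the states it really visits.

    The list is the linear program hidden by the dispatcher: blocks that never
    appear in it (0x3C here) can be ignored during analysis.
    """
    trace: List[int] = []
    decode_flattened(blob, trace)
    return trace


if __name__ == "__main__":
    blob = make_blob(b"print('stage 2')")
    print(decode_plain(blob))
    print([hex(s) for s in recover_order(blob)])
```

In a real sample the state values are usually computed rather than hard-coded and the blocks carry the decryption of the next layer, but the recovery step is the same: instrument or emulate the loop, log the state variable, and read the program off the trace.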
Three distinct layers of obfuscation must be stripped before the final payload is revealed. The recovered payload is a Python script built around three classes: `Wire`, `Relay`, and `Commander`. `Commander` manages the handshake with the C2 server and starts `Relay` threads as needed. `Relay` implements the SOCKS5 proxy logic, moving data between the C2 server and targets on the internal network. `Wire` handles the raw socket I/O underneath both.
All outbound communications from the VIPERTUNNEL backdoor use port 443. The malware carries hardcoded default credentials that look like placeholders, suggesting that real deployments customize or generate them. Infrastructure analysis turned up nearly 30 active C2 nodes, all located in the United States and all running Ubuntu 22.04 LTS.
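For readers who have not looked at SOCKS5 on the wire, the following added example (written for this page, not VIPERTUNNEL or InfoGuard code) walks through the byte exchange a `Relay`-style class has to implement: the method negotiation, username/password authentication (RFC 1929, which is the natural reading of the hardcoded credentials mentioned above, though the page does not state which auth method the sample uses), and the CONNECT request that names an internal target. The class and function names, the credentials and the target addresses are invented. One difference from the real implant is direction: VIPERTUNNEL dials out to the C2 on 443 and the operator's side then issues CONNECT requests back through the tunnel, whereas this example simply shows the messages; they are identical whichever side opened the TCP connection.

```python
"""SOCKS5 handshake with username/password auth (RFC 1928 / RFC 1929).

Constructed example: the server state machine and the client message builders
are illustrative code, not the malware's Relay/Wire classes. Credentials and
target addresses are invented.
"""
import ipaddress
import struct
from typing import Dict, List, Optional, Tuple

VER = 0x05
METHOD_USERPASS = 0x02
NO_ACCEPTABLE = 0xFF
AUTH_VER = 0x01
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_OK, REP_CMD_UNSUPPORTED = 0x00, 0x07


# ---- client side: the three messages the proxy user sends ------------------
def greeting() -> bytes:
    """VER, NMETHODS, METHODS: we offer only username/password."""
    return bytes([VER, 1, METHOD_USERPASS])


def auth(user: str, password: str) -> bytes:
    """RFC 1929 sub-negotiation: VER, ULEN, UNAME, PLEN, PASSWD."""
    u, p = user.encode(), password.encode()
    return bytes([AUTH_VER, len(u)]) + u + bytes([len(p)]) + p


def connect(host: str, port: int) -> bytes:
    """VER, CMD, RSV, ATYP, DST.ADDR, DST.PORT for a CONNECT request."""
    try:
        ip = ipaddress.ip_address(host)
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    except ValueError:                       # not an IP literal: send as domain
        h = host.encode()
        addr = bytes([ATYP_DOMAIN, len(h)]) + h
    return bytes([VER, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


# ---- server side: a state machine that answers each message ----------------
class Socks5Handshake:
    def __init__(self, creds: Dict[str, str]):
        self.creds = creds
        self.stage = "greeting"
        self.target: Optional[Tuple[str, int]] = None

    def feed(self, data: bytes) -> bytes:
        if self.stage == "greeting":
            if data[0] != VER:
                raise ValueError("not SOCKS5")
            methods = data[2:2 + data[1]]
            if METHOD_USERPASS not in methods:
                self.stage = "closed"
                return bytes([VER, NO_ACCEPTABLE])
            self.stage = "auth"
            return bytes([VER, METHOD_USERPASS])
        if self.stage == "auth":
            ulen = data[1]
            user = data[2:2 + ulen].decode()
            plen = data[2 + ulen]
            pwd = data[3 + ulen:3 + ulen + plen].decode()
            ok = self.creds.get(user) == pwd
            self.stage = "request" if ok else "closed"
            return bytes([AUTH_VER, 0x00 if ok else 0x01])
        if self.stage == "request":
            cmd, atyp = data[1], data[3]
            if atyp == ATYP_IPV4:
                host, off = str(ipaddress.IPv4Address(data[4:8])), 8
            elif atyp == ATYP_IPV6:
                host, off = str(ipaddress.IPv6Address(data[4:20])), 20
            else:
                n = data[4]
                host, off = data[5:5 + n].decode(), 5 + n
            port = struct.unpack("!H", data[off:off + 2])[0]
            # Reply carries RSV, ATYP, BND.ADDR, BND.PORT; zeros are widely accepted.
            bnd = bytes([0x00, ATYP_IPV4]) + b"\x00" * 6
            if cmd != CMD_CONNECT:
                self.stage = "closed"
                return bytes([VER, REP_CMD_UNSUPPORTED]) + bnd
            self.target = (host, port)
            self.stage = "relay"             # from here on bytes are copied both ways
            return bytes([VER, REP_OK]) + bnd
        raise RuntimeError(f"no handshake message expected in stage {self.stage}")


def run_exchange(user: str, password: str, host: str, port: int,
                 creds: Dict[str, str]) -> Tuple[List[bytes], Optional[Tuple[str, int]]]:
    """Drive one full handshake in memory; return server replies and the target."""
    srv = Socks5Handshake(creds)
    replies = [srv.feed(greeting())]
    if replies[-1][1] == METHOD_USERPASS:
        replies.append(srv.feed(auth(user, password)))
        if replies[-1][1] == 0x00:
            replies.append(srv.feed(connect(host, port)))
    return replies, srv.target


if __name__ == "__main__":
    out, tgt = run_exchange("viper", "tunnel", "10.0.0.5", 445, {"viper": "tunnel"})
    print([r.hex() for r in out], tgt)
```

The `relay` stage is where a real implant would open a socket to `target` and copy bytes in both directions; that is the part of the protocol that has no fixed framing, which is why detection rules on the page key on the handshake bytes, the port, the process, and the class names rather than on the tunnelled traffic.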
Security teams are advised to monitor for `pythonw.exe` being launched without arguments from scheduled tasks, which is a strong indicator of VIPERTUNNEL activity: `pythonw.exe` runs with no console window, so an instance with no script to run has no legitimate purpose, unlike `python.exe`, which at least opens an interactive prompt when started bare. Reviewing `sitecustomize.py` files found outside the standard Python installation directories is the second host-side check. Network policy that blocks outbound connections on port 443 from Python interpreters cuts off the tunnel's egress path. YARA rules targeting the class names `Wire`, `Relay`, and `Commander`, together with the error identifier `ConnectionTimeoutOccuredError`, detect all identified VIPERTUNNEL variants.
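The two host-side checks above can be automated against exported scheduled-task XML. The following is an added example (not InfoGuard tooling) that flags `Exec` actions launching a Python interpreter with no arguments or from outside the expected install locations, and lists where a `sitecustomize.py` next to that interpreter would be picked up. The task XML samples are constructed to mirror the persistence described on this page; the list of expected interpreter directories and the `sitecustomize.py` candidate paths are assumptions to tune for your estate. On a live host the same function can be fed the task files under C:\Windows\System32\Tasks, read as bytes so that expat handles their UTF-16 encoding itself.

```python
r"""Audit Scheduled Task XML for bare pythonw.exe launches and sitecustomize.py.

Added example. The task XML below is constructed; EXPECTED_PYTHON_DIRS and the
sitecustomize candidate paths are assumptions, not facts from the report.
"""
import ntpath
import xml.etree.ElementTree as ET
from typing import Dict, List, Union

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Assumption: where a legitimately installed interpreter normally lives.
EXPECTED_PYTHON_DIRS = (
    r"c:\program files",                 # also covers "program files (x86)"
    r"\appdata\local\programs\python",   # per-user installer default
)

# Constructed sample mirroring the described persistence: no <Arguments>.
MALICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\ProgramData\cp49s\pythonw.exe</Command>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign sample: standard install path and a script argument.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>"C:\Program Files\Python311\pythonw.exe"</Command>
      <Arguments>C:\Scripts\nightly_backup.py --quiet</Arguments>
    </Exec>
  </Actions>
</Task>"""


def is_expected_location(command: str) -> bool:
    c = command.lower()
    return any(p in c for p in EXPECTED_PYTHON_DIRS)


def sitecustomize_candidates(command: str) -> List[str]:
    """Paths where a sitecustomize.py belonging to this interpreter would sit.

    Assumption: the interpreter's own directory, its Lib directory and its
    site-packages directory, which are the usual sys.path entries on Windows.
    """
    home = ntpath.dirname(command.strip('"'))
    return [
        ntpath.join(home, "sitecustomize.py"),
        ntpath.join(home, "Lib", "sitecustomize.py"),
        ntpath.join(home, "Lib", "site-packages", "sitecustomize.py"),
    ]


def audit_task_xml(task_name: str, xml_text: Union[str, bytes]) -> List[Dict[str, str]]:
    """Return one finding per Exec action that launches a bare or misplaced Python."""
    findings: List[Dict[str, str]] = []
    root = ET.fromstring(xml_text)
    for exec_node in root.findall(".//t:Exec", NS):
        cmd = (exec_node.findtext("t:Command", default="", namespaces=NS) or "").strip().strip('"')
        args = (exec_node.findtext("t:Arguments", default="", namespaces=NS) or "").strip()
        if ntpath.basename(cmd).lower() not in ("pythonw.exe", "python.exe"):
            continue
        reasons = []
        if not args:
            reasons.append("interpreter launched with no script argument")
        if not is_expected_location(cmd):
            reasons.append("interpreter outside expected install directories")
        if reasons:
            findings.append({
                "task": task_name,
                "command": cmd,
                "reasons": "; ".join(reasons),
                "check_files": ", ".join(sitecustomize_candidates(cmd)),
            })
    return findings


if __name__ == "__main__":
    for name, xml in (("Updater", MALICIOUS_TASK), ("NightlyBackup", BENIGN_TASK)):
        for f in audit_task_xml(name, xml):
            print(f)
```

Each finding names the files to pull next (`check_files`), so the triage step that followed the scheduled task in the incident described above, opening the `sitecustomize.py` beside the interpreter, is one `os.path.exists` loop away.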
VIPERTUNNEL's layered obfuscation and argument-free execution show how far operators will go to keep an implant quiet after the initial breach. Organizations should pair endpoint detection and response (EDR) coverage with periodic audits of scheduled tasks and interpreter start-up hooks so that such implants are found before they become established, and should keep watching outbound traffic on common ports such as 443 for connections that do not behave like the protocol the port implies.

