Overview
- Securonix, which published its technical report Thursday, described a Python RAT that targets Windows and whose spread and impact remain unknown.
- An obfuscated installer named install_obf.bat disables Defender and logging, extracts an embedded payload called svc.py, and plants multiple persistence hooks in Startup entries, Run keys, scheduled tasks, and optional WMI events.
- The implant routes commands through bore.pub, a legitimate TCP tunneling service, using shifting ports to blend with normal traffic and avoid attacker-owned servers.
- Once active, it enables remote shell access, keylogging, screenshots, webcam and microphone capture, clipboard reads, and theft of browser passwords, SSH keys, and cloud tokens for AWS, Google Cloud, and Azure.
- Anti-analysis defenses include VM and debugger checks, AMSI and ETW patching, ntdll unhooking, SmartScreen bypasses, and log wiping, which complicates cleanup and could let stolen cloud credentials drive wider breaches.
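Two of the behaviours summarized above, the shifting-port beaconing through bore.pub and the persistence hooks that reference svc.py or install_obf.bat, as an added hunting example that is not from the Securonix report or the malware itself; the log format, host names, registry paths and file locations are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample connection-log lines (not from the report): "timestamp host dest:port"
SAMPLE_LOG = """\
2024-05-02T10:00:01 WS-101 bore.pub:40123
2024-05-02T10:05:03 WS-101 bore.pub:45510
2024-05-02T10:10:02 WS-101 bore.pub:52301
2024-05-02T10:02:11 WS-102 bore.pub:40123
2024-05-02T10:03:40 WS-103 updates.example.com:443
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+([^:\s]+):(\d+)$")

def parse_connections(log_text):
    """Yield (timestamp, host, dest, port) tuples; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, host, dest, port = m.groups()
            yield ts, host, dest, int(port)

def find_tunnel_beacons(log_text, tunnel_domain="bore.pub", min_ports=2):
    """Return {host: sorted ports} for hosts that reached the tunnel domain on
    at least min_ports distinct ports, i.e. the shifting-port pattern described."""
    ports_by_host = defaultdict(set)
    for _ts, host, dest, port in parse_connections(log_text):
        d = dest.lower()
        if d == tunnel_domain or d.endswith("." + tunnel_domain):
            ports_by_host[host].add(port)
    return {h: sorted(p) for h, p in ports_by_host.items() if len(p) >= min_ports}

# Constructed persistence entries, as exported from Run keys and scheduled tasks (hypothetical)
SAMPLE_PERSISTENCE = [
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc = pythonw.exe C:\Users\u\AppData\Local\svc.py",
    r"Task\Updater = cmd.exe /c C:\ProgramData\install_obf.bat",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = C:\Program Files\OneDrive.exe",
]
SUSPECT_NAMES = ("svc.py", "install_obf.bat")

def find_persistence_hooks(entries, names=SUSPECT_NAMES):
    """Return persistence entries that reference the dropper or payload file names."""
    return [e for e in entries if any(n in e.lower() for n in names)]

if __name__ == "__main__":
    print(find_tunnel_beacons(SAMPLE_LOG))
    print(find_persistence_hooks(SAMPLE_PERSISTENCE))
```

A single bore.pub connection is not by itself suspicious, so the port threshold is what separates tunnel beaconing from an isolated legitimate use.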