A newly discovered backdoor, known as ViperTunnel, has been detected infiltrating the networks of businesses in the UK and US, according to a recent investigation by the cybersecurity firm InfoGuard. This Python-based malware is believed to have been in development since late 2023 and is frequently deployed as a secondary payload following FAKEUPDATES (SocGholish) infections. Current reports indicate that the backdoor is being leveraged to establish long-term access to compromised systems, which can then be sold to prominent ransomware groups like RansomHub.
The Fake File Trick
The investigation into ViperTunnel commenced in response to a DragonForce ransomware attack, during which researchers discovered a suspicious scheduled task on Windows machines labeled 523135538. Upon further analysis, they found that the attackers employed an ingenious technique that involved a file named sitecustomize.py located in C:\ProgramData\cp49s\Lib\. This Python module automatically loads when the interpreter starts, enabling attackers to execute their code without requiring user intervention. The backdoor itself masquerades as a system file entitled b5yogiiy3c.dll.
Despite its name, this file is actually a Python script designed to masquerade as a system library. To obscure its contents and hinder detection, the attackers wrapped the code in three layers: Base85 encoding, zlib compression, and AES/ChaCha20 encryption. Research indicates that the script uses ctypes to call Python C API functions, allowing it to determine whether it is being run independently or as part of a larger task. Once deployed, ViperTunnel creates a SOCKS5 proxy over port 443, the port normally used for HTTPS web traffic, so the malware's traffic blends in with regular network activity.
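A defender-side hunt for the two artefacts described above, written as an added example rather than code from the report or from InfoGuard: it flags sitecustomize.py files that reference the Base85, zlib and ctypes machinery such a loader needs, and .dll files that lack the "MZ" header every real PE image starts with (a script masquerading as a library). The directory tree and file contents are constructed for the demo, and the token list is an assumption, not a published signature.

```python
import os
import re
import tempfile

# Assumed indicators: what a loader for a Base85 + zlib + ctypes staged payload
# would have to reference. Tune these to your own environment.
SUSPICIOUS_TOKENS = {
    "base85": re.compile(r"\bb85decode\b"),
    "zlib": re.compile(r"\bzlib\b"),
    "ctypes": re.compile(r"\bctypes\b|\bpythonapi\b"),
}

def is_fake_dll(path):
    """True for a .dll file that lacks the 'MZ' DOS header of a real PE image."""
    if not path.lower().endswith(".dll"):
        return False
    with open(path, "rb") as f:
        return f.read(2) != b"MZ"

def inspect_sitecustomize(path):
    """Sorted names of suspicious tokens found in a sitecustomize.py file."""
    with open(path, "r", errors="replace") as f:
        text = f.read()
    return sorted(n for n, rx in SUSPICIOUS_TOKENS.items() if rx.search(text))

def hunt(root):
    """Walk root; return {relative_path: [reasons]} for files worth triage."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            reasons = []
            hits = inspect_sitecustomize(full) if name.lower() == "sitecustomize.py" else []
            if hits:
                reasons.append("sitecustomize.py references " + ", ".join(hits))
            if is_fake_dll(full):
                reasons.append("dll without MZ header (script masquerading as DLL)")
            if reasons:
                findings[os.path.relpath(full, root).replace(os.sep, "/")] = reasons
    return findings

def build_demo_tree():
    """Constructed sample tree mirroring the layout the report describes."""
    root = tempfile.mkdtemp()
    bad = os.path.join(root, "ProgramData", "cp49s", "Lib")
    good = os.path.join(root, "Python312", "Lib", "site-packages")
    os.makedirs(bad)
    os.makedirs(good)
    with open(os.path.join(bad, "sitecustomize.py"), "w") as f:  # constructed loader stub
        f.write("import base64, zlib, ctypes\ndata = base64.b85decode(BLOB)\n")
    with open(os.path.join(bad, "b5yogiiy3c.dll"), "wb") as f:  # text, not a PE image
        f.write(b"# constructed: python source masquerading as a DLL\n")
    with open(os.path.join(good, "sitecustomize.py"), "w") as f:  # benign control
        f.write("import sys\n")
    return root
```

Run `hunt(build_demo_tree())` to see the two flagged paths; on a real host point `hunt` at the drive root and review any sitecustomize.py outside a known interpreter install.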
From Messy Code to Professional Tool
Evidence suggests that ViperTunnel is associated with the hacking group UNC2165, which is closely linked to the notorious EvilCorp. It is often used in tandem with ShadowCoil, a credential-stealing tool targeting web browsers such as Chrome, Firefox, and Edge. Over time, the malware has undergone significant improvements, moving from early versions in December 2023 that contained various errors, such as misspellings, to a more refined version utilizing PyOBFUSCATE by September 2024. By late 2025, ViperTunnel evolved into a sophisticated tool with a modular architecture comprising three components: Wire, Relay, and Commander.
A particularly alarming discovery is a new check for TracerPid in Linux system files. While current attacks primarily target Windows systems, this finding raises concerns that the attackers may be preparing a Linux variant, which would give the tool cross-platform reach. Most control servers associated with ViperTunnel are currently hosted in the United States, and the stealthy nature of the code allows it to evade detection for extended periods. As the adversaries continue to enhance their toolset, researchers warn that it may soon facilitate attacks on Linux servers employed by large enterprises.
In summary, ViperTunnel represents a significant threat to organizations, highlighting concerns about initial access via malicious updates, persistence through scheduled tasks, and the potential for privilege escalation within compromised environments. Business owners should remain vigilant as the threat landscape evolves, with adversarial tactics continuing to grow more sophisticated and concealed.