Kramer is a Python-based malware family observed in a multi-stage cybercrime delivery framework targeting UK and German-speaking victims with invoice- and scanned-document-themed lures. Reported campaigns used Cloudflare Quick Tunnels, WsgiDAV open directories, WebDAV paths, batch and script-based staging, and ZIP/TXT/PNG-hosted payloads. In one documented chain, lure files disguised as PDFs led through WSH/WSF/BAT stages that downloaded ZIP archives and staged Python 3.12 runtime components and payloads under user-profile paths such as %USERPROFILE%\Contacts\MainRingtones\ and related directories, with persistence via BAT files in the Windows Startup folder and hidden directories. The Python payloads were described as obfuscated with a custom framework called Kramer that used runtime exec()/eval() deobfuscation and Python 3.12 compiled bytecode renamed as .py files. Reported payloads included five Python RAT/stealer components, assessed as likely including an AnyDesk-based RAT, an AsyncRAT variant, HVNC functionality, a UK-targeted variant, and a secondary HVNC- or Lazarus-linked payload. Behavioral telemetry from these Python components showed memory injection, shellcode execution, and outbound network activity. VirusTotal detections further classified the artifacts as Python-based trojans under the Kramer malware family. The activity was linked with high confidence by Breakglass Intelligence to the same actor behind Operation Nutten Tunnel based on shared infrastructure, overlapping Cloudflare tunnel usage, identical build artifacts, and similar targeting patterns. Associated infrastructure and artifacts mentioned in reporting include trycloudflare subdomains such as crest-ind-snake-dublin, klein-changes-slim-starter, chubby-resident-airlines-converter, highland-trend-src-distinct, and wet-envelope-beam-laser; lure names such as Scan_0824973350935.pdf.wsh and FSL_DE_INV_24032026_238969_EML.PDF.lnk; BAT stages UKA021.bat and UKA022.bat; and Python payload names including 1Apr02_Annnnnnnnnnnnnnnnn-obf.py, 1Apr02_Asssssssssss-obf.py, 1Apr02_Hvvvvvvvvvvvv-obf.py, 1Apr02_UK-Viooooooo5-obf.py, and 2LazApr02__hvvvvvvvvvvvvv.py.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
11 distinct techniques documented for this family, organized by ATT&CK tactic.
This execution pattern shows a separation of responsibilities: VBS file acts as an obfuscated launcher, PowerShell serves as a fileless delivery mechanism... Combined with batch scripting and PowerShell, this multi-language approach provides resilience against partial detection or containment.
The batch script was encoded in UTF-16LE... Upon execution, it ran in a hidden context and established outbound connections to external URLs hosting additional ZIP, BAT, and TXT-based payloads.
Sandbox detonation of these files confirmed that this delivery chain facilitated the deployment of Python-based payloads in addition to script-based components.
All five use a custom "Kramer" obfuscator that compiles Python source to .pyc bytecode and disguises the compiled files with .py extensions. Static analysis tools that parse Python source code see garbage.
22 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Custom Python obfuscator used to protect multiple Python RAT and stealer payloads through runtime exec/eval deobfuscation and disguised .pyc bytecode.
A Python-based trojan family associated with the secondary infection chain, showing behaviors including memory injection, shellcode execution, and outbound network activity.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.