Surge in Advanced Python-Based Malware and Stealer Campaigns Targeting Multiple Platforms
A wave of sophisticated Python-based malware and stealer campaigns has been observed, using advanced evasion techniques and targeting a wide range of platforms. Notable threats include a Python malware that hides within a PNG-disguised RAR archive and injects its payload into a legitimate executable, and Xillen Stealer v4, which employs polymorphic evasion and targets over 100 browsers, 70 cryptocurrency wallets, and DevOps-related data. Other campaigns involve the Eternidade Stealer, a Python WhatsApp worm that uses IMAP email for covert command and control and deploys overlays against Brazilian banking users, and a multi-layer Python RAT distributed via PyPI typosquatting that bypasses scanners using XOR encryption.
Additionally, attackers are exploiting messaging platforms such as WhatsApp with worms that hijack sessions and deploy banking trojans like Astaroth. Another campaign involves a trojanized VPN installer that delivers the NKNShell backdoor, which uses a peer-to-peer blockchain network and the MQTT protocol for covert C2 communications. Together these incidents highlight the increasing complexity and diversity of Python-based malware, the use of novel distribution and evasion tactics, and the growing risk to both individual users and enterprise environments across multiple vectors, including messaging apps, software supply chains, and browser extensions.

How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Researchers report PyPI typosquatting campaign delivering Python RAT
A report described a PyPI typosquatting package used to deliver a multi-layer Python remote access trojan that bypassed scanners with XOR encryption. No distinct earlier event date was given in the source.
Researchers detail Python malware hidden in PNG-disguised RAR archive
Security Online reported on a stealthy Python malware sample concealed in a RAR archive disguised as a PNG file, with payload injection into cvtres.exe. The article focused on the malware's evasion and execution techniques.
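As an added defensive example (not code from this page or from the Security Online report it summarises), the following Python script checks whether a file carrying an image extension actually begins with, or contains anywhere in its body, a RAR archive signature. That extension/magic-byte mismatch is exactly what a RAR archive disguised as a PNG produces, and scanning the whole buffer rather than only offset 0 also catches a polyglot where a real PNG header is prepended to the archive. The PNG and RAR 4/5 signature values are the publicly documented ones; the sample filenames and byte buffers are constructed for illustration.

```python
"""Flag image-extension files that are, or embed, RAR archives.

Added example, not taken from the page or the reports it cites.
The SAMPLES below are constructed buffers, not real malware.
"""
import os
from typing import Dict, List, Tuple

# Documented magic-byte signatures (not page-specific values).
SIGNATURES: Dict[str, List[bytes]] = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "rar": [b"Rar!\x1a\x07\x00",      # RAR 4.x archive header
            b"Rar!\x1a\x07\x01\x00"], # RAR 5.x archive header
}
IMAGE_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".bmp"}


def leading_type(data: bytes) -> str:
    """Return the container type implied by the first bytes, or 'unknown'."""
    for kind, magics in SIGNATURES.items():
        if any(data.startswith(magic) for magic in magics):
            return kind
    return "unknown"


def find_signatures(data: bytes) -> List[Tuple[int, str]]:
    """Locate every known signature anywhere in the buffer (catches polyglots)."""
    hits: List[Tuple[int, str]] = []
    for kind, magics in SIGNATURES.items():
        for magic in magics:
            start = 0
            while (idx := data.find(magic, start)) != -1:
                hits.append((idx, kind))
                start = idx + 1
    return sorted(hits)


def assess(filename: str, data: bytes) -> dict:
    """Compare the file extension with what the bytes say and explain any mismatch."""
    ext = os.path.splitext(filename)[1].lower()
    lead = leading_type(data)
    rar_offsets = [off for off, kind in find_signatures(data) if kind == "rar"]
    reasons: List[str] = []
    if ext == ".png" and lead != "png":
        reasons.append(f"extension .png but leading bytes look like '{lead}'")
    if ext in IMAGE_EXTENSIONS and rar_offsets:
        reasons.append(f"RAR signature found at offset(s) {rar_offsets}")
    return {
        "filename": filename,
        "extension": ext,
        "leading_type": lead,
        "rar_offsets": rar_offsets,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


# Constructed sample buffers (placeholders, not real files).
GOOD_PNG = SIGNATURES["png"][0] + b"\x00" * 32          # plain PNG-like file
DISGUISED = SIGNATURES["rar"][1] + b"\x00" * 32         # RAR5 bytes named as .png
POLYGLOT = GOOD_PNG + SIGNATURES["rar"][0] + b"\x00" * 16  # PNG header, RAR4 appended

SAMPLES = {
    "logo.png": GOOD_PNG,
    "photo.png": DISGUISED,
    "image.png": POLYGLOT,
}


def scan_samples() -> List[dict]:
    """Assess every constructed sample; used by the demo below."""
    return [assess(name, data) for name, data in SAMPLES.items()]


if __name__ == "__main__":
    for verdict in scan_samples():
        flag = "SUSPICIOUS" if verdict["suspicious"] else "ok"
        print(f"{verdict['filename']:<12} {flag:<10} {'; '.join(verdict['reasons'])}")
```

In a real deployment the same `assess` check would run over files written by mail gateways, download folders, or chat-client caches, and a hit would be routed to a sandbox or quarantine rather than printed; the point is that the file extension is never trusted on its own.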
Researchers identify Eternidade Stealer WhatsApp worm using IMAP for C2
A report described Eternidade Stealer as a new Python-based WhatsApp worm that used IMAP email for covert command-and-control and included Brazilian bank overlay functionality. The reference did not specify an earlier discovery date.
Researchers uncover Xillen Stealer v4 targeting browsers, wallets, and DevOps data
Security Online reported on Xillen Stealer v4, describing expanded targeting of more than 100 browsers, 70 cryptocurrency wallets, and DevOps-related data, along with polymorphic evasion features. No separate event date was stated beyond the article publication.
Researchers disclose WhatsApp worm spreading Astaroth banking trojan
A report detailed a WhatsApp-based worm using a fake "View Once" lure to hijack user sessions and deploy the Astaroth banking trojan. The campaign relied on social engineering to spread and facilitate credential theft.
Researchers report trojanized VPN installer delivering NKNShell backdoor
A Security Online report described a malicious VPN installer used to deploy the NKNShell backdoor, which used peer-to-peer blockchain infrastructure and MQTT for covert command-and-control. No earlier event date was provided in the reference, so the publication date is used as the best estimate.
Sources
Extreme Stealth: Python Malware Hides Inside PNG-Disguised RAR, Injects Payload into cvtres.exe
securityonline.info
Next-Gen Threat: Xillen Stealer v4 Targets 100+ Browsers/70+ Wallets with Polymorphic Evasion and DevOps Theft
securityonline.info
Eternidade Stealer: New Python WhatsApp Worm Uses IMAP Email for Covert C2 and Brazilian Bank Overlays
securityonline.info
PyPI Typosquat Delivers Multi-Layer Python RAT, Bypassing Scanners with XOR Encryption
securityonline.info
Sophisticated WhatsApp Worm Uses Fake "View Once" Lure to Hijack Sessions and Deploy Astaroth Banking Trojan
securityonline.info
Trojanized VPN Installer Deploys NKNShell Backdoor, Using P2P Blockchain and MQTT Protocols for Covert C2
securityonline.info