Researchers detailed VIPERTUNNEL, a Python-based backdoor delivered as an obfuscated file masquerading as a DLL and loaded through a malicious sitecustomize.py, with persistence established via a scheduled task. After multiple layers of encoding, compression, and decryption are removed, the payload resolves into a SOCKS5 proxy backdoor that connects outbound to a hardcoded command-and-control server over port 443, authenticates with embedded credentials, and relays traffic into the victim's local network through threaded proxy components.
Analysis of samples from late 2023 through late 2025 shows the malware evolving from unstable development builds into a more mature, stealth-focused variant. Investigators linked the infrastructure to Pyramid C2 servers that frequently expose an HTTP 401 response with a distinctive Basic realm="Proxy" header and often use ports 22, 443, and sometimes 8000; the activity has also been associated in reporting with UNC2165/EvilCorp and shares obfuscation traits with the ShadowCoil credential stealer. Defenders were advised to watch for pythonw.exe launched without arguments, suspicious numeric scheduled tasks, unexpected sitecustomize.py files, and unusual outbound proxy traffic patterns.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
4 events from the most recent confirmed update back to the earliest known activity.
The SOC Prime write-up states that the VIPERTUNNEL campaign is linked to UNC2165 and EvilCorp, and notes shared obfuscation techniques with the ShadowCoil credential stealer.
Infrastructure hunting tied the malware to Pyramid C2 instances with a consistent footprint, including HTTP 401 responses with a distinctive Basic realm="Proxy" header, and found evidence that the infrastructure remained active into late 2025.
Across samples spanning through late 2025, VIPERTUNNEL progressed into a more mature Python-based SOCKS5 backdoor/proxy with layered obfuscation, decryption, and outbound tunneling to hardcoded C2 infrastructure over port 443.
InfoGuard Labs reported that observed VIPERTUNNEL samples cluster into developmental variants beginning in late 2023, starting with error-prone and less-obfuscated builds before later maturation.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
2 references tracked. Mallory keeps watching after this page renders.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.