Researchers at InfoGuard identified a new Python-based backdoor, ViperTunnel, inside UK and US business networks, where it appears to provide persistent access that can later be sold or handed off to ransomware operators including RansomHub. The malware was uncovered during incident response to a DragonForce ransomware attack and is frequently seen after FAKEUPDATES (SocGholish) infections. Reporting also says ViperTunnel is often used alongside the ShadowCoil credential stealer, strengthening its role in broader intrusion chains that move from initial compromise to credential theft and eventual ransomware deployment.
ViperTunnel disguises itself as a DLL but is actually a heavily obfuscated Python script that abuses Python's sitecustomize.py auto-loading mechanism for execution and persistence, including via suspicious Windows scheduled tasks. It establishes a SOCKS5 proxy over port 443 to blend malicious traffic with normal web activity, while layered obfuscation and encryption hinder analysis. InfoGuard said the malware has evolved from error-filled early builds into a more modular framework and assessed it is likely linked to UNC2165, a cluster associated with EvilCorp; researchers also found Linux anti-debugging artifacts, including a TracerPid check, indicating the operators may be preparing a future cross-platform version targeting Linux systems.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
4 events from the most recent confirmed update back to the earliest known activity.
Public reporting described ViperTunnel's use of Python's auto-loading sitecustomize.py module, DLL disguise, layered obfuscation, and a SOCKS5 proxy over port 443. InfoGuard also assessed likely ties to UNC2165, a cluster linked to EvilCorp, and noted Linux-focused anti-debugging artifacts suggesting possible future cross-platform targeting.
InfoGuard discovered the Python-based ViperTunnel backdoor while responding to a DragonForce ransomware attack, observing it in UK and US business networks. The malware was used to maintain persistence, often following FAKEUPDATES (SocGholish) infections, and may have been intended for later handoff or sale to ransomware operators.
By late 2025, researchers assessed that ViperTunnel had significantly matured from its earlier builds into a more modular and capable framework used to maintain persistent access in victim environments.
InfoGuard reported that ViperTunnel existed in late 2023 in early forms marked by typo-ridden and less mature code, indicating the malware framework was already in development by that time.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
2 references tracked. Mallory keeps watching after this page renders.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.