SilentSync RAT delivered via malicious PyPI packages targeting Python developers
Summary
Two malicious packages, sisaws and secmeasure, were discovered in the Python Package Index (PyPI) repository. These packages deliver the SilentSync remote access trojan (RAT) to Windows systems. The trojan is capable of remote command execution, file exfiltration, screen capturing, and extracting web browser data. The packages were uploaded by a user named CondeTGAPIS and have been removed from PyPI. The sisaws package mimics the legitimate sisa package, while secmeasure masquerades as a security library. The trojan is designed to infect Windows systems but also supports Linux and macOS. It communicates with a command and control (C2) server to receive commands and exfiltrate data. The discovery highlights the risk of supply chain attacks within public software repositories.
Timeline
- 18.09.2025 14:38 (1 article)
  Malicious PyPI packages sisaws and secmeasure deliver SilentSync RAT
  Two malicious packages, sisaws and secmeasure, were discovered in the PyPI repository. These packages deliver the SilentSync RAT to Windows systems, with support for Linux and macOS. The trojan is capable of remote command execution, file exfiltration, screen capturing, and extracting web browser data. The packages were uploaded by a user named CondeTGAPIS and have been removed from PyPI.
  Source: SilentSync RAT Delivered via Two Malicious PyPI Packages Targeting Python Developers (thehackernews.com, 18.09.2025 14:38)
Information Snippets
- The sisaws package mimics the legitimate sisa package, associated with Argentina's national health information system.
  First reported: 18.09.2025 14:38 (1 source, 1 article). Source: SilentSync RAT Delivered via Two Malicious PyPI Packages Targeting Python Developers (thehackernews.com, 18.09.2025 14:38)
- The sisaws package uses a function called gen_token() to download a secondary Python script from Pastebin.
  First reported: 18.09.2025 14:38 (1 source, 1 article). Source: SilentSync RAT Delivered via Two Malicious PyPI Packages Targeting Python Developers (thehackernews.com, 18.09.2025 14:38)
- The secmeasure package masquerades as a library for cleaning strings and applying security measures.
  First reported: 18.09.2025 14:38 (1 source, 1 article). Source: SilentSync RAT Delivered via Two Malicious PyPI Packages Targeting Python Developers (thehackernews.com, 18.09.2025 14:38)
- SilentSync RAT is capable of remote command execution, file exfiltration, screen capturing, and extracting web browser data.
  First reported: 18.09.2025 14:38 (1 source, 1 article). Source: SilentSync RAT Delivered via Two Malicious PyPI Packages Targeting Python Developers (thehackernews.com, 18.09.2025 14:38)
- The trojan supports Windows, Linux, and macOS, making Registry modifications on Windows, altering the crontab file on Linux, and registering a LaunchAgent on macOS.
  First reported: 18.09.2025 14:38 (1 source, 1 article). Source: SilentSync RAT Delivered via Two Malicious PyPI Packages Targeting Python Developers (thehackernews.com, 18.09.2025 14:38)
- The trojan communicates with a C2 server at 200.58.107[.]25, supporting endpoints for connectivity verification, command execution, status messages, and data exfiltration.
  First reported: 18.09.2025 14:38 (1 source, 1 article). Source: SilentSync RAT Delivered via Two Malicious PyPI Packages Targeting Python Developers (thehackernews.com, 18.09.2025 14:38)
- The trojan deletes artifacts from the host after data exfiltration to avoid detection.
  First reported: 18.09.2025 14:38 (1 source, 1 article). Source: SilentSync RAT Delivered via Two Malicious PyPI Packages Targeting Python Developers (thehackernews.com, 18.09.2025 14:38)
- The packages were uploaded by a user named CondeTGAPIS and have been removed from PyPI.
  First reported: 18.09.2025 14:38 (1 source, 1 article). Source: SilentSync RAT Delivered via Two Malicious PyPI Packages Targeting Python Developers (thehackernews.com, 18.09.2025 14:38)
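A defender-side check that follows from the snippets above, written here as an added example and not part of the report: it audits a pip requirements file for the two package names reported as malicious and for near-miss spellings of the legitimate sisa package that sisaws imitates. The sample requirements content is constructed for the demonstration.

```python
import re

KNOWN_MALICIOUS = {"sisaws", "secmeasure"}  # package names reported as malicious
IMITATED = {"sisa"}  # legitimate package that sisaws mimics, per the report

def normalize(name: str) -> str:
    """PEP 503 name normalisation: lower-case, runs of -, _ and . become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss names (typosquats)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def requirement_name(line: str):
    """Distribution name from one requirements.txt line, or None if it has none."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):  # blank, comment, or pip option such as -r/-e
        return None
    m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
    return normalize(m.group(0)) if m else None

def audit_requirements(text: str) -> list:
    """Return (package, reason) findings for the contents of a requirements file."""
    findings = []
    for line in text.splitlines():
        name = requirement_name(line)
        if name is None:
            continue
        if name in KNOWN_MALICIOUS:
            findings.append((name, "known malicious: SilentSync RAT dropper"))
            continue
        for legit in IMITATED:
            if name != legit and edit_distance(name, legit) <= 2:
                findings.append((name, f"possible typosquat of '{legit}'"))
    return findings

# Constructed sample requirements file (hypothetical project, not from the report).
SAMPLE = """requests==2.32.3
sisaws>=1.0  # looks like the health-system client but is the malicious package
SecMeasure
sisa==0.3.1
"""
```

Run `audit_requirements(open("requirements.txt").read())` against a real project; on the constructed sample it reports sisaws and secmeasure as known malicious and leaves sisa alone.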
Similar Happenings
SystemBC Proxy Botnet Targets Vulnerable VPS Systems
The SystemBC proxy botnet operators are actively targeting vulnerable commercial virtual private servers (VPS) to maintain an average of 1,500 bots daily. These compromised servers, located globally, are used to route malicious traffic and hide command-and-control (C2) activities, making detection more challenging. SystemBC has been operational since at least 2019 and is utilized by various threat actors, including ransomware gangs. The botnet's infrastructure includes over 80 C2 servers and supports multiple criminal proxy networks. The operators do not prioritize stealth, leading to long infection lifetimes and extensive exploitation of unpatched vulnerabilities. The botnet's primary use includes brute-forcing WordPress credentials and providing high-volume, stable traffic for malicious activities. The REM Proxy network is powered by SystemBC, offering about 80% of the botnet to its users. It also markets a pool of 20,000 Mikrotik routers and various open proxies. The botnet targets both Windows and Linux systems, with the Linux variant designed for corporate networks, cloud servers, and IoT devices. Nearly 80% of SystemBC's daily victims are compromised VPS systems from large commercial providers, with close to 40% having extremely long infection lifespans. Each victim has 20 unpatched CVEs and at least one critical CVE on average.
Global Phishing Campaign Installs Multiple RATs via JavaScript Droppers
A rapidly spreading phishing campaign targets Windows users worldwide, stealing credentials and deploying various remote access trojans (RATs). The campaign uses convincing phishing pages and personalized emails to lure victims into downloading malicious JavaScript files. The attack impacts multiple sectors, including manufacturing, technology, healthcare, construction, and retail/hospitality. The campaign is notable for its complexity and the use of advanced techniques to evade detection. The campaign has been linked to Russian ransomware groups using a new malware loader called CountLoader, which delivers post-exploitation tools and RATs. The attack chain begins with a small, obfuscated script that redirects victims to spoofed sites. The malware delivered includes PureHVNC, DCRat, and Babylon RAT, providing long-term access to the organization's networks. The campaign has shown rapid growth, with detection counts doubling in just two weeks. The phishing campaign targets specific countries, including Austria, Belarus, Canada, Egypt, India, and Pakistan. The attack chain begins with phishing emails using themes related to voicemail messages and purchase orders. The phishing pages display the victim's domain string and logo to reinforce authenticity. The payload is a ZIP archive containing an obfuscated JavaScript file that performs anti-analysis checks. UpCrypter is also distributed as an MSIL loader that performs anti-analysis and anti-virtual machine checks. The attack culminates with the script embedding data from a DLL loader and the payload during execution, minimizing forensic traces. Threat actors are using living-off-trusted-sites (LOTS) techniques, leveraging legitimate services like Microsoft 365 Direct Send and OneNote. Attackers use client-side evasion techniques in phishing pages, including JavaScript-based blocking and Browser-in-the-Browser (BitB) templates.