Python Malware Deployment with Obfuscation and Credential Theft
Summary
A sophisticated Python-based malware attack was uncovered during a fraud investigation. The attack involved obfuscation, disposable infrastructure, and commercial offensive tools. The victim reported unusual desktop behavior and unauthorized PayPal transfers. The malware used PowerShell commands to download and execute payloads, including XWorm RAT, HTran, and Cobalt Strike Beacon. The attack also involved credential theft from browsers and cryptocurrency wallets.
Timeline
- 23.02.2026 17:30 (1 article)
Sophisticated Python Malware Deployment Uncovered
A fraud investigation revealed a sophisticated Python-based malware attack involving obfuscation, disposable infrastructure, and commercial offensive tools. The victim reported unusual desktop behavior and unauthorized PayPal transfers. The malware used PowerShell commands to download and execute payloads, including XWorm RAT, HTran, and Cobalt Strike Beacon. The attack also involved credential theft from browsers and cryptocurrency wallets.
- Fraud Investigation Reveals Sophisticated Python Malware — www.infosecurity-magazine.com — 23.02.2026 17:30
Information Snippets
All snippets below were first reported 23.02.2026 17:30 and come from a single source (1 source, 1 article): Fraud Investigation Reveals Sophisticated Python Malware — www.infosecurity-magazine.com — 23.02.2026 17:30
- The victim noticed 'strange black windows' and captured screenshots revealing fragments of a command script.
- PowerShell commands were used to download and execute payloads, including 'svchoss.exe' from IP 43.156.63[.]124.
- The IP address is associated with Tencent's infrastructure, frequently abused for C2 operations.
- Batch and VB scripts were placed in startup folders for persistence.
- A concealed Python environment was deployed under %LOCALAPPDATA%\Microsoft\SystemCache25.
- Memory analysis revealed references to python.exe, xro.py, and encoded binary files.
- Multiple malicious payloads, including XWorm RAT, HTran, and Cobalt Strike Beacon, were hosted on the same server.
- The PyInstaller-packed executable 'svchoss.exe' showed heavy obfuscation and credential theft functionality.