A new Python-based remote access trojan with advanced surveillance and data theft capabilities has surfaced that targets both Linux and Windows systems. The malware establishes command-and-control communication over unencrypted HTTP channels, enabling remote command execution, file theft, and screen capture.
As soon as it is executed, it fingerprints the victim's system, gathering the operating system type, hostname, and current username. This data is then sent to the attacker's server, which allows the operator to track specific victims across sessions. K7 Security Labs researchers identified the malware during routine investigations on VirusTotal, where they found an ELF binary written entirely in Python.
The trojan was packaged with PyInstaller version 2.1 and Python 2.7, hiding its malicious code inside an executable that looked legitimate.

Modules imported (Source: K7 Security Labs)

After extracting the bundle with specialized tools, analysts found the primary entry point in a file called agent-svc.pyc, which contains all of the remote access functionality grouped under a single class called "Agent". The malware achieves persistence differently depending on the operating system.
On Linux systems it creates a decoy autostart entry at ~/.config/autostart/dpkgn.desktop, a name chosen to resemble genuine Debian package tools so that the entry blends in and evades casual inspection.
This file executes automatically when the user logs in, maintaining the malware's presence without requiring administrator privileges.

Communication with C2 (Source: K7 Security Labs)

On Windows systems it adds a registry value named "lee" to the current user's Run key, which ensures automatic execution at startup while staying within user-level permissions.

Infrastructure for Command and Control

The trojan transmits system data as plaintext JSON, without encryption, to its command server via simple HTTP POST requests sent to designated endpoints.
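To check a host for the two persistence artefacts described above, the following added example (my code, not K7 Security Labs' and not taken from the malware) scans the user's XDG autostart directory and the current user's Run key for the reported names. It additionally flags autostart entries or Run values that launch a Python interpreter or run from temporary paths; that second heuristic, and the file contents it is exercised against, are assumptions of mine rather than findings from the report.

```python
"""Hunt for the reported persistence artefacts on a live host.
Added example, not K7 Security Labs' code. The IOC names (dpkgn.desktop and
the Run value 'lee') come from the article; the extra heuristics are assumptions."""
import re
import sys
from pathlib import Path

LINUX_IOC_FILES = {"dpkgn.desktop"}   # reported decoy autostart entry
WINDOWS_IOC_VALUES = {"lee"}          # reported HKCU Run value name

# Assumption: an autostart entry invoking a Python interpreter, a .py/.pyc file,
# or something under /tmp or /dev/shm is unusual enough to warrant a look.
SUSPICIOUS_EXEC = re.compile(r"\bpython[0-9.]*\b|\.pyc?\b|/tmp/|/dev/shm/", re.I)


def parse_desktop_entry(path):
    """Return the Name=, Exec= and Hidden= keys of an XDG .desktop file (minimal parser)."""
    entry = {}
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            key, sep, value = line.strip().partition("=")
            if sep and key in ("Name", "Exec", "Hidden"):
                entry[key] = value
    return entry


def scan_autostart(autostart_dir):
    """Flag autostart entries that match the reported IOC name or have a
    suspicious Exec line. Returns a list of (path, reason)."""
    findings = []
    autostart_dir = Path(autostart_dir)
    if not autostart_dir.is_dir():
        return findings
    for path in sorted(autostart_dir.glob("*.desktop")):
        exec_line = parse_desktop_entry(path).get("Exec", "")
        if path.name in LINUX_IOC_FILES:
            findings.append((str(path), "name matches reported IOC"))
        elif SUSPICIOUS_EXEC.search(exec_line):
            findings.append((str(path), f"suspicious Exec: {exec_line}"))
    return findings


def scan_run_key(values):
    """values: mapping of Run-key value name -> command, as read from
    HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run (passed in so the
    logic can be tested off-Windows). Returns a list of (name, reason)."""
    findings = []
    for name, command in values.items():
        if name in WINDOWS_IOC_VALUES:
            findings.append((name, "value name matches reported IOC"))
        elif SUSPICIOUS_EXEC.search(command):
            findings.append((name, f"suspicious command: {command}"))
    return findings


def read_hkcu_run():
    """Read the current user's Run key on Windows; return {} on other platforms."""
    try:
        import winreg
    except ImportError:
        return {}
    values = {}
    key_path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key_path) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:
                break  # no more values
            values[name] = str(data)
            index += 1
    return values


if __name__ == "__main__":
    hits = scan_autostart(Path.home() / ".config" / "autostart")
    hits += scan_run_key(read_hkcu_run())
    for where, why in hits:
        print(f"[!] {where}: {why}")
    sys.exit(1 if hits else 0)
```

Run it as the logged-in user on each platform; on Linux the Run-key half is a no-op, and on Windows the autostart half simply finds no directory. A non-zero exit code means at least one entry deserves manual review, and the Exec line or command is printed so the analyst can see what would be launched at logon.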
The traffic is extremely susceptible to network monitoring and detection because of this design.
Because the malware uses a semi-persistent identifier built from the victim's username and MAC address, attackers can track individual infections even if some system details change. Active sessions poll every half second to stay responsive to incoming commands, while idle periods use longer intervals to reduce network visibility.

Windows Persistence (Source: K7 Security Labs)

Through multipart form-data encoding, the malware supports a wide range of file operations, including unrestricted uploads and downloads.
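The plaintext transport and the half-second polling loop described above are exactly what makes this traffic easy to spot from a proxy or egress log. The following added example (my code, not K7 Security Labs') groups unencrypted HTTP POSTs carrying JSON or multipart bodies per client and server, and flags pairs whose median inter-request gap is at most one second. The log format, client and server addresses, and endpoint paths are constructed for illustration; the article does not name the real endpoints.

```python
"""Flag HTTP clients whose POST cadence to one server matches the reported
half-second polling loop. Added example, not K7 Security Labs' code; the log
format, addresses and endpoint paths are constructed, not taken from the report."""
from collections import defaultdict
from datetime import datetime
from statistics import median
from urllib.parse import urlsplit

# Constructed proxy log: "<timestamp> <client> <method> <url> <status> <content-type>".
# Endpoint paths are placeholders; the article does not name the real ones.
SAMPLE_LOG = """\
2024-05-01T10:00:00.000 10.0.0.5 POST http://203.0.113.10/register 200 application/json
2024-05-01T10:00:00.520 10.0.0.5 POST http://203.0.113.10/poll 200 application/json
2024-05-01T10:00:01.010 10.0.0.5 POST http://203.0.113.10/poll 200 application/json
2024-05-01T10:00:01.530 10.0.0.5 POST http://203.0.113.10/poll 200 application/json
2024-05-01T10:00:02.020 10.0.0.5 POST http://203.0.113.10/upload 200 multipart/form-data
2024-05-01T10:00:02.540 10.0.0.5 POST http://203.0.113.10/poll 200 application/json
2024-05-01T10:00:00.100 10.0.0.7 POST https://updates.example.com/v1/check 200 application/json
2024-05-01T10:00:30.100 10.0.0.7 POST https://updates.example.com/v1/check 200 application/json
2024-05-01T10:00:00.200 10.0.0.9 GET http://cdn.example.com/a.png 200 image/png
2024-05-01T10:00:00.300 10.0.0.9 GET http://cdn.example.com/b.png 200 image/png
"""

# Body types the article describes: JSON beacons and multipart file transfers.
BEACON_TYPES = ("application/json", "multipart/form-data")


def parse_log(text):
    """Parse the constructed log format into dicts, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, client, method, url, status, ctype = parts
        records.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f"),
            "client": client, "method": method, "url": url,
            "status": int(status), "ctype": ctype,
        })
    return records


def find_beacons(records, max_median_interval=1.0, min_requests=5):
    """Group plaintext-HTTP POSTs with beacon-like bodies per (client, server)
    and report pairs whose median inter-request gap is short enough."""
    by_pair = defaultdict(list)
    for r in records:
        u = urlsplit(r["url"])
        if r["method"] != "POST" or u.scheme != "http":
            continue  # the RAT uses unencrypted HTTP POST; ignore TLS and GETs
        if not any(r["ctype"].startswith(t) for t in BEACON_TYPES):
            continue
        by_pair[(r["client"], u.hostname)].append(r)

    hits = {}
    for pair, reqs in by_pair.items():
        if len(reqs) < min_requests:
            continue
        times = sorted(r["time"] for r in reqs)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps)
        if med <= max_median_interval:
            hits[pair] = {
                "requests": len(reqs),
                "median_interval": round(med, 3),
                "paths": sorted({urlsplit(r["url"]).path for r in reqs}),
            }
    return hits


if __name__ == "__main__":
    for (client, server), info in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"[!] {client} -> {server}: {info}")
```

In the constructed sample only 10.0.0.5 is reported: 10.0.0.7 talks over TLS and only twice, and 10.0.0.9 issues GETs. The median rather than the mean is used so that a single long idle gap (the slower polling the article mentions for idle periods) does not hide an otherwise tight half-second cadence.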
It can create ZIP archives using DEFLATE compression for bulk data exfiltration, change working directories, and enumerate entire directory structures.
The screenshot feature uses PIL's ImageGrab module to capture the entire screen, saving images as temporary JPEG files that are then automatically uploaded to the attacker's server. Every operation runs in a separate thread so that it does not block the primary communication loop, keeping the agent available to accept new commands while ongoing tasks complete.