Skip to content

Suspected AI-Powered Python Backdoor Tapped for RansomHub Deployment

Posted by: GuidePoint Security

< 1 min read

January 17, 2025 – Published on MSSP Alert

SC Media reports an attack involving a new Python backdoor believed to include artificial intelligence-based code has been launched by an affiliate of the RansomHub ransomware-as-a-service operation last quarter.

The GuidePoint Security Research and Intelligence Team (GRIT) found that the Initial access facilitated by suspected SocGholish malware was followed by the deployment of the backdoor, installation of Python and needed libraries within the targeted “connecteddevicesplatform” folder, establishment of the Python proxy script, and the exploitation of Windows scheduled tasks for persistence.

After using TCP connections to link to hardcoded IP addresses, the backdoor proceeded with lateral movement through a SOCKS5-like tunnel, said GuidePoint Security researchers.

Read More HERE.

Categories: Incident Response & Threat Intelligence
Tags:GRITransomware

GuidePoint Security

RansomHub Affiliate leverages Python-based backdoor
In an incident response in Q4 of 2024, GuidePoint Security identified evidence of a threat actor utilizing a Python-based backdoor […]
View Page

Related Articles

View All

  • News
RansomHub Affiliate leverages Python-based backdoor
Posted by: Andrew Nelson
Read More 5 min read
  • Incident Response & Threat Intelligence
GRIT 2025 Ransomware & Cyber Threat Report
Read More < 1 min read
  • GRIT Blog
To Pay or Not to Pay: The Ransomware Dilemma
Posted by: Jason Baker
Published 11/14/24, 09:00am
Read More 11 min read