
Suspected AI-Powered Python Backdoor Tapped for RansomHub Deployment

January 17, 2025 – Published on MSSP Alert

SC Media reports that an affiliate of the RansomHub ransomware-as-a-service operation launched an attack last quarter using a new Python backdoor whose code is believed to have been generated, at least in part, with artificial intelligence.

The GuidePoint Security Research and Intelligence Team (GRIT) found that initial access, facilitated by suspected SocGholish malware, was followed by deployment of the backdoor, installation of Python and the libraries it needed inside a folder named “connecteddevicesplatform” on the targeted host, establishment of the Python proxy script, and abuse of Windows scheduled tasks for persistence.
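One way a defender can hunt for the persistence described above: check the host's scheduled tasks for any action that launches a Python interpreter from, or runs a script under, a “connecteddevicesplatform” folder. The example below is added here and is not code from MSSP Alert, SC Media or GuidePoint; it assumes the CSV layout produced by `schtasks /query /fo CSV /v` (columns “TaskName” and “Task To Run”), and the task names and paths in the sample are constructed.

```python
import csv
import io
import re

# Constructed sample in the shape of `schtasks /query /fo CSV /v` output,
# reduced to the columns the check needs. Task names, paths and the user
# are invented for illustration.
SAMPLE_SCHTASKS_CSV = r""""TaskName","Task To Run","Run As User"
"\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c -h -o -$","SYSTEM"
"\ConnectedDevicesPlatform\Update","C:\Users\alice\AppData\Local\connecteddevicesplatform\python\pythonw.exe C:\Users\alice\AppData\Local\connecteddevicesplatform\proxy.py","alice"
"\Office\Telemetry","C:\Program Files\Microsoft Office\root\Office16\msoia.exe scan","alice"
"\UserTasks\Sync","C:\Python312\python.exe C:\Users\alice\AppData\Local\connecteddevicesplatform\sync.py","alice"
"\Dev\Nightly","C:\Python312\python.exe C:\dev\build.py","alice"
"""

# Matches python.exe, pythonw.exe and versioned names such as python3.12.exe.
PYTHON_EXE = re.compile(r"python(?:w)?(?:\d+(?:\.\d+)*)?\.exe\b", re.IGNORECASE)
# Folder name reported by GRIT as the drop location for the interpreter.
SUSPECT_FOLDER = "connecteddevicesplatform"


def flag_suspicious_tasks(schtasks_csv: str) -> list:
    """Return (task name, severity) pairs for scheduled tasks whose action
    runs a Python interpreter.  'high' when the interpreter or its script
    path sits under the suspect folder, 'review' for any other Python task,
    since the interpreter itself is not normally launched by a scheduled
    task on an end-user workstation."""
    findings = []
    for row in csv.DictReader(io.StringIO(schtasks_csv.strip())):
        command = row.get("Task To Run", "")
        if PYTHON_EXE.search(command) is None:
            continue
        if SUSPECT_FOLDER in command.lower():
            findings.append((row["TaskName"], "high"))
        else:
            findings.append((row["TaskName"], "review"))
    return findings


if __name__ == "__main__":
    for task, severity in flag_suspicious_tasks(SAMPLE_SCHTASKS_CSV):
        print(f"{severity:6} {task}")
```

On a live host, feed the function the text of `schtasks /query /fo CSV /v` instead of the constructed sample.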

After connecting over TCP to hardcoded IP addresses, the backdoor was used for lateral movement through a SOCKS5-like tunnel, GuidePoint Security researchers said.
