{
  "name": "Backdoor implant discovered on PyPI posing as debugging utility",
  "slug": "backdoor-implant-discovered-on-pypi-posing-as-debugging-utility",
  "description": "A sophisticated malicious package named 'dbgpkg' was detected on PyPI, masquerading as a Python debugging utility. The package implants a backdoor on systems where it is installed, enabling execution of malicious code and data exfiltration. It uses function wrapping techniques to evade detection and is believed to be part of a larger campaign possibly linked to a hacktivist group known as Phoenix Hyena. The campaign also includes other packages such as 'discordpydebug' and 'requestsdev'. The attackers' motivation appears to be geopolitical, potentially related to the Russia-Ukraine conflict. The use of specific backdooring techniques and tools like Global Socket Toolkit indicates a high level of sophistication and an intent to establish a long-term presence on compromised systems.",
  "published": "2025-05-15T18:12:12+00:00",
  "created_at": "2025-05-15T18:12:12+00:00",
  "modified_at": "2025-05-21T18:35:06+00:00",
  "created_at_opencti": "2025-05-15T18:12:12+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-05-15",
    "backdoor",
    "dbgpkg",
    "discordpydebug",
    "function wrapping",
    "global socket toolkit",
    "hacktivist",
    "pypi",
    "requestsdev",
    "russia",
    "supply chain attack",
    "ukraine"
  ],
  "related_entities": {
    "malware": [
      {
        "id": "legacy:malware:b74e25ea13911c47",
        "name": "discordpydebug",
        "slug": "discordpydebug"
      },
      {
        "id": "legacy:malware:81637a17098929be",
        "name": "dbgpkg",
        "slug": "dbgpkg"
      }
    ],
    "intrusion_sets": [
      {
        "id": "a6a8c8c2-9e38-4c74-bf08-240330905e06",
        "name": "Phoenix Hyena",
        "slug": "phoenix-hyena"
      }
    ],
    "attack_patterns": [
      {
        "id": "7671fe3e-6a85-463e-928d-16117d2f4f9b",
        "name": "T1059.006"
      },
      {
        "id": "14ea0786-b57c-4a30-8e4e-46944d17eb18",
        "name": "T1036.004"
      },
      {
        "id": "16e26db7-7376-40c1-b8a9-23d56c44f7ee",
        "name": "T1571"
      },
      {
        "id": "196f2a64-c55b-47a6-8e38-beb76ba700b6",
        "name": "T1204.002"
      },
      {
        "id": "a72ebeae-8e62-4039-8135-e9c611011fdc",
        "name": "T1573"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "870bd958-53a3-4d25-9f23-00aa8bd6674d",
        "name": "T1102"
      },
      {
        "id": "7d7ac733-6442-416f-8669-c302dd0843b9",
        "name": "T1036"
      },
      {
        "id": "81ee4813-4f68-4984-bec1-980d7c5b56eb",
        "name": "T1132"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "6aa7866f-9c1f-4159-938a-10a6adf41646",
        "name": "T1553"
      },
      {
        "id": "358e04b8-6f65-48b2-a24b-f101bfc6671a",
        "name": "T1195"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Ukraine"
      },
      {
        "id": "",
        "name": "Russian Federation"
      }
    ]
  },
  "external_refs": [
    "https://www.reversinglabs.com/blog/backdoor-implant-discovered-on-pypi-posing-as-debugging-utility",
    "https://otx.alienvault.com/pulse/68264a9cb2b105513148d978"
  ]
}