
Exposing Attack Operations Utilizing PyPI Against Windows, Linux and macOS Platforms

· Published 08/07/2024 10:50 · Modified 08/07/2024 10:56

Essential information

Tags
2024-07-08 apt comebacker cross-platform lazarus malware pypi supply-chain
Related entities
28 observables, 1 intrusion sets (apt), 10 techniques (mitre), 1 malware

Description

The report details the APT-C-26 (Lazarus) group's recent attack campaign utilizing malicious Python packages hosted on the PyPI repository to deliver payloads targeting multiple platforms including Windows, Linux, and macOS. It analyzes the attack flow, delivery methods, and components involved, providing insights into the group's tactics and capabilities spanning various operating systems. The report also attributes the activity to the group based on evidence linking it to their previous attack patterns and infrastructure.

External references