Python Backdoor Threat Analysis Following an AI Deepfake Impersonation Campaign
Essential information
- Published: 13/05/2026 16:41
- Modified: 14/05/2026 08:41
- Tags: 2026-05-13, apt37, chinotto, compiled python bytecode, deepfake impersonation, environment variable obfuscation, lnk file, python backdoor, scheduled tasks persistence, spear-phishing
- Related entities: 1 vulnerability (CVE), 6 observables, 1 intrusion set (APT), 1 malware, 20 others
Description
A sophisticated campaign linked to APT37 delivers Python-based backdoors through spear-phishing emails containing malicious LNK files disguised as legitimate documents. Attackers use themes including airline e-tickets, North Korea research invitations, and impersonation of defense and police officials to induce execution. The LNK files employ environment-variable-based obfuscation to download additional BAT files, which set up a Python runtime environment and execute compiled Python bytecode disguised with a .cat extension. The malware functions as a remote command execution backdoor, communicating with C2 servers to receive commands and exfiltrate results. Persistence is maintained through scheduled tasks that execute at one-minute intervals. The campaign shows strong tactical similarities to previous APT37 operations, including infrastructure patterns, script obfuscation methods, and the abuse of legitimate tools.
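As an added, defender-side example (not code from the report or its authors), two triage checks that follow from the description above: flagging a file carried under a .cat extension whose header is actually a CPython .pyc header, and flagging a Task Scheduler XML export whose repetition interval is one minute. The sample bytes and task XML are constructed, not campaign artefacts; the pyc header layout and the Task Scheduler namespace and ISO 8601 interval format are taken from CPython and Windows documentation as assumed in the comments.

```python
import re
import xml.etree.ElementTree as ET
from importlib.util import MAGIC_NUMBER

# A CPython .pyc begins with a 4-byte magic: a little-endian version number
# followed by b"\r\n". A genuine Windows catalog (.cat) file is a DER-encoded
# PKCS#7 blob and begins with an ASN.1 SEQUENCE tag (0x30), so the two never look alike.
def is_disguised_pyc(data: bytes) -> bool:
    """True if a file presented as .cat actually starts with a pyc header."""
    if len(data) < 16 or data[2:4] != b"\r\n":
        return False
    version = int.from_bytes(data[:2], "little")
    # Assumption: CPython 3.x magic numbers fall in the 3000-3999 range.
    return 3000 <= version < 4000

# Task Scheduler exports use this XML namespace (assumed from Windows docs).
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
DURATION = re.compile(r"P(?:(\d+)D)?T?(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?")

def repetition_interval_seconds(task_xml: str):
    """Return Repetition/Interval (ISO 8601 duration such as PT1M) in seconds,
    or None when the task has no repetition element."""
    root = ET.fromstring(task_xml)
    node = root.find(f".//{TASK_NS}Repetition/{TASK_NS}Interval")
    if node is None or not node.text:
        return None
    m = DURATION.fullmatch(node.text.strip())
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s

def is_high_frequency_task(task_xml: str, threshold_seconds: int = 60) -> bool:
    """Flag tasks that re-run at or below the threshold (one minute by default)."""
    secs = repetition_interval_seconds(task_xml)
    return secs is not None and secs <= threshold_seconds

# Constructed samples for the checks above (not real campaign data).
FAKE_CAT = MAGIC_NUMBER + b"\x00" * 12 + b"\xe3\x00\x00\x00"  # pyc header, .cat name
REAL_CAT = b"\x30\x82\x10\x00" + b"\x00" * 12                 # DER SEQUENCE header
TASK_XML = """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT1M</Interval>
  </Repetition></TimeTrigger></Triggers></Task>"""

if __name__ == "__main__":
    print("fake .cat is pyc:", is_disguised_pyc(FAKE_CAT), "real .cat:", is_disguised_pyc(REAL_CAT))
    print("interval seconds:", repetition_interval_seconds(TASK_XML), "flag:", is_high_frequency_task(TASK_XML))
```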