{
  "name": "Python Backdoor Threat Analysis Following an AI Deepfake Impersonation Campaign",
  "slug": "python-backdoor-threat-analysis-following-an-ai-deepfake-impersonation-campaign",
  "description": "A sophisticated campaign linked to APT37 delivers Python-based backdoors through spear-phishing emails carrying malicious LNK (Windows shortcut) files disguised as legitimate documents. Lure themes include airline e-tickets, North Korea research invitations, and impersonation of defense and police officials, all intended to induce the recipient to open the shortcut. The LNK files use environment-variable-based obfuscation to download additional BAT files, which set up a Python runtime environment and execute compiled Python bytecode (.pyc) renamed with a .cat extension (the Windows security-catalog extension) as a disguise. The malware functions as a remote command-execution backdoor, communicating with C2 servers to receive commands and exfiltrate their results. Persistence is maintained through a scheduled task that runs at one-minute intervals. The campaign shows strong tactical similarities to previous APT37 operations, including infrastructure patterns, script obfuscation methods, and the abuse of legitimate tools.",
  "published": "2026-05-13T14:41:04+00:00",
  "created_at": "2026-05-13T14:41:04+00:00",
  "modified_at": "2026-05-14T06:41:44+00:00",
  "created_at_opencti": "2026-05-13T14:41:04+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-05-13",
    "apt37",
    "chinotto",
    "compiled python bytecode",
    "deepfake impersonation",
    "environment variable obfuscation",
    "lnk file",
    "python backdoor",
    "scheduled tasks persistence",
    "spear-phishing"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "220.73.160.23"
      },
      {
        "id": "",
        "name": "218.150.78.198"
      },
      {
        "id": "",
        "name": "183.111.174.69"
      },
      {
        "id": "",
        "name": "211.169.73.104"
      },
      {
        "id": "",
        "name": "114.207.246.156"
      },
      {
        "id": "",
        "name": "211.239.157.126"
      }
    ],
    "malware": [
      {
        "id": "cd97dea9-faf1-4443-9462-e8ac619a39ed",
        "name": "Chinotto",
        "slug": "chinotto"
      }
    ],
    "intrusion_sets": [
      {
        "id": "950aa317-d079-47cd-913e-10433cf55ecc",
        "name": "APT37",
        "slug": "apt37"
      }
    ],
    "vulnerabilities": [
      {
        "id": "",
        "name": "CVE-2018-15982"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Government and administrations"
      },
      {
        "id": "",
        "name": "Defense"
      },
      {
        "id": "",
        "name": "udcontest.com"
      },
      {
        "id": "",
        "name": "ezvm.kr"
      },
      {
        "id": "",
        "name": "choisy.fr"
      },
      {
        "id": "",
        "name": "ableinfo.co.kr"
      },
      {
        "id": "",
        "name": "intobiz.kr"
      },
      {
        "id": "",
        "name": "fe01.co.kr"
      },
      {
        "id": "",
        "name": "ycpatent.co.kr"
      },
      {
        "id": "",
        "name": "versonnex74.fr"
      },
      {
        "id": "",
        "name": "attiferstudio.com"
      },
      {
        "id": "",
        "name": "hanainternational.net"
      },
      {
        "id": "",
        "name": "haeundaejugong.com"
      },
      {
        "id": "",
        "name": "sunlin.org"
      },
      {
        "id": "",
        "name": "kmot.co.kr"
      },
      {
        "id": "",
        "name": "settingenv.cat"
      },
      {
        "id": "",
        "name": "printory.kr"
      },
      {
        "id": "",
        "name": "luminix.kr"
      },
      {
        "id": "",
        "name": "kumdo.org"
      },
      {
        "id": "",
        "name": "sjem.co.kr"
      }
    ]
  },
  "external_refs": [
    "https://www.genians.co.kr/en/blog/threat_intelligence/python?hsCtaAttrib=343278473915",
    "https://otx.alienvault.com/pulse/6a04a9a090a64de310cb0568"
  ]
}