{
  "name": "Python Bot Delivered Through DLL Side-Loading",
  "slug": "python-bot-delivered-through-dll-side-loading",
  "description": "A sophisticated malware campaign employs DLL side-loading to deliver a Python bot. The attack begins with a ZIP archive containing a legitimate PDF reader executable and a hidden malicious DLL. When the PDF reader is executed, the malicious DLL is loaded instead of the intended Microsoft one, altering the PDF reader's behavior. The malware then unpacks a Python environment, fetches the bot code from a Bitbucket repository, and establishes persistence through registry modifications. The attacker uses various techniques to bypass security controls, including renaming processes and using a Byte Order Mark. The campaign demonstrates advanced evasion tactics and leverages trusted applications to deploy its payload.",
  "published": "2025-03-18T11:42:33+00:00",
  "created_at": "2025-03-18T11:42:33+00:00",
  "modified_at": "2025-03-18T14:58:19+00:00",
  "created_at_opencti": "2025-03-18T11:42:33+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-03-18",
    "bitbucket",
    "code obfuscation",
    "dll side-loading",
    "evasion techniques",
    "pdf reader",
    "persistence",
    "python bot"
  ],
  "related_entities": {
    "malware": [
      {
        "id": "legacy:malware:e26c47621cb3ea9e",
        "name": "Python bot",
        "slug": "python-bot"
      }
    ],
    "attack_patterns": [
      {
        "id": "7671fe3e-6a85-463e-928d-16117d2f4f9b",
        "name": "T1059.006"
      },
      {
        "id": "c22b5073-f426-4294-98bb-219d17345158",
        "name": "T1553.002"
      },
      {
        "id": "e8422fc8-8365-4a6a-a556-d6ec16cb4e5d",
        "name": "T1574.002"
      },
      {
        "id": "5999052b-e9ae-49e8-9235-d9bf975c22af",
        "name": "T1547.001"
      },
      {
        "id": "6ccd4566-e15e-40cf-b7df-4a3f737ce5cd",
        "name": "T1036.005"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      }
    ]
  },
  "external_refs": [
    "https://isc.sans.edu/diary/rss/31778",
    "https://otx.alienvault.com/pulse/67d96a39fcd042c6e75ef7da"
  ]
}