A threat actor utilized a Python-based backdoor to maintain access to compromised endpoints, later deploying RansomHub encryptors across the impacted network. The malware, an updated version of a previously documented backdoor, features obfuscation, deployment via RDP, and unique indicators of compromise. Initial access was linked to SocGholish (FakeUpdate), followed by the installation of Python and the backdoor on multiple systems. The script functions as a reverse proxy, establishing a SOCKS5-like tunnel for lateral movement. The code's polished nature suggests possible AI-assisted creation. The C2 process involves multiple steps, including hardcoded IP addresses and port assignments. This incident highlights ransomware affiliates' continued use of Python backdoors for persistence and evasion, as well as the potential adoption of AI-assisted code in malware development.