Pyramid, an open-source post-exploitation framework in Python, is being used by threat actors for malicious purposes. The tool features a lightweight HTTP/S server for encrypted payload delivery, blending with legitimate Python activity. This analysis examines Pyramid's server, outlines network signatures for detection, and highlights recently identified servers. The infrastructure exhibits distinctive HTTP response patterns, allowing for structured detection queries. Nine IP addresses across different ports were identified matching the criteria. Three of these IPs were previously associated with RansomHub activities. The post emphasizes the importance of proactive detection strategies to counter evolving tactics by adversaries using open-source offensive security tools.