VIPERTUNNEL: Python Malware Unmasked Through Fake DLLs & Multi-Stage Obfuscation
Hackers are leveraging a sophisticated Python backdoor called VIPERTUNNEL to establish covert command-and-control channels in victim networks. The attack chain employs a fake DLL file combined with a multi-stage obfuscated loader to tunnel traffic undetected through what appears to be a standard Python executable.
Stealthy Persistence Mechanism
During analysis of a DragonForce ransomware incident, researchers uncovered persistent mechanisms using a special Python module named sitecustomize.py in C:\ProgramData\cp49s\Lib\. This auto-loading script executes silently at interpreter startup without requiring command-line input.
The script employs the ctypes library to call Python’s C API (specifically Py_GetArgcArgv). It detects whether Python was launched with only one argument (just the executable itself – a characteristic of suspicious scheduled tasks).
When triggered, the script constructs a path to a masquerading DLL (b5yogiiy3c.dll) in C:\ProgramData\cp49s\ and executes it using runpy.run_path(). This transforms the supposed “DLL” into a live Python script that bypasses traditional library loading safeguards.
Fake DLL & Layered Deobfuscation
The b5yogiiy3c.dll file is not a native Windows PE library but a heavily obfuscated Python loader repurposed as a DLL. It imports embedded modules from the same directory and relies on cryptographic primitives including BLAKE3, SHA-256, AES, ChaCha20, base64, and zlib. This evidence strongly indicates an encrypted payload requiring staged decryption.
To frustrate static analysis, the malware obfuscates function names and replaces standard operations like zlib.decompress with pre-bound aliases. It also uses Base85 encoding</strong – denser than standard Base64 – to evade simplistic pattern-matching detectors focused on familiar Base64 signatures.

Researchers recovered two core decryption functions: one reversing Base85-encoded blobs and another converting integer arrays back into strings – forming the initial translation layer for hidden code. The primary decryption routine uses control-flow flattening via a while True loop and state variable, creating non-linear logic to confuse analysis tools.
Three distinct obfuscation stages were identified: each decodes a payload, compiles it for execution, and passes control to the next – with all stages remaining active in memory. While a public unpacker exists for similar frameworks (e.g., eSentire’s ShadowCoil), this variant diverged too significantly for the tool to fully decode the chain.
SOCKS5 Tunneling & Infrastructure
The final stage implements a SOCKS5 proxy creating an outbound tunnel to a hardcoded command-and-control server over port 443. This allows the backdoor to blend seamlessly with standard HTTPS traffic. While default C2 credentials are embedded, operators can provide alternate details via command-line parameters.
VIPERTUNNEL’s architecture revolves around three core classes:
- Commander: Manages initial C2 handshake and spawns Relay threads
- Relay: Handles SOCKS5 proxy logic between C2 and internal hosts
- Wire: Abstracts socket operations and encapsulates tunneled data
This design enables multiple concurrent tunnels for lateral movement and data exfiltration.

Threat Attribution & Evolution
Threat-intel mapping links VIPERTUNNEL to UNC2165/EvilCorp activity. It appears as a follow-on payload for FAKEUPDATES (SocGholish) infections, maintaining access and pivoting networks before ransomware deployment by groups like RansomHub.
OpenSSH version variations across infrastructure prevent reliable attribution, though C2 communication patterns and domain registration timestamps reveal active deployment periods. In the DragonForce case, VIPERTUNNEL access preceded ransomware deployment, though concrete proof of affiliate transfers remains inconclusive.
Further telemetry reveals other samples using identical packers to deliver ShadowCoil (COILCAGE/RATTLEGRAB), a Python-based credential stealer targeting Chromium browsers (and increasingly Firefox). While sharing loader designs, ShadowCoil includes Linux-specific anti-debugging checks (e.g., /proc/self/status for TracerPid).

This campaign demonstrates VIPERTUNNEL’s evolution from unobfuscated, typo-ridden variants in late 2023 to a mature, modular backdoor by late 2025. Recent iterations feature refined code, stronger obfuscation, and stealthy infrastructure tightly integrated with the Python loader chain and DLL disguise. The multi-stage obfuscation and SOCKS5 tunneling techniques make detection challenging, underscoring the need for advanced behavioral monitoring and fileless execution analysis.