Mallory

Surge in Advanced Python-Based Malware and Stealer Campaigns Targeting Multiple Platforms

Tags: credential-stealer-activity, defense-evasion-method, remote-access-implant, command-and-control-method, dependency-confusion-typosquat
Updated March 21, 2026 at 03:19 PM (6 sources)

A wave of sophisticated Python-based malware and stealer campaigns has been observed, leveraging advanced evasion techniques and targeting a wide range of platforms. Notable threats include a Python malware that hides within PNG-disguised RAR files and injects payloads into legitimate executables, as well as the Xillen Stealer v4, which employs polymorphic evasion to target over 100 browsers and 70 cryptocurrency wallets, including DevOps environments. Other campaigns involve the Eternidade Stealer, a Python WhatsApp worm using IMAP email for covert command and control and deploying overlays to target Brazilian banking users, and a multi-layer Python RAT distributed via PyPI typosquatting, which bypasses scanners using XOR encryption.

Additionally, attackers are exploiting messaging platforms such as WhatsApp with sophisticated worms that hijack sessions and deploy banking trojans like Astaroth. Another campaign involves a trojanized VPN installer that delivers the NKNShell backdoor, utilizing P2P blockchain and MQTT protocols for covert C2 communications. These incidents highlight the increasing complexity and diversity of Python-based malware, the use of novel distribution and evasion tactics, and the growing risk to both individual users and enterprise environments across multiple vectors, including messaging apps, software supply chains, and browser extensions.
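The PNG-disguised RAR archive described above is a plain extension/content mismatch, which is cheap to catch at a mail gateway or in a triage script by comparing the extension a file claims against its leading bytes. The following Python is an added example written for this page; it is not code from Mallory or from any of the cited reports. Its signature table, the alias map and the sample files are constructed for the demo and deliberately short (production tooling would use libmagic), and the names of the functions are the author's own.

```python
"""Detect extension / content mismatches such as a RAR archive named *.png.

Added example for this story; it is not code from the Mallory page or from
any of the cited reports. The signature table is deliberately short and
hand-written so the script runs offline; production triage would use
libmagic (python-magic) instead.
"""
import os
from typing import List, Optional, Tuple

# Leading-byte signatures (constructed, abridged) for the formats the story mentions.
MAGIC = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "rar": [b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00"],  # RAR 4.x and RAR 5.x
    "zip": [b"PK\x03\x04"],
    "exe": [b"MZ"],        # PE files start with the DOS "MZ" stub
    "pdf": [b"%PDF-"],
}

# Extensions that legitimately carry another container's signature (constructed, abridged).
EXTENSION_ALIASES = {"docx": "zip", "xlsx": "zip", "jar": "zip", "dll": "exe", "scr": "exe"}


def sniff_format(data: bytes) -> Optional[str]:
    """Return the format implied by the leading bytes, or None if unknown."""
    for fmt, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return fmt
    return None


def claimed_format(filename: str) -> Optional[str]:
    """Return the format the file extension claims, resolving known aliases."""
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    ext = EXTENSION_ALIASES.get(ext, ext)
    return ext if ext in MAGIC else None


def check_file(filename: str, data: bytes) -> Tuple[Optional[str], Optional[str], bool]:
    """Return (claimed, actual, mismatch).

    A mismatch is only reported when both sides are known; an unknown
    extension or unknown signature is left for the analyst rather than
    guessed at.
    """
    claimed = claimed_format(filename)
    actual = sniff_format(data)
    mismatch = claimed is not None and actual is not None and claimed != actual
    return claimed, actual, mismatch


def triage(files: List[Tuple[str, bytes]]) -> List[str]:
    """Return the names of files whose content contradicts their extension."""
    return [name for name, data in files if check_file(name, data)[2]]


# Constructed sample set: the first entry imitates the PNG-named RAR from the story.
SAMPLE_FILES = [
    ("holiday.png", b"Rar!\x1a\x07\x01\x00" + b"\x00" * 32),   # RAR5 header, PNG name
    ("holiday_real.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32),  # genuine PNG header
    ("invoice.docx", b"PK\x03\x04" + b"\x00" * 32),              # docx is a zip: no alert
    ("setup.exe", b"MZ" + b"\x90" * 32),                         # PE named as exe: no alert
    ("notes.txt", b"plain text"),                                # unknown on both sides: skipped
]

if __name__ == "__main__":
    for name, data in SAMPLE_FILES:
        claimed, actual, mismatch = check_file(name, data)
        print(f"{name:20} claims={claimed} actual={actual} -> {'MISMATCH' if mismatch else 'ok'}")
```

The check stays silent when either side is unknown, so it produces an alert only on a positive contradiction such as a RAR signature under a `.png` name; that keeps the false-positive rate low enough to run on every attachment.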

Timeline

  1. Nov 24, 2025

    Researchers report PyPI typosquatting campaign delivering Python RAT

    A report described a PyPI typosquatting package used to deliver a multi-layer Python remote access trojan that bypassed scanners with XOR encryption. No distinct earlier event date was given in the source.

  2. Nov 24, 2025

    Researchers detail Python malware hidden in PNG-disguised RAR archive

    Security Online reported on a stealthy Python malware sample concealed in a RAR archive disguised as a PNG file, with payload injection into cvtres.exe. The article focused on the malware's evasion and execution techniques.

  3. Nov 24, 2025

    Researchers identify Eternidade Stealer WhatsApp worm using IMAP for C2

    A report described Eternidade Stealer as a new Python-based WhatsApp worm that used IMAP email for covert command-and-control and included Brazilian bank overlay functionality. The reference did not specify an earlier discovery date.

  4. Nov 24, 2025

    Researchers uncover Xillen Stealer v4 targeting browsers, wallets, and DevOps data

    Security Online reported on Xillen Stealer v4, describing expanded targeting of more than 100 browsers, 70 cryptocurrency wallets, and DevOps-related data, along with polymorphic evasion features. No separate event date was stated beyond the article publication.

  5. Nov 24, 2025

    Researchers disclose WhatsApp worm spreading Astaroth banking trojan

    A report detailed a WhatsApp-based worm using a fake "View Once" lure to hijack user sessions and deploy the Astaroth banking trojan. The campaign relied on social engineering to spread and facilitate credential theft.

  6. Nov 22, 2025

    Researchers report trojanized VPN installer delivering NKNShell backdoor

    A Security Online report described a malicious VPN installer used to deploy the NKNShell backdoor, which used peer-to-peer blockchain infrastructure and MQTT for covert command-and-control. No earlier event date was provided in the reference, so the publication date is used as the best estimate.
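Timeline item 1 concerns a PyPI typosquat, a package whose name is a near-miss of a popular one. A defender-side control is to compare every requested package name against an allowlist before installation and flag names that are within a couple of edits of an approved package without being equal to it. The Python below is an added example written for this page, not code from Mallory or from the cited report; the allowlist, the requirements lines and the function names are constructed for the demo, and since the page does not name the typosquatted package, none is used.

```python
"""Flag requirement entries whose name is a near-miss of an approved package.

Added example for this story; not code from the Mallory page or the cited
report. The allowlist and the requirements lines are constructed for the
demo, and the page does not name the typosquatted package, so none is used.
"""
import re
from typing import Dict, List, Tuple

# Constructed allowlist of packages this project is expected to install.
ALLOWLIST = ["requests", "numpy", "pandas", "colorama", "urllib3", "cryptography"]

# Constructed requirements file with two near-miss names mixed in.
SAMPLE_REQUIREMENTS = """
# pinned deps
reqeusts==2.31.0
numpy>=1.26
Colourama
pandas[performance]==2.2.0
urllib3
""".strip().splitlines()


def normalize(name: str) -> str:
    """PEP 503 name normalisation: case-fold and collapse runs of -, _ and . to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) with a single-row DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_typosquat_candidates(name: str, allowlist: List[str],
                              max_distance: int = 2) -> List[Tuple[str, int]]:
    """Return allowlisted names within max_distance edits of `name`, excluding exact matches."""
    target = normalize(name)
    hits = []
    for approved in allowlist:
        d = levenshtein(target, normalize(approved))
        if 0 < d <= max_distance:
            hits.append((approved, d))
    return sorted(hits, key=lambda h: h[1])


def requirement_name(line: str) -> str:
    """Strip version specifiers, extras, markers and comments from a requirements line."""
    line = line.split("#", 1)[0].strip()
    return re.split(r"[\s\[=<>!~;@]", line, maxsplit=1)[0]


def check_requirements(lines: List[str], allowlist: List[str]) -> Dict[str, List[Tuple[str, int]]]:
    """Map each suspicious requirement name to the approved names it resembles."""
    flagged: Dict[str, List[Tuple[str, int]]] = {}
    for line in lines:
        name = requirement_name(line)
        if not name:
            continue  # blank or comment-only line
        candidates = find_typosquat_candidates(name, allowlist)
        if candidates:
            flagged[name] = candidates
    return flagged


if __name__ == "__main__":
    for name, candidates in check_requirements(SAMPLE_REQUIREMENTS, ALLOWLIST).items():
        print(f"{name!r} resembles {candidates}; hold the install for review")
```

The exact-match exclusion (`0 < d`) is what turns a similarity search into a typosquat check: an approved package is never flagged, and only names that sit close to one are. Run it as a pre-install gate in CI, with the allowlist kept in the repository so changes to it go through review.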


Related Stories

AI-Enhanced Python Malware Targets Brazilian Financial Institutions via WhatsApp

A threat campaign known as Water Saci has escalated its attacks on Brazilian financial institutions and cryptocurrency exchanges by deploying a new Python-based malware variant. This campaign leverages artificial intelligence (AI) to convert previous PowerShell propagation scripts into Python, resulting in broader browser compatibility, improved error handling, and faster automation of malware delivery through WhatsApp Web. The attackers use a highly layered attack chain involving multiple file formats such as HTA files, ZIP archives, and PDFs to evade detection and complicate analysis, with the ultimate goal of stealing sensitive data and monitoring user activity on compromised machines. The campaign primarily targets enterprise users of WhatsApp in Brazil, exploiting social engineering tactics to deliver malicious payloads through convincing messages from trusted contacts. Researchers warn that the use of AI-driven code conversion and multi-format delivery methods marks a significant evolution in the threat landscape, making these attacks more sophisticated and harder to detect. While the campaign is currently concentrated in Brazil, there is concern it could expand to other Latin American countries as the techniques continue to evolve.

1 month ago
Recent Malware Campaigns Targeting Windows Users via Social Engineering and Fake Installers

Multiple malware campaigns have recently targeted Windows users through a variety of social engineering tactics and deceptive file distribution methods. In Korea, attackers leveraged popular webhard file-sharing services to distribute the xRAT (QuasarRAT) remote access trojan disguised as adult games. Victims were enticed to download compressed files that appeared to be legitimate games, but actually contained sophisticated malware components designed to evade detection and establish persistence on compromised systems. Meanwhile, a separate campaign in Brazil saw the Astaroth banking trojan propagate via WhatsApp, where a worm-like component harvested contact lists and automatically sent malicious ZIP files to spread the infection further. This campaign combined Python-based propagation with traditional credential-stealing modules focused on financial fraud. Other notable campaigns included the use of fake WinRAR installers distributed through Chinese websites, which employed multi-stage payloads to select and deploy the most effective malware for each victim. Additionally, phishing attacks impersonating DocuSign lured users into downloading stealthy malware through access code-protected web pages, using obfuscated PowerShell commands and in-memory payload decryption to bypass security controls. These incidents highlight the increasing sophistication of malware delivery mechanisms, the use of trusted brands and platforms for social engineering, and the global reach of threat actors targeting Windows environments through both email and messaging applications.

1 month ago
Eternidade Stealer Banking Trojan Propagated via WhatsApp Worm in Brazil

Cybersecurity researchers have identified a new campaign targeting Brazilian users in which the Eternidade Stealer, a Delphi-based banking trojan, is distributed through a WhatsApp worm. The attack leverages social engineering and WhatsApp hijacking, with the threat actor deploying a Python script—marking a shift from previous PowerShell-based methods—to hijack WhatsApp Web sessions and spread malicious attachments. The campaign uses an obfuscated Visual Basic Script as the initial infection vector, which then drops a batch script responsible for delivering two payloads, including the Python-based worm. The malware utilizes the Internet Message Access Protocol (IMAP) to dynamically retrieve command-and-control (C2) addresses, allowing the attacker to update C2 infrastructure as needed. This activity is part of a broader trend in Brazil, where WhatsApp's ubiquity makes it a favored vector for distributing banking trojans and information stealers. The use of Delphi for malware development remains prevalent in Latin America due to its technical efficiency and regional familiarity. Researchers note that this campaign represents an evolution in tactics, building on previous attacks such as Water Saci, and highlights the increasing sophistication of social engineering and malware propagation techniques in the region's cybercrime ecosystem.

1 month ago
