VIPERTUNNEL
ViperTunnel is a Python-based backdoor observed in business networks in the UK and US. Reporting states it has been in development since late 2023 and is used to establish long-term access in victim environments, with that access later sold to ransomware groups including RansomHub. It has been reported in incidents involving DragonForce ransomware and is often deployed after FAKEUPDATES/SocGholish infections. Arctic Wolf also reported a secondary VIPERTUNNEL payload being uploaded and scheduled for persistence during a SocGholish intrusion.
On Windows, ViperTunnel has been observed abusing Python's auto-loading sitecustomize.py module for execution, including use of C:\ProgramData\cp49s\Lib\sitecustomize.py, and persistence via a scheduled task. A reported payload, b5yogiiy3c.dll, was not a real DLL but an obfuscated Python script masquerading as a system library. The malware embeds non-standard Python modules under C:\ProgramData\cp49s\ and uses multiple protection layers including Base85 encoding, zlib compression, AES, and ChaCha20 encryption, along with randomized variable names and other anti-analysis measures. Researchers described three obfuscation layers before the final payload is decoded, compiled, and executed.
The recovered functionality is a SOCKS5 backdoor/proxy that establishes an outbound tunnel to a hardcoded command-and-control server over port 443 to blend with normal HTTPS traffic. Some variants accept alternate C2 parameters via command-line arguments. The final payload is organized into Wire, Relay, and Commander classes, with Commander handling the C2 handshake and spawning relay threads, Relay implementing SOCKS5 proxying between the C2 and the local network, and Wire managing socket/tunnel abstractions. Reported default C2 credentials embedded in observed samples are AnyUser and AnyPassword. Port 443 is known for VIPERTUNNEL C2, and probing it reportedly returns a static 00 00 response; high-numbered five-digit ports are believed to be relay ports used after the initial connection.
Researchers linked ViperTunnel activity to infrastructure associated with Pyramid C2, including servers that return HTTP 401 with WWW-Authenticate: Basic realm="Proxy". Most observed C2 servers were reported as hosted in the United States. InfoGuard assessed the malware is likely tied to UNC2165, a cluster associated with EvilCorp. ViperTunnel has also been reported alongside the ShadowCoil credential stealer, which targets Chrome, Firefox, and Edge.
Code evolution analysis described a progression from typo-ridden, unobfuscated early samples in December 2023 to PyOBFUSCATE-protected variants in 2024 and a more modular, stealth-focused production version by late 2025. Current observed attacks are focused on Windows systems, but researchers noted a Linux TracerPid anti-debugging check in the code/tooling, suggesting possible future expansion toward Linux or a broader cross-platform framework.
Groups observed using it
2 distinct threat actors attributed by public researchers.
A new Python-based backdoor, named ViperTunnel, has been discovered infiltrating the networks of businesses in the UK and US.
Techniques & procedures
13 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique
ViperTunnel ... is often deployed following FAKEUPDATES (SocGholish) infections, aiming to establish long-term access before being sold to ransomware groups.
Execution
3 techniques
Researchers noted a strange scheduled task on Windows machines named 523135538.
The file b5yogiiy3c.dll is a Python script... The payload is processed with compile(), using a synthetic filename... and exec mode, then executed immediately... Pyramid ... evades EDR detection by using the LOLBin python.exe to run Python code in memory.
They found that the attackers were using a clever trick involving a file named sitecustomize.py located in C:\ProgramData\cp49s\Lib\. This is a standard Python module, but because it loads automatically when the interpreter starts, it allows hackers to run their code without any manual input.
Persistence
1 technique
Privilege Escalation
1 technique
Stealth
6 techniques
The malware's code is heavily obfuscated using multiple encryption layers including Base85 encoding, zlib compression, and AES/ChaCha20 encryption.
Disguised as a DLL file, the malware's code is heavily obfuscated using multiple encryption layers...
Both screenshots show imported methods assigned to variables, with zlib.decompress prepared for later to handle compressed payloads. It also uses base64.b85decode... One reverses Base85 encoding, and the other converts integers to strings... A large, high-entropy blob serves as the encoded payload. This blob is fed to WgGsgQuaeeYg7e(), which decodes and decrypts it using helper functions.
The payload is processed with compile(), using a synthetic filename (<jK6xvQeYbpkDD>) and exec mode, then executed immediately. This keeps the next-stage logic in memory, reducing detection risk.
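As an added defender-side example (not code from the original reporting or from the malware itself), a static triage function for the host artefacts described above and in the overview: a .dll that is really text, sitecustomize.py under ProgramData, the aliased b85decode/decompress/compile/exec chain, and a large high-entropy string literal. The regex markers, the entropy cut-off and the constructed sample loader are assumptions.

```python
import base64
import math
import re
from pathlib import PureWindowsPath

# Loader markers from public VIPERTUNNEL reporting (Base85, zlib, compile/exec); regexes are assumptions.
LOADER_MARKERS = {
    "base85_decode": re.compile(r"\bb85decode\b"),
    "zlib_decompress": re.compile(r"\bdecompress\b"),
    "compile_call": re.compile(r"\bcompile\s*\("),
    "exec_call": re.compile(r"\bexec\s*\("),
}
LONG_LITERAL = re.compile(r"""(['"])([^'"\n]{200,})\1""")  # single-line string of 200+ chars
ENTROPY_THRESHOLD = 4.5  # bits/char; plain source rarely exceeds this, encoded blobs do

def shannon_entropy(s: str) -> float:
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def triage(path: str, data: bytes) -> dict:
    """Return static findings for one file; an empty findings list means nothing stood out."""
    text, p, findings = data.decode("utf-8", "ignore"), PureWindowsPath(path), []
    # A ".dll" that is text rather than a PE image (no MZ header), as with b5yogiiy3c.dll.
    if p.suffix.lower() == ".dll" and not data.startswith(b"MZ"):
        findings.append("dll_extension_without_pe_header")
    # sitecustomize.py under ProgramData instead of a normal interpreter install.
    if p.name.lower() == "sitecustomize.py" and any(s.lower() == "programdata" for s in p.parts):
        findings.append("sitecustomize_in_programdata")
    # The decode -> decompress -> compile -> exec chain, even when the calls are aliased.
    markers = [name for name, rx in LOADER_MARKERS.items() if rx.search(text)]
    if len(markers) >= 3:
        findings.append("staged_loader_chain")
    # A large, high-entropy string literal: the encoded next-stage payload.
    if any(shannon_entropy(lit) >= ENTROPY_THRESHOLD for _, lit in LONG_LITERAL.findall(text)):
        findings.append("high_entropy_literal")
    return {"findings": findings, "loader_markers": markers}

def _constructed_blob(n: int = 400) -> str:
    # Deterministic LCG bytes, Base85-encoded: a stand-in for the real encoded payload.
    x, out = 12345, bytearray()
    for _ in range(n):
        x = (1103515245 * x + 12345) % 2**31
        out.append((x >> 16) & 0xFF)
    return base64.b85encode(bytes(out)).decode()

# Constructed sample in the loader's shape (aliased imports, blob, compile/exec); not malware.
SAMPLE_LOADER = (
    "import base64, zlib\nd = base64.b85decode\nu = zlib.decompress\n"
    f"blob = '{_constructed_blob()}'\nexec(compile(u(d(blob)), '<constructed>', 'exec'))\n"
).encode()
```

Run it over the contents of C:\ProgramData\cp49s\ (or any directory you want to sweep) and escalate files that collect two or more findings.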
Discovery
1 technique
Command and Control
3 techniques
The proxy uses port 443 for outbound connections, blending with typical HTTPS traffic to evade detection.
It establishes a SOCKS5 proxy on port 443, mimicking legitimate web traffic to conceal data exfiltration.
It is currently being used to maintain long-term access to systems before selling that entry to major ransomware groups like RansomHub.
Exfiltration
1 technique
It establishes a SOCKS5 proxy on port 443, mimicking legitimate web traffic to conceal data exfiltration.
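An added network-side example (not from the original reports): classifying the reassembled opening bytes of each side of a TCP/443 flow to separate a genuine TLS handshake from a SOCKS5 negotiation (RFC 1928/1929) or the bare 00 00 reply described in the overview. It assumes stream reassembly has already been done and that the SOCKS-client side is known; the page does not say which end of the VIPERTUNNEL tunnel plays SOCKS client, and the sample streams are constructed.

```python
from typing import Optional

REPORTED_DEFAULT_CREDS = ("AnyUser", "AnyPassword")  # default C2 credentials per public reporting

def parse_socks5_greeting(b: bytes) -> Optional[list]:
    """RFC 1928 client greeting (05 NMETHODS METHODS...) -> list of offered methods, else None."""
    if len(b) < 2 or b[0] != 0x05 or b[1] == 0 or len(b) < 2 + b[1]:
        return None
    return list(b[2:2 + b[1]])

def parse_userpass(b: bytes) -> Optional[tuple]:
    """RFC 1929 sub-negotiation (01 ULEN UNAME PLEN PASSWD) -> (user, password), else None."""
    if len(b) < 3 or b[0] != 0x01:
        return None
    ulen = b[1]
    if len(b) < 3 + ulen:
        return None
    plen = b[2 + ulen]
    if len(b) < 3 + ulen + plen:
        return None
    return b[2:2 + ulen].decode("latin-1"), b[3 + ulen:3 + ulen + plen].decode("latin-1")

def classify_port443_flow(client_bytes: bytes, server_bytes: bytes) -> dict:
    """Classify the reassembled opening bytes of the SOCKS-client and SOCKS-server sides of a flow."""
    v = {"tls": False, "socks5": False, "static_0000_reply": False,
         "credentials": None, "reported_default_creds": False}
    # Genuine HTTPS: both sides open with a TLS handshake record (type 0x16, version 0x03xx).
    if client_bytes[:2] == b"\x16\x03" and server_bytes[:2] == b"\x16\x03":
        v["tls"] = True
        return v
    # A bare 00 00 answer on 443 was reported as a fingerprint of VIPERTUNNEL C2 servers.
    if server_bytes[:2] == b"\x00\x00":
        v["static_0000_reply"] = True
    methods = parse_socks5_greeting(client_bytes)
    if methods is not None and server_bytes[:1] == b"\x05":
        v["socks5"] = True
        if server_bytes[1:2] == b"\x02":  # server selected username/password (method 0x02)
            v["credentials"] = parse_userpass(client_bytes[2 + len(methods):])
            v["reported_default_creds"] = v["credentials"] == REPORTED_DEFAULT_CREDS
    return v

# Constructed sample streams (not a capture): greeting offering user/pass auth, the server
# selecting it, then the reported default credentials and a success reply.
SAMPLE_CLIENT = b"\x05\x01\x02" + b"\x01\x07AnyUser\x0bAnyPassword"
SAMPLE_SERVER = b"\x05\x02" + b"\x01\x00"
```

Any 443 flow that is not TLS on both sides deserves a look on its own; a SOCKS5 negotiation or the static reply is the specific signal this page describes.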
Recent activity
6 sources tracked across advisories, community write-ups, and news.
Python-based backdoor used to establish long-term access. It leverages sitecustomize.py for automatic code execution, is disguised as a DLL, uses heavy obfuscation and layered encryption, and establishes a SOCKS5 proxy on port 443 to conceal traffic and support covert access/exfiltration.
Python-based backdoor used to maintain long-term access in victim environments. It disguises itself as a system file, uses layered obfuscation/encryption, and creates a SOCKS5 proxy over port 443 to blend malicious traffic with normal web traffic.
Python backdoor whose code evolution and infrastructure were analyzed in the referenced research.
A Python-based backdoor that creates a SOCKS5 proxy with an outbound tunnel to a hardcoded C2 server. It uses layered obfuscation, executes decrypted payloads in memory, and supports concurrent traffic relay through Wire, Relay, and Commander classes.