VIPERTUNNEL
June 30, 2026
Anatomy of an Attack
Introduction
In April 2026, InfoGuard Labs published a technical analysis of VIPERTUNNEL, a Python-based backdoor discovered during a DragonForce ransomware incident response engagement. VIPERTUNNEL is not entirely new (it was first spotted in 2024), but the implant has steadily evolved, and the 2026 findings describe a coordinated operational deployment rather than a brand-new malware strain.
In this latest campaign, a stealthy Python execution chain is used to maintain persistent access, move laterally, and proxy malicious traffic. The malware achieves this by abusing a legitimate Python interpreter (pythonw.exe) and a standard Python startup hook (sitecustomize.py) to execute a triple-obfuscated payload, VIPERTUNNEL.
Threat intelligence links VIPERTUNNEL to UNC2165 (EvilCorp), a sophisticated Russian cybercrime syndicate. In InfoGuard’s analysis, the attackers deployed VIPERTUNNEL prior to the DragonForce ransomware phase, though the definitive relationship between the malware and the subsequent ransomware remains unconfirmed.
For defenders, VIPERTUNNEL is harder to detect because it does not operate like traditional malware. It relies on living-off-the-land binary and script (LOLBAS) techniques that file-based endpoint tools often miss. Detecting VIPERTUNNEL requires analyzing behavioral patterns such as unusual Python runtime activity, unauthorized modifications to sitecustomize.py, scripts masquerading as DLL files, and unexpected outbound SOCKS5 tunnels.
The Attack: VIPERTUNNEL Campaign Phases
VIPERTUNNEL operates primarily as a post-compromise tunneling implant. Attackers place the malware onto a victim’s machine after gaining an initial foothold, using it to secure a persistent, stealthy backdoor to the target network. While not directly observed in the DragonForce engagement, VIPERTUNNEL is often deployed after SocGholish/FAKEUPDATES [T1204, T1189] compromises.
Phase 1: Dual Persistence
The attackers create a Windows scheduled task [T1053.005] named ‘523135538’. This task is configured to launch a legitimate Python interpreter (pythonw.exe) [T1059.006] from a non-standard directory (C:\ProgramData\cp49s\pythonw.exe) [T1036] without any command-line arguments.
Additionally, VIPERTUNNEL has a second persistence strategy which places a malicious sitecustomize.py under the embedded Python library path. Because Python automatically runs sitecustomize.py every time the interpreter starts, the malware executes silently in the background. This script uses Python’s built-in runpy module to load a hidden malicious file named b5yogiiy3c.dll.
This design means the scheduled task only needs to run pythonw.exe: the malicious logic lives in Python's startup hook rather than in the visible scheduled-task command line.
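One way to check for both halves of this persistence pair, written as an added example rather than code from InfoGuard or ExtraHop: the first function parses a constructed Security event 4698 and flags python(w).exe launched with no arguments from outside the expected install directories; the second walks the AST of a sitecustomize.py (here a constructed sample) and reports runpy/exec-style calls and references to non-.py files. The EXPECTED_PYTHON_DIRS patterns are an assumption to tune per environment. This also covers the "Audit Scheduled Tasks" and "Inspect Python Paths" recommendations further down.

```python
"""Detection helpers for the Phase 1 persistence pair described above.

Added example, not InfoGuard's or ExtraHop's code. The 4698 event and the
sitecustomize.py source are constructed samples that mirror the page's
description (task 523135538, C:\\ProgramData\\cp49s\\pythonw.exe, runpy
loading b5yogiiy3c.dll). Requires Python 3.9+ for ast.unparse().
"""
import ast
import ntpath
import re
import xml.etree.ElementTree as ET

# Parent directories a legitimately installed interpreter is expected to
# run from (regexes over the lower-cased path; an assumption to tune).
EXPECTED_PYTHON_DIRS = (
    r"^c:\\program files( \(x86\))?\\python",
    r"^c:\\users\\[^\\]+\\appdata\\local\\programs\\python",
)

# Constructed Security event 4698 (Scheduled Task Created) as exported XML.
# TaskContent carries the escaped task definition, as the real event does.
SAMPLE_4698 = """<Event>
  <System><EventID>4698</EventID></System>
  <EventData>
    <Data Name="SubjectUserName">svc_backup</Data>
    <Data Name="TaskName">\\523135538</Data>
    <Data Name="TaskContent">&lt;Task xmlns='http://schemas.microsoft.com/windows/2004/02/mit/task'&gt;
&lt;Actions&gt;&lt;Exec&gt;&lt;Command&gt;C:\\ProgramData\\cp49s\\pythonw.exe&lt;/Command&gt;&lt;/Exec&gt;&lt;/Actions&gt;
&lt;/Task&gt;</Data>
  </EventData>
</Event>"""


def parse_4698(event_xml):
    """Pull task name, user, command and arguments out of a 4698 event."""
    root = ET.fromstring(event_xml)
    fields = {d.get("Name"): (d.text or "") for d in root.iter("Data")}
    task = ET.fromstring(fields["TaskContent"])
    exec_node = task.find(".//{*}Exec")  # {*} = any namespace (Python 3.8+)
    command = arguments = ""
    if exec_node is not None:
        command = (exec_node.findtext("{*}Command") or "").strip()
        arguments = (exec_node.findtext("{*}Arguments") or "").strip()
    return {"task": fields.get("TaskName", ""), "user": fields.get("SubjectUserName", ""),
            "command": command, "arguments": arguments}


def suspicious_python_task(info):
    """True when python(w).exe runs with no arguments from an unexpected directory."""
    exe = ntpath.basename(info["command"]).lower()
    if exe not in ("python.exe", "pythonw.exe"):
        return False
    parent = ntpath.dirname(info["command"]).lower()
    from_known_dir = any(re.match(p, parent) for p in EXPECTED_PYTHON_DIRS)
    return info["arguments"] == "" and not from_known_dir


# Constructed sitecustomize.py in the shape the page describes.
SAMPLE_SITECUSTOMIZE = """import os
import runpy
_target = os.path.join(os.path.dirname(__file__), "b5yogiiy3c.dll")
runpy.run_path(_target)
"""

# Calls that have no business in a startup hook, and references to files
# that are not Python source.
RISKY_CALLS = {"runpy.run_path", "runpy.run_module", "exec", "eval",
               "compile", "marshal.loads", "__import__"}
NON_PY_FILE = re.compile(r"\.(dll|dat|bin|tmp|log|txt)$", re.IGNORECASE)


def audit_startup_script(source):
    """Return (line, reason) findings for a sitecustomize/usercustomize source."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = ast.unparse(node.func)
            if name in RISKY_CALLS:
                findings.append((node.lineno, f"calls {name}()"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if NON_PY_FILE.search(node.value):
                findings.append((node.lineno, f"references non-Python file {node.value!r}"))
    return sorted(findings)


if __name__ == "__main__":
    info = parse_4698(SAMPLE_4698)
    print(info, "-> SUSPICIOUS" if suspicious_python_task(info) else "-> ok")
    for line, reason in audit_startup_script(SAMPLE_SITECUSTOMIZE):
        print(f"sitecustomize.py:{line}: {reason}")
```

In practice the event parser runs over a 4698 export from the SIEM, and the startup-script audit runs against every sitecustomize.py and usercustomize.py found under each interpreter's site-packages (including embedded distributions dropped under ProgramData, which is where this implant keeps its copy).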
Phase 2: Payload Masquerading as a DLL
The file b5yogiiy3c.dll is not a standard DLL file, but a heavily obfuscated Python script [T1036.008]. By masquerading as a .dll file, the attackers exploit a common blind spot in automated analysis pipelines and triage workflows, which often deprioritize or misclassify the file as a standard Portable Executable (PE).
Phase 3: Multi-Layer Obfuscation and In-Memory Staging
To evade static analysis, the loader wraps the final VIPERTUNNEL payload in three layers of obfuscation [T1027] [T1027.009]. The script's obfuscation includes:
- random variable and function names,
- Base85 decoding [T1140],
- zlib decompression [T1560.002],
- cryptographic primitives such as AES and ChaCha20 [T1027.013], and
- a large high-entropy blob that is decoded, decrypted, and immediately executed.
The final payload is never placed on the drive. Instead, the loader decrypts the high-entropy code directly into memory and executes it. This leaves virtually no static signature for endpoint tools to scan.
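The masquerade and the staged decode chain can be triaged together: compare what the extension claims with what the bytes actually are, and, if the bytes parse as Python, look for the decoder-to-exec() shape and the size and entropy of the largest string literal. The following is an added example, not code from the InfoGuard report or any product; its "loader" is generated at import time from a harmless print() payload so it has the shape the page describes without being malicious, and the DECODER_CALLS set is an assumption. It also covers the "Detect File Mismatches" recommendation further down.

```python
"""Triage of a file that claims to be a DLL (Phases 2 and 3 above).

Added example, not code from the InfoGuard report or any product. The
sample loader is built from a benign payload so the decode-decompress-exec
shape matches the page's description. Requires Python 3.9+ for ast.unparse().
"""
import ast
import base64
import math
import zlib
from collections import Counter

# Decoder/loader calls whose combination is the fingerprint of a staged
# loader (assumed set; extend with whatever your environment sees).
DECODER_CALLS = {
    "base64.a85decode", "base64.b85decode", "base64.b64decode",
    "zlib.decompress", "marshal.loads", "exec", "eval",
}


def _build_sample_loader():
    """Constructed stand-in: Base85 -> zlib -> exec, with a harmless payload."""
    payload = b"print('constructed benign payload')"
    blob = base64.b85encode(zlib.compress(payload)).decode("ascii")
    return (
        "import base64, zlib\n"
        f"_d = base64.b85decode('{blob}')\n"
        "exec(zlib.decompress(_d))\n"
    )


SAMPLE_LOADER = _build_sample_loader().encode("utf-8")
SAMPLE_PE = b"MZ\x90\x00" + bytes(60) + b"PE\x00\x00"  # constructed PE-like header


def shannon_entropy(data):
    """Bits per byte; ~4.5+ over a long literal is the high-entropy blob."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_text(data):
    head = data[:4096]
    if b"\x00" in head:
        return False
    try:
        head.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return True


def triage(name, data):
    """Compare what the extension claims with what the bytes are."""
    result = {
        "name": name,
        "claims_pe": name.lower().endswith((".dll", ".exe", ".sys")),
        "is_pe": data[:2] == b"MZ",
        "parses_as_python": False,
        "decoder_calls": [],
        "largest_literal_len": 0,
        "largest_literal_entropy": 0.0,
    }
    tree = None
    if not result["is_pe"] and looks_like_text(data):
        try:
            tree = ast.parse(data.decode("utf-8"))
        except SyntaxError:
            tree = None
    if tree is not None:
        result["parses_as_python"] = True
        for node in ast.walk(tree):
            if isinstance(node, ast.Call):
                fn = ast.unparse(node.func)
                if fn in DECODER_CALLS:
                    result["decoder_calls"].append(fn)
            elif isinstance(node, ast.Constant) and isinstance(node.value, (str, bytes)):
                raw = node.value if isinstance(node.value, bytes) else node.value.encode("utf-8")
                if len(raw) > result["largest_literal_len"]:
                    result["largest_literal_len"] = len(raw)
                    result["largest_literal_entropy"] = round(shannon_entropy(raw), 2)
    # A non-PE file under an executable extension is the masquerade itself;
    # two or more decoders feeding exec()/eval() is the staging pattern.
    calls = set(result["decoder_calls"])
    result["masquerade"] = result["claims_pe"] and not result["is_pe"]
    result["staged_loader"] = bool(calls & {"exec", "eval"}) and len(calls - {"exec", "eval"}) >= 2
    return result


if __name__ == "__main__":
    for label, blob in (("b5yogiiy3c.dll", SAMPLE_LOADER), ("legit.dll", SAMPLE_PE)):
        print(triage(label, blob))
```

The AES/ChaCha20 layers the page mentions do not change the approach: the decryption call simply becomes one more link in the chain before exec(), and the encrypted blob is still the largest, highest-entropy literal in the file.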
Phase 4: The SOCKS5 Tunnel and C2 Handshake
Once fully loaded into memory, VIPERTUNNEL establishes a SOCKS5 proxy [T1090] and opens an outbound tunnel [T1071] to a hardcoded command-and-control (C2) server over TCP port 443. Although it uses the HTTPS port [T1071.001] in an attempt to blend into normal HTTPS traffic, available analysis does not indicate that VIPERTUNNEL's traffic actually resembles HTTPS.
The final payload includes three major classes:
- Commander: Operates as the main control thread, performs the initial C2 handshake, and spawns Relay instances as needed.
- Relay: Implements the SOCKS5 proxy logic between the C2 endpoint and the local network.
- Wire: Provides the socket abstraction and tunnel-data encapsulation.
VIPERTUNNEL is the core component in this operational phase, turning the compromised host into an active tunneling endpoint. Once this is complete, attackers can freely route their operational traffic directly through the victim’s environment.
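Because the implant's traffic on port 443 does not look like HTTPS, the first client-to-server bytes of a session are a cheap discriminator: a browser opens with a TLS ClientHello record, a SOCKS5 client with a version/method greeting. The added example below (not ExtraHop's or InfoGuard's code; all byte strings are constructed samples) labels a session's first bytes as TLS, SOCKS5, HTTP or unknown, decodes a SOCKS5 request per RFC 1928 so the relayed destination is visible to an analyst, and raises an alert for a TCP/443 session that does not start with TLS. It relates to the "Baseline Outbound Egress" recommendation further down.

```python
"""First-bytes classifier for outbound TCP/443 sessions (Phase 4 above).

Added example, not ExtraHop's or InfoGuard's code; every byte string is a
constructed sample. TLS record header: 0x16 (handshake), 0x03 0x0X (version).
SOCKS5 greeting (RFC 1928): 0x05, NMETHODS, METHODS[NMETHODS].
"""
import ipaddress
import struct

SOCKS5_CMDS = {1: "CONNECT", 2: "BIND", 3: "UDP_ASSOCIATE"}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")


def classify_first_bytes(payload):
    """Label the first client-to-server bytes of a TCP session."""
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03 and payload[2] <= 0x04:
        return "tls"
    if len(payload) >= 2 and payload[0] == 0x05:
        nmethods = payload[1]
        methods = payload[2:2 + nmethods]
        # 0xFF is only valid in the server's reply ("no acceptable methods")
        if nmethods >= 1 and len(methods) == nmethods and 0xFF not in methods:
            return "socks5"
    if payload.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


def parse_socks5_request(data):
    """Decode a SOCKS5 request (RFC 1928 section 4) into cmd/host/port, or None."""
    if len(data) < 4 or data[0] != 0x05 or data[2] != 0x00:
        return None
    cmd, atyp = data[1], data[3]
    if atyp == 0x01 and len(data) >= 10:                      # IPv4
        host, end = str(ipaddress.IPv4Address(data[4:8])), 8
    elif atyp == 0x03 and len(data) >= 5 and len(data) >= 7 + data[4]:  # domain name
        n = data[4]
        host, end = data[5:5 + n].decode("ascii", "replace"), 5 + n
    elif atyp == 0x04 and len(data) >= 22:                    # IPv6
        host, end = str(ipaddress.IPv6Address(data[4:20])), 20
    else:
        return None
    (port,) = struct.unpack("!H", data[end:end + 2])
    return {"cmd": SOCKS5_CMDS.get(cmd, f"unknown({cmd})"), "host": host, "port": port}


def assess_session(dst_port, first_client_bytes, dst_is_rare=False):
    """Score one outbound session; tcp/443 without a TLS ClientHello is the anomaly."""
    kind = classify_first_bytes(first_client_bytes)
    reasons = []
    if dst_port == 443 and kind != "tls":
        reasons.append(f"tcp/443 without TLS ClientHello (looks like {kind})")
    if kind == "socks5":
        reasons.append("SOCKS5 handshake on an outbound session")
    if dst_is_rare and reasons:
        reasons.append("destination rarely seen from this host")
    return {"kind": kind, "alert": bool(reasons), "reasons": reasons}


# Constructed samples.
TLS_CLIENT_HELLO = bytes.fromhex("16030100a5010000a10303")  # record + handshake headers
SOCKS5_GREETING = b"\x05\x01\x00"                           # version 5, one method: no auth
SOCKS5_CONNECT = b"\x05\x01\x00\x01" + bytes([10, 0, 0, 5]) + struct.pack("!H", 443)
HTTP_GET = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"

if __name__ == "__main__":
    for label, sample in (("browser", TLS_CLIENT_HELLO), ("socks", SOCKS5_GREETING), ("http", HTTP_GET)):
        print(label, assess_session(443, sample, dst_is_rare=True))
    print(parse_socks5_request(SOCKS5_CONNECT))
```

The classifier only needs the first packet of payload in each direction, which is exactly what flow-level telemetry usually lacks and what full protocol analysis provides; combined with a rarity score for the destination it turns "an internal host talked to something on 443" into a ranked finding.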
Phase 5: Post-Exploitation Ecosystem
The InfoGuard investigation into VIPERTUNNEL’s infrastructure revealed connections to Pyramid, a Python-based post-exploitation C2 framework. Pyramid allows attackers to harvest credentials, run in-memory code, and deliver encrypted modules via ChaCha20 or XOR.
When the VIPERTUNNEL infrastructure was probed, researchers observed Pyramid-like HTTP 401 responses. The responses carried a modified WWW-Authenticate header, Basic realm="Proxy", instead of Pyramid’s default (Basic realm="Demo Realm").
While the age of the incident made definitive verification difficult, evidence strongly suggests that the attackers paired VIPERTUNNEL's stealthy communication tunnel with Pyramid's modular post-exploitation toolkit.
VIPERTUNNEL TTPs Mapped to MITRE ATT&CK and ExtraHop Detections
ExtraHop NDR Detection & Capabilities
VIPERTUNNEL creates a detection problem that spans endpoint, identity, and network telemetry. Endpoint artifacts can identify persistence and execution, but the malware’s operational value is realized through network behavior: proxying, tunneling, command-and-control, and traffic relay. Network visibility is therefore essential to detect and scope the activity.
ExtraHop RevealX can help identify VIPERTUNNEL-like behavior by analyzing network communications directly, including traffic patterns that may be difficult to interpret through endpoint telemetry alone. Relevant behaviors include new outbound SOCKS activity, command-and-control beaconing, tunnel-like sessions over TCP 443, and unusual external interactive traffic involving systems that do not normally communicate in that pattern.
For this intrusion pattern, correlation is the highest-value detection approach. A Python process launched from a nonstandard path is suspicious but may not be conclusive. A new outbound connection over TCP 443 may be routine. A scheduled task that launches pythonw.exe without arguments, followed by SOCKS-like proxy behavior to rare external infrastructure, is a much stronger signal. RevealX provides network-derived behavioral context that can help analysts connect those signals and prioritize the activity.
This matters because VIPERTUNNEL uses a common outbound port for an uncommon purpose. Port-based allowlisting and coarse flow telemetry may show only that an internal system communicated externally. Deeper protocol analysis, behavioral baselining, and decrypted visibility where available can help distinguish expected application traffic from tunneling or relay behavior.
In an Agentic SOC model, this context becomes even more important. AI-assisted workflows need structured, reliable information to reason over: which asset communicated, which identity was involved, what protocol behavior was observed, whether the destination is rare, and how the activity compares to baseline. Raw alerts and disconnected logs are not enough. Agents and analysts both need pre-correlated, behaviorally enriched telemetry that can help reconstruct the attack chain and support faster, more defensible triage.
The same network-derived context can support NOC workflows during security incidents that also have operational impact. Unauthorized tunnels, abnormal encrypted traffic, ransomware-linked command-and-control, and AI-driven or automated activity can affect both security and availability. A shared network source of truth gives SOC and NOC teams a consistent view of what changed, what was communicated, which systems may be affected, and whether the issue is isolated to a security event, a performance condition, or both.
This is where a unified NDR and NPM approach becomes useful. The same runtime visibility that helps a SOC identify VIPERTUNNEL-style tunneling can help a NOC understand abnormal traffic paths, unexpected dependencies, application degradation, and the operational blast radius of a compromised system. For organizations moving toward agent-assisted operations, that shared context gives human teams and automated workflows a more reliable basis for investigation and response.
For this intrusion pattern, the strongest analytic value comes from correlation: scheduled-task persistence, unusual Python execution, file-type masquerading, and outbound tunnel-like behavior become materially more meaningful when viewed together rather than as isolated events.
Conclusions and Recommendations
Technical Takeaways
- A Stealthy Relay: VIPERTUNNEL’s primary function is to serve as a persistent, post-compromise network proxy.
- Abusing Native Tools: It avoids detection by running a legitimate LOLBAS binary (pythonw.exe) and burying its execution logic inside the standard sitecustomize.py startup file.
- Network-Centric Risk: The loader's design focuses entirely on evading static file analysis, meaning its network behaviors (tunneling and proxying) are often the most reliable detection points.
Recommended Response
- Audit Scheduled Tasks: Monitor Windows Security logs for Event ID 4698 (Scheduled Task Created). Look closely at tasks that launch python.exe or pythonw.exe from irregular paths such as C:\ProgramData\cp49s\ without command-line arguments; this type of behavior is unusual in Windows environments.
- Inspect Python Paths: Regularly review sitecustomize.py and usercustomize.py scripts across your environment to ensure unauthorized users haven't modified them to auto-run malicious files.
- Detect File Mismatches: Configure endpoint and monitoring policies to flag non-binary text files masquerading under executable extensions (such as Python scripts named as .dll files).
- Baseline Outbound Egress: Monitor and alert on unexpected SOCKS connections and unusual TCP port 443 traffic that does not adhere to standard browser or application protocols.
- Unify Operations via ExtraHop: Leverage the combined NDR and NPM capabilities of ExtraHop RevealX to break down silos between your SOC and NOC, ensuring both teams can detect covert tunneling and assess operational risk simultaneously.
Additional Resources
- Google Cloud Security: Threat Horizons H1 2025 Report
- BushidoToken Threat Intel: Tracking Adversaries: EvilCorp, the RansomHub affiliate
- National Crime Agency Evil Corp: Behind the Screens
- InfoGuard Labs: Slithering Through the Noise - Deep Dive into the VIPERTUNNEL Python Backdoor
- Hackread: Ransomware-Linked ViperTunnel Malware Hits UK and US Businesses
- Cryptika: Hackers Hide VIPERTUNNEL Python Backdoor Inside Fake DLL and Obfuscated Loader Chain
- Trend Micro: Ransomware Spotlight: DragonForce