pyback

Malware

⚠️ Overview

PyBack is a Python-based backdoor malware first documented in late 2019 by researchers at PwC and Unit42, attributed to the Chinese state-sponsored threat group TA428 (also known as RedDelta or Mustang Panda). It falls under the category of a remote access trojan (RAT), primarily used for persistent covert access to compromised systems in targeted espionage campaigns.

🔧 Technical Capabilities

PyBack is written in Python and compiled into Windows executables using PyInstaller, employing HTTP-based command and control (C2) communication with encrypted payloads (typically AES-256-CBC). It establishes persistence via Windows Registry Run keys or scheduled tasks, and collects system information, process lists, and file listings before exfiltrating data via HTTP POST requests. The malware supports commands for file upload/download, command execution, and process termination, using a custom User-Agent string (e.g., Mozilla/5.0 (Windows NT 6.1)) to blend with normal traffic. Propagation is manual via spear-phishing attachments or lateral movement using stolen credentials, though PyBack itself does not include worm-like self-replication. Evasion techniques include obfuscation of Python scripts via base64 encoding and reliance on living-off-the-land binaries like PowerShell for secondary execution.

📜 History & Notable Incidents

PyBack was first observed in campaigns targeting government and diplomatic entities in Southeast Asia, notably Myanmar and the Philippines, between 2019 and 2021. A significant incident involved the compromise of a Myanmar government ministry, where PyBack was delivered via malicious Word documents exploiting CVE-2017-0199 (Microsoft Office remote code execution). No law enforcement actions have been publicly attributed to PyBack specifically, but the TA428 group was sanctioned by the US Treasury in 2021.

🔍 Detection Indicators

Known file hashes include MD5: a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6 (sample from Unit42 report); note that, as printed here, this string contains characters outside the hexadecimal range and so is not a well-formed MD5 digest, so verify it against the original report before loading it into a blocklist. Behavioral indicators include the creation of Scheduled Tasks named WindowsUpdateTask or AdobeFlashUpdater, registry modifications under HKCU\Software\Microsoft\Windows\CurrentVersion\Run, and outbound HTTP connections to IP ranges such as 45.77.xxx.xxx (ColoCrossing). The User-Agent string is typically Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36.
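The following is an added example of how a detection engineer might turn the indicators above into a hunt over endpoint telemetry; it is not code from this page, from Boteraser, or from the cited vendor reports. The event records are constructed in a simplified Sysmon-like shape (the exact schema is an assumption; adapt the field names to your SIEM), the /16 used for the 45.77.xxx.xxx range is an interpretation of the two octets given, and the MD5 string is only checked for format, not looked up anywhere.

```python
"""Hunt for the PyBack behavioural indicators listed in the profile.

Added example, not from the Boteraser page or any vendor tooling. Event
records are CONSTRUCTED in a simplified Sysmon-like shape; the schema is an
assumption. Indicator values are the ones stated in the profile.
"""
import re
from ipaddress import ip_address, ip_network

# Indicators stated in the profile.
SUSPICIOUS_TASK_NAMES = {"WindowsUpdateTask", "AdobeFlashUpdater"}
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
PYBACK_USER_AGENT = ("Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 "
                     "(KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36")
# The profile gives only the first two octets (45.77.xxx.xxx); modelled here as a /16 (assumption).
C2_RANGE = ip_network("45.77.0.0/16")

MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")


def is_valid_md5(digest: str) -> bool:
    """An MD5 digest is exactly 32 hex characters; anything else cannot be used as a hash IoC."""
    return bool(MD5_RE.match(digest))


def classify_event(event: dict) -> list:
    """Return the names of every indicator a single event matches (empty list if clean)."""
    hits = []
    kind = event.get("type")
    if kind == "task_created" and event.get("task_name") in SUSPICIOUS_TASK_NAMES:
        hits.append("scheduled_task_name")
    if kind == "registry_set" and event.get("key", "").lower() == RUN_KEY.lower():
        hits.append("run_key_persistence")
    if kind == "http_request":
        if event.get("user_agent") == PYBACK_USER_AGENT:
            hits.append("pyback_user_agent")
        try:
            if ip_address(event.get("dst_ip", "")) in C2_RANGE:
                hits.append("c2_ip_range")
        except ValueError:
            pass  # missing or malformed address: nothing to match on
    return hits


def hunt(events: list) -> dict:
    """Map the id of each event that matched at least one indicator to its hits."""
    return {e["id"]: h for e in events if (h := classify_event(e))}


# CONSTRUCTED sample telemetry: three events that should fire, two benign ones.
SAMPLE_EVENTS = [
    {"id": "e1", "type": "task_created", "task_name": "AdobeFlashUpdater"},
    {"id": "e2", "type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "updater"},
    {"id": "e3", "type": "http_request", "dst_ip": "45.77.12.34", "user_agent": PYBACK_USER_AGENT},
    {"id": "e4", "type": "http_request", "dst_ip": "93.184.216.34", "user_agent": "curl/8.0"},
    {"id": "e5", "type": "task_created", "task_name": "GoogleUpdateTaskMachineUA"},
]

if __name__ == "__main__":
    for event_id, hits in hunt(SAMPLE_EVENTS).items():
        print(event_id, hits)
    # The digest printed in the profile contains g..p, so it fails the format check.
    print(is_valid_md5("a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6"))
```

The User-Agent is a genuine Chrome 64 on Windows 7 string, so on its own it will also match ageing browsers; treat a match as a low-confidence signal and escalate when it co-occurs with the task-name, Run-key or destination-range hits on the same host.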

☠️ Risk & Impact

PyBack enables full remote control of infected endpoints, leading to theft of sensitive government documents, intellectual property, and credential harvesting. The primary impact is espionage and data exfiltration, with affected sectors including government, defense, and telecommunications in Southeast Asia. Financial losses are indirect but significant, including costs of incident response and reputational damage to targeted organizations.

🛡️ Mitigation

Recommended defenses include blocking known C2 IPs and domains via network firewalls, enabling PowerShell logging and script block logging to detect obfuscated Python execution (MITRE ATT&CK T1059.006), and deploying endpoint detection rules that flag PyInstaller-generated executables. Regular patching of Office vulnerabilities (especially CVE-2017-0199) and restricting macro execution are critical preventive measures.
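As an added illustration of the "flag PyInstaller-generated executables" rule above (not code from this page or from Boteraser), the scanner below looks for the archive cookie that PyInstaller's bootloader appends to every executable it builds. The magic bytes and the cookie layout are PyInstaller's own documented format; the tail-scan window size and the sample blobs are my assumptions and are constructed, not real samples.

```python
"""Flag PyInstaller-built executables by their trailing archive cookie.

Added example, not code from the Boteraser page. PyInstaller's CArchive ends
in a "cookie" that begins with the 8-byte magic MEI\x0c\x0b\x0a\x0b\x0e and,
since PyInstaller 2.1, is packed as !8sIIii64s: magic, archive length, TOC
offset, TOC length, Python version, bundled Python DLL name. The size of the
tail window searched is an assumption; the sample blobs are CONSTRUCTED.
"""
import struct
from typing import Optional

PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_FORMAT = "!8sIIii64s"
COOKIE_SIZE = struct.calcsize(COOKIE_FORMAT)  # 88 bytes
TAIL_SCAN_BYTES = 4096  # how far back from EOF to look for the magic (assumption)


def find_pyinstaller_cookie(data: bytes) -> Optional[dict]:
    """Return the parsed cookie if `data` carries a PyInstaller archive, else None."""
    tail = data[-TAIL_SCAN_BYTES:]
    pos = tail.rfind(PYINSTALLER_MAGIC)
    if pos == -1 or len(tail) - pos < COOKIE_SIZE:
        return None
    _magic, pkg_len, toc_pos, toc_len, pyvers, pylib = struct.unpack(
        COOKIE_FORMAT, tail[pos:pos + COOKIE_SIZE])
    return {
        "archive_length": pkg_len,
        "toc_offset": toc_pos,
        "toc_length": toc_len,
        "python_version": pyvers,  # encoded as e.g. 37 or 311 depending on PyInstaller release
        "python_library": pylib.rstrip(b"\x00").decode("ascii", "replace"),
    }


def is_pyinstaller_binary(data: bytes) -> bool:
    """Boolean wrapper suitable for an EDR or mail-gateway triage rule."""
    return find_pyinstaller_cookie(data) is not None


def build_fake_pyinstaller_tail(body: bytes, pyvers: int = 37,
                                pylib: bytes = b"python37.dll") -> bytes:
    """CONSTRUCTED sample: an arbitrary body followed by a well-formed cookie."""
    cookie = struct.pack(COOKIE_FORMAT, PYINSTALLER_MAGIC,
                         len(body) + COOKIE_SIZE, 0, 0, pyvers, pylib)
    return body + cookie


# CONSTRUCTED inputs: one fake PyInstaller build, one plain blob.
SAMPLE_PYINSTALLER = build_fake_pyinstaller_tail(b"MZ" + b"\x00" * 500)
SAMPLE_CLEAN = b"MZ" + b"\x00" * 500

if __name__ == "__main__":
    print(find_pyinstaller_cookie(SAMPLE_PYINSTALLER))
    print(is_pyinstaller_binary(SAMPLE_CLEAN))
```

Scanning a tail window rather than only the last 88 bytes matters because an Authenticode signature appended after the archive pushes the cookie away from EOF. Plenty of legitimate software is also packaged with PyInstaller, so this is a triage signal to combine with the behavioural indicators above, not a verdict on its own.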


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.