PyXie
⚠️ Overview
PyXie is a Python-based remote access trojan (RAT) first documented in December 2019 by Palo Alto Networks Unit 42, believed to be developed and operated by the Chinese-speaking threat group tracked as TA428. It is primarily used for targeted cyber espionage campaigns against government, defense, and technology sectors in Southeast Asia, particularly Myanmar and India.
🔧 Technical Capabilities
PyXie is a fully functional RAT written in Python 2.7, delivered via spear-phishing emails containing weaponized Microsoft Office documents that drop a PowerShell stager. The malware employs encrypted Command & Control (C2) communication over HTTPS using a custom protocol and uses domain generation algorithms (DGA) to cycle through fallback domains. Persistence is achieved through Windows scheduled tasks or registry Run keys. Evasion techniques include code obfuscation, anti-debugging checks, and packing with PyInstaller to hinder static analysis. PyXie can execute arbitrary shell commands, upload/download files, take screenshots, log keystrokes, and enumerate system information. It also supports a plugin system for modular functionality, such as credential theft via Mimikatz integration.
📜 History & Notable Incidents
PyXie was first publicly analyzed in a December 2019 Unit 42 report detailing its use against Myanmar’s military and government entities. In August 2020, the same group deployed PyXie alongside other malware (e.g., Cobalt Strike and China Chopper) in campaigns targeting Indian defense organizations. No CVEs are directly associated with PyXie itself, as it relies on social engineering and existing vulnerabilities in Microsoft Office (e.g., CVE-2017-11882, an Equation Editor flaw) to gain initial access. Law enforcement actions have not been publicly documented against PyXie operators as of 2025.
🔍 Detection Indicators
Known file hashes for PyXie payloads include SHA256: 5b1a4e6c8f2d0a3b7c9e1f4d5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a (example, see Unit 42 report for verified hashes). Behavioral signatures include scheduled task creation named “MicrosoftUpdateTask” or “JavaUpdater”, outbound HTTPS requests to domains with .tk or .ml TLDs, and User-Agent strings like “Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1)”. Registry modifications under HKCU\Software\Microsoft\Windows\CurrentVersion\Run with value name “SvchostService” are common persistence indicators.
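The behavioral indicators above can be turned into a simple host-log check. The script below is an added example written for this page, not code from Unit 42 or any vendor; the key=value event format it parses and the sample log lines it scans are constructed for the illustration. It matches the scheduled-task names, the .tk/.ml HTTPS destinations, the User-Agent string and the Run-key value name listed above, and reports how many distinct indicator types fired so that the weak User-Agent signal is not acted on alone.

```python
"""Scan constructed host-event log lines for the PyXie indicators listed above.

Added example, not code from the page's sources. The one-event-per-line
key=value format and the sample lines are assumptions made for this example.
"""
import re
from urllib.parse import urlparse

# Indicators taken from the "Detection Indicators" section.
SUSPICIOUS_TASK_NAMES = {"MicrosoftUpdateTask", "JavaUpdater"}
SUSPICIOUS_TLDS = {"tk", "ml"}
# Note: this UA string is also produced by legitimate clients; treat it as a
# weak signal to be combined with the others, not as a standalone alert.
SUSPICIOUS_USER_AGENT = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1)"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
SUSPICIOUS_RUN_VALUE = "SvchostService"

# key=value pairs; values may be double-quoted when they contain spaces.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_event(line):
    """Parse one key=value event line into a dict (quotes stripped)."""
    fields = {}
    for key, raw in _KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def check_event(ev):
    """Return a list of (indicator, detail) tuples matched by a single event."""
    hits = []
    kind = ev.get("event")
    if kind == "task_create" and ev.get("name") in SUSPICIOUS_TASK_NAMES:
        hits.append(("scheduled_task_name", ev["name"]))
    elif kind == "http_request":
        url = ev.get("url", "")
        host = urlparse(url).hostname or ""
        tld = host.rsplit(".", 1)[-1].lower() if "." in host else ""
        if url.startswith("https://") and tld in SUSPICIOUS_TLDS:
            hits.append(("suspicious_tld", host))
        if ev.get("user_agent") == SUSPICIOUS_USER_AGENT:
            hits.append(("user_agent", ev["user_agent"]))
    elif kind == "reg_set":
        if (ev.get("key", "").lower() == RUN_KEY.lower()
                and ev.get("value") == SUSPICIOUS_RUN_VALUE):
            hits.append(("run_key_value", ev["value"]))
    return hits


def scan_log(lines):
    """Scan log lines; return a list of (line_no, indicator, detail)."""
    findings = []
    for n, line in enumerate(lines, 1):
        for indicator, detail in check_event(parse_event(line)):
            findings.append((n, indicator, detail))
    return findings


def distinct_indicators(findings):
    """Set of distinct indicator types that fired (for corroboration)."""
    return {indicator for _, indicator, _ in findings}


# Constructed sample events (not real telemetry).
SAMPLE_LOG = [
    r"event=task_create name=MicrosoftUpdateTask",
    r"event=task_create name=BackupNightly",
    r'event=http_request url=https://cdn-update.example.tk/check '
    r'user_agent="Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1)"',
    r'event=http_request url=https://www.example.com/ user_agent="Mozilla/5.0 (Windows NT 10.0) Firefox"',
    r"event=reg_set key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run value=SvchostService",
    r"event=reg_set key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run value=OneDrive",
]

if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for line_no, indicator, detail in results:
        print(f"line {line_no}: {indicator} -> {detail}")
    print("distinct indicator types:", len(distinct_indicators(results)))
```

Running the script against the constructed sample lines reports four matches across four distinct indicator types; in practice the scheduled-task and Run-key hits are the ones worth escalating on their own, while the User-Agent and TLD matches should be corroborated before raising an alert.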
☠️ Risk & Impact
PyXie poses a high risk for data exfiltration, system compromise, and lateral movement within targeted networks. The malware has been linked to theft of sensitive military documents, diplomatic communications, and intellectual property from government and defense sectors. Financial losses are indirect but significant due to the value of stolen intelligence and remediation costs.
🛡️ Mitigation
Mitigation includes blocking execution of Python-based payloads via AppLocker or Windows Defender Application Control, enabling anti-phishing filters, and applying patches for known Office vulnerabilities (CVE-2017-11882). Network defenders should monitor for HTTPS traffic to suspicious domains and deploy the YARA rules provided in Unit 42’s analysis for PyXie-specific strings and PE characteristics.