{
	"id": "17bb9bc1-51ae-41f1-a461-f142a302ddac",
	"created_at": "2026-04-06T00:13:39.063448Z",
	"updated_at": "2026-04-10T03:19:59.070955Z",
	"deleted_at": null,
	"sha1_hash": "36a8e5df5ffb85bc4daa659b9b64cc8ffd5bb6da",
	"title": "Serpent – The Backdoor that Hides in Plain Sight",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2943113,
	"plain_text": "Serpent – The Backdoor that Hides in Plain Sight\r\nBy Threat Analysis Unit\r\nPublished: 2022-04-25 · Archived: 2026-04-02 11:41:46 UTC\r\nThis article was written by Darshan Rana.\r\nOverview:\r\nA new backdoor malware campaign known as ‘Serpent’ is targeting French government agencies and construction firms. To distribute the attack chain, the threat actor uses a macro-based Microsoft Word document. The attack vector abuses a third-party Windows package manager to install Serpent.\r\nThe initial document contains a macro that holds the malicious URL it connects to in order to download the payload. That payload later attempts to connect to a command-and-control (C2) server to steal sensitive data.\r\nBehavioural Summary:\r\nThe figure below shows an overall process chart of Serpent activity.\r\nFigure 1: Process Chart of Serpent Backdoor\r\nThe initial email contains a Microsoft Word document with a malicious macro script. When the user enables macros, the document starts to execute the malicious VBA macro code.\r\nhttps://blogs.vmware.com/security/2022/04/serpent-the-backdoor-that-hides-in-plain-sight.html\r\nPage 1 of 9\r\nFigure 2: GDPR Themed Document\r\nMacro content:\r\nFigure 3 below shows the malicious VBA macro of the document file, in which the malicious URL is found:\r\n“hxxps[://]www[.]fhccu[.]com/images/ship3[.]jpg”\r\nFigure 3: Macro view of Document\r\nThe above-mentioned URL is used to download a “ship3.jpg” file to the system. The malware detects and extracts steganographically embedded data from this file, which contains base64-encoded PowerShell commands, as shown in Figure 4.\r\nFigure 4: Downloaded Steganographic Image\r\nFigure 5: Extract the embedded code from Image File\r\nThe decoded PowerShell script is shown in Figure 6. This script downloads and installs Chocolatey, and then uses Chocolatey to install Python, including the pip package.\r\nhxxps[://]www[.]fhccu[.]com/images/7[.]jpg\r\nFigure 6: Base64 decoded PowerShell script\r\nThe above-mentioned URL is used to download a “7.jpg” file to the system. Just like “ship3.jpg” above, it contains a base64-encoded script embedded by steganography. The Python script stored within 7.jpg is saved as “MicrosoftSecurityUpdate.py”. This Python script creates a new .bat file and executes it. The executed .bat file then drops a further Python script that contains the final Serpent payload, shown in Figure 8.\r\nThe exploit chain wraps up by opening a shortened URL that leads to the Microsoft Office help site.\r\nFigure 7: Downloaded Image from payload\r\nFigure 8 below shows a portion of the decoded Python script, which identifies it as the actual Serpent backdoor.\r\nFigure 8: Extracted and Base64 decoded Python Script\r\nFor command and control (C2), the threat actor deploys a Tor proxy, for example:\r\ncmd_url_order = ‘hxxp[://]mhocujuh3h6fek7k4efpxo5teyigezqkpixkbvc2mzaaprmusze6icqd[.]onion[.]pet/index[.]html’\r\nThe Serpent backdoor pings this “cmd_url_order” server, located at an onion[.]pet Tor proxy domain, on a regular basis. These pings expect responses from the attacker that direct further command actions on the infected machine, to gain access or steal sensitive data.\r\nFigure 9: Extracted and Base64 decoded Python Script\r\nThe malware connects to termbin[.]com, a website associated with a command-line Pastebin application named Termbin, to transmit the results of any specified command. Termbin allows text to be blindly submitted to a central website and returns a URL at which that data can be accessed later. The malware transmits the data and extracts this unique URL.\r\nThe malware then sends a request to the “cmd_url_answer” server with the hostname and the Termbin URL included in the header.\r\ncmd_url_answer = ‘hxxp[://]ggfwk7yj5hus3ujdls5bjza4apkpfw5bjqbq4j6rixlogylr5x67dmid[.]onion[.]pet/index[.]html’\r\nThe attacker can use this “cmd_url_answer” URL to monitor the bin outputs and see the compromised host’s response.\r\nSerpent Attack Chain:\r\nThe Serpent backdoor cycle shown below explains how the attack vector works and how it proceeds.\r\nFigure 10: Serpent Backdoor Attack Chain\r\nMITRE ATT\u0026CK TIDs\r\nTID  Tactic  Description\r\nT1566.001  Initial Access  Phishing: Spearphishing Attachment\r\nT1059.001  Execution  Command and Scripting Interpreter: PowerShell\r\nT1059.005  Execution  Command and Scripting Interpreter: Visual Basic\r\nT1059.006  Execution  Command and Scripting Interpreter: Python\r\nT1041  Exfiltration  Exfiltration Over C2 Channel\r\nT1133  Persistence  External Remote Services\r\nT1027.003  Defense Evasion  Obfuscated Files or Information: Steganography\r\nTable 1: MITRE ATT\u0026CK TIDs\r\nYARA\r\nrule Serpent_Backdoor\r\n{\r\n    meta:\r\n        description = \"Serpent Backdoor\"\r\n        author = \"VMware Threat Research\"\r\n        exemplar_hashes = \"8912f7255b8f091e90083e584709cf0c69a9b55e09587f5927c9ac39447d6a19\"\r\n    strings:\r\n        $string1 = /www\\.fhccu\\.com\\/images\\/[a-z0-9A-Z]+\\.jpg/ nocase\r\n        $string2 = /Microsoft_Office_Word_Update-[0-9]+-[a-zA-Z]+\\.bat/ nocase\r\n        $string3 = \"NaHash\" wide ascii nocase\r\n        $string4 = \"Une mise a jour de Microsoft Word est necessaire\" wide ascii nocase\r\n        $string5 = /http:\\/\\/([a-zA-Z]+(\\d[a-zA-Z]+)+)\\.onion\\.pet\\/index\\.html/ nocase\r\n    condition:\r\n        all of them\r\n}\r\nIndicators of Compromise (IOCs)\r\nTable 2: Indicators of Compromise\r\nSource: https://blogs.vmware.com/security/2022/04/serpent-the-backdoor-that-hides-in-plain-sight.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blogs.vmware.com/security/2022/04/serpent-the-backdoor-that-hides-in-plain-sight.html"
	],
	"report_names": [
		"serpent-the-backdoor-that-hides-in-plain-sight.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434419,
	"ts_updated_at": 1775791199,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/36a8e5df5ffb85bc4daa659b9b64cc8ffd5bb6da.pdf",
		"text": "https://archive.orkl.eu/36a8e5df5ffb85bc4daa659b9b64cc8ffd5bb6da.txt",
		"img": "https://archive.orkl.eu/36a8e5df5ffb85bc4daa659b9b64cc8ffd5bb6da.jpg"
	}
}