{
	"id": "7ea8bcd6-8fce-4d62-a088-0553f95a45b5",
	"created_at": "2026-04-06T00:08:20.986247Z",
	"updated_at": "2026-04-10T13:11:39.733346Z",
	"deleted_at": null,
	"sha1_hash": "858741a00c18e59ff772017c61a717a0ca6e1a9f",
	"title": "Serpent malware campaign abuses Chocolatey Windows package manager",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3133551,
	"plain_text": "Serpent malware campaign abuses Chocolatey Windows package manager\r\nBy Bill Toulas\r\nPublished: 2022-03-21 · Archived: 2026-04-05 12:58:30 UTC\r\nThreat actors are abusing the popular Chocolatey Windows package manager in a new phishing campaign to install new 'Serpent' backdoor malware on systems of French government agencies and large construction firms.\r\nChocolatey is an open-source package manager for Windows that allows users to install and manage over 9,000 applications and any dependencies through the command line.\r\nIn a new phishing campaign discovered by Proofpoint, threat actors use an intricate infection chain consisting of macro-laced Microsoft Word documents, the Chocolatey package manager, and steganographic images to infect devices while bypassing detection.\r\nhttps://www.bleepingcomputer.com/news/security/serpent-malware-campaign-abuses-chocolatey-windows-package-manager/\r\nPage 1 of 5\r\nSteganography + Chocolatey to evade detection\r\nProofpoint researchers discovered a new phishing campaign targeting French organizations in the construction, real estate, and government industries.\r\nThe multi-step attack starts with a phishing email impersonating the European Union's General Data Protection Regulation (GDPR) agency. This email includes a Word document attachment containing malicious macro code.\r\nThe GDPR-themed document containing macro code (Proofpoint)\r\nIf opened and content is enabled, the malicious macro fetches an image of Swiper the Fox from the cartoon series Dora the Explorer.\r\nFox image containing encoded PowerShell (Proofpoint)\r\nHowever, this image is not entirely harmless, as it uses steganography to hide a PowerShell script that the macros will execute. Steganography is used to hide data, in this case malicious code, to evade detection by users and antivirus tools, as the file appears to be a regular image.\r\nThe PowerShell script will first download and install the Chocolatey Windows package manager, which is then used to install the Python programming language and the PIP package installer, as shown below.\r\nPowerShell script hidden within the image\r\nSource: BleepingComputer\r\nChocolatey is also being used to evade detection by security software, as it is commonly used in enterprise environments to manage software remotely and could be on an allowed list in IT environments.\r\n\"Proofpoint has not previously observed a threat actor use Chocolatey in campaigns,\" Proofpoint researchers explain in their report.\r\nEventually, a second steganographic image is downloaded to load the Serpent backdoor, which is Python-based malware, hence the need for the packages installed in the previous steps.\r\nSerpent's infection chain (Proofpoint)\r\nOnce loaded, the Serpent backdoor malware will communicate with the attacker's command and control server to receive commands to execute on the infected device.\r\nProofpoint says that the backdoor can execute any command sent by the attackers, allowing the threat actors to download further malware, open reverse shells, and gain complete access to the device.\r\nChocolatey told BleepingComputer that they were not aware that their software was being abused in this manner and are looking into it.\r\nLikely a new threat actor\r\nApart from the custom backdoor (Serpent) and the abuse of Chocolatey, which hasn't been previously observed in the cyberthreat space, Proofpoint also noticed a novel application of signed binary proxy execution using schtasks.exe, essentially a new detection bypass technique.\r\nThese elements indicate that the threat actor is a new group, characterized by high sophistication and capabilities, and not linked to other known operatives.\r\nProofpoint couldn't detect anything that may be used to attribute the activity to a particular threat actor, which is indicative of the actor's overall operational security.\r\nWhile the goal of the unknown adversary hasn't been determined yet, it appears that the tactics point towards espionage, with data access, host control, and the installation of additional payloads being the main pillars of the attacks.\r\nUpdate 24 March 2022 - Chocolatey has published a blog post on its site to address common questions and ease the worries of its userbase about the software being vulnerable to exploitation.\r\nSource: https://www.bleepingcomputer.com/news/security/serpent-malware-campaign-abuses-chocolatey-windows-package-manager/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/serpent-malware-campaign-abuses-chocolatey-windows-package-manager/"
	],
	"report_names": [
		"serpent-malware-campaign-abuses-chocolatey-windows-package-manager"
	],
	"threat_actors": [],
	"ts_created_at": 1775434100,
	"ts_updated_at": 1775826699,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/858741a00c18e59ff772017c61a717a0ca6e1a9f.pdf",
		"text": "https://archive.orkl.eu/858741a00c18e59ff772017c61a717a0ca6e1a9f.txt",
		"img": "https://archive.orkl.eu/858741a00c18e59ff772017c61a717a0ca6e1a9f.jpg"
	}
}