{
	"id": "cf54ebc7-0893-43c6-a028-66da4b6f0f01",
	"created_at": "2026-04-06T00:18:20.560287Z",
	"updated_at": "2026-04-10T13:12:03.09042Z",
	"deleted_at": null,
	"sha1_hash": "8fe50793a044c312dbc634319865b897ef30a732",
	"title": "Malicious 'pymafka' Package Drops Cobalt Strike | Sonatype",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 762840,
	"plain_text": "Malicious 'pymafka' Package Drops Cobalt Strike | Sonatype\r\nBy Ax Sharma\r\nPublished: 2022-05-20 · Archived: 2026-04-05 16:11:00 UTC\r\nThis week, Sonatype's automated malware detection bots discovered a malicious Python package, 'pymafka', in the PyPI registry.\r\nThe package appears to typosquat the legitimate and popular library PyKafka, a programmer-friendly Apache Kafka client for Python. The discovery follows our report earlier this month of another typosquat targeting the Apache Kafka project.\r\nPyKafka includes Python implementations of Kafka producers and consumers and has been retrieved over 4,240,305 times by user-initiated downloads and mirrors/bots alike. By contrast, the malicious 'pymafka' shows a download count of around 300, as Sonatype promptly reported the finding to PyPI.\r\nPyMafka Drops Cobalt Strike on Windows, MacOS\r\nOn May 17, 2022, a mysterious 'pymafka' package appeared on the PyPI registry. The package was soon flagged by the Sonatype Repository Firewall's automated malware detection capabilities.\r\nThe package 'pymafka' may sound identical to the popular PyKafka, but its insides reveal a different story.\r\nThe 'setup.py' Python script inside 'pymafka' first detects your platform. Depending on whether you are running Windows, MacOS, or Linux, an appropriate malicious Trojan is downloaded and executed on the infected system.\r\nhttps://blog.sonatype.com/new-pymafka-malicious-package-drops-cobalt-strike-on-macos-windows-linux\r\nPage 1 of 5\n\nThe Trojan in question is a Cobalt Strike (CS) beacon. Cobalt Strike is a pen-testing software tool typically used by red teams and ethical hackers for simulating real-world cyberattacks, especially during security assessments. But time and time again, attackers, including ransomware groups like LockBit, have abused Cobalt Strike to infect victims.\r\nInterestingly, as evident from the code below, on Windows systems the Python script attempts to drop the Cobalt Strike beacon at 'C:\\Users\\Public\\iexplorer.exe'. Note that this misspelling stands out: the legitimate Microsoft Internet Explorer process is called \"iexplore.exe\" (no 'r' at the end) and isn't present in the C:\\Users\\Public directory.\r\nThe malicious executables being downloaded are 'win.exe' [VirusTotal] and 'MacOS' [VirusTotal], with their names corresponding to their target operating systems. Both are downloaded from the IP address 141.164.58[.]147, hosted by the cloud provider Vultr.\r\nThese executables attempt to contact the China-based IP 39.106.227[.]92, which is assigned to Alisoft (Alibaba).\r\nLess than a third of antivirus engines detected the samples as malicious at the time of our submission to VirusTotal, although that is still a better detection rate than the zero detections seen in some of our earlier discoveries.\r\nOn Windows, we observed that the payload also kept persistently polling the '/updates.rss' endpoint and sending encrypted cookie values in requests, a behavior consistent with Cobalt Strike beacons.\r\nGET /updates.rss HTTP/1.1\r\nAccept: */*\r\nCookie: mZoD7LYrA/...\r\nUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; LG; LG-E906)\r\nHost: 39.106.227.92:8445\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\nFor Linux systems, the Python script attempts to download and run an \"env\" executable from the IP address 39.107.154[.]72 (also Alibaba-owned), which at the time of analysis was down.\r\nWe reported these findings to the PyPI registry shortly after catching and analyzing the package, and the malicious package was taken down yesterday, just before reaching ~300 downloads.\r\nFile IOCs:\r\nThe indicators of compromise (IOCs) associated with this campaign are given below.\r\nwin.exe: 137edba65b32868fbf557c07469888e7104d44911cd589190f53f6900d1f3dfb\r\nMacOS: b117f042fe9bac7c7d39eab98891c2465ef45612f5355beea8d3c4ebd0665b45\r\nPython package 'pymafka-3.0.tar.gz': 4de4f47b7f30ae31585636afd0d25416918d244fcc9dfe50967a47f68bb79ce1\r\nSonatype Repository Firewall Users Remain Protected\r\nIt's been a busy start to the month already.\r\nDue to the heavy influx of malicious packages lately, we have launched This Week in Malware digests, published every Friday and delivered automatically to blog subscribers.\r\nEarlier this month, Sonatype reported attackers typosquatting the popular npm library 'colors', and not for the first time either. Last week, we came across even more 'colors' typosquats and a malicious Rust package, 'rustdecimal', that uses evasive XOR encryption to drop malware.\r\nWe further analyzed a different Apache Kafka typosquat and reported several dependency confusion packages to both the npm and PyPI registries, thereby keeping the open source community and our customers safe.\r\nAnd as predicted, attacks on open source registries continue to surge while the cybersecurity community from across the world is focused on battling the ongoing international crisis.\r\nBetween March and April, we reported on a sharp uptick in open source attacks after discovering a 'fix-crash' info-stealer and 500+ malicious npm packages. That was on top of the 400+ packages targeting Azure, Airbnb, and Uber developers discovered recently.\r\nUsers of Sonatype Repository Firewall can rest easy knowing that such malicious packages would automatically be blocked from reaching their development builds.\r\nSonatype Repository Firewall instances will automatically quarantine any suspicious components detected by our automated malware detection bots while a manual review by a researcher is in the works, thereby keeping your software supply chain protected from the start.\r\nSonatype's world-class security research data, combined with our automated malware detection technology, safeguards your developers, customers, and software supply chain from infections.\r\nTags\r\nvulnerabilities PyPI malware prevention pypi vulnerability DevZone Sonatype Repository Firewall\r\nSource: https://blog.sonatype.com/new-pymafka-malicious-package-drops-cobalt-strike-on-macos-windows-linux",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.sonatype.com/new-pymafka-malicious-package-drops-cobalt-strike-on-macos-windows-linux"
	],
	"report_names": [
		"new-pymafka-malicious-package-drops-cobalt-strike-on-macos-windows-linux"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434700,
	"ts_updated_at": 1775826723,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8fe50793a044c312dbc634319865b897ef30a732.pdf",
		"text": "https://archive.orkl.eu/8fe50793a044c312dbc634319865b897ef30a732.txt",
		"img": "https://archive.orkl.eu/8fe50793a044c312dbc634319865b897ef30a732.jpg"
	}
}