New ‘PyXie’ RAT Used Against Multiple Industries

A new Python-based remote access Trojan (RAT) has been used in campaigns targeting a wide range of industries, BlackBerry Cylance revealed this week.


Dubbed PyXie, the malware has been active since last year but has received little attention, even though it has been observed in conjunction with Cobalt Strike beacons and a downloader seemingly linked to the Shifu banking Trojan.

The list of targeted industries includes education, conglomerate, manufacturing, healthcare, technology, IT, government, software, engineering, apparel, retail, facilities management, and recycling, BlackBerry Cylance told SecurityWeek.

The company’s researchers also discovered ransomware on several PyXie-infected machines belonging to healthcare and education organizations.

As part of the PyXie attacks, legitimate LogMeIn and Google binaries were used to sideload the first-stage DLL, which then locates its encrypted payload. The second stage installs itself, fingerprints the victim machine, achieves persistence, and spawns a new process into which it injects the third stage.

Mutexes are created to ensure that only a single payload instance is running at a time. If it has infected a process that runs with admin privileges, the second stage attempts to escalate its own privileges by creating a temporary service and respawning as a LOCAL SYSTEM process.

The third stage is a downloader named Cobalt Mode, which shares similarities with the Shifu banker. The malware was designed to connect to a command and control (C&C) server, fetch an encrypted payload and decrypt it, map and execute the payload in the address space of the current process, and then spawn a new process for code injection.

Cobalt Mode can check whether it is running in a sandbox or virtual machine (VM), whether a smart card reader is attached to the victim machine, and whether a man-in-the-middle (MitM) attack is being performed to intercept its requests.

The final stage of the attack is the full-featured Python RAT called PyXie RAT, which can perform MitM interception, web-injects, keylogging, credential harvesting, network scanning, cookie theft, log clearing, video recording, payload execution, USB drive monitoring and data exfiltration, certificate theft, and software inventorying.

Other features of the malware include a WebDav server, Socks5 proxy, and Virtual Network Connection (VNC), along with the ability to enumerate domains using Sharphound.

The backdoor communicates with its C&C via HTTP/HTTPS, but also via comments left in GitHub gists. Based on received commands, it can download and execute files, update itself, retrieve specific data, perform scans, retrieve screenshots, reboot the system, clear cookies, and uninstall itself.
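The gist-comment channel described above is one defenders can look for in web-proxy telemetry. The following Python sketch is an added example, not code from the article or from the BlackBerry Cylance report: it groups requests to the gist comments API by client and gist id and flags series whose polling interval is too regular for human browsing. The log format, IP addresses, gist ids and thresholds are constructed assumptions.

```python
"""Added example: flag beacon-like polling of GitHub gist comment endpoints in proxy logs."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Gist comments API path (the channel the article describes); the gist id is captured.
GIST_COMMENTS_RE = re.compile(r"^https://api\.github\.com/gists/([0-9a-z]+)/comments")

# Constructed sample proxy log, one "<UTC timestamp> <client IP> <URL>" per line (hypothetical).
SAMPLE_LOG = """\
2019-11-01T10:00:00Z 10.0.0.5 https://api.github.com/gists/c0ffee01/comments
2019-11-01T10:00:03Z 10.0.0.5 https://github.com/login
2019-11-01T09:00:00Z 10.0.0.7 https://api.github.com/gists/c0ffee01/comments
2019-11-01T10:05:01Z 10.0.0.5 https://api.github.com/gists/c0ffee01/comments
2019-11-01T09:00:30Z 10.0.0.7 https://api.github.com/gists/c0ffee01/comments
2019-11-01T10:09:59Z 10.0.0.5 https://api.github.com/gists/c0ffee01/comments
2019-11-01T10:00:30Z 10.0.0.7 https://api.github.com/gists/c0ffee01/comments
2019-11-01T10:15:02Z 10.0.0.5 https://api.github.com/gists/c0ffee01/comments
2019-11-01T10:02:30Z 10.0.0.7 https://api.github.com/gists/c0ffee01/comments
2019-11-01T10:20:00Z 10.0.0.5 https://api.github.com/gists/c0ffee01/comments
2019-11-01T11:00:00Z 10.0.0.9 https://api.github.com/gists/deadb33f/comments
2019-11-01T11:45:00Z 10.0.0.9 https://api.github.com/gists/deadb33f/comments
"""

def parse_log(text):
    """Group request times by (client, gist id), keeping only gist comment polls."""
    series = defaultdict(list)
    for line in text.splitlines():
        ts, src, url = line.split(" ", 2)
        m = GIST_COMMENTS_RE.match(url)
        if m:
            series[(src, m.group(1))].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    return series

def detect_gist_beacons(text, min_hits=4, max_jitter=0.1):
    """Flag series whose inter-request gaps are too regular for a human; jitter is
    the coefficient of variation (stdev / mean) of the gaps between requests."""
    findings = []
    for (src, gist), times in parse_log(text).items():
        if len(times) < max(min_hits, 3):  # need at least two gaps for a stdev
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        jitter = statistics.stdev(gaps) / mean if mean else 0.0
        if jitter <= max_jitter:
            findings.append({"src": src, "gist": gist, "hits": len(times),
                             "period_s": round(mean), "jitter": round(jitter, 3)})
    return findings
```

In the constructed sample, only 10.0.0.5 polls on a near-constant five-minute cycle; the irregular client and the two-hit client are left alone, which is the trade-off to tune against legitimate automation that also talks to the gists API.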

PyXie RAT was seen being deployed by, and in conjunction with, Cobalt Strike and a custom loader, which is a trojanized open-source Tetris game also abused in ransomware attacks.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
