Security experts have discovered that cybercriminals are taking advantage of a Python based backdoor to keep ongoing access to infected computers. After they gain this foothold, they release a ransomware known as RansomHub across the victim’s network.

You might be interested in: Microsoft Unveils Patched Security Flaw in macOS SIP

SocGholish Enables Initial Access

According to research by GuidePoint Security, the JavaScript malware SocGholish (also called FakeUpdates) is behind the first point of entry. SocGholish spreads through drive-by downloads that trick users into installing fake browser updates. These attacks often rely on black hat Search Engine Optimization (SEO) methods that steer users from search results to legitimate websites that have been compromised.

When SocGholish runs, it contacts a server controlled by the attackers to download additional malicious files. In many cases, it exploits out-of-date WordPress sites that have older versions of popular SEO plugins like Yoast (CVE-2024-4984) and Rank Math PRO (CVE-2024-3665).

Python Backdoor Emerges

In one case studied by GuidePoint Security, the Python backdoor appeared around 20 minutes after SocGholish first infected the system. After that, the attackers used Remote Desktop Protocol (RDP) sessions to move through the network and install the backdoor on other machines.

This backdoor connects to a fixed IP address and works like a reverse proxy. It sets up a SOCKS5-based tunnel once it completes the initial command-and-control handshake. With this tunnel, the attackers can move around inside the network using the infected system as a gateway.

Researchers point out that this Python script has been around since at least early December 2023. An older version of it was shared by ReliaQuest in February 2024. The latest versions show small changes that make it harder to detect. Experts also noticed that the script looks well-organized and easy to follow, hinting that the developers might be using AI tools or are simply very careful about writing clear, testable Python code.

Additional Tools for Ransomware Deployment

This Python backdoor is not the only sign of an upcoming ransomware attack. A security company called Halcyon reported that the attackers also rely on:

• EDRSilencer and Backstab to turn off Endpoint Detection and Response (EDR) software.
• LaZagne to steal passwords from infected systems.
• MailBruter to guess email account credentials by brute force.
• Sirefef and Mediyes to deliver extra malware and keep a hidden line into the network.

Ransomware Targets Amazon S3 Buckets

Researchers have also noticed that Amazon S3 storage is a new target for ransomware attacks. Criminals are using Server-Side Encryption with Customer Provided Keys (SSE-C) from Amazon Web Services to lock up the victim’s files. One group, known as Codefinger, has been connected to these attacks. They exploit leaked AWS keys that let them read and write data in S3 buckets.

By using Amazon’s own services, attackers make the encryption both secure and impossible to undo without their key. They also use an aggressive tactic by scheduling the files to be deleted within seven days if the victim doesn’t pay up.

Rapid-Fire Phishing Scams

In another development, a company called SlashNext has seen a rise in “rapid-fire” phishing attempts. Attackers send victims over 1,100 fake emails that look like newsletters or payment reminders in a short period of time. Feeling overwhelmed, victims often drop their guard. At that point, the scammers reach out by phone or Microsoft Teams, acting as help desk employees. They try to convince people to install remote desktop tools like TeamViewer or AnyDesk. Once installed, the attackers can quietly slip into the system, spread through the network, or launch malicious software to steal data.