Malware, Apr 14, 2026

Ransomware-Linked ViperTunnel Malware Hits UK and US Businesses

ViperTunnel Python backdoor linked to DragonForce ransomware targets UK and US Windows servers.

Summary

ViperTunnel, a Python-based backdoor attributed to UNC2165, has been discovered targeting UK and US businesses. The malware is often deployed following FAKEUPDATES infections and maintains persistent access before selling entry to ransomware groups like RansomHub. Researchers warn the threat is evolving toward Linux support, suggesting expansion to enterprise infrastructure.

Full text

by Deeba Ahmed, April 14, 2026 (2 minute read)

A new Python-based backdoor, dubbed ViperTunnel, has been found hiding in the networks of UK and US businesses, according to the latest investigation by research firm InfoGuard. The malware has reportedly been in development since late 2023 and is often deployed as a follow-up to FAKEUPDATES (SocGholish) infections. It is currently being used to maintain long-term access to systems before that entry is sold to major ransomware groups like RansomHub.

The Fake File Trick

The discovery began during a response to a DragonForce ransomware attack. Researchers noted an unusual scheduled task on Windows machines named 523135538. Probing further, they found that the attackers were abusing a file named sitecustomize.py located in C:\ProgramData\cp49s\Lib\. sitecustomize is a standard Python hook module: because the interpreter imports it automatically at startup, a malicious copy placed on the module path runs the attackers' code every time Python launches, without any manual input.

The backdoor itself was disguised as a system file named b5yogiiy3c.dll. Despite the name, it is a Python script posing as a system library, and to hinder anyone reading it, the attackers wrapped its code in three layers of obfuscation: Base85 encoding, zlib compression, and AES and ChaCha20 encryption. “The script leverages ctypes to invoke Python C API functions,” researchers noted, explaining how the code determines whether it is being run on its own or as part of a larger task.

When installed, ViperTunnel first creates a SOCKS5 proxy over port 443, the same port used for standard HTTPS web browsing. This is done to make the stolen data nearly impossible to spot amid regular traffic.
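As an added example (not InfoGuard's or Hackread's code), the helpers below show how a defender could hunt for the persistence pattern described above: they flag sitecustomize.py files outside an assumed allow-list of interpreter directories, spot scheduled-task names made only of digits, and tell a genuine DLL (MZ header) from a Python script carrying a .dll name. The allow-list, the text markers and the sample directory tree are assumptions constructed for the demonstration, not indicators from the report.

```python
import os
import sys
import tempfile

# Assumed allow-list: directories where a sitecustomize.py is expected to live.
KNOWN_PYTHON_ROOTS = ("C:\\Python", "C:\\Program Files\\Python", "/usr/lib/python")

def classify_dll_bytes(data: bytes) -> str:
    """A genuine Windows DLL starts with the 'MZ' PE header; a Python
    script carrying a .dll name (as b5yogiiy3c.dll did) does not."""
    if data[:2] == b"MZ":
        return "pe"
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return "unknown"
    markers = ("import ", "def ", "ctypes", "zlib", "base64")  # assumed heuristics
    return "python-script" if any(m in text for m in markers) else "unknown"

def is_suspicious_task_name(name: str) -> bool:
    """Flag scheduled tasks named only by digits, like the 523135538 task."""
    return name.isdigit()

def find_suspicious_sitecustomize(root, known_roots=KNOWN_PYTHON_ROOTS):
    """Walk root and return sitecustomize.py files outside known interpreters."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if "sitecustomize.py" in files:
            path = os.path.normcase(os.path.join(dirpath, "sitecustomize.py"))
            if not any(path.startswith(os.path.normcase(k)) for k in known_roots):
                hits.append(path)
    return sorted(hits)

def loaded_sitecustomize_path():
    """Which sitecustomize did this interpreter auto-import at startup, if any?"""
    return getattr(sys.modules.get("sitecustomize"), "__file__", None)

def build_sample_tree():
    """Constructed sample tree mirroring the page's layout; returns (root, legit)."""
    root = tempfile.mkdtemp()
    legit = os.path.join(root, "Python311", "Lib")          # assumed legit install
    evil = os.path.join(root, "ProgramData", "cp49s", "Lib")  # layout from the article
    for d in (legit, evil):
        os.makedirs(d)
        with open(os.path.join(d, "sitecustomize.py"), "w") as f:
            f.write("import sys\n")
    with open(os.path.join(evil, "b5yogiiy3c.dll"), "w") as f:
        f.write("import ctypes, zlib, base64\n")  # a script, not a PE image
    return root, legit
```

Run find_suspicious_sitecustomize against C:\ on a real host with the allow-list set to the interpreters you actually ship; a hit under ProgramData is worth pulling for analysis.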
[Figure: Attack flow (Source: InfoGuard)]

From Messy Code to Professional Tool

Evidence suggests ViperTunnel is the work of UNC2165, a group closely linked to the notorious EvilCorp. It is often used alongside ShadowCoil, a credential-stealing tool that targets Chrome, Firefox, and Edge. According to the researchers, the malware has matured considerably over time: in December 2023 it was full of typos like “deamon” and “verifing,” but by September 2024 its developers were using PyOBFUSCATE to hide their work. By late 2025, it had become a professional tool with a modular design built from three parts: Wire, Relay, and Commander.

The most concerning find was a new check for TracerPid in Linux system files, a value commonly read to detect whether a process is being debugged. Although the current attacks target Windows, this finding has perplexed researchers, who suspect the hackers could be preparing a version for Linux servers to create a cross-platform framework.

Most of the control servers are hosted in the US for now, but the code’s stealthy nature means it may remain undetected in networks for months. As the hackers keep improving their code, researchers warn that this may soon allow them to target Linux servers used by large businesses.

[Figure: Host countries list (Source: InfoGuard)]

Deeba Ahmed is a veteran cybersecurity reporter at Hackread.com with over a decade of experience covering cybercrime, vulnerabilities, and security events.

Indicators of Compromise

  • malware — ViperTunnel
  • malware — DragonForce
  • malware — FAKEUPDATES (SocGholish)
  • malware — ShadowCoil
  • malware — RansomHub

Entities

  • ViperTunnel (product)
  • UNC2165 (threat_actor)
  • EvilCorp (threat_actor)
  • SOCKS5 proxy (technology)