Security researchers from Intrinsec have published a comprehensive analysis revealing significant overlaps in infrastructure between multiple ransomware operations and the open-source offensive tool, Eye Pyramid.
Their investigation, which began by examining a Python backdoor used by the RansomHub ransomware group, uncovered a network of interconnected command-and-control (C2) servers, bulletproof hosting providers, and shared toolsets fueling high-profile cybercriminal campaigns.
RansomHub’s Python Backdoor
The analysis traces back to findings published by GuidePoint Security in January 2025, which detailed a Python-based backdoor employed by RansomHub affiliates for persistent post-compromise access.
Researchers observed that this access was commonly leveraged to deploy RansomHub ransomware, often in infection chains originating from the SocGholish loader, as corroborated by other cybersecurity teams including Reliaquest, Cyber New Jersey, and Microsoft.
By examining IP addresses linked to the Python backdoor’s C2 infrastructure, Intrinsec analysts identified a total of 26 unique IPs (12 more than those originally reported), all exposing a distinct HTTP banner on common ports.
This banner, easily discoverable via Shodan queries, became a critical fingerprint for expanding the investigation.
Discovery and Analysis of Eye Pyramid C2
The infrastructure pivoting led to the discovery of servers exposing a similar – but not identical – authentication banner.
The key difference was the “realm” field, which read as “Demo Realm” on new addresses, versus “auth” on the original backdoor infrastructure.
VirusTotal community tags and direct code inspection on Eye Pyramid’s official GitHub repository confirmed these “Demo Realm” banners as unique markers of Eye Pyramid C2 servers.
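As an added illustration of the banner pivot described above (example code, not from Intrinsec's report or the Eye Pyramid project): a small Python classifier that pulls the realm out of a captured HTTP 401 response head and labels it by the two realm values the researchers reported. The Basic-auth header layout, the label names and the sample banners are constructed assumptions, not real captures.

```python
import re
from typing import Optional

# Realm values reported in the write-up: "auth" on the RansomHub Python
# backdoor C2s, "Demo Realm" on Eye Pyramid C2s. Matching is exact, because
# the realm string itself is the fingerprint. The labels are this example's own.
KNOWN_REALMS = {
    "auth": "ransomhub-python-backdoor",
    "Demo Realm": "eye-pyramid-c2",
}

# realm="quoted value" or realm=token inside a WWW-Authenticate challenge.
_REALM_RE = re.compile(r'realm\s*=\s*(?:"([^"]*)"|([^\s,]+))', re.IGNORECASE)


def extract_realm(raw_response: str) -> Optional[str]:
    """Return the realm of the first WWW-Authenticate header, or None.

    raw_response is the HTTP response head (status line plus headers) as
    text, the way a banner grab or a Shodan record presents it.
    """
    head = re.split(r"\r?\n\r?\n", raw_response, maxsplit=1)[0]
    for line in re.split(r"\r?\n", head)[1:]:      # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "www-authenticate":
            m = _REALM_RE.search(value)
            if m:
                return m.group(1) if m.group(1) is not None else m.group(2)
    return None


def classify_banner(raw_response: str) -> str:
    """Label a banner as a known C2 family, 'unknown-401', or 'no-match'."""
    realm = extract_realm(raw_response)
    if realm is None:
        return "no-match"
    return KNOWN_REALMS.get(realm.strip(), "unknown-401")


# Constructed sample banners (assumed header shape, not real captures).
SAMPLES = {
    "backdoor": 'HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm="auth"\r\n\r\n',
    "eyepyramid": 'HTTP/1.0 401 UNAUTHORIZED\r\nWWW-Authenticate: Basic realm="Demo Realm"\r\n\r\n',
    "other": 'HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm="Router Admin"\r\n\r\n',
    "plain": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>",
}

if __name__ == "__main__":
    for label, banner in SAMPLES.items():
        print(f"{label:>11}: {classify_banner(banner)}")
```

Feeding exported Shodan or banner-grab records through classify_banner gives a first triage bucket; a realm hit is a lead for further pivoting, not proof on its own.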
Eye Pyramid, open-sourced by developer “naksyn” in 2022 and presented at DEF CON, is a Python-based, memory-resident C2 framework designed for stealthy deployment of post-exploitation tools. Its effectiveness stems from its use of the legitimate python.exe binary to evade endpoint detection and response (EDR) solutions.
Since mid-January 2025, an increasing number of IPs with Eye Pyramid signatures have been reported, many of which were found deploying additional malicious payloads such as Cobalt Strike, Sliver, Rhadamanthys, and the Rhysida ransomware.
Overlap With Ransomware Clusters and Bulletproof Hosting
Intrinsec’s research highlighted that many Eye Pyramid C2 servers are hosted on well-known bulletproof hosting providers, such as Limenet, Aeza, and Railnet.
Notably, several servers are linked to “gaming hosting” services, such as AS 215439 (Play2go International Limited), which appear to act as legitimate fronts but are abused for illicit purposes.
The notorious bulletproof provider CrazyRDP, operating under Limenet and its sub-brands (including EKABI and Nybula), was also identified as a key player, recently migrating operations to evade blacklisting.
Aeza International Ltd. (AS 210644), known for hosting C2 infrastructure for prominent cybercrime actors like TA577, was frequently observed in the new clusters.
Technical Links: The JSON File Connection
Researchers uncovered a JSON file acting as a common thread between various C2 infrastructures. Analysis on VirusTotal indicated this file was served by both RansomHub’s Python backdoor servers and Eye Pyramid C2 instances.
Many IPs involved were previously tied to ransomware campaigns, including Rhysida, Vice Society, and BlackCat.
The file content matched default error responses in Eye Pyramid’s server codebase, suggesting not only infrastructure overlap but likely code-sharing or configuration alignment between different ransomware clusters.
Advanced fingerprinting using SSL JARM signatures linked Sliver and Eye Pyramid C2s, unveiling still more IPs associated with malicious campaigns.
The identification of distinct machine names, such as “WIN-4NHED479K4N,” further