CyberSecurityBoard
Sponsor Register Login

Researchers Unboxed FIN7's Stealthy Python-based Anubis Backdoor

The Python-based malware, dubbed “Anubis Backdoor,” represents an evolution in the group’s tactics, techniques, and procedures (TTPs) that have historically caused billions in damages globally. Cyber Security News is a Dedicated News Platform For Cyber News, Cyber Attack News, Hacking News & Vulnerability Analysis. The key component, a script named “conf.py,” had remarkably low detection rates when first submitted to VirusTotal, demonstrating the effectiveness of the group’s obfuscation techniques. According to security researchers, what makes Anubis Backdoor particularly concerning is its minimal footprint and sophisticated anti-forensic capabilities. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news. FIN7’s implementation demonstrates their continued evolution from earlier campaigns, using Python to create a backdoor that blends with normal system operations. The analysis revealed a multi-layered attack combining legitimate programming techniques with advanced obfuscation to mask malicious intent. The malware uses a combination of encryption, obfuscation, and temporary file execution that makes detection and analysis significantly more challenging. This sophisticated toolset provides FIN7 with flexible remote access capabilities that blend with legitimate network traffic, making it a formidable threat to organizations worldwide. The malware maintains persistence through Windows Registry, storing its command and control (C2) configuration under “HKEY_CURRENT_USER\Software\FormidableHandlers” or similar randomized key names. G Data researchers identified that initial infection occurs through a seemingly innocent ZIP archive containing multiple Python files, distributed via targeted phishing campaigns. Cybersecurity experts have identified a sophisticated new backdoor tool developed by the notorious financial cybercrime group FIN7. Communication with C2 servers happens over HTTP ports (80/443), with traffic obfuscation using Base64 encoding and custom alphabet substitution. The backdoor’s command set enables complete system control, including file operations, environment reconnaissance, and dynamic C2 updates. Tushar is a Cyber security content editor with a passion for creating captivating and informative content.

This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 21 Mar 2025 15:30:19 +0000


Cyber News related to Researchers Unboxed FIN7's Stealthy Python-based Anubis Backdoor

Researchers Unboxed FIN7's Stealthy Python-based Anubis Backdoor - The Python-based malware, dubbed “Anubis Backdoor,” represents an evolution in the group’s tactics, techniques, and procedures (TTPs) that have historically caused billions in damages globally. Cyber Security News is a Dedicated ...
20 hours ago Cybersecuritynews.com FIN7
Python 2 EOL: Coping with Legacy System Challenges - Python 2.7 was the last major version in the 2.x series of this software language, which was launched on July 3, 2010 and was officially maintained and supported until January 1, 2020. At that point, when the Python 2 EOL phase began, the legacy ...
1 year ago Securityboulevard.com
BianLian GOs for PowerShell After TeamCity Exploitation - In conjunction with GuidePoint's DFIR team, we responded to an incident that began with the exploitation of a TeamCity server which resulted in the deployment of a PowerShell implementation of BianLian's GO backdoor. The threat actor identified a ...
1 year ago Securityboulevard.com CVE-2024-27198 CVE-2023-42793 BianLian
FIN7 hackers launch deepfake nude “generator” sites to spread malware - FIN7's fake deepnude sites serve as honeypots for people interested in generating deepfake nudes of celebrities or other people.  In 2019, threat actors used a similar lure to spread info-stealing malware even before the AI explosion. According ...
5 months ago Bleepingcomputer.com FIN7
FIN7 - FIN7 is a financially-motivated threat group that has been active since 2013. FIN7 has primarily targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media, food and beverage, ...
1 year ago Attack.mitre.org Carbanak FIN7
New Fully Undetected Anubis Malware Let Hackers Execute Remote Commands - Developed by the notorious threat group Savage Ladybug (also known as FIN7), this malware combines simplicity with effectiveness through mild obfuscation techniques, allowing attackers to maintain persistent access to infected systems without raising ...
1 week ago Cybersecuritynews.com FIN7
Russian Sandworm Group Using Novel Backdoor to Target Ukraine - Russian nation-state group Sandworm is believed to be utilizing a novel backdoor to target organizations in Ukraine and other Eastern and Central European countries, according to WithSecure researchers. The previously unreported backdoor, dubbed ...
11 months ago Infosecurity-magazine.com
Hackers Employ DLL Side-Loading To Deliver Malicious Python Code - DLL side-loading exploits the Windows DLL search order mechanism, where attackers place malicious DLL files in locations where legitimate applications will load them instead of the intended legitimate libraries. The technique enables attackers to ...
3 days ago Cybersecuritynews.com
Hackers use new IceBreaker malware to breach gaming companies - Hackers have been targeting online gaming and gambling companies with what appears to be a previously unseen backdoor that researchers have named IceBreaker. The compromise method relies on tricking customer service agents into opening malicious ...
2 years ago Bleepingcomputer.com
New 'SpectralBlur' macOS Backdoor Linked to North Korea - Security researchers have dived into the inner workings of SpectralBlur, a new macOS backdoor that appears linked to the recently identified North Korean malware family KandyKorn. The observed SpectralBlur sample was initially uploaded to VirusTotal ...
1 year ago Securityweek.com
How Stealthy Python Rat Malware is Targeting Windows Systems - Cybersecurity experts have recently alerted Windows users to a new malware threat: a stealthy python-based RAT malware that is specifically targeting Windows systems. The malware, which has been dubbed “Python Rat” by security researchers, has ...
2 years ago Bleepingcomputer.com
Palo Alto Reveals New Features in Russian APT Turla's Kazuar Backdoor - The latest version of the Kazuar backdoor could be more sophisticated than previously imagined, according to Palo Alto Networks. The Kazuar backdoor was used by the Russian hacking group Turla to target the Ukrainian defense sector in July 2023, the ...
1 year ago Infosecurity-magazine.com Turla
Pro-Hamas Cyberattackers Aim 'Pierogi' Malware at Multiple Mideast Targets - A group of pro-Hamas attackers known as the Gaza Cybergang is using a new variation of the Pierogi++ backdoor malware to launch attacks on Palestinian and Israeli targets. According to research from Sentinel Labs, the backdoor is based on the C++ ...
1 year ago Darkreading.com
February 2024's Most Wanted Malware: WordPress Websites Targeted by Fresh FakeUpdates Campaign - Our latest Global Threat Index for February 2024 saw researchers uncover a fresh FakeUpdates campaign compromising WordPress websites. These sites were infected using hacked wp-admin administrator accounts, with the malware adapting its tactics to ...
1 year ago Blog.checkpoint.com
Researchers extract RSA keys from SSH server signing errors - A team of academic researchers from universities in California and Massachusetts demonstrated that it's possible under certain conditions for passive network attackers to retrieve secret RSA keys from naturally occurring errors leading to failed SSH ...
1 year ago Bleepingcomputer.com
Python in Threat Intelligence: Analyzing and Mitigating Cyber Threats - In the world of emerging cybersecurity threats, understanding the significance of threat intelligence is crucial and can not be ignored. Threat intelligence involves the systematic collection, analysis, and application of data to understand potential ...
1 year ago Hackread.com
January 2024's Most Wanted Malware: Major VexTrio Broker Operation Uncovered and Lockbit3 Tops the Ransomware Threats - LockBit3 topped the list of active ransomware groups and Education was the most impacted industry worldwide. LockBit3 was named the most prevalent ransomware group in a newly introduced ranking in the Index, and Education remained the most impacted ...
1 year ago Blog.checkpoint.com 8base LockBit
Iran's Peach Sandstorm Deploy FalseFont Backdoor in Defense Sector - In its latest campaign, Iranian state-backed hackers, Peach Sandstorm, employs FalseFont backdoor for intelligence gathering on behalf of the Iranian government. Cybersecurity researchers at Microsoft Threat Intelligence Unit have uncovered the ...
1 year ago Hackread.com
Researchers Uncover Simple Technique to Extract ChatGPT Training Data - Can getting ChatGPT to repeat the same word over and over again cause it to regurgitate large amounts of its training data, including personally identifiable information and other data scraped from the Web? The answer is an emphatic yes, according to ...
1 year ago Darkreading.com
November 2023's Most Wanted Malware: New AsyncRAT Campaign Discovered while FakeUpdates Re-Entered the Top Ten after Brief Hiatus - Researchers reported on a new AsyncRAT campaign where malicious HTML files were being used to spread the stealthy malware. Our latest Global Threat Index for November 2023 saw researchers discover a AsyncRAT campaign where malicious HTML files were ...
1 year ago Blog.checkpoint.com
CVE-2021-32807 - The module `AccessControl` defines security policies for Python code used in restricted code within Zope applications. Restricted code is any code that resides in Zope's object database, such as the contents of `Script (Python)` objects. The ...
2 years ago
RansomHub Affiliate Deploying New Custom Backdoor Dubbed 'Betruger' For Persistence - RansomHub, as a RaaS provider, enables affiliates to leverage sophisticated tools like Betruger, potentially lowering the barrier to entry for conducting complex ransomware attacks. These include adaptive-based protections such as ACM.Ps-RgPst!g1 and ...
1 day ago Cybersecuritynews.com Ransomhub
Stealthy New macOS Backdoor Hides on Chinese Websites - A sneaky macOS backdoor that allows attackers to remotely control infected machines has been hiding in trojanized applications for the platform that are hosted on Chinese websites. Researchers from Jamf Threat Labs discovered the series of poisoned ...
1 year ago Darkreading.com
Cracked macOS apps drain wallets using scripts fetched from DNS records - Hackers are using a stealthy method to deliver to macOS users information-stealing malware through DNS records that hide malicious scripts. The campaign appears directed at users of macOS Ventura and later and relies on cracked applications ...
1 year ago Bleepingcomputer.com
116 Malicious PyPI Packages Downloaded Over 10,000 Times - A cluster of malicious Python projects has been identified in PyPI, the official Python PyPI package repository, which targets both Windows and Linux systems and often deploys a custom backdoor. In certain instances, the ultimate payload consists of ...
1 year ago Cybersecuritynews.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)