The UNICORN Binance Suite already uses Cython-compiled components, so it is not simply running as plain interpreted Python. UBWA handles WebSocket and private-stream infrastructure. UBDCC provides redundant, scalable local order books with replication and failover.
1
29
Replying to @nother_pleb
It depends on what you're referring to! C and Cython support could definitely be added (and config is structured to allow for it). Other things (cfg visibility) are much more complex due to our different architecture, but possible with enough effort and funding.
1
1
20
Replying to @waozixyz @sflorimm
Exactly. The only “fast python” is a cython wrapper that spends as much time outside of the interpreter as possible. Python itself is scripting glue.
1
17
Replying to @sflorimm
Well all the model training libraries are written with cython anyway, but are you talking about training or inference?
1
419
➡️ and best programming practices, so that the code is not complete spaghetti, plus some ergonomics in the GUI. All schools should pick one modern all-round language such as Python/Cython, preferably, and a newer one for scientific programming such as Julia with good interoperability ➡️
1
1
15
Reminded me of "python, son of cython".
1
13
The InvisibleFerret malware has received a makeover. Void Dokkaebi has recompiled it with a tool called Cython, turning readable Python scripts into binary files that older detection rules can miss. TrendAI™ Research breaks it down: research.trendmicro.com/4uqG…
1
5
458
TrendAI Research exposes the new Void Dokkaebi Cython malware campaign. Learn how InvisibleFerret uses binary compilation to evade security teams. #Cybersecurity #Malware #VoidDokkaebi #Infosec #CryptoTheft #DevSecOps securityonline.info/void-dok…
1
6
406
[North Korea-linked Void Dokkaebi moves InvisibleFerret to Cython] Trend Micro analyzed that the North Korea-linked Void Dokkaebi / Famous Chollima group is migrating its InvisibleFerret malware to Cython-compiled binaries. These are harder to analyze than the previous Python scripts and are deployed as `.pyd` on Windows and `.so` on macOS. The malware provides backdoor access, browser credential theft, clipboard monitoring, keylogging, and targeting of cryptocurrency wallets. This is high-risk activity for developers, cryptocurrency-related companies, CI/CD environments, and organizations that handle signing keys. Defenders should prioritize monitoring for fake job offers, malicious repositories, suspicious `.pyd` / `.so` files under VS Code directories, access to wallet extensions, and reads of browser credential stores. #NorthKorea #Lazarus #VoidDokkaebi #InvisibleFerret #Malware #Cryptocurrency #SupplyChain trendmicro.com/en_us/researc…
1
2
195
A North Korea-linked group known for targeting developers through fake job interviews is reported to have moved its own malware from Python scripts to native binaries. The malware, called "InvisibleFerret", is processed with "Cython", which compiles Python code to native code via C/C++, and is distributed as Python extension modules: [.]pyd on Windows and [.]so on macOS. Detection that assumes plaintext Python scripts is bypassed, but the compiled binaries still retain a Zlib-compressed string table and initialization function names beginning with PyInit_, and the analysis finds that the Python payload can be extracted with the same decoding procedure as before. Some components have not completed the Cython migration and are considered still under development, so further refinement is expected. The conclusion is that detection must cover both the extension modules and the execution scripts.
[Key points]
· Attributed to the North Korea-linked group tracked as Void Dokkaebi (Famous Chollima). The [.]pyd and [.]so files are Python extension modules that cannot run on their own; they are loaded through the Python interpreter by a [.]mod script generated by the first-stage JavaScript module BeaverTail.
· For some modules, the C2 server address is passed at runtime as a command-line argument from the [.]mod script and can override the value stored in the binary, so analysis of the binary alone may not identify the actual destination.
· The JavaScript BeaverTail was originally both an infostealer and a downloader, but new modules now handle backdoor access and trojanizing wallet extensions, so it has split into multiple variants whose functionality overlaps with InvisibleFerret.
· The targeted wallet extensions have expanded from MetaMask alone to Coinbase Wallet and Phantom. On macOS, Chrome itself is downgraded to an older version to get around the restrictions of Manifest V3, the current Chrome extension specification.
Details: trendmicro.com/en_us/researc…
6
865
Trend Micro's Kazuki Fujisawa looks into a recent update by Void Dokkaebi (aka Famous Chollima) to InvisibleFerret, shifting its delivery format from Python scripts to Cython-compiled binaries, distributing it as .pyd files on Windows & .so files on macOS. trendmicro.com/en_us/researc…
11
30
1,881
North Korea's Void Dokkaebi campaign uses Cython to compile the InvisibleFerret backdoor into binary files, successfully bypassing legacy Python security rules. #VoidDokkaebi #InvisibleFerret #MalwareEvasion #Cybersecurity #ThreatIntel #AppSec #BeaverTail meterpreter.org/void-dokkaeb…
3
8
649
#threatreport #HighCompleteness Analyzing Void Dokkaebi's Cython-Compiled InvisibleFerret Malware | 24-05-2026
Source: trendmicro.com/en_us/researc…
Key details below ↓
🧑‍💻 Actors/Campaigns: Famous_chollima (🧠 motivation: information_theft)
💀 Threats: Invisibleferret, Beavertail, Credential_harvesting_technique, Anydesk_tool
🎯 Victims: Software developers, Cryptocurrency users, Organizations with developer access to wallet credentials, signing keys and CI/CD pipelines, Cryptocurrency sector, Software development sector, Artificial intelligence sector
🌐 Geo: North Korea
📚 TTPs: ⚔️ Tactics: 3 🛠️ Techniques: 20
🧨 IOCs: File: 6, IP: 1, Hash: 23, URL: 45
💽 Software: macOS, Chrome, vscode
📲 Wallets: metamask, coinbase
🔢 Algorithms: exhibit, base64, xor
🔠 Functions: _rum, dnp_m, dnp, PyMemoryView_FromMemory, PyRun_StringFlags
🗂️ Win API: decompress
📜 Programming Languages: python, javascript, cpython, cython
💻 Platforms: cross-platform
#threatreport: Void Dokkaebi, a North Korean cyber threat group, has enhanced its information-stealing malware, InvisibleFerret, by transitioning it from Python scripts to Cython-compiled binaries. This strategic shift involves distributing the malware as .pyd files for Windows and .so files for macOS, introducing a new layer of evasion against traditional script-based detection methods. InvisibleFerret maintains its core functionalities, such as backdoor access, credential theft, clipboard monitoring, keylogging, and targeting cryptocurrency wallets, while also broadening its capabilities through BeaverTail, which now serves a multifaceted role that includes credential harvesting and wallet trojanization. The infection process typically targets software developers via fake job opportunities, making the malware particularly relevant for those who manage cryptocurrency credentials and production systems.
The adaptation to Cython means that defenders must shift from relying solely on script detection techniques to employing binary-aware detection strategies that can analyze extension modules and embedded artifacts. The evolution of BeaverTail is notable, as it has become a multistage component capable of downloading specific versions of InvisibleFerret and evading detection through complex obfuscation methods. In the Cython obfuscation process, Python code is transformed into native binaries, making them dependent on a Python execution script or interpreter for execution. Notably, these binaries can maintain much of the original programming-related artifacts, such as initialization function names and embedded file paths, which can aid forensic analyses. The deobfuscation process remains similar to previous versions, allowing threat analysts to recover the original payload from the binaries, despite the Cython obfuscation. Additionally, the malware incorporates advanced techniques for network communication, including the use of split-and-swap IP address encoding to further complicate detection efforts. Although the campaign shows signs of ongoing development, such as incomplete functionalities in components, the adoption of Cython indicates a commitment to refining evasion techniques. The malware's targeting of cryptocurrency wallets—including downgrading Chrome on macOS to bypass modern browser security—demonstrates the group's intent to exploit crypto assets more effectively.
1
2
63
Cython has more use as an obfuscation tool so people can't view scripts. It creates a compiled binary from the script logic, but still makes most of the Python function calls you use inside the script via the interpreter. It doesn't compile all the function calls into the binary.
1
34
Replying to @jamieantisocial
The whole point of Python is you don't have to go through a slow-ass compile cycle to run a little script. Python just wires up native libraries, which is why it is used in HPC despite being slow as hell. Cython is one way to write such libraries.
5
336
North Korean 🇰🇵 Void Dokkaebi evolves InvisibleFerret malware from Python scripts to Cython-compiled binaries (.pyd/.so files), targeting cryptocurrency developers with enhanced evasion capabilities while preserving core backdoor, credential theft, and wallet trojanization functions.
Technical evolution details:
• InvisibleFerret now distributed as mod.pyd (Windows) and mod.so (macOS) rather than readable Python scripts
• BeaverTail expanded from downloader to full malware suite with 4 variants: gjs (stealer/downloader), njs (backdoor), zjs (browser theft), cjs (wallet trojan)
• Cython compilation preserves forensic artifacts: PyInit_ exports, embedded file paths, Zlib-compressed string tables with XOR-encoded C2 IPs
• Chrome browser downgrade attack on macOS to bypass Manifest V3 restrictions for wallet extension tampering
• Cross-platform targeting maintains same deobfuscation logic: lambda reversal, Base64 decode, Zlib decompress
DFIR artifacts remain recoverable:
• Export table functions reveal module names (PyInit_mod)
• Build environment paths: /Users/administrator/Pictures/Work/py_module_work/
• String tables contain XOR-encoded C2s decodable with embedded keys
• Python execution scripts (.mod, pad0, brw0) pass runtime arguments including sType identifiers
Hunt for .pyd/.so files in developer directories, unsigned Python extension modules with recent timestamps, and Chrome version downgrades on macOS. #DFIR_Radar
1
1
10
736
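The two posts above (the translated Japanese summary and the #DFIR_Radar post) describe the same set of recoverable artifacts: a PyInit_ export that names the module, an embedded build path, a Zlib-compressed string table holding XOR-masked C2 values, and a payload-decoding chain of string reversal, Base64 decode and Zlib decompress. The following is an added triage script written for this page; it is not Trend Micro's analysis tooling and not code from the campaign. The decode order follows the posts, but the repeating-key XOR scheme, the regular expressions, the `__pyx_` marker heuristic and the file-hunting thresholds are assumptions, and every input is a constructed fixture (the C2 address is a TEST-NET documentation address, not an indicator).

```python
"""Triage helpers for suspected Cython-compiled Python extension modules (.pyd/.so).

Added example for this page; not Trend Micro's tooling or the malware's code.
Decode order (reverse -> Base64 -> zlib) follows the posts. The XOR key layout,
the regexes, the __pyx_ heuristic and the hunt thresholds are assumptions.
"""
import base64
import re
import time
import zlib
from pathlib import Path
from typing import Iterator

# Artifacts the posts say survive compilation. The regex shapes are assumed.
PYINIT_RE = re.compile(rb"PyInit_[A-Za-z0-9_]+")
BUILD_PATH_RE = re.compile(rb"/(?:Users|home)/[A-Za-z0-9_./-]+\.(?:pyx|py|c)")
ZLIB_HEADER_RE = re.compile(rb"\x78[\x01\x5e\x9c\xda]")  # common zlib CMF/FLG pairs


def decode_layered(blob: str) -> bytes:
    """Reverse -> Base64-decode -> zlib-decompress: the chain described in the posts."""
    return zlib.decompress(base64.b64decode(blob[::-1]))


def encode_layered(data: bytes) -> str:
    """Inverse of decode_layered; used here only to build a constructed fixture."""
    return base64.b64encode(zlib.compress(data)).decode("ascii")[::-1]


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (assumed scheme); symmetric, so it encodes and decodes."""
    if not key:
        raise ValueError("empty XOR key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_xor_c2(encoded: bytes, key: bytes) -> str:
    """Unmask a C2 string and insist it looks like host:port before trusting it."""
    text = xor_bytes(encoded, key).decode("ascii", errors="replace")
    if not re.fullmatch(r"[A-Za-z0-9.\-]+:\d{1,5}", text):
        raise ValueError(f"not a host:port after XOR: {text!r}")
    return text


def find_python_artifacts(module_bytes: bytes) -> dict:
    """Static triage: PyInit_ exports, embedded build paths, zlib stream candidates."""
    pyinit = sorted({m.decode() for m in PYINIT_RE.findall(module_bytes)})
    paths = sorted({m.decode() for m in BUILD_PATH_RE.findall(module_bytes)})
    return {
        "pyinit_exports": pyinit,
        "module_names": [n[len("PyInit_"):] for n in pyinit],
        "build_paths": paths,
        "zlib_candidates": [m.start() for m in ZLIB_HEADER_RE.finditer(module_bytes)],
        # Cython emits __pyx_-prefixed symbols; pairing that with PyInit_ is our heuristic.
        "is_cython_like": bool(pyinit) and b"__pyx_" in module_bytes,
    }


def extract_c2_candidates(module_bytes: bytes, key: bytes) -> list[str]:
    """Try every zlib-looking offset; keep those that inflate and XOR-decode to host:port."""
    hits = []
    for off in find_python_artifacts(module_bytes)["zlib_candidates"]:
        try:
            raw = zlib.decompressobj().decompress(module_bytes[off:off + 4096])
            hits.append(decode_xor_c2(raw, key))
        except (zlib.error, ValueError):
            continue  # false-positive header or not a C2 table
    return hits


def hunt_extension_modules(root: Path, max_age_days: float = 7.0) -> Iterator[tuple[Path, dict]]:
    """Walk a developer directory for recently written .pyd/.so files and triage each."""
    cutoff = time.time() - max_age_days * 86400
    for path in root.rglob("*"):
        if path.suffix.lower() in {".pyd", ".so"} and path.is_file() and path.stat().st_mtime >= cutoff:
            yield path, find_python_artifacts(path.read_bytes())


# Constructed fixtures (not real samples). The build path is the one quoted in the post.
FAKE_KEY = b"k3y!"
FAKE_C2 = "203.0.113.10:8080"  # RFC 5737 TEST-NET-3 address, not an indicator
FAKE_MODULE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"junk section data"
    + b"PyInit_mod\x00"
    + b"/Users/administrator/Pictures/Work/py_module_work/mod.pyx\x00"
    + b"__pyx_pymod_exec_mod\x00"
    + zlib.compress(xor_bytes(FAKE_C2.encode(), FAKE_KEY))
)
SAMPLE_PLAINTEXT = b"import os\nprint('constructed stage-2 stub')\n"
SAMPLE_BLOB = encode_layered(SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    print(find_python_artifacts(FAKE_MODULE))
    print(extract_c2_candidates(FAKE_MODULE, FAKE_KEY))
    print(decode_layered(SAMPLE_BLOB).decode())
```

The point of validating the XOR output as host:port is that a repeating-key XOR will happily "decode" any bytes; without a shape check, every zlib-looking offset would yield a candidate. Note also the caveat from the translated post: some modules take the C2 from a command-line argument supplied by the .mod launcher, so a value recovered from the binary is only the fallback, and the launcher script must be collected alongside the extension module.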