#threatreport #MediumCompleteness Analyzing Iranian Tradecraft: Leveraging Loader Scripts and Telegram for C2 | 04-05-2026 Source: blog.pulsedive.com/analyzing… Key details below ↓ 💀Threats: Bloat_technique, 🎯Victims: Users 🏭Industry: E-commerce 🌐Geo: Iran, Iranian 📚TTPs: ⚔️Tactics: 3 🛠️Techniques: 7 🧨IOCs: - File: 8 - Url: 2 - Path: 2 - Hash: 5 💽Software: Telegram, Microsoft Defender 🔢Algorithms: md5, zip, base64, sha256, sha1 📜Programming Languages: visual_basic, python, powershell #threatreport: Recent analyses reveal that Iranian cyber threat actors, particularly those aligned with the Ministry of Intelligence and Security (MOIS), have been employing loader scripts as part of their cyber operations. These scripts, often basic in nature, primarily aim to facilitate the download of secondary payloads hosted on Vultr Object Storage. In particular, a PowerShell-based loader script utilizes base64 encoding to conceal its payload, which leads to the downloading of a zip archive containing the executable RuntimeSSH.exe. This executable, noted in an FBI FLASH report, is implicated in the exfiltration of sensitive data from infected devices. Telegram has emerged as a crucial tool for these threat actors, functioning as a command-and-control (C2) platform. Its usage capitalizes on the platform’s ability to blend in with legitimate network traffic and the relative ease of creating bots. Telegram serves a dual purpose, allowing actors not only to manage command-and-control operations but also to act as a marketplace for cybercriminal services and malware. This has notably included groups like Handela Hack, which actively utilize Telegram for operational communications. Intrusions typically initiate through social engineering tactics, where malicious actors pose as support personnel or prominent figures to trick victims into executing malware.
The threat actors leveraged popular applications to disguise their malware, which is deployed via PowerShell scripts and is capable of modifying Windows registry keys to maintain persistence. Once installed, the malware exhibits functionality such as screen and audio capture along with data retrieval from local caches. Exfiltration of this collected data has been reported to occur through Telegram channels. Two specific PowerShell scripts, identified as ps.ps1 and cmd.ps1, are among the loader samples discovered. Both scripts execute base64-encoded commands with hidden PowerShell windows, differing slightly in their command specifications. Another notable script, a VBScript, queries the disk size and may execute the PowerShell commands if the disk exceeds a certain threshold. This, alongside a larger set of scripts, indicates a sophisticated method of evading detection while ensuring execution of malicious tasks. Additionally, the payload referenced in the FBI report—smqdservice.exe—contains more elaborate tactics. This executable seeks to evade Microsoft Defender's detection by creating exclusions in its configuration. Upon executing smqdservice.exe, various Python modules, including python311.dll, are loaded to enhance the malware’s functionality. Extracted details from the malware reveal specific Telegram bot configurations, providing insights into their operational architecture.
Mar 2
Python's abuse for DLL sideloading reached its "pinnacle" in Nitrogen's use of Python 3.11 in its 2024 malvertising campaigns. Rapid7 has a really good writeup about it here: rapid7.com/blog/post/2024/05… If you're into DLL sideloading/hijacking, the security community's chief export for research and detection of these seems to be hijacklibs.net/ Important nuance: this isn't really a Python vulnerability. The legitimate `python311.dll` is signed, and `Python.exe` isn't spidering around odd places to look for this DLL. (It follows standard DLL search order convention.) The issue is adversaries dropping their own Python runtimes alongside malicious DLLs. It's a low-friction execution container that tends to blend in if you're not explicitly looking for it. Same same for ADNotificationManager.exe, DLPUserAgent.exe, or WerFault.exe, unfortunately. Where we once may have looked at unsigned binaries executing, we now need to look at signed binaries loading unsigned modules or running from unusual locations as a more effective methodology.
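Added example, not code from the post above or its author: a small triage routine over constructed Sysmon ImageLoad-style records that flags the two patterns the post says to watch for, a signed host binary loading an unsigned module and a Python runtime running from an unusual path. The SIGNED_HOSTS set, the expected-path globs and the sample records are assumptions made for the example.

```python
from fnmatch import fnmatchcase
# Signed host binaries the post names as sideloading targets (assumed list).
SIGNED_HOSTS = {"python.exe", "adnotificationmanager.exe",
                "dlpuseragent.exe", "werfault.exe"}
# Where an installed Python runtime is expected to live (assumed site policy).
EXPECTED_PYTHON_ROOTS = (
    r"c:\program files\python3*\*",
    r"c:\users\*\appdata\local\programs\python\python3*\*",
)

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def python_path_expected(path: str) -> bool:
    """True when a python*.exe/.dll path sits under an expected install root."""
    return any(fnmatchcase(path.lower(), pat) for pat in EXPECTED_PYTHON_ROOTS)

def triage(event: dict) -> list:
    """Return the reasons an ImageLoad record deserves a look ([] = benign)."""
    reasons = []
    host, module = basename(event["Image"]), basename(event["ImageLoaded"])
    if host in SIGNED_HOSTS:
        # Signed/SignatureStatus describe the loaded module, as in Sysmon EID 7.
        if event["Signed"].lower() != "true":
            reasons.append(f"signed host {host} loaded unsigned module {module}")
        elif event["SignatureStatus"] != "Valid":
            reasons.append(f"module {module} signature is {event['SignatureStatus']}")
    for label, path in (("host", event["Image"]), ("module", event["ImageLoaded"])):
        if basename(path).startswith("python") and not python_path_expected(path):
            reasons.append(f"{label} {basename(path)} runs from unusual path {path}")
    return reasons

# Constructed sample records: a normal install, then a dropped runtime in a
# user-writable directory that loads an unsigned python311.dll.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Python311\python.exe",
     "ImageLoaded": r"C:\Program Files\Python311\python311.dll",
     "Signed": "true", "Signature": "Python Software Foundation",
     "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\Public\Music\python.exe",
     "ImageLoaded": r"C:\Users\Public\Music\python311.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
]

def scan(events: list) -> dict:
    """Map each suspicious loaded-module path to its triage reasons."""
    return {e["ImageLoaded"]: triage(e) for e in events if triage(e)}

for path, why in scan(SAMPLE_EVENTS).items():
    print(path, "->", "; ".join(why))
```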
Huh, so DLL side-loading works with Python too... 😱 > The legitimate python.exe is abused to run Fscan. A malicious python311.dll is loaded via DLL side-loading
Blog: JPCERT/CC Eyes has published "Malware observed in compromises originating from Ivanti Connect Secure vulnerabilities". It covers the malware, tools and attack techniques used by attackers exploiting CVE-2025-0282 and CVE-2025-22457 from December 2024 through July 2025. ^YS  blogs.jpcert.or.jp/ja/2025/0…
appdata/local python/python311 3.6gb
scoop install python311
20 May 2024
VENV environment: llama.cpp → OK, llama-cpp-python → X. conda environment: llama.cpp → OK, llama-cpp-python → OK. The CUDA library paths are set as usual. When building llama-cpp-python in the VENV environment, a llama_cpp directory is created under lib/python311/sate_packkge/, but when building with CUDA=ON no llama_cpp_cuda directory is created.
the time has come
$ doas pkgin rm python27
but not to worry
$ pkgin ls|egrep -o '^python[^\ ]*'
python37-3.7.15
python310-3.10.9
python311-3.11.8
periodic-table-cli also ran on NetBSD 10 RC4 under Qemu. It needs the right resolution, fonts and 256 colors.
pkgin install py311-pip
pkgin install py311-virtualenv
python311 -m venv venv/
source env/bin/activate
pip install periodic-table-cli
startx
periodic-table-cli --mode=chart -s
The Yara rule for the malicious side-loaded python311.dll file: github.com/RussianPanda95/Ma…
Can't pip install atcoder on python311
29 Jun 2023
In Python, even though I ran $ pip install pycryptodome, from Crypto.Cipher import AES and the like kept giving ModuleNotFoundError: No module named 'Crypto', and I puzzled over it forever… It had been installed in C:\Python311\Lib\site-packages\crypto (renaming crypto→Crypto fixed it…)
15 May 2023
If you want to wrap impacket stuff to an exe file via pyinstaller, make sure to:
- Work on a Windows box
- Install via: pip install impacket
- Use --path to point to the impacket dir: pyinstaller ntlmrelayx.py --onefile --path C:\Python311\Lib\site-packages\impacket
Why is Python311 only in the AUR? Also, isn't there a binary for this?
Starting to plan the changes for the next Tribblix release, for starters: * openssl3 * Xfce 4.18 * MATE 1.26 * PHP 8.2 * postgres15 default * python311 default #tribblix #illumos
25 Jan 2023
How To Install Python 3.11 on CentOS 9/8 & Fedora dlvr.it/ShQS01 #Python #Installpython #Python3 #Python311
24 Jan 2023
How To Install Python 3.11 on Ubuntu, Debian and LinuxMint dlvr.it/ShMYDc #GeneralArticles #Make #Python #Python3 #Python311
I don't know how it's remembering that I did in fact USE TO have a "python311" folder. I had to uninstall that because apparently only 3.10 works with what I'm trying to install.
Help, Python people! I'm trying to install stable diffusion, but it's looking for "python311" folder, but I now only have a "python310" folder. I manually added "C:\Users\taran\AppData\Local\Programs\Python\Python310" to the environment variable list, but it's still not working!