Backdoor implant discovered on PyPI posing as debugging utility

May 21, 2025, 8:35 p.m.

Description

A sophisticated malicious package named 'dbgpkg' was detected on PyPI, masquerading as a Python debugging utility. The package implants a backdoor on systems, enabling execution of malicious code and data exfiltration. It uses function wrapping techniques to evade detection and is believed to be part of a larger campaign possibly linked to a hacktivist group known as Phoenix Hyena. The campaign also includes other packages like 'discordpydebug' and 'requestsdev'. The attackers' motivation appears to be geopolitical, potentially related to the Russia-Ukraine conflict. The use of specific backdooring techniques and tools like Global Socket Toolkit indicates a high level of sophistication and an intent to establish long-term presence on compromised systems.
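The report attributes the backdoor's stealth to function wrapping: a legitimate function is replaced by a wrapper that runs the attacker's logic and then hands off to the original, so callers see unchanged behaviour. The following is an added defender-side example, not code from the report or from any of the packages it names. It builds a constructed stand-in module, wraps one of its functions the way a decorator would, and then shows an integrity check that flags the wrapped function. The heuristics (a `__wrapped__` attribute, a code object whose source file differs from the module's own file, a mismatched `__module__`) and the module name `victim` are assumptions for the illustration.

```python
import functools
import types


def find_wrapped_functions(module):
    """Return (name, reasons) for module-level functions that look wrapped
    or replaced at runtime rather than defined in the module's own file.

    Heuristics used here (assumed for this example, not from the report):
      * the function carries a __wrapped__ attribute (left by functools.wraps)
      * its code object was compiled from a file other than module.__file__
      * its __module__ does not name the module it is attached to
    """
    findings = []
    module_file = getattr(module, "__file__", None)
    for name, obj in vars(module).items():
        if not isinstance(obj, types.FunctionType):
            continue
        reasons = []
        if hasattr(obj, "__wrapped__"):
            reasons.append("has __wrapped__")
        code_file = obj.__code__.co_filename
        if module_file and code_file != module_file:
            reasons.append(f"code defined in {code_file}")
        if obj.__module__ != module.__name__:
            reasons.append(f"__module__ is {obj.__module__}")
        if reasons:
            findings.append((name, reasons))
    return findings


def build_demo_module():
    """Constructed sample: a tiny module 'victim' with one function, compiled
    as if it lived at a fake site-packages path so co_filename is realistic."""
    src = "def send(data):\n    return len(data)\n"
    mod = types.ModuleType("victim")
    mod.__file__ = "/fake/site-packages/victim.py"
    exec(compile(src, mod.__file__, "exec"), mod.__dict__)
    return mod


def wrap_send(mod):
    """Replace mod.send with a wrapper that delegates to the original.

    functools.wraps copies __name__, __doc__ and __module__ from the original,
    which is exactly why a naive check on __module__ alone does not notice the
    swap; the code object's file name still gives it away."""
    original = mod.send

    @functools.wraps(original)
    def send(data):
        # Benign stand-in for an interception point: do nothing extra,
        # then hand off so callers observe the original behaviour.
        return original(data)

    mod.send = send


if __name__ == "__main__":
    victim = build_demo_module()
    print("before wrapping:", find_wrapped_functions(victim))
    wrap_send(victim)
    print("after wrapping:", find_wrapped_functions(victim))
```

Run against a real installed package, the same check would be pointed at `sys.modules[name]` after import; an unexpected hit on a function whose code lives outside the package directory is the signal worth triaging, since legitimate decorators inside the package itself resolve to the package's own files.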

Date

  • Created: May 15, 2025, 8:12 p.m.
  • Published: May 15, 2025, 8:12 p.m.
  • Modified: May 21, 2025, 8:35 p.m.

Attack Patterns

  • discordpydebug
  • dbgpkg
  • Phoenix Hyena

Additional Information

  • Ukraine
  • Russian Federation