K7 Labs researchers have identified a sophisticated Python-based malware sample employing multi-stage obfuscation and process injection techniques to achieve stealthy persistence on Windows systems.
The malware reconstructs a 65 MB blob, with the bulk consisting of filler content, and only a small, valid, marshalled .pyc segment at the end containing the actual malicious code.
This final payload performs process injection into a legitimate Windows binary while retrieving a .NET component from command-and-control infrastructure for continued stealthy operations.
The infection chain initiates with a PE dropper containing a runtime decryption routine that builds a large buffer on the stack through a fast SIMD copy/transform loop (movups) before writing the reconstructed payload to disk via WriteFile.

This process creates config.bat in C:\Users\Public\ and persists it before execution.
The batch script establishes a directory at C:\DragonAntivirus and downloads a file from remote cloud storage.
Despite having a .png extension, the downloaded file is actually a RAR archive, a simple yet effective trick that exploits how users and security filters treat image files as harmless.
The script then uses the built-in tar command to extract the disguised archive, revealing three key components: AsusMouseDriver.sys (a password-protected RAR disguised with a .sys extension), Interput.json (renamed to Install.bat and executed), and Inx (a legitimate WinRAR executable for extracting the password-protected archive).

The renamed Install.bat script transforms Inx into ex.exe and uses it to extract the password-protected AsusMouseDriver.sys archive with a hardcoded password to C:\Users\Public\WindowsSecurityA\.
This directory contains ntoskrnl.exe, which masquerades as a Windows kernel file but is actually a bundled Python runtime, along with the primary obfuscated Python payload at Lib\image.
The script opens a decoy PDF document to distract users post-infection before launching the Python interpreter with specific command-line arguments ("dcconsbot", "dcaat") that trigger the layered de-obfuscation process.
De-obfuscation Chain
The Python runtime reads the hidden payload from the image file and reconstructs the malicious code through multiple transformation layers:
- Base64 Decoding converts text-based encoding into raw bytes.
- BZ2 Decompression unpacks the first layer of compressed data.
- Zlib Decompression unwraps a second compression layer.
- Marshal Loading converts the final byte stream into compiled Python bytecode (.pyc) for execution.
The resulting 60 MB reconstructed blob contains extensive padding and meaningless filler, with only a small portion near the end holding valid marshalled Python bytecode.

This final segment loads via marshal and executes in memory, minimizing the forensic footprint on the system.
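The decode chain above lends itself to a static triage script. The following is an added example, not K7 Labs' code and not anything recovered from the sample: it reverses the Base64, BZ2 and zlib layers in that order, then scans the padded blob for the first offset that deserialises into a module-level code object and inventories the names and string constants it references. marshal.loads only deserialises; the recovered code object is never executed. The stand-in payload, the filler length and the function names are constructed for the example.

```python
"""Static triage for a padded, multi-layer-obfuscated marshalled Python payload.

Reverses the chain Base64 -> BZ2 -> zlib, then locates the marshalled code
object at the tail of the padded blob and inventories it. marshal.loads only
deserialises; the recovered code object is inspected, never executed.
"""
import base64
import bz2
import marshal
import random
import re
import types
import zlib

# A code object is marshalled as 'c' (0x63) or 'c' | FLAG_REF (0xE3). For a
# module-level code object the next three 32-bit fields (argcount,
# posonlyargcount, kwonlyargcount) are all zero (CPython 3.8+ layout), so the
# twelve zero bytes act as a cheap prefilter: random filler is never handed to
# marshal.loads, whose length fields would otherwise drive large allocations.
MODULE_HEADER = re.compile(rb"[\x63\xe3]\x00{12}")

# CONSTRUCTED stand-in for the real payload: a harmless module with one
# function, so that names and string constants are recognisable in the report.
STAND_IN_SOURCE = (
    "import os\n"
    "def stage_two():\n"
    "    return os.getcwd(), 'stand-in-marker'\n"
)


def peel_layers(encoded: bytes) -> bytes:
    """Undo the three encoding layers in the order the loader applies them."""
    raw = base64.b64decode(encoded, validate=True)
    raw = bz2.decompress(raw)
    return zlib.decompress(raw)


def find_code_object(blob: bytes):
    """Return (offset, code) for the first offset that deserialises to a code
    object, or (None, None). The first hit is the outermost module code object
    because nested function bodies live inside its co_consts; marshal.loads
    ignores trailing bytes, so no end offset is needed."""
    view = memoryview(blob)  # zero-copy slices on a multi-megabyte blob
    for match in MODULE_HEADER.finditer(blob):
        offset = match.start()
        try:
            obj = marshal.loads(view[offset:])
        except Exception:  # truncated or malformed stream: not the payload start
            continue
        if isinstance(obj, types.CodeType):
            return offset, obj
    return None, None


def summarize(code: types.CodeType) -> dict:
    """Walk the code object and every nested one (functions, classes, lambdas)
    collecting referenced names and string constants, without running them."""
    names, strings, nested = set(), set(), 0
    stack = [code]
    while stack:
        current = stack.pop()
        names.update(current.co_names)
        for const in current.co_consts:
            if isinstance(const, types.CodeType):
                nested += 1
                stack.append(const)
            elif isinstance(const, str):
                strings.add(const)
    return {"names": sorted(names), "strings": sorted(strings), "nested": nested}


def triage(encoded: bytes) -> dict:
    """Full pipeline: peel layers, locate the payload, inventory it."""
    blob = peel_layers(encoded)
    offset, code = find_code_object(blob)
    report = {"blob_len": len(blob), "offset": offset}
    if code is not None:
        report["payload_len"] = len(blob) - offset
        report.update(summarize(code))
    return report


def build_sample(filler_len: int = 4096, seed: int = 7) -> bytes:
    """CONSTRUCTED stand-in for the loader's image file: deterministic
    pseudo-random filler followed by the marshalled stand-in module, wrapped
    zlib -> BZ2 -> Base64, i.e. the reverse of the loader's decode order."""
    code = compile(STAND_IN_SOURCE, "<stand-in>", "exec")
    rng = random.Random(seed)
    filler = bytes(rng.getrandbits(8) for _ in range(filler_len))
    blob = filler + marshal.dumps(code)
    return base64.b64encode(bz2.compress(zlib.compress(blob)))


if __name__ == "__main__":
    for key, value in triage(build_sample()).items():
        print(f"{key}: {value}")
```

Two caveats apply to a real sample. The marshal format is tied to the interpreter version, so the script has to run under the same CPython release as the runtime bundled as ntoskrnl.exe or marshal.loads will reject the stream. And marshal.loads trusts the length fields embedded in the data, so even with the header prefilter it is prudent to run the triage under a memory limit or inside a sandbox when the input is hostile.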
Process Injection and C2
Upon execution, the payload immediately performs process injection into cvtres.exe, a legitimate Microsoft utility.
This technique provides two critical advantages: stealth, as security tools often trust signed Microsoft binaries, and persistence, as the injected process remains alive and maintains C2 communication even if the loader terminates.
Memory analysis of the injected cvtres.exe process revealed a downloaded .NET module mapped into its address space.
Static inspection identified code responsible for establishing C2 connections, while network capture analysis confirmed the injected component performing TCP communication over an encrypted channel.

This continuous bidirectional encrypted traffic pattern characterizes a remote-access trojan (RAT) capable of file transfer, command execution, and system reconnaissance.
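Each stage of the chain, from the dropped batch file through the tar extraction and the masquerading Python runtime to the injected cvtres.exe, leaves a behavioural trace that endpoint telemetry can key on. The following is an added example, not K7 Labs' detection content: four rules written in Python and evaluated over a constructed Sysmon-style event stream (process creation, network connection, file creation). The process names, paths and arguments come from the chain described above; the event field names, the dropper and archive file names, and the destination port are assumptions made for the example.

```python
"""Behavioural detections for the chain described above, evaluated over
CONSTRUCTED Sysmon-style events (not telemetry from the real infection).
Event IDs follow Sysmon: 1 = process create, 3 = network connection,
11 = file create. Field names are assumptions for the example.
"""
import ntpath
from dataclasses import dataclass


@dataclass
class Event:
    event_id: int
    image: str = ""
    command_line: str = ""
    parent_image: str = ""
    target_filename: str = ""
    dest_port: int = 0


@dataclass
class Alert:
    rule: str
    severity: str
    detail: str


IMAGE_EXTENSIONS = (".png", ".jpg", ".jpeg", ".gif", ".bmp")


def basename(path: str) -> str:
    """Case-insensitive file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def rule_kernel_image_as_process(ev: Event):
    """The genuine ntoskrnl.exe is loaded by the boot loader and never appears
    as a process-create event, so any such event is anomalous; the loader
    arguments from the chain raise the severity to critical."""
    if ev.event_id != 1 or basename(ev.image) != "ntoskrnl.exe":
        return None
    args = ev.command_line.lower()
    severity = "critical" if ("dcconsbot" in args or "dcaat" in args) else "high"
    return Alert("kernel_image_as_process", severity, ev.image)


def rule_cvtres_network(ev: Event):
    """cvtres.exe converts resource files to COFF objects and has no reason to
    open sockets; an outbound connection from it points to injected code."""
    if ev.event_id == 3 and basename(ev.image) == "cvtres.exe":
        return Alert("cvtres_network_connection", "critical", f"port {ev.dest_port}")
    return None


def rule_tar_on_image_file(ev: Event):
    """Built-in tar.exe extracting a file that carries an image extension:
    the archive-disguised-as-.png step of the chain."""
    if ev.event_id != 1 or basename(ev.image) != "tar.exe":
        return None
    tokens = ev.command_line.lower().split()
    extracts = any(t.startswith("-") and "x" in t for t in tokens)
    on_image = any(t.strip('"').endswith(IMAGE_EXTENSIONS) for t in tokens)
    if extracts and on_image:
        return Alert("tar_on_image_file", "high", ev.command_line)
    return None


def rule_public_batch_dropped(ev: Event):
    """A .bat written under the world-writable C:\\Users\\Public, where the
    chain stages config.bat."""
    if ev.event_id != 11:
        return None
    path = ev.target_filename.lower()
    if path.startswith("c:\\users\\public\\") and path.endswith(".bat"):
        return Alert("public_batch_dropped", "medium", ev.target_filename)
    return None


RULES = (rule_public_batch_dropped, rule_tar_on_image_file,
         rule_kernel_image_as_process, rule_cvtres_network)


def evaluate(events):
    """Run every rule over every event, preserving event order."""
    alerts = []
    for ev in events:
        for rule in RULES:
            alert = rule(ev)
            if alert is not None:
                alerts.append(alert)
    return alerts


# CONSTRUCTED event stream: four chain stages followed by two benign events.
SAMPLE_EVENTS = [
    Event(11, image=r"C:\Users\Public\dropper.exe",
          target_filename=r"C:\Users\Public\config.bat"),
    Event(1, image=r"C:\Windows\System32\tar.exe",
          command_line=r"tar -xf C:\DragonAntivirus\update.png -C C:\DragonAntivirus",
          parent_image=r"C:\Windows\System32\cmd.exe"),
    Event(1, image=r"C:\Users\Public\WindowsSecurityA\ntoskrnl.exe",
          command_line=r"ntoskrnl.exe Lib\image dcconsbot dcaat"),
    Event(3, image=r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe",
          dest_port=443),
    Event(1, image=r"C:\Windows\System32\notepad.exe", command_line="notepad.exe"),
    Event(3, image=r"C:\Program Files\Mozilla Firefox\firefox.exe", dest_port=443),
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(f"[{alert.severity}] {alert.rule}: {alert.detail}")
```

The cvtres.exe rule is the one that survives changes to the loader: archive names, passwords and staging directories are cheap for the operator to rotate, but a resource-conversion utility opening a TCP connection is anomalous regardless of how the code got there, which is why the page's recommendation to watch trusted system processes for out-of-profile behaviour carries more weight than path or hash matching.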
This multi-stage malware demonstrates advanced evasion techniques through archive masquerading, layered obfuscation, and trusted process injection.
The use of legitimate Windows binaries as injection targets represents a growing trend in threat actor methodologies designed to bypass traditional security controls.
Organizations should implement comprehensive endpoint detection and response solutions capable of monitoring anomalous behavior in trusted system processes.
A trusted security solution like K7 Antivirus provides essential protection against such threats, with K7 Labs continuously delivering detections for these malware families across multiple infection stages to ensure coverage against emerging threats.
Indicators of Compromise (IOCs)
| Hash | Detection Name | Description |
|---|---|---|
| 675D475B5C02CA834E83BE009E09DB7C | Trojan(0001140e1) | Parent File |
| 33DD6D8FCFF3CA256F44A371FA3CF819 | Trojan(700000201) | Injected File |