Cybersecurity researchers have uncovered a Python-based backdoor used by threat actors to maintain persistent access and deploy RansomHub ransomware. Initial access was facilitated by SocGholish malware, distributed via drive-by attacks and fake browser updates. SocGholish exploits outdated SEO plugins on WordPress sites for entry, retrieving secondary payloads. The Python script acts as a reverse proxy for lateral movement, using a SOCKS5-based tunnel, with well-written, obfuscated code suggesting skilled authorship or AI assistance.

Alongside this, ransomware actors use tools like EDRSilencer, LaZagne, and MailBruter to disable defenses, steal credentials, and brute-force accounts. Codefinger targets Amazon S3 buckets, exploiting AWS keys and SSE-C encryption to prevent recovery.

Recent phishing tactics mimic Black Basta’s email flooding, overwhelming users before tricking them into installing remote-access tools like TeamViewer for further exploitation.
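The Codefinger item above turns on one observable: object writes to S3 that supply a customer-provided key (SSE-C), which AWS never stores and therefore cannot help recover. The scanner below is an added example, not code from the article or from any tool or campaign it names. It reads CloudTrail S3 data events and raises an alert for each access key that writes SSE-C encrypted objects into a bucket not already known to use SSE-C. The field names it inspects (the `x-amz-server-side-encryption-customer-algorithm` request header and `additionalEventData.SSEApplied`) are the author's assumptions about CloudTrail's S3 data-event schema and should be confirmed against real logs; the sample records and access key IDs are constructed.

```python
"""Flag SSE-C object writes in CloudTrail S3 data events.

Added example for this summary; not code from the article or any
project it names. Field names follow CloudTrail's S3 data-event
schema as assumed here: confirm them against your own logs before
relying on the detection.
"""
import json
from collections import Counter

# Header CloudTrail records when a request supplies its own key (SSE-C).
SSE_C_HEADER = "x-amz-server-side-encryption-customer-algorithm"
# S3 operations that write or rewrite object data.
WRITE_EVENTS = {"PutObject", "CopyObject", "CreateMultipartUpload", "UploadPart"}

# Constructed sample records, trimmed to the fields the scanner reads.
SAMPLE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE0000001"},
     "requestParameters": {"bucketName": "finance-backups", "key": "q4.xlsx",
                           SSE_C_HEADER: "AES256"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "CopyObject",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE0000001"},
     "requestParameters": {"bucketName": "finance-backups", "key": "ledger.db"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE0000002"},
     "requestParameters": {"bucketName": "public-assets", "key": "logo.png"},
     "additionalEventData": {"SSEApplied": "SSE_KMS"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE0000001"},
     "requestParameters": {"bucketName": "finance-backups", "key": "q4.xlsx",
                           SSE_C_HEADER: "AES256"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE0000003"},
     "requestParameters": {"bucketName": "app-sse-c-store", "key": "blob",
                           SSE_C_HEADER: "AES256"}},
]


def uses_sse_c(event):
    """True if the request carried a customer key, via header or SSEApplied."""
    params = event.get("requestParameters") or {}
    extra = event.get("additionalEventData") or {}
    return SSE_C_HEADER in params or extra.get("SSEApplied") == "SSE_C"


def find_sse_c_writes(events):
    """Return only S3 write operations that used SSE-C (reads are ignored)."""
    return [e for e in events
            if e.get("eventSource") == "s3.amazonaws.com"
            and e.get("eventName") in WRITE_EVENTS
            and uses_sse_c(e)]


def sse_c_alerts(events, allowed_buckets=frozenset(), threshold=1):
    """Group SSE-C writes by (access key, bucket), skipping buckets whose
    workloads legitimately use SSE-C, and alert once the count reaches
    threshold."""
    counts = Counter()
    for e in find_sse_c_writes(events):
        bucket = (e.get("requestParameters") or {}).get("bucketName", "?")
        if bucket in allowed_buckets:
            continue
        key_id = (e.get("userIdentity") or {}).get("accessKeyId", "?")
        counts[(key_id, bucket)] += 1
    return [{"accessKeyId": k, "bucket": b, "sse_c_writes": n}
            for (k, b), n in sorted(counts.items()) if n >= threshold]


def load_events(path):
    """Read a CloudTrail log file ({"Records": [...]}) from disk."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh).get("Records", [])


if __name__ == "__main__":
    # Bucket "app-sse-c-store" is treated as a known SSE-C consumer.
    for alert in sse_c_alerts(SAMPLE_EVENTS, allowed_buckets={"app-sse-c-store"}):
        print(json.dumps(alert))
```

Point `load_events` at a CloudTrail file with S3 data events enabled for the buckets you care about; without data events, object-level `PutObject` and `CopyObject` calls never reach CloudTrail and the check has nothing to read. A bucket policy that denies requests carrying the SSE-C header is the preventive counterpart to this detection where no workload needs customer-provided keys.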