2025-04-03

The Russia-linked threat group FIN7, also tracked as Carbanak and Savage Ladybug, has deployed the novel Python-based Anubis backdoor to gain full remote control of Windows systems, Security Affairs reports.

According to a PRODAFT report, FIN7 is distributing the backdoor through malspam campaigns that lure targets into downloading a malicious ZIP archive hosted on compromised SharePoint sites. The archive contains a Python script together with several Python executables, and the samples differ in how they execute the payload. Infection begins with the Python script, which decrypts and runs the Windows-targeted Anubis backdoor. Beyond IP retrieval, registry modification, arbitrary Python code execution and in-memory DLL loading, the backdoor supports keylogging, file transfer and continuous processing of operator commands, PRODAFT researchers said. "Despite its mild obfuscation, [Anubis backdoor] remains fully undetected (FUD) by most antivirus solutions... Variants of the backdoor execute the payload differently, suggesting ongoing refinement by attackers," the researchers added.
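The delivery pattern described above (a ZIP carrying a Python script plus bundled Python executables) lends itself to a simple triage check on inbound or quarantined archives. The script below is an added example and is not code from PRODAFT's report or from the FIN7 toolset; the filename heuristics, the `inspect_zip` function and both sample archives are constructed for illustration and are not indicators taken from the report.

```python
"""Triage heuristic for ZIP archives that pair a Python script with bundled
Python executables/DLLs, the packaging described in the article.

Added illustration, not PRODAFT's or FIN7's code. The regexes, names and
the sample archives below are constructed for this example only.
"""
import io
import re
import zipfile

# Filenames that suggest a bundled Python runtime rather than a user document.
# Constructed heuristics, not report-derived indicators.
PYTHON_RUNTIME_RE = re.compile(
    r"^(pythonw?\d*\.exe|python\d{2,3}\.dll|vcruntime\d+\.dll|.*\.pyd)$", re.I
)
SCRIPT_RE = re.compile(r"\.pyw?$", re.I)
PE_MAGIC = b"MZ"  # DOS/PE header of a Windows executable or DLL


def inspect_zip(data: bytes) -> dict:
    """Summarise suspicious traits of an in-memory ZIP.

    The archive is flagged when it holds at least one Python script and at
    least one file with a PE header, regardless of what the PE is named.
    Only the first two bytes of each member are read, so large archives are
    cheap to scan.
    """
    findings = {"scripts": [], "pe_files": [], "runtime_names": [], "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.rsplit("/", 1)[-1]
            if SCRIPT_RE.search(name):
                findings["scripts"].append(info.filename)
            if PYTHON_RUNTIME_RE.match(name):
                findings["runtime_names"].append(info.filename)
            with zf.open(info) as fh:
                if fh.read(2) == PE_MAGIC:
                    findings["pe_files"].append(info.filename)
    findings["suspicious"] = bool(findings["scripts"]) and bool(findings["pe_files"])
    return findings


def build_sample_zip(entries: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes}; used to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: the first mimics the described packaging (script plus
# Python runtime files with PE headers), the second is an ordinary document
# archive that should pass.
SUSPECT_ZIP = build_sample_zip({
    "invoice/run.py": b"import base64\n# placeholder: decrypt and run payload\n",
    "invoice/python.exe": PE_MAGIC + b"\x00" * 62,
    "invoice/python311.dll": PE_MAGIC + b"\x00" * 62,
})
BENIGN_ZIP = build_sample_zip({
    "report/summary.docx": b"PK\x03\x04" + b"\x00" * 32,
    "report/notes.txt": b"quarterly numbers\n",
})

if __name__ == "__main__":
    for label, blob in (("suspect", SUSPECT_ZIP), ("benign", BENIGN_ZIP)):
        result = inspect_zip(blob)
        print(label, "suspicious" if result["suspicious"] else "clean", result)
```

The check deliberately keys on the PE header rather than the `.exe`/`.dll` extension, because a renamed interpreter still carries the `MZ` magic; the name-based `runtime_names` list is only supporting context for an analyst. A legitimate archive that ships a Python tool with its interpreter will also trigger it, so treat a hit as a reason to detonate or inspect, not as a verdict.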