HelixGuard researchers have uncovered a malicious Python package uploaded to PyPI that impersonates the widely used “pyspellchecker” library—this time hiding a multi-layer encrypted backdoor designed to give attackers remote execution capabilities. The package, named spellcheckers, has already been downloaded more than 950 times, expanding a threat campaign previously associated with fake-recruiter social-engineering attacks targeting cryptocurrency holders.
The malicious package attempts to blend into the Python ecosystem by copying the name of pyspellchecker, a legitimate package boasting over 18 million downloads. But beneath its seemingly benign functionality lies a stealthy, multi-stage remote access backdoor.
According to the report, “The component masquerades as a spell-checking tool but actually hides a multi-layer encrypted backdoor.”
HelixGuard highlights several traits engineered for evasion:
- Stealthiness: Malicious code hidden inside functional modules
- Base64-encoded index files to bypass static detection
- Custom XOR-encrypted network protocol
- Dual-layer decryption and exception suppression
The infection begins inside ma_IN.index, a Base64-encoded file that is automatically executed upon import.
The analysis details this behavior: “The malicious code first executes via a Base64-encoded hidden index file (ma_IN.index), triggering the initial malicious action.”
When decoded, the payload downloads and executes further commands from the attacker’s C2: “The first-stage payload connects to the attacker-controlled C2 server (dothebest.store) and downloads the second-stage malicious code.”
The decoded Stage-1 code uses Python’s subprocess.Popen() to launch malicious Python instructions in the background—entirely silent to the user.
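The layout described above (a "data" file that is really Base64-encoded Python, plus an importer that decodes it and hands it to exec() at import time) can be caught with a simple heuristic scan of an unpacked package. The following is an added example written for this page, not HelixGuard's tooling or code from the analysed package; the file paths and contents in SAMPLE_PACKAGE are constructed stand-ins and do not reproduce the real payload.

```python
import base64
import binascii
import re

# Strings whose presence in decoded text suggests executable Python, not dictionary data.
PY_MARKERS = (b"import ", b"subprocess", b"Popen(", b"exec(", b"urlopen", b"socket")
CODE_SUFFIXES = (".py", ".pyi", ".pyx")
B64_ALPHABET = re.compile(rb"[A-Za-z0-9+/=]+")


def decode_if_python(data: bytes) -> list[str]:
    """Markers found in a Base64 blob's decoded form; [] if not Base64 or not code-like."""
    stripped = b"".join(data.split())
    if len(stripped) < 16 or not B64_ALPHABET.fullmatch(stripped):
        return []
    try:
        decoded = base64.b64decode(stripped, validate=True)
    except (binascii.Error, ValueError):
        return []
    return [m.decode() for m in PY_MARKERS if m in decoded]


def scan_files(files: dict[str, bytes]) -> list[dict]:
    """files maps a relative path to its bytes; returns one finding per suspicious file."""
    findings = []
    for name, data in files.items():
        if name.endswith(CODE_SUFFIXES):
            # Loader half: a module that Base64-decodes something and hands it to exec().
            if b"b64decode" in data and re.search(rb"\bexec\s*\(", data):
                findings.append({"file": name, "reason": "module b64decodes and exec()s at import"})
        else:
            # Payload half: a "data" file that is really Base64-wrapped Python source.
            markers = decode_if_python(data)
            if len(markers) >= 2:
                findings.append({"file": name, "reason": "Base64 data file decodes to Python",
                                 "markers": markers})
    return findings


# Constructed sample tree (paths and contents invented for this example): a harmless stand-in
# for the stage-1 text, an importer that decodes it, and a genuine binary resource file.
SAMPLE_STAGE1 = b"import subprocess\nsubprocess.Popen(['echo', 'constructed sample'])\n"
SAMPLE_PACKAGE = {
    "spellcheckers/__init__.py": b"import base64\nexec(base64.b64decode(open('resources/ma_IN.index', 'rb').read()))\n",
    "spellcheckers/resources/ma_IN.index": base64.b64encode(SAMPLE_STAGE1),
    "spellcheckers/resources/en.json.gz": b"\x1f\x8b\x08\x00 not base64, left alone",
}

if __name__ == "__main__":
    for finding in scan_files(SAMPLE_PACKAGE):
        print(finding)
```

Run it against a package unpacked from a downloaded wheel or sdist before installing; the heuristic is deliberately loose (two or more code markers) so that genuine word-list resources, which decode to prose or fail Base64 validation, are not flagged.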
The second-stage payload is significantly more advanced, featuring:
- OS fingerprinting
- Computer name harvesting
- Custom packet construction
- XOR-encrypted C2 communication
- Continuous command polling
HelixGuard writes, “The second-stage payload decrypts and executes a remote access trojan (RAT). This RAT can receive remote commands and execute attacker-controlled Python code via exec(), enabling full remote control over the victim’s host.”
A persistent connection is maintained with the C2 endpoints:
- dothebest.store/allow/inform.php
- dothebest.store/refresh.php
The decrypted Python backdoor is capable of receiving a variety of commands, encoded through a custom protocol. When the C2 issues command ID 1001, the malware directly executes the remote Python payload (“If nCMDID == 1001: exec(szCode)”), enabling arbitrary command execution.
The malware uses multiple encryption routines:
- XOR with a 16-byte key
- XOR transformation with constant key 123
- Base64 wrapping of command packets
- Unicode-based packet re-encoding
These layers are deliberately designed to bypass static scans and to complicate analysis. As HelixGuard describes, “Uses XOR-encrypted network communication and custom protocol formats to increase stealth.”
The report draws a direct link between this PyPI supply-chain attack and prior social-engineering campaigns.
HelixGuard notes, “The C2 address… matches the address previously used by hackers who impersonated recruiters to conduct social engineering attacks.”
These earlier attacks targeted users’ cryptocurrency accounts by masquerading as recruiters offering high-paying jobs—an increasingly common tactic in 2024–2025.
The new PyPI-based distribution model allows the same threat actor to quietly infect developers and engineers who unknowingly install the malicious library.