Executive Summary
In October 2024, security researchers identified a new strain of Python-based remote access trojan (RAT) exhibiting advanced polymorphic capabilities. The malware, distributed as 'nirorat.py' and virtually undetectable by most antivirus engines on VirusTotal at the time of discovery, leverages self-modifying code, dynamic junk code injection, and obfuscation to evade detection. Its feature set includes network scanning, credential testing, data exfiltration, cryptomining, screen and audio recording, and file encryption. The Trojan is designed to mutate its code with each execution, making signature-based security tools largely ineffective and challenging forensic analysis post-compromise.
This incident is emblematic of an ongoing trend: cybercriminals are increasingly using polymorphic programming techniques and open-source scripting languages to bypass detection and propagate malware. Organizations must adapt their defense strategies as attackers innovate to manipulate familiar toolchains, raising the stakes for endpoint and network security teams.
Why This Matters Now
The emergence of highly polymorphic Python RATs underscores the urgent need for advanced behavioral, anomaly-based detection rather than relying on signatures alone. As automated evasion and mutation tactics become commonplace, organizations face heightened risks of stealthy breaches, data loss, and compliance failures—especially as these RATs offer versatile attack capabilities in even non-technically complex deployments.
Attack Path Analysis
The attacker initiated compromise via delivery of a polymorphic Python RAT, which evaded signature-based detection during initial infiltration. Once within the environment, the RAT attempted to gain higher-level permissions to enable further actions. Using built-in functions, the malware scanned the internal network and attempted to propagate laterally to other hosts and services. It then established a command and control (C2) channel back to the operator, using encrypted or obfuscated network traffic to receive instructions and exfiltrate data discreetly. Data such as credentials, system information, and files were exfiltrated through outbound connections. Finally, the attacker executed impactful actions including starting cryptomining, deploying further malware, and potentially encrypting files or disrupting services.
Kill Chain Progression
Initial Compromise
Description
Deployment of a polymorphic Python RAT via a malicious file, leveraging file obfuscation to evade traditional signature-based detection and gain foothold in the environment.
Related CVEs
CVE-2025-22230
CVSS 9.8A vulnerability in VMware products allows remote attackers to execute arbitrary code via crafted network packets.
Affected Products:
VMware ESXi – 7.0.0, 6.7.0
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Obfuscated Files or Information
Process Injection
Command and Scripting Interpreter: Python
Obfuscated Files or Information: Polyglot Files
Phishing
Ingress Tool Transfer
Application Layer Protocol: Web Protocols
Screen Capture
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Monitor and Analyze Security Events
Control ID: 10.1.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: Section 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Article 9
CISA ZTMM 2.0 – Continuous Monitoring
Control ID: Monitoring and Visibility
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
Polymorphic Python RAT threatens encrypted traffic and egress security, enabling data exfiltration from financial systems while evading traditional detection methods through advanced code obfuscation.
Health Care / Life Sciences
Self-modifying malware poses critical risks to patient data protection, compromising HIPAA compliance through lateral movement capabilities and encrypted communication channel exploitation in healthcare networks.
Information Technology/IT
Advanced RAT capabilities including network scanning, payload delivery, and zero trust segmentation bypass directly target IT infrastructure, enabling widespread organizational compromise through technical vector exploitation.
Government Administration
Multi-cloud visibility gaps and east-west traffic vulnerabilities expose government systems to polymorphic threats, risking sensitive data compromise through sophisticated evasion and persistence mechanisms.
Sources
- Polymorphic Python Malware, (Wed, Oct 8th)https://isc.sans.edu/diary/rss/32354Verified
- Polymorphic Python Malware That Repeatedly Mutates Its Appearance at Every Executionhttps://cyberpress.org/polymorphic-python-malware/Verified
- New Python Remote-Access Trojan Disguised as Minecraft App Steals Fileshttps://cyberpress.org/python-remote-access-trojan/Verified
- Famous Chollima deploying Python version of GolangGhost RAThttps://blog.talosintelligence.com/python-version-of-golangghost-rat/Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Enforcing Zero Trust segmentation, strong network and egress policies, and continuous threat detection would have substantially limited the attacker's ability to propagate laterally, communicate with C2, and exfiltrate sensitive data—containing the blast radius even against polymorphic, evasive malware.
Control: Threat Detection & Anomaly Response
Mitigation: Real-time anomaly detection flags suspicious, self-modifying code behaviors.
Control: Zero Trust Segmentation
Mitigation: Limits escalation attempts to only authorized identities and scoped segments.
Control: East-West Traffic Security
Mitigation: Lateral scanning and unauthorized inter-service traffic are blocked by segmentation.
Control: Egress Security & Policy Enforcement
Mitigation: Egress FQDN/application filtering blocks unauthorized outbound C2 attempts.
Control: Cloud Firewall (ACF)
Mitigation: Outbound data transfer attempts to non-approved destinations are prevented.
Rapid detection and alerting of malicious process behaviors and unusual resource usage.
Impact at a Glance
Affected Business Functions
- IT Operations
- Data Security
Estimated downtime: 5 days
Estimated loss: $500,000
Potential exposure of sensitive customer data due to unauthorized remote access.
Recommended Actions
Key Takeaways & Next Steps
- • Enforce granular Zero Trust segmentation to prevent unauthorized lateral movement and contain polymorphic malware outbreaks.
- • Implement strict egress security controls with application and FQDN filtering to block outbound C2 and exfiltration attempts.
- • Continuously monitor for abnormal process, network, and user behaviors with threat detection and anomaly response tools.
- • Apply microsegmentation and least-privilege policies for workloads, especially across multi-cloud and hybrid environments.
- • Regularly audit and update network and firewall policies, ensuring runtime policy enforcement aligns with Zero Trust principles.
