Pierluigi Paganini April 02, 2025

FIN7 cybercrime group has been linked to Anubis, a Python-based backdoor that provides remote access to compromised Windows systems.

The threat actor FIN7, also known as Savage Ladybug, has developed a new Python-based malware, named Anubis Backdoor, which allows attackers to gain full remote control over infected Windows systems. It executes shell commands and system operations while using obfuscation to evade detection. Delivered via phishing and hosted on compromised SharePoint sites, it remains undetected by most antivirus solutions, posing a serious security risk.

“The malware is distributed as a ZIP package, which includes a single Python script alongside multiple Python executables. Some variants execute the obfuscated payload immediately after writing it to disk, while others load the payload and call a specific function from it.” reads the report published by cybersecurity firm PRODAFT. “This variability in execution methods demonstrates the malware’s adaptability and the threat actor’s efforts to diversify their delivery mechanisms for different operational scenarios.”

FIN7 is a Russian criminal group (aka Carbanak) that has been active since mid-2015, it focuses on restaurants, gambling, and hospitality industries in the US to harvest financial information that was used in attacks or sold in cybercrime marketplaces.

The researchers noted that a Python script with ~30 lines serves as the main entry point, decrypting and executing the real payload. The backdoor, targeting Windows, uses AES-CBC encryption with base64 encoding and loads the payload via the exec function. Its obfuscation method, replacing variable names with similar characters, resembles tools like PyObfuscate or Anubis Obfuscator, making analysis harder but not highly complex.

The backdoor communicates via a single TCP socket, switching servers if one fails. Messages, including the groupname, are base64-encoded. Upon execution, it sends the process ID and local IP to the C2 server. To determine the local IP, it creates a UDP socket to 8.8.8.8 on port 80, letting the OS resolve the appropriate address without actual traffic. Each payload contains a groupname and two IPs for communication.

The backdoor supports multiple commands, including retrieving IP, modifying the registry, executing Python code, and loading DLLs into memory. Remote code execution allows the malware to load malicious functionalities dynamically. The malware supports functionalities like keylogging, file transfers, and registry modifications. It continuously processes commands until termination, using subprocess.Popen for shell execution.

“AnubisBackdoor is a stealthy Python-based tool used by Savage Ladybug (FIN7) to maintain access to compromised systems. Despite its mild obfuscation, it remains fully undetected (FUD) by most antivirus solutions. Delivered via malspam campaigns, with compromised SharePoint instances serving the payload, it poses a significant threat to enterprise environments.” concludes the report. “Variants of the backdoor execute the payload differently, suggesting ongoing refinement by attackers.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Anubis backdoor)