Two malicious PyPI packages, spellcheckerpy and spellcheckpy, were discovered impersonating the legitimate pyspellchecker library. The attacker hid a base64-encoded payload inside a Basque language dictionary file (eu.json.gz), using it as a steganographic carrier. Early versions were dormant; version 1.2.0 activated execution by obfuscating 'exec' as a hex-decoded string to evade static scanners. Once triggered on import, a stage-1 downloader fetches a full-featured Python RAT from updatenet[.]work, running it in a detached process with no files written to disk. The RAT features system fingerprinting, dual-layer XOR-encrypted C2 communications, a custom binary protocol, arbitrary code execution via command ID 1001, and a 5-second beacon loop. The C2 infrastructure is hosted on Cloudzy (RouterHosting LLC), previously documented as a command-and-control provider linked to APT groups and ransomware operators. The campaign shares RAT structure with a November 2025 attack targeting cryptocurrency holders, suggesting the same threat actor.
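As an added illustration of how a defender could screen a package for the two tells described above (the hex-obfuscated `exec` and a long base64 blob hidden in a gzipped dictionary), here is example code that is not Aikido's scanner or the packages' own code; the loader snippet, the dictionary words and the payload are constructed samples, and the 64-character threshold is an assumption to tune.

```python
import ast
import base64
import gzip
import json
import re

# Hex spelling of the builtin names a loader might hide, e.g. "exec" -> "65786563".
HEX_BUILTINS = {name.encode().hex(): name for name in ("exec", "eval")}
# A run of 64+ base64 characters is not vocabulary in a word-frequency dictionary.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")

def find_hidden_exec(source: str) -> list:
    """Flag string literals spelling exec/eval directly (what a '\\x65\\x78...'
    escape sequence becomes after parsing) or as hex for bytes.fromhex()."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Constant) and isinstance(node.value, str)):
            continue
        text = node.value.lower()
        if text in HEX_BUILTINS:
            findings.append(f"line {node.lineno}: hex-encoded {HEX_BUILTINS[text]!r}")
        elif text in HEX_BUILTINS.values():
            findings.append(f"line {node.lineno}: {text!r} as a string literal")
    return findings

def find_payload_strings(gz_bytes: bytes) -> list:
    """Return (key, length) for dictionary values carrying a valid base64 run."""
    entries = json.loads(gzip.decompress(gz_bytes))
    hits = []
    for key, value in entries.items():
        for blob in B64_RUN.findall(value if isinstance(value, str) else ""):
            try:
                base64.b64decode(blob, validate=True)
            except ValueError:  # binascii.Error subclasses ValueError
                continue
            hits.append((key, len(blob)))
    return hits

# Constructed samples mimicking the technique, not the real package contents.
SAMPLE_LOADER = '''
import builtins, base64, gzip, json
_e = getattr(builtins, bytes.fromhex("65786563").decode())
words = json.load(gzip.open("eu.json.gz"))
_e(base64.b64decode(words["__payload__"]))
'''
SAMPLE_DICT_GZ = gzip.compress(json.dumps({
    "kaixo": 3, "agur": 2, "eskerrik": 1,
    "__payload__": base64.b64encode(b"print('stand-in stage-1')" * 6).decode(),
}).encode())
```

Both checks are heuristics: a legitimate package can contain the string "exec" or a long base64 value, so hits should be reviewed rather than auto-blocked.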

From aikido.dev (4 min read)