Malicious 'Pyronut' Package Backdoors Telegram Bots with Remote Code Execution

Khushal

Apr 4, 2024

Endor Labs notes that the malicious Python package pyronut disguises itself as the Pyrogram Telegram framework to install a silent runtime backdoor, enabling arbitrary Python and shell command execution on victims’ machines.
https://t.co/MLS3s4J5nC
The malicious Python package pyronut copies the entire project description and code of the popular pyrogram Telegram framework to pass itself off as the real thing, while silently installing a runtime backdoor that grants the attacker arbitrary Python and shell command execution on every victim's machine.
 
Executive Summary

Confirmed Fact

The malicious Python package 'pyronut' is actively masquerading as the legitimate 'pyrogram' Telegram framework to install a silent runtime backdoor.

Assessment
This is a targeted supply chain attack aimed at developers, designed to achieve unauthorized arbitrary Python and shell command execution on the host machine.

Technical Analysis & Remediation

MITRE ATT&CK Mapping

T1195 (Supply Chain Compromise)

T1059.004 (Command and Scripting Interpreter: Unix Shell)

T1059.006 (Command and Scripting Interpreter: Python)

CVE Profile
N/A [CISA KEV Status: Inactive]

Telemetry

Package Names

'pyronut' (Malicious)
'pyrogram' (Legitimate target)

The structure resembles a typosquatting or deceptive dependency attack that copies a legitimate project's description and source code to mislead developers.

The payload suggests the capability to execute arbitrary commands across affected victim machines.

Remediation - THE ENTERPRISE TRACK (NIST SP 800-61r3 / CSF 2.0)

GOVERN (GV) – Crisis Management & Oversight

Command
Issue immediate supply chain risk alerts to software engineering and DevOps teams regarding the 'pyronut' package.

DETECT (DE) – Monitoring & Analysis

Command
Query SIEM and EDR for executions of pip install pyronut or inclusion of 'pyronut' in any requirements.txt or Pipfile.

RESPOND (RS) – Mitigation & Containment

Command
Isolate all development workstations, CI/CD runners, and production servers where the 'pyronut' package is detected.

Command
Revoke and rotate all Telegram bot API tokens, SSH keys, and environment variables present on compromised machines.

RECOVER (RC) – Restoration & Trust

Command
Rebuild affected environments from known-good images and verify the installation of the legitimate 'pyrogram' package.

IDENTIFY & PROTECT (ID/PR) – The Feedback Loop

Command
Enforce strict dependency pinning, hash verification for all Python packages, and integrate software composition analysis (SCA) tools into the deployment pipeline.

Remediation - THE HOME USER TRACK (Safety Focus)

Priority 1: Safety

Command
No immediate action required for standard home environments. This threat specifically targets developers building Telegram bots using Python. If you are not actively developing in Python, your risk is Theoretical/Low.

Priority 2: Identity

Command
If you inadvertently installed 'pyronut' while attempting to install 'pyrogram', rotate your Telegram Bot API tokens and any other credentials stored in your development environment using a known clean device.

Priority 3: Persistence

Command
Audit your local Python site-packages directory and virtual environments for the 'pyronut' package and permanently delete the environment if found.

Hardening & References

Baseline

CIS Controls v8 - Control 2 (Inventory and Control of Software Assets).

Framework
NIST CSF 2.0 (PR.PS-02: Software is maintained and replaced to reduce security risks).

Source

Endor Labs
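The DETECT step and the home-user "Priority 3" step above both come down to the same check: is the name 'pyronut' present in a dependency manifest or among installed distributions? The script below is an added example written for this thread; it is not code from Endor Labs or from the post above. It reads a requirements.txt and a Pipfile (the two manifests the post names), normalises package names the way PyPI does so that case and separator variants do not slip past, and compares installed distributions from the current interpreter's metadata against the same deny list. The two manifests embedded in it are constructed samples, and the version and hash values in them are placeholders.

```python
"""Scan Python dependency manifests and installed distributions for a
deny-listed package name (here the malicious 'pyronut').

Added example for this thread; not Endor Labs' or the forum author's code.
The sample manifests below are constructed for illustration only.
"""
import re
from importlib import metadata

# Names to flag. Compared after normalisation, so 'PyroNut' and 'pyronut'
# match; the spelling itself comes from the advisory in the thread.
DENY_LIST = {"pyronut"}

# A requirement line starts with the project name, optionally followed by
# extras, a version specifier, an environment marker or pip options.
_REQ_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")
_URL_LINE = re.compile(r"^[A-Za-z0-9+.-]+://")


def normalize(name: str) -> str:
    """PEP 503 normalisation: runs of '-', '_' and '.' become '-', lowercase."""
    return re.sub(r"[-_.]+", "-", name).lower()


def requirement_names(text: str):
    """Yield normalised names from requirements.txt content.

    Comments, blank lines, pip options (-r, --index-url, ...) and bare
    URL or path requirements carry no plain project name and are skipped.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        if _URL_LINE.match(line) or line.startswith((".", "/")):
            continue
        match = _REQ_NAME.match(line)
        if match:
            yield normalize(match.group(1))


def pipfile_names(text: str):
    """Yield normalised names from the [packages] and [dev-packages] tables
    of a Pipfile, using a deliberately simple line-based TOML reader."""
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        if section in ("packages", "dev-packages") and "=" in line:
            key = line.split("=", 1)[0].strip().strip("\"'")
            yield normalize(key)


def installed_names(distributions=None):
    """Normalised names of installed distributions.

    Defaults to the running interpreter's metadata; pass an iterable of
    names to check an inventory collected elsewhere (e.g. from EDR).
    """
    if distributions is None:
        distributions = (d.metadata["Name"] for d in metadata.distributions())
    return [normalize(n) for n in distributions if n]


def flagged(names, deny=DENY_LIST):
    """Sorted list of deny-listed names present in `names`."""
    deny_norm = {normalize(d) for d in deny}
    return sorted({n for n in names if n in deny_norm})


def scan(requirements_text, pipfile_text, installed=None):
    """Run all three checks and return {location: [flagged names]}."""
    return {
        "requirements.txt": flagged(requirement_names(requirements_text)),
        "Pipfile": flagged(pipfile_names(pipfile_text)),
        "installed": flagged(installed_names(installed)),
    }


# Constructed sample manifests (placeholder version/hash values).
SAMPLE_REQUIREMENTS = """\
# constructed sample requirements.txt
pyrogram==0.0.0 --hash=sha256:PLACEHOLDER
PyroNut>=1.0 ; python_version >= "3.8"
-r base.txt
git+https://example.invalid/some/repo.git#egg=tool
"""

SAMPLE_PIPFILE = """\
# constructed sample Pipfile
[[source]]
url = "https://pypi.org/simple"
name = "pypi"

[packages]
requests = "*"
pyronut = "*"

[dev-packages]
pytest = "*"
"""

if __name__ == "__main__":
    for where, hits in scan(SAMPLE_REQUIREMENTS, SAMPLE_PIPFILE).items():
        print(f"{where}: {'CLEAN' if not hits else 'FLAGGED ' + ', '.join(hits)}")
```

Run it inside each virtual environment or CI runner image you want to audit (the installed check only sees the interpreter it runs under), and feed it the real requirements.txt and Pipfile contents instead of the samples; anything it flags is a candidate for the isolation and credential-rotation steps in the post.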
 
Is Telegram Web a safer option than the installed app?
Yes and no. Telegram Web is safer because it stays 'isolated' inside your browser and doesn't have access to all your files like an installed app.

But keep in mind: 'Pyronut' doesn't target people using Telegram to chat; it targets developers who build bots and download the wrong coding tools by mistake. If you just use the app to talk to friends, you're safe. 🌐💻✅
 
Is Telegram Web a safer option than the installed app?
This attack does not target standard Telegram users or the Telegram messaging clients (Web, Desktop, or Mobile). Instead, it targets software developers and the servers hosting custom Telegram bots.

Standard users logging into Telegram Web or downloading the official Telegram app from an app store are not downloading or compiling Python dependencies. Therefore, they are entirely outside the blast radius of this particular supply chain attack. The threat is strictly limited to Python development environments.
 
Divergent, I'll try not to get too sappy :) but, for the last 2 maybe 3 months, your posts have been especially helpful, with your "speaking in your own words" in a lot of your replies. Thank you for the AI breakdown posts for some of the topics as well, but especially for posts like these :)