Cybersecurity researchers at ReversingLabs (RL) have uncovered a new malicious Python package named dbgpkg, which masquerades as a debugging tool. Instead, it stealthily installs a backdoor on developers’ systems, enabling attackers to run malicious code and steal sensitive data. The analysis of its techniques suggests involvement by a hacktivist group aligned with Ukrainian interests, specifically targeting Russian developers.
Upon its detection on Tuesday, researchers noted that the dbgpkg package contained no actual debugging functionalities. Its design serves to trick unsuspecting developers into compromising their systems. The malicious code employs advanced methods for implanting a backdoor that remains hidden until specific functions are invoked.
The package modifies standard Python network libraries using a technique known as function wrapping: the original networking functions are replaced with wrappers that run the attacker's code before or after the real call. Because the hook fires only when a wrapped networking function is actually called, the backdoor stays inert, and hard to spot, until the developer's own code uses the network. According to RL's detailed investigation, the malicious code first checks whether the backdoor is already present before executing a series of concealed commands.
Investigators have drawn comparisons between the dbgpkg backdoor and malware previously utilized by the Phoenix Hyena hacktivist group, which has been implicated in numerous cyber attacks against Russian targets since the onset of the Ukraine conflict. This group has a history of leaking sensitive information via its Telegram channel, notably involving a breach of the cybersecurity firm Dr. Web. While RL cannot definitively attribute the new campaign exclusively to Phoenix Hyena, the pattern and timing indicate a politically charged initiative amidst ongoing geopolitical conflict.