www.infosecurity-magazine.com 2/23/2026, 5:41:17 PM

Python malware drained PayPal via hidden svchoss.exe mimic

A fraud investigation has uncovered a sophisticated Python-based malware deployment, revealing a layered attack that combines obfuscation, disposable infrastructure and commercial offensive tools. According to Secuinfra Falcon Team, the discovery began after a user reported unusual desktop behaviour and unauthorised PayPal transfers: the victim noticed “strange black windows”, and screenshots of them exposed the payload being decoded and executed.

The investigation found PowerShell running with a hidden window and the execution policy bypassed, and a file named svchoss[.]exe retrieved from the IP address 43.156.63[.]124 and saved to a temporary directory, its name mimicking the legitimate svchost[.]exe.

Memory analysis identified a concealed Python environment under %LOCALAPPDATA%\Microsoft\SystemCache25, and multiple payloads were hosted on the same server, including XWorm RAT v5.6, the HTran tunnelling tool and a Cobalt Strike Beacon, with a PyInstaller-packed svchoss[.]exe also detected.
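As an added defender-side illustration (not code from the article or from Secuinfra's report), the Python triage sketch below runs over constructed process-creation events and flags the three indicators described above: a one-character lookalike of a Windows system binary name, PowerShell launched with a hidden window and the execution policy bypassed, and a Python runtime staged under a SystemCache directory in %LOCALAPPDATA%. The sample events and the short list of imitated system binaries are assumptions made for the example.

```python
import re

# Constructed sample process-creation events (image path, command line); not from the article.
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
    (r"C:\Users\victim\AppData\Local\Temp\svchoss.exe", "svchoss.exe"),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command <elided>"),
    (r"C:\Users\victim\AppData\Local\Microsoft\SystemCache25\python.exe", "python.exe -c <elided>"),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe -File backup.ps1"),
]
# Assumed short allow-list of Windows binaries whose names malware commonly imitates.
LEGIT_SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
HIDDEN_PS = re.compile(r"-(w|win|windowstyle)\s+hidden")          # -w / -win / -WindowStyle Hidden
BYPASS_PS = re.compile(r"-(ep|ex|exec|executionpolicy)\s+bypass")  # -ep / -ex / -ExecutionPolicy Bypass
CACHE_PYTHON = re.compile(r"\\appdata\\local\\microsoft\\systemcache\d*\\python")

def edit_distance(a, b):
    """Levenshtein distance; exactly one edit apart means a plausible lookalike name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage_event(image, cmdline):
    """Return the list of indicator names that fire for one process event (empty if clean)."""
    image_l = image.lower()
    name = image_l.rsplit("\\", 1)[-1]
    findings = []
    if name in LEGIT_SYSTEM_BINARIES:
        if not image_l.startswith(SYSTEM_DIRS):   # real name, wrong location
            findings.append(f"{name} running outside a system directory")
    else:
        for legit in LEGIT_SYSTEM_BINARIES:       # svchoss.exe is one edit from svchost.exe
            if edit_distance(name, legit) == 1:
                findings.append(f"lookalike of {legit}")
    cl = cmdline.lower()
    if "powershell" in name and HIDDEN_PS.search(cl) and BYPASS_PS.search(cl):
        findings.append("hidden PowerShell with execution policy bypass")
    if CACHE_PYTHON.search(image_l):
        findings.append("Python runtime staged under a SystemCache directory")
    return findings

def triage(events=SAMPLE_EVENTS):
    """Map each suspicious image path to its findings; clean events are omitted."""
    return {img: triage_event(img, cmd) for img, cmd in events if triage_event(img, cmd)}
```

The regexes accept the common abbreviated PowerShell parameter spellings, so the rule still fires on `-w hidden -ep bypass`; a plain `-File backup.ps1` launch produces no finding.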

VirusTotal detections for svchoss[.]exe stood at 41 of 71 engines as of 5 December 2025, while extracted strings suggested attempts to access Chromium autofill data, cryptocurrency wallets and Mozilla Firefox profiles, indicating credential-theft functionality.


Article by CyberSIXT