Python Malware Targets Tatar-Language Users: TA866 Threat Actor Strikes Again

This network protocol allows the transfer of files and folders from one host to another host via a TCP-based network, such as the internet.

In the latest cybersecurity news, researchers have found a new Python malware targeting Tatar language-speaking users. The Tatar language is a Turkic language spoken primarily by the Tatars, an ethnic group in Russia and neighboring countries.

This Python malware strain, sourced by Cyble, can capture screenshots on the victim’s systems and send them over to a remote server via FTP (File Transfer Protocol).

This network protocol allows the transfer of files and folders from one host to another host via a TCP-based network, such as the internet.

The perpetrator behind this campaign is the notorious TA866 threat actor. This notorious organization targets the Tatar language-speaking and leverages the Python malware for their operations.

Here’s how the TA866 threat actor uses Python malware

Source: Cyble

CRIL found that the TA866 threat actor used this new Python malware timed with the Tartar Republic Day. These attacks were running along with the Tartar Republic Day until the end of August.

According to the research, the TA866 threat actor employs a PowerShell script “responsible for taking screenshots and uploading them to a remote FTP server.

To begin the Python malware attack, the threat actors use phishing emails to target victims. These emails are embedded with a malicious RAR file.

This file consists of two seemingly innocuous files: a video file and a Python-based executable masquerading as an image file with a dual extension.

Source: Cyble

Once executed, the loader initiates a series of events. It fetches a zip file from Dropbox, concealing an additional executable file and two PowerShell scripts.

Source: Cyble

These scripts facilitate the creation of a scheduled task, enabling the execution of the malicious executable.

Source: Cyble

Proofpoint found the origins of this threat actor, which, according to the report, leads to a financially motivated activity called “Screentime.” This particular attack chain begins similarly to the one we saw in the Python malware case. 

The TA866 threat actor responsible for both campaigns, use an email attachment carrying the EmberCore and MirageVision.

The threat actor behind these two campaigns is a “well-organized group capable of carrying out planned attacks on a large scale,” reported Proofpoint. 

TA866 threat actor and their use of custom hacking tools

The reason why these hackers can launch these sophisticated attacks is because they have been successful in creating their custom tools and services.

Notably, the TA866 threat actor, a financially motivated threat actor, has been implicated in similar campaigns focusing on organizations in the United States and Germany.

According to CRIL, the threat actor uses the RAR file to infect the victim’s computers with the Python tool. But before it can launch the final payload, it goes through a chain of infection. This includes exploiting Tatar language filenames to evade detection

The threat actor uses a malicious executable that displays a message to the victims while surreptitiously executing PowerShell scripts to capture and transmit screenshots to an FTP server.

In the next phase, TA866 deploys additional post-exploitation tools, potentially including Cobalt Strike beacon, RATs (Remote Access Trojans), stealers, and other malicious programs.

The number of payloads and malware these hackers use shows that they are not a rookie group but an organization of highly skilled cybersecurity people, including experts in developing advanced malware strains and payloads. 

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Ashish Khaitan

Ashish is a technical writer at The Cyber Express. He adores writing about the latest technologies and covering the latest cybersecurity events. In his free time, he likes to play horror and open-world video games.

Recent Posts

EU-US Data Privacy Framework Under Threat After Supreme Court Ruling

Legal experts expect any court challenge to take several years before reaching a final judgment.

3 days ago

Japan’s Aflac, KDDI, Sapporo, Nidec: Four Breaches, One Common Entry Point

The incidents highlight the importance of treating subsidiaries and external partners as part of the organization's overall security perimeter.

4 days ago

Alleged Scattered Spider Member Arrested in Finland, Extradited to U.S.

The Department of Justice emphasized that the complaint against Stokes contains allegations only.

4 days ago

AI Cyber Attacks Emerge as Biggest Threat to Indian Banking: RBI

The report noted that cyber risk has become a major financial stability concern as India's financial ecosystem becomes increasingly digital…

5 days ago

Apple Security Update Patches 30+ Vulnerabilities in iOS 26.5.2

Apple said the flaws were addressed through improved memory management, input validation, bounds checking, and stronger security origin tracking.

6 days ago

Ukraine Makes History With First $8.3M Seized Crypto Transfer to ARMA

ARMA said receiving the cryptocurrency marks an important step in the evolution of Ukraine's asset management system.

6 days ago

This website uses cookies. By continuing to use this website you are giving consent to cookies being used.

Read More