A new malware has been discovered targeting online gambling firms in China with watering hole attacks. The website visitors are tricked into downloading a malware loader that impersonates legitimate installers of apps such as Flash Player or MS Silverlight.

What happened?

According to researchers from Trend Micro, the fake installers eventually drop Cobalt Strike shellcode or a previously undocumented backdoor written in Python language, now named Biopass RAT.
  • The RAT has basic features observed in other malware, for example, file system assessment, file exfiltration, access to remote desktop, and the shell command execution. 
  • It has the ability to steal the private information of its victims by targeting the web browser and instant messaging client data. This stolen data can be used for other malicious actions.
  • It can monitor and capture the victim’s screen by exploiting the framework of Open Broadcaster Software (OBS) Studio, a well-known app used to establish live streaming to a cloud service using RTMP.
  • Moreover, the RAT can take advantage of the Object Storage Service (OSS) of Alibaba Cloud (Aliyun) to host Biopass RAT Python scripts to save the exfiltrated data from its victims.

Additionally, this threat might be connected with the Winnti Group (aka APT41) and still under development. During analysis, researchers observed references to different versions of code, such as V2 or BPSV3.

How does the attack work?

The delivery mechanism for this newly discovered malware is a watering hole attack, in which a compromised website injected with a custom JavaScript code is used to deliver the malware.
  • In most cases, the attackers had placed their injection script inside the target’s online support chat page. The injected script scans the affected host by sending HTTP requests to a list of ports.
  • If the malware receives any response with an expected string from this list of ports, the script will stop. This specific step is believed to be taken for avoiding an already infected victim.


Biopass RAT is a sophisticated malware implemented through Python scripts. The pretense of legitimate installers makes it a simple yet deadly threat that flaunts multiple capabilities. Therefore, organizations should have robust security mechanisms to stay protected from such advanced threats.

Cyware Publisher