T1059.006 Python is a sub-technique of Command and Scripting Interpreter (T1059) in the MITRE ATT&CK framework, under the Execution tactic. It refers to the use of the Python programming language by adversaries to execute code and automate actions on compromised systems.
Python is a high-level, interpreted language known for its simplicity, extensive standard library, and cross-platform availability across Windows, Linux, and macOS. These characteristics make Python well suited for scripting, automation, and rapid development of functionality that can interact with operating system components, network services, and external libraries.
To read about other sub-techniques of the T1059 Command and Scripting Interpreter technique, you can visit the related hub blog.
Adversaries use T1059.006 Python to carry out malicious activities by leveraging a portable and flexible execution environment. Python scripts can be easily deployed across different operating systems and integrated into custom malware, loaders, or post-exploitation frameworks.
In attack campaigns, Python is commonly used to execute payloads, automate attack workflows, interact with network services, download additional components, and orchestrate follow-on actions such as persistence or lateral movement. Its readability and ease of modification allow attackers to rapidly adapt tooling while maintaining cross-platform compatibility, making Python a recurring element in modern adversary tradecraft.
The versatility and portability of Python render it a valuable asset for attackers in their operations. Python can seamlessly run on most operating systems and can be readily integrated into various tools and frameworks.
For instance, according to an analysis released in December 2025, the Pakistan-based threat actor APT36 (also known as Transparent Tribe) demonstrated a significant evolution in its capabilities [1]. Historically focused on Windows-centric espionage against Indian government and defense entities, the group expanded its arsenal to include sophisticated Linux malware, specifically targeting the Bharat Operating System Solutions (BOSS) distribution used in India's public sector.
The cornerstone of this new campaign is a malware strain identified as swcbc. Analysis confirms this is a Python-based Remote Administration Tool (RAT) compiled into a 64-bit ELF binary using PyInstaller. This compilation technique allows the malware to run on any compatible Linux system without requiring the victim to install Python dependencies manually.
To survive system reboots, swcbc leverages the systemd init system, which is standard across most modern Linux distributions including BOSS. The malware drops a shell script, swcbc.sh, which automates the creation of a user-level service. This technique allows the malware to persist without requiring root privileges, a common constraint in hardened government environments.
The following shell commands were recovered from the infection chain. The script creates a .service file in the user's configuration directory and enables it.
```bash
# Define service path and executable location
```
This script ensures the RAT is launched immediately upon user login (WantedBy=default.target) and restarts automatically if the process is killed (Restart=always).
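One way for a defender to audit a Linux host for this kind of user-level persistence, written here as an added example and not code from the CYFIRMA report: it parses the .service files under ~/.config/systemd/user and flags units that combine a non-system executable path with Restart=always or WantedBy=default.target. The trusted path prefixes, the rule wording and the sample unit text are assumptions constructed for the example.

```python
import glob, os, re
from typing import Dict, List

# Assumption: binaries under these prefixes are package-managed and trusted.
TRUSTED = ("/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/", "/bin/", "/sbin/", "/opt/")
PATH_RE = re.compile(r"(?<![^\s=])/[^\s'\"]+")  # absolute paths inside a command line

def parse_unit(text: str) -> Dict[str, str]:
    """Flatten a unit file into {'Section.Key': value}; later duplicates win."""
    fields, section = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        if sep:
            fields[f"{section}.{key.strip()}"] = value.strip()
    return fields

def assess_unit(fields: Dict[str, str]) -> List[str]:
    """Reasons the unit matches the swcbc.sh pattern; an empty list means benign."""
    exec_start = fields.get("Service.ExecStart", "").lstrip("-@:+!")  # systemd modifiers
    untrusted = [p for p in PATH_RE.findall(exec_start) if not p.startswith(TRUSTED)]
    reasons = []
    if untrusted:
        reasons.append("ExecStart uses non-system path: " + ", ".join(untrusted))
    if fields.get("Service.Restart") == "always":
        reasons.append("Restart=always (respawns when killed)")
    if "default.target" in fields.get("Install.WantedBy", ""):
        reasons.append("WantedBy=default.target (runs at user login)")
    # Login-started system binaries are normal; alert only on an untrusted path plus a persistence trait.
    return reasons if untrusted and len(reasons) >= 2 else []

def scan_user_units(home: str = os.path.expanduser("~")) -> Dict[str, List[str]]:
    """Audit ~/.config/systemd/user/*.service, mapping suspicious files to reasons."""
    hits = {}
    for path in glob.glob(os.path.join(home, ".config/systemd/user/*.service")):
        with open(path, encoding="utf-8", errors="replace") as fh:
            if reasons := assess_unit(parse_unit(fh.read())):
                hits[path] = reasons
    return hits

# Constructed sample modelled on the report's description, not the real unit file.
SAMPLE_RAT_UNIT = ("[Unit]\nDescription=Update Service\n[Service]\n"
                   "ExecStart=/home/user/.local/share/.cache/swcbc\nRestart=always\n"
                   "[Install]\nWantedBy=default.target\n")
```

Running scan_user_units() on a host prints nothing for ordinary desktop units such as a package-installed service started at login, because the executable path is under a trusted prefix.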
In January 2024, CISA and the Federal Bureau of Investigation (FBI) released a joint Cybersecurity Advisory detailing the Androxgh0st malware, a Python-scripted threat primarily used to target .env files containing confidential information, such as credentials for high-profile applications like Amazon Web Services (AWS) and Microsoft Office 365 [2]. Threat actors deploying Androxgh0st have been observed exploiting specific vulnerabilities, including CVE-2017-9841, to remotely execute code on vulnerable websites via PHPUnit.
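As an added detection example that is not part of the CISA advisory, the following scans web server access logs for the two request patterns described above: requests for .env files and requests for the PHPUnit eval-stdin.php script abused through CVE-2017-9841. The log format regex, the rule names and the sample log lines are constructed for the example; a 2xx response to such a request is treated as a confirmed exposure rather than a mere probe.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Combined/common log format (assumed); adjust the pattern to your server's format.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)'
                    r' [^"]*" (?P<status>\d{3}) ')
ENV_RE = re.compile(r"(^|/)\.env(\.[\w.-]+)?$")  # /.env, /app/.env, /.env.bak; not /.environment
# PHPUnit script abused by CVE-2017-9841; scanners try it under many vendor prefixes.
PHPUNIT_EVAL = "/Util/PHP/eval-stdin.php"

class Alert(NamedTuple):
    ip: str
    path: str
    status: int
    severity: str
    rule: str

def classify(path: str, status: int) -> Optional[Tuple[str, str]]:
    """Return (rule, severity) for a request, or None if it is not of interest."""
    bare = path.split("?", 1)[0]
    if bare.endswith(PHPUNIT_EVAL):
        rule = "CVE-2017-9841 PHPUnit eval-stdin.php request"
    elif ENV_RE.search(bare):
        rule = ".env secrets file request"
    else:
        return None
    # A 2xx means the server actually served the file or script: exposure, not a probe.
    return rule, ("critical" if 200 <= status < 300 else "probe")

def scan_log(lines: List[str]) -> List[Alert]:
    """Parse access log lines and return one Alert per matching request."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line or a different log format
        hit = classify(m["path"], int(m["status"]))
        if hit:
            alerts.append(Alert(m["ip"], m["path"], int(m["status"]), hit[1], hit[0]))
    return alerts

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [16/Jan/2024:10:01:02 +0000] "GET /.env HTTP/1.1" 404 153 "-" "python-requests/2.25.1"',
    '203.0.113.7 - - [16/Jan/2024:10:01:03 +0000] "GET /app/.env HTTP/1.1" 200 812 "-" "python-requests/2.25.1"',
    '203.0.113.7 - - [16/Jan/2024:10:01:05 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 153 "-" "python-requests/2.25.1"',
    '198.51.100.4 - - [16/Jan/2024:10:02:00 +0000] "GET /index.php?page=environment HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]
```

The second sample line is the one that matters operationally: a 200 for /app/.env means the secrets file was served and the credentials in it should be rotated.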
In May 2024, researchers reported on a campaign targeting Brazilian users with a new banking trojan named "CarnavalHeist" [3]. The attack chain involved a Windows batch file that downloaded a Python interpreter from the official Python FTP server and installed it in a malware-created folder. Subsequently, an embedded base64-encoded Python script was executed, serving as a loader to inject a malicious DLL payload into memory:
```python
from time import sleep
```
Adversaries can leverage Python scripting for resource hijacking. For instance, PyLoose is a Python-based fileless malware that targets cloud workloads with a focus on executing a cryptominer directly in memory [4]. It gains initial access through vulnerable Jupyter Notebook services, which allow the execution of Python code and system commands. The malware is fetched from a public paste site using HTTPS, circumventing file system-based detection by loading directly into the Python runtime's memory. The script is concise, with only nine lines of code that decode and decompress an XMRig miner payload, then execute it in-memory using Linux's memfd feature, which creates file-like memory objects.
```python
import ctypes, os, base64, zlib
```
This method of execution is stealthy, as it leaves no traditional file system footprint, making detection and forensic investigation difficult. The attack is sophisticated, employing evasion techniques and demonstrating an advanced level of threat actor skill, indicative of an adversary with significant capabilities in targeting cloud environments.
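A host-side check for the memfd execution pattern, added here as an example and not part of the Wiz analysis: on Linux, the exe link of a process whose binary was loaded through memfd_create resolves to a /memfd: name rather than a path on disk, so walking /proc surfaces such processes (and binaries deleted after launch). The sample entries are constructed, and inspecting other users' processes requires root.

```python
import os
from typing import Iterable, List, NamedTuple, Tuple

class Hit(NamedTuple):
    pid: int
    exe: str
    cmdline: str
    reason: str

def classify_exe(exe_target: str) -> str:
    """Explain why a /proc/<pid>/exe link target is suspicious, or '' if it is not."""
    if exe_target.startswith("/memfd:"):
        return "executable is an anonymous memfd object, never written to disk"
    if exe_target.endswith(" (deleted)"):
        return "executable was unlinked from disk after launch"
    return ""

def find_hits(entries: Iterable[Tuple[int, str, str]]) -> List[Hit]:
    """Keep only the (pid, exe_target, cmdline) triples that need analyst review."""
    hits = []
    for pid, exe, cmd in entries:
        reason = classify_exe(exe)
        if reason:
            hits.append(Hit(pid, exe, cmd, reason))
    return hits

def read_proc(proc_root: str = "/proc") -> Iterable[Tuple[int, str, str]]:
    """Yield (pid, exe_target, cmdline) for every process this user may inspect."""
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        base = os.path.join(proc_root, name)
        try:
            exe = os.readlink(os.path.join(base, "exe"))
            with open(os.path.join(base, "cmdline"), "rb") as fh:
                cmd = fh.read().replace(b"\0", b" ").decode("utf-8", "replace").strip()
        except OSError:
            continue  # exited, kernel thread, or another user's process (needs root)
        yield int(name), exe, cmd

# Constructed sample of readlink() results on /proc/<pid>/exe; not captured from a host.
SAMPLE_ENTRIES = [
    (1, "/usr/lib/systemd/systemd", "/sbin/init"),
    (4242, "/usr/bin/python3.10", "python3 -m jupyter notebook"),
    (4310, "/memfd:a (deleted)", "a"),           # payload loaded via memfd_create
    (4411, "/tmp/.x/b (deleted)", "/tmp/.x/b"),  # binary removed after execution
]

if __name__ == "__main__":
    for h in find_hits(read_proc()):
        print(f"pid={h.pid} exe={h.exe!r} cmd={h.cmdline!r}: {h.reason}")
```

memfd objects are also used legitimately by desktop and container software, so the exe link (not merely an open memfd descriptor) is the signal worth alerting on; correlate a hit with its parent process, for example a Jupyter kernel, before responding.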
In August 2023, the National Police of Spain warned of an ongoing 'LockBit Locker' ransomware campaign targeting architecture companies through phishing emails [5].
In their attack campaigns, the attackers send emails from a made-up domain. They pretend to be a photography store looking for renovation plans to build trust with their targets. Once trust is established, they propose a meeting and provide an IMG file containing a disguised Windows shortcut. When this shortcut is activated, it triggers a Python script that checks for admin privileges.
Figure 1. Malicious Python Script of LockBit Locker Ransomware [5].
If admin rights are present, the script establishes persistence mechanisms on the system and executes the ransomware, encrypting the user's files. In cases where admin rights are absent, the script employs a UAC bypass technique to execute the ransomware with elevated privileges.
The sophistication of this campaign lies in its ability to convincingly mimic legitimate business inquiries, thereby evading standard anti-phishing defenses employed by companies.
[1] “APT36 Python Based ELF Malware Targeting Indian Government Entities,” CYFIRMA. Available: https://www.cyfirma.com/research/apt36-python-based-elf-malware-targeting-indian-government-entities/. [Accessed: Dec. 02, 2025]
[2] CISA and FBI, Joint Cybersecurity Advisory AA24-016A on the Androxgh0st malware, Jan. 2024. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-016a
[3] Cisco Talos, “New banking trojan ‘CarnavalHeist’ targets Brazil with overlay attacks,” Cisco Talos Blog, May 31, 2024. Available: https://blog.talosintelligence.com/new-banking-trojan-carnavalheist-targets-brazil/. [Accessed: Nov. 27, 2024]
[4] “PyLoose: Python-based fileless malware targets cloud workloads to deliver cryptominer,” wiz.io, Jul. 11, 2023. Available: https://www.wiz.io/blog/pyloose-first-python-based-fileless-attack-on-cloud-workloads. [Accessed: Dec. 20, 2023]
[5] B. Toulas, “Spain warns of LockBit Locker ransomware phishing attacks,” BleepingComputer, Aug. 28, 2023. Available: https://www.bleepingcomputer.com/news/security/spain-warns-of-lockbit-locker-ransomware-phishing-attacks/. [Accessed: Dec. 20, 2023]