Hello and welcome to the Thursday, January 30th, 2025 edition of the Sands and at Storm Center's Stormcast.

My name is Johannes Ulrich and today I'm recording from Jacksonville, Florida.

One of the comments we often get when we're talking about Python matter is that on Windows,

usually there is no sort of full Python environment

like you have it commonly on Linux. Well, today, Xavier has an interesting piece of Python

malware that actually includes the entire Python environment in the form of a fake document.

Document.sip is being downloaded here with the Python

environment. Also interesting and not really that terribly unusual when you start the malware.

A PDF will open. In this case, some sort of generic Garmin related PDF. This is usually done to make the user feel like they opened a document.

Probably the pretense here for delivering of the Malver was that this attachment is

supposed to include this PDF document.

So if the user now clicks on the file, which really starts the matter, the PDF

is opened for them, making them feel safe and sound, while in the background, all of their

crypto coins and other sensitive information is being exfiltrated. Then we have two updates

for 40 net users.

First of all, there is an exploit apparently for sale now, according to Threatmon.

They posted on X that they saw an exploit for sale on a Russian forum.

This exploit apparently takes advantage of the vulnerability I talked about yesterday.

That's the interesting remote access via web socket bypassing authentication vulnerability.

So definitely make sure that your devices are patched.

It affects 40OS version 7 version 700 through 7016. The second item is,

well, a little bit related maybe, but 40Net also notified its users that if you are running a

...