Hello and welcome to the Thursday, April 10th,

2025 edition of the Sands and at Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Xavier wrote about obfuscated Python.

In this particular case, the exploit first arrived as a simple script,

then use PowerShell to download additional Python.

Now, what was different about this particular Python script here is that it used Pi Armor

in order to obfuscate the code.

And, well, Xavier isn't here going towards

line by line, based on the obfuscation,

at least does show some techniques to get some

partial content from the script by doing

some behavioral analysis. The problem here again is that the script

also doesn't really run in sandboxes very well, so certainly making analysis of these scripts

more difficult. Pi armor itself is not necessarily malicious. It's often used for commercial Python scripts

in order to obfuscate the inner workings

for intellectual property protection and the like.

But if anybody has any tips here for Xavier,

how to better deal with Pi Armorour, obfuscated scripts.

Well, please let them know.

And we have an interesting vulnerability in CenterStack.

Center Stack is made by Cladinet,

...