The malicious code first calls the network connection-related API function to establish a connection with the remote server. It then receives an encrypted command from the server, which is decoded using decoding-related API functions, and subsequently executed. By establishing a backdoor pipeline on a user's system, attackers can achieve persistent remote control, allowing them to continue accessing the system even after the initial attack has been eliminated. This behavior can cause long-term and sustained damage to the system.

We found many malicious codes stealing sensitive information from the data collected. Malicious code collects host not only sensitive information but also information such as passwords and cookies from the user's browser, which can be used for malicious purposes. This type of malicious behavior can affect multiple systems and users. The attacker will first read sensitive local files using file operation-related API functions or system information using host information-related APIs, then may obfuscate this private information, typically using the base64() method, and finally call network connection-related APIs to send this information to a specified IP or URL.

We have discovered that some attackers use dynamic code execution at runtime to circumvent code signatures and other security measures. The malicious code can be in the form of a base64-encoded string of code that is either downloaded from a remote server or embedded within the code. The attacker first decodes the obfuscated malicious code using decoding-related API functions, then passes the decoded string to the compile() function, which compiles it into a Python code object. Finally, the attacker passes the code object to code execution-related API functions to execute the code and accomplish the attack objective.

Attackers use command execution-related API functions to execute malicious PowerShell or other shell commands to run other malicious programs, delete files, steal sensitive information, etc. The attacker may also use network connection-related API functions to send the collected information to a remote server. This attack can lead to complete system control, leading to serious data leakage and corruption.

The attacker uses the Python malicious code to connect to a remote server and download malicious executable files via remote connection-related API functions. These executables are then run on the local system by calling commands execution-related API functions. These executables may be various types of malware, such as Trojans, ransomware, password-stealing software, etc. Finally, the attacker will call file operation-related API functions to delete these executables to erase the attack's traces.