Watch out for counterfeit PyPI packages quietly spreading the SilentSync Remote Access Trojan
In early August 2025, a series of malicious Python packages were identified by Zscaler analysts. These packages, named sisaws and secmeasure, were found to be delivering a newly discovered Remote Access Trojan (RAT) known as SilentSync.
Security researchers had been tracking a related series of malicious Python packages since July that relied on typosquatting. The sisaws package, for instance, typosquats the legitimate sisa package, which provides integration capabilities for Argentina's national health information system.
SilentSync targets four critical data categories from each browser profile: browsing history, autofill information, stored cookies, and saved credentials. It's worth noting that its data collection capabilities extend beyond basic file theft to include comprehensive browser data harvesting from Chromium-based browsers (Chrome, Edge, Brave) and Firefox.
The RAT's command-and-control channel is plain HTTP to the IP address 200.58.107.25, which is stored Base64-encoded in the code and decoded at runtime. SilentSync employs platform-specific persistence techniques on Windows, Linux, and macOS.
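Storing the C2 address as a Base64 literal defeats a plain grep for IP addresses, but the literal itself is easy to find: decode every Base64-looking string in a package's source and see whether the result is an address. The scanner below is an added example written for this article, not Zscaler's tooling; the sample source it scans is constructed here as a stand-in for a package's __init__.py and only reuses the IP the article reports.

```python
import base64
import binascii
import ipaddress
import re

# Constructed stand-in for a package module that hides its server address as a Base64
# literal and decodes it at import time. Built from the IP reported in the article.
SAMPLE_SOURCE = (
    'import base64\n'
    'SERVER = base64.b64decode("%s").decode()\n'
    'TIMEOUT = "MTIz"  # decodes to "123", which is not an address\n'
    'LABEL = "helloworld"\n'
) % base64.b64encode(b"200.58.107.25").decode()

# A quoted run of 8+ Base64-alphabet characters with optional padding.
B64_LITERAL = re.compile(r'["\']([A-Za-z0-9+/]{8,}={0,2})["\']')
IPV4_PORT = re.compile(r'^(\d{1,3}\.){3}\d{1,3}(:\d{1,5})?$')
URLISH = re.compile(r'^(https?://|[a-z0-9-]+(\.[a-z0-9-]+)+)', re.I)


def decode_candidate(token: str):
    """Return the decoded text if `token` is valid Base64 of printable ASCII, else None."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def looks_like_endpoint(text: str) -> bool:
    """True for an IPv4 address (optionally host:port) or a URL/hostname-shaped string."""
    if IPV4_PORT.match(text):
        try:
            ipaddress.ip_address(text.split(":")[0])
            return True
        except ValueError:
            return False
    return bool(URLISH.match(text))


def find_encoded_endpoints(source: str):
    """Scan Python source text; return [(line_no, literal, decoded)] for Base64
    literals that decode to a network endpoint."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), 1):
        for m in B64_LITERAL.finditer(line):
            decoded = decode_candidate(m.group(1))
            if decoded and looks_like_endpoint(decoded):
                findings.append((line_no, m.group(1), decoded))
    return findings


if __name__ == "__main__":
    for line_no, literal, decoded in find_encoded_endpoints(SAMPLE_SOURCE):
        print(f"line {line_no}: {literal!r} decodes to {decoded!r}")
```

Pointing this at the extracted wheel or sdist of every new dependency (the package's __init__.py and setup.py are the usual hiding spots) turns the encoding trick into a signal rather than a disguise; short decoded strings such as "123" are deliberately ignored to keep the noise down.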
On Windows systems, SilentSync creates a value named PyHelper under the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run key. For macOS targets, it writes a property list file named com.apple.pyhelper.plist into the ~/Library/LaunchAgents directory. On Linux, it modifies the victim's crontab, inserting an @reboot entry.
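Each of the three persistence locations named above can be audited with a few lines per platform. The script below is an added example, not part of the article or of Zscaler's research: the three indicator values come from the article, the audit functions take data so they can be tested offline on constructed input, and audit_live_host() wires them to the real host (winreg on Windows, ~/Library/LaunchAgents on macOS, crontab -l elsewhere).

```python
import os
import platform
import re
import subprocess

# Indicators taken from the article.
RUN_VALUE_NAME = "PyHelper"
LAUNCH_AGENT_NAME = "com.apple.pyhelper.plist"
CRON_DIRECTIVE = "@reboot"


def audit_run_values(values: dict) -> list:
    """values: {value_name: command} read from HKCU\\...\\Run. Flags the known value name
    (registry names are case-insensitive) and any entry that launches a Python interpreter."""
    hits = []
    for name, cmd in values.items():
        if name.lower() == RUN_VALUE_NAME.lower() or re.search(r"python(w|3)?(\.exe)?\b", cmd, re.I):
            hits.append((name, cmd))
    return hits


def audit_launch_agents(filenames) -> list:
    """Flags the known plist and, as a heuristic, any plist in a *user's* LaunchAgents
    folder that borrows Apple's com.apple. prefix (Apple's own agents live under /System)."""
    return [f for f in filenames if f == LAUNCH_AGENT_NAME or f.startswith("com.apple.")]


def audit_crontab(crontab_text: str) -> list:
    """Return the @reboot lines from a crontab dump, skipping comments."""
    hits = []
    for line in crontab_text.splitlines():
        s = line.strip()
        if s.startswith("#"):
            continue
        if s.startswith(CRON_DIRECTIVE):
            hits.append(s)
    return hits


def audit_live_host() -> dict:
    """Collect the artefacts from the running host and run the matching audit."""
    system = platform.system()
    if system == "Windows":
        import winreg  # only available on Windows
        values = {}
        key = winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                             r"Software\Microsoft\Windows\CurrentVersion\Run")
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:
                break
            values[name] = str(data)
            i += 1
        return {"run_key": audit_run_values(values)}
    if system == "Darwin":
        agents_dir = os.path.expanduser("~/Library/LaunchAgents")
        names = os.listdir(agents_dir) if os.path.isdir(agents_dir) else []
        return {"launch_agents": audit_launch_agents(names)}
    out = subprocess.run(["crontab", "-l"], capture_output=True, text=True)
    return {"crontab": audit_crontab(out.stdout)}


if __name__ == "__main__":
    print(audit_live_host())
```

The python-interpreter rule for the Run key and the com.apple. prefix rule for LaunchAgents are broader than the article's exact indicators and will surface legitimate entries on developer machines, so treat their output as a review list; the exact PyHelper / com.apple.pyhelper.plist / @reboot matches are the high-confidence ones.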
After successful exfiltration, SilentSync systematically removes the traces of its activity from the infected system to reduce the chance of detection. Its command-and-control channel is a REST-style HTTP API on TCP port 5000, with separate endpoints for connectivity beacons, command requests, status reporting, and data exfiltration.
Currently, SilentSync is targeting Windows systems through the malicious PyPI packages, but it maintains built-in compatibility for Linux and macOS environments, suggesting potential future expansion of the campaign. The initial discovery of a package named termncolor marked the beginning of a broader campaign targeting the Python development community.
The threat actors demonstrated remarkable attention to detail, ensuring their packages would pass casual inspection while hiding dangerous payload delivery mechanisms within seemingly benign initialization functions. These malicious packages showcase sophisticated social engineering techniques, carefully mimicking the functionality and appearance of their legitimate counterparts.
The SilentSync RAT represents a significant advancement in Python-based malware, incorporating cross-platform persistence mechanisms, comprehensive data exfiltration capabilities, and sophisticated command-and-control communication protocols. At the beginning of August 2025, the malicious Python packages "termncolor," "sisaws," and "secmeasure" spreading the RAT tool SilentSync were linked to threat actors associated with the cyber espionage group known as APT41.