'BlazeStealer' Python Malware Allows Complete Takeover of Developer Machines

Checkmarx researchers warn that BlazeStealer can exfiltrate information, steal passwords, disable PCs, and take over webcams.

Jeffrey Schwartz, Contributing Writer

November 9, 2023

2 Min Read
a python coiled on a tree limb
Source: Ernie Janes via Alamy Stock Photo

Malicious Python packages masquerading as legitimate code obfuscation tools are targeting developers via the PyPI code repository.

Focusing on those interested in code obfuscation is a savvy choice that could offer up organizational crown jewels, according to researchers at Checkmarx, who dubbed the malware "BlazeStealer."

They warned on Nov. 8 that BlazeStealer is particularly concerning because it can exfiltrate host data, steal passwords, launch keyloggers, encrypt files, and execute host commands. It becomes even more dangerous thanks to the astute choice of targets, according to Checkmarx threat researcher Yehuda Gelb.

"Developers who engage in code obfuscation are likely working with valuable and sensitive information. As a result, hackers see them as valuable targets to pursue and therefore are likely to be the victims targeted in this attack," Gelb explains.

BlazeStealer is the latest in a wave of compromised Python packages attackers have released in 2023. In July, Wiz researchers warned of PyLoose, malware consisting of Python code that loads an XMRig miner into a computer’s memory using the memfd Linux fileless process. At the time, Wiz observed nearly 200 instances in which the attackers used it for cryptomining.

For its part, Checkmark has tracked various malicious Python-based packages, including its September 2023 discovery of culturestreak, which runs a concurrent loop to tie up system resources for unauthorized Dero cryptocurrency mining.

Firing Up BlazeStealer Malware

The BlazeStealer payload can extract a malicious script from an external source, giving attackers complete control over the victim's computer. According to Gelb, the malicious BlazeStealer payload activates once it is installed on the compromised system.

For command and control, BlazeStealer runs a bot carried via the Discord messaging service using a unique identifier.

"This bot, once activated, effectively provides the attacker full control of the target's system, allowing them to perform a myriad of harmful actions on the victim's machine," Gelb warns. Besides gathering detailed host data, BlazeStealer can download files, deactivate Windows Defender and Task Manager, and lock a computer by overloading the CPU. It does the latter by running a batch script in the startup directory to shut down the computer, or forces a BSO error with a Python script.

BlazeStealer can also take control of a PC's webcam using a bot that stealthily downloads a .ZIP file from a remote server and installs the freeware application WebCamImageSave.exe.

"This allows the bot to secretly capture a photo using the webcam. The resulting image is then sent back to the Discord channel without leaving any evidence of its presence after deleting the downloaded files," Gelb notes.

About the Author

Jeffrey Schwartz

Contributing Writer

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights