Hackers have been leveraging the open-source Pyramid pentesting tool to establish stealthy command-and-control (C2) communications.<\/p>\n
Pyramid, first released on GitHub in 2023, is a Python-based post-exploitation framework designed to evade endpoint detection<\/a> and response (EDR) tools.<\/p>\n Its lightweight HTTP\/S server capabilities make it an attractive choice for malicious actors seeking to minimize detection.<\/p>\n Pyramid is built on Python\u2019s legitimate presence in many environments, utilizing a Python-based HTTP\/S server to deliver files and act as a C2 server for offensive operations.<\/p>\n The framework includes modules that load well-known tools like BloodHound, secretsdump, and LaZagne directly into memory.<\/p>\n Security analysts at Hunt.io identified<\/a> that this in-memory execution allows operators to act within the context of a signed Python interpreter, potentially bypassing traditional endpoint security measures.<\/p>\n Identifying Pyramid servers involves analyzing specific network signatures. When interacting with a suspected Pyramid server, the response headers exhibit distinct characteristics:<\/p>\n The server also returns a JSON response body:-<\/p>\n Recent scans have identified several IP addresses associated with Pyramid servers, including 104.238.61[.]144, 92.118.112[.]208, and 45.82.85[.]50.<\/p>\n These servers were linked to domains resembling DevaGroup, an internet marketing<\/a> service, though no malicious samples have been found yet.<\/p>\n Technical Details for Detection:-<\/p>\n These parameters can be used to craft structured queries for identifying Pyramid-related infrastructure, enhancing cybersecurity defenses.<\/p>\n By focusing on authentication challenges<\/a>, response headers, and specific error messages, defenders can improve detection fidelity and minimize false positives.<\/p>\n As open-source offensive security<\/a> tools continue to advance, tracking similar implementations will provide early warnings of new infrastructure and refine detection methodologies.<\/p>\n The post Hackers Using Pyramid Pentesting Tool For Stealthy C2 Communications<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi0RP3ilWP7z_dFNNAxHuNzWdGWGHb1hLR9ZGjPAw5sqDBj-Rp7x4QLJ_v037D-cS7kLOFJ70GV1POZKOVFcAq9Usn-GeCFHMzbfz017joa73bRi6ZAoN4xAUSar30Irq5zJlQLxmK9M-erPogkyeggbMdUfNgZ0-Xa9qI8QDD5I0CR6W0v4MNHrDDwiFY\/s16000\/Pyramid%2520README%2520Screenshot%2520%28Source%2520-%2520Hunt.io%29.webp?ssl=1\")
Detection Opportunities<\/strong><\/h2>\n
Server: BaseHTTP\/0.6 Python\/3.10.4\nDate:\nWWW-Authenticate: Basic realm=\"Demo Realm\"\nContent-Type: application\/json<\/code><\/pre>\n{\n \"success\": false,\n \"error\": \"No auth header received\"\n}<\/code><\/pre>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgNEJmgofpUxGrju8y2Movxd1qALQlBd2fOxwJrvtYfEKZ0PyuNWR9IM5e-LIy61g-qyC5V_h4MQvQrARF5369zlP8cf-PspSD-wZsWFyGiFk0QSY5X4jQ3lH4sYccEvvWrPplEqrCINtFk5yN4xVb2P3iWIlS8PLSWvVqkf8O5kfT_5kafOvef8EHIG4M\/s16000\/Pyramid%2520C2%2520HTTP%2520401%2520Response%2520%28Source%2520-%2520Hunt.io%29.webp?ssl=1\")
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEh9BgjT2vlIXDtPtAo3ikxzCWrGXmP9mIpKdnjWQtZsr-Z7dUUOb_3zh7ZvJWACKxahF80nLbzaM_SWLXQp9YdRtYhqWz4nsSm-efMcCr0hxny2dPXNgFnB8OA_m0hWzann82lqAe2R5lACpxu0Iio-4CcVPpchd6q2JUOcjFCcFs-FilCuPr4nLuA6RCw\/s16000\/Pyramid%2520C2%2520Servers%2520Tracked%2520%28Source%2520-%2520Hunt.io%29.webp?ssl=1\")
\n
Investigate Real-World Malicious Links & Phishing Attacks With\u00a0Threat Intelligence Lookup<\/strong>\u00a0-\u00a0Try for Free<\/a><\/code><\/strong><\/code><\/strong><\/p>\n