type: entity | confidence: medium | created: 2026-05-30 | updated: 2026-05-30
tags: python-pyinstaller, obfuscation, defense-evasion, pe-loader, malware-family

pyinstaller-pyarmor-dropper

Malware delivered as a PyInstaller single-file PE64 bootloader that unpacks and runs a PyArmor-obfuscated Python payload. The outer binary is stock PyInstaller infrastructure and carries no malicious logic of its own; the threat logic lives entirely inside the PyArmor-encrypted Python code, which is only decrypted at runtime.

Build Stack

  • PyInstaller one-file C bootloader (built against the MinGW-w64 or MSVC CRT)
  • CPython 3.13.x runtime (python313.dll observed)
  • PyArmor runtime extension (pyarmor_runtime_000000.pyd), which decrypts the protected code objects when the payload is imported
  • PyInstaller CArchive (PKG) appended to the PE as an overlay, each entry individually zlib-compressed (~13+ MB typical)

Deploy / TTPs

  • Static-only inference: the payload is decrypted at runtime by PyArmor, so no C2 URLs, mutex names or other string IOCs are recoverable from the outer PE or from the extracted archive.
  • Python modules observed in the archive listing: socket, urllib, email, base64, hashlib, subprocess, ctypes, wmi, uuid, platform.
  • Taken together these imports are consistent with network C2 (socket, urllib), host enumeration (wmi, platform, uuid), command execution (subprocess, ctypes) and mail-based exfiltration (email) once the PyArmor layer initializes. An import proves capability, not use; treat the mapping as a hypothesis until dynamic analysis confirms it.
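The build stack and the static-inference note above both come down to one artifact: the PyInstaller CArchive overlay. The script below, an added example and not the page's own tooling, locates the archive cookie at the tail of the file, walks the table of contents, inflates entries and produces the kind of static summary the entry records (interpreter version, presence of the PyArmor runtime, which entries are scripts, binaries or the PYZ). The cookie and TOC layouts are PyInstaller's CArchive format; the sample binary is constructed inline with placeholder payloads so the script runs offline, and the entry names (python313.dll, pyarmor_runtime_000000.pyd, PYZ-00.pyz, main) are assumed to mirror the build stack above. Pure-Python modules of a real build live inside the PYZ entry, which needs a separate parser and is only listed here.

```python
"""PyInstaller onefile overlay triage: find the CArchive (PKG) cookie, decode
the TOC, inflate entries, summarise what the static layer exposes.

Added example, not from the page or the PyInstaller project.  Cookie and TOC
layouts follow PyInstaller's CArchive format; the sample PE below is constructed
in-line and its payload bytes are placeholders, not real code.
"""
import struct
import zlib

# Cookie at the tail of the archive: magic, pkg_len, toc_off, toc_len, pyver, pylib name.
COOKIE_MAGIC = b"MEI\014\013\012\013\016"
COOKIE_FMT = "!8sIIII64s"
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)      # 88 bytes
# TOC entry header: entry_len, data_pos, comp_len, uncomp_len, is_zlib, type_code.
TOC_HDR_FMT = "!iIIIBc"
TOC_HDR_SIZE = struct.calcsize(TOC_HDR_FMT)    # 18 bytes


def build_overlay(entries, pyver=313, pylib=b"python313.dll"):
    """Pack (name, type_code, payload) triples into a CArchive body: data blobs,
    then the TOC, then the cookie.  Used only to construct the sample below."""
    blobs, toc = b"", b""
    for name, type_code, payload in entries:
        comp = zlib.compress(payload)
        name_b = name.encode() + b"\0"
        entry_len = TOC_HDR_SIZE + len(name_b)
        entry_len += (-entry_len) % 16                 # entries are padded to 16 bytes
        toc += struct.pack(TOC_HDR_FMT, entry_len, len(blobs), len(comp), len(payload), 1, type_code)
        toc += name_b.ljust(entry_len - TOC_HDR_SIZE, b"\0")
        blobs += comp
    pkg_len = len(blobs) + len(toc) + COOKIE_SIZE      # pkg_len counts the cookie itself
    cookie = struct.pack(COOKIE_FMT, COOKIE_MAGIC, pkg_len, len(blobs), len(toc), pyver, pylib)
    return blobs + toc + cookie


def parse_overlay(pe_bytes):
    """Find the cookie, derive where the overlay starts and decode every TOC entry."""
    cookie_pos = pe_bytes.rfind(COOKIE_MAGIC)
    if cookie_pos < 0:
        raise ValueError("no PyInstaller cookie found")
    _, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack(
        COOKIE_FMT, pe_bytes[cookie_pos:cookie_pos + COOKIE_SIZE])
    pkg_start = cookie_pos + COOKIE_SIZE - pkg_len     # overlay begins where the bootloader PE ends
    off, end = pkg_start + toc_off, pkg_start + toc_off + toc_len
    if pkg_start < 0 or end > len(pe_bytes):
        raise ValueError("cookie describes an archive outside the file")
    entries = []
    while off < end:
        entry_len, pos, clen, ulen, is_zlib, code = struct.unpack(
            TOC_HDR_FMT, pe_bytes[off:off + TOC_HDR_SIZE])
        if entry_len < TOC_HDR_SIZE:
            raise ValueError("corrupt TOC entry")
        name = pe_bytes[off + TOC_HDR_SIZE:off + entry_len].rstrip(b"\0").decode("utf-8", "replace")
        entries.append({"name": name, "type": code.decode(), "pos": pkg_start + pos,
                        "clen": clen, "ulen": ulen, "zlib": bool(is_zlib)})
        off += entry_len
    return {"pyver": pyver, "pylib": pylib.rstrip(b"\0").decode(),
            "pkg_start": pkg_start, "pkg_len": pkg_len, "entries": entries}


def extract_entry(pe_bytes, entry):
    """Return one entry's bytes, inflating it when the TOC marks it zlib-compressed."""
    raw = pe_bytes[entry["pos"]:entry["pos"] + entry["clen"]]
    data = zlib.decompress(raw) if entry["zlib"] else raw
    if len(data) != entry["ulen"]:
        raise ValueError(f"{entry['name']}: inflated size {len(data)} != TOC {entry['ulen']}")
    return data


def triage(info):
    """Static summary: interpreter version, PyArmor runtime present or not, and
    which entries are scripts ('s'), binaries ('b') or the PYZ ('z')."""
    v = info["pyver"]
    major, minor = (v // 100, v % 100) if v >= 100 else (v // 10, v % 10)   # 313 -> 3.13, 39 -> 3.9

    def by_type(t):
        return [e["name"] for e in info["entries"] if e["type"] == t]

    return {"python": f"{major}.{minor}", "pylib": info["pylib"],
            "pyarmor_runtime": any("pyarmor_runtime" in e["name"] for e in info["entries"]),
            "scripts": by_type("s"), "binaries": by_type("b"), "pyz": by_type("z")}


# Constructed sample: a fake bootloader image plus an overlay whose entry names
# mirror the build stack on this page.  Payload bytes are placeholders only.
SAMPLE_ENTRIES = [
    ("pyimod01_archive", b"m", b"# placeholder bootstrap module\n"),
    ("PYZ-00.pyz", b"z", b"PYZ\0" + b"\0" * 60),
    ("python313.dll", b"b", b"MZ" + b"\0" * 30),
    ("pyarmor_runtime_000000.pyd", b"b", b"MZ" + b"\0" * 30),
    ("main", b"s", b"\xe3\0\0\0" + b"\0" * 28),
]
PE_STUB = b"MZ" + b"\x90" * 510                     # stand-in for the bootloader PE image
SAMPLE_PE = PE_STUB + build_overlay(SAMPLE_ENTRIES)

if __name__ == "__main__":
    info = parse_overlay(SAMPLE_PE)
    for k, v in triage(info).items():
        print(f"{k:16} {v}")
    script = next(e for e in info["entries"] if e["type"] == "s")
    print(f"{script['name']}: {len(extract_entry(SAMPLE_PE, script))} bytes inflated")
```

Against a real sample, feed `parse_overlay` the file's bytes instead of `SAMPLE_PE`. Expect the entry script you extract to be PyArmor's loader stub plus an encrypted blob rather than the original logic, and the stdlib modules named above to appear only in the PYZ listing, which is exactly why this entry records no static IOCs. A `pyarmor_runtime` substring match is deliberately loose so it also catches the package-style path PyArmor 8+ builds use for the runtime extension.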

Capabilities

  • pyinstaller-single-file-extraction
  • pyarmor-runtime-obfuscation
  • python-native-networking-socket-urllib
  • system-enumeration-wmi-platform-uuid
  • subprocess-command-execution
  • email-based-exfil
  • base64-hashlib-data-encoding
  • no-static-c2-iocs

Variants / Siblings

  • d297973f (this analysis) — 13.8 MB, CPython 3.13, no splash

Related