Privacy Ninja



        • Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Serpent Malware Campaign Abuses Chocolatey Windows Package Manager

Serpent Malware Campaign Abuses Chocolatey Windows Package Manager

Threat actors are abusing the popular Chocolatey Windows package manager in a new phishing campaign to install new ‘Serpent’ backdoor malware on systems of French government agencies and large construction firms.

Chocolatey is an open-source package manager for Windows that allows users to install and manage over 9,000 applications and any dependencies through the command line.

In a new phishing campaign discovered by Proofpoint, threat actors use an intricate infection chain consisting of macro-laced Microsoft Word documents, the Chocolatey package manager, and steganographic images to infect devices while bypassing detection.

Stenography + Chocolatey to evade detection

Proofpoint researchers discovered a new phishing campaign targeting French organizations in the construction, real estate, and government industries.

The multi-step attack starts with a phishing email impersonating the European Union’s General Data Protection Regulations agency (GDPR). This email includes a Word document attachment document containing malicious macro code.

Also Read: 6 ways to recognize a potential phishing scam and what to do if you receive one

The GDPR-themed document containing macro code
The GDPR-themed document containing macro code (Proofpoint)

If opened and content is enabled, the malicious macro fetches an image of Swiper the Fox from the cartoon series Dora the Explorer.

Fox image containing encoded PowerShell
Fox image containing encoded PowerShell (Proofpoint)

However, this image is not entirely harmless, as it uses Stenography to hide a PowerShell script that the macros will execute. Stenography is used to hide data, in this case, malicious code, to evade detection by users and antivirus tools as it appears like a regular image.

The PowerShell script will first download and install the Chocolatey Windows package manager, which is then used to install the Python programming language and the PIP package installer, as shown below.

PowerShell script hidden within the image
PowerShell script hidden within the image
Source: BleepingComputer

Chocolatey is also being used to evade detection by security software as it is commonly used in enterprise environments to manage software remotely and could be on an allowed list in IT environments.

Also Read: How does ransomware happen? Here are 7 ways to prevent them

“Proofpoint has not previously observed a threat actor use Chocolatey in campaigns,” Proofpoint researchers explain in their report.

Eventually, a second steganographic image is downloaded to load the Serpent backdoor, which is Python-based malware, hence the need for the previously installed packages in the previous steps.

Serpent's infection chain
Serpent’s infection chain (Proofpoint)

Once loaded, the Serpent backdoor malware will communicate with the attacker’s command and control server to receive commands to execute on the infected device.

Proofpoint says that the backdoor can execute any command sent by the attacks, allowing the threat actors to download further malware, open reverse shells, and gain complete access to the device.

Chocolatey told BleepingComputer that they were not aware that their software was abused in the manner and are looking into it.

Likely a new threat actor

Apart from the custom backdoor (Serpent) and the abuse of Chocolatey, which hasn’t been previously observed in the cyberthreat space, Proofpoint also noticed a novel application of signed binary proxy execution using schtrasks.exe, essentially a new detection bypass technique.

These elements indicate that the threat actor is a new group, characterized by high sophistication and capabilities, and not linked to other known operatives.

Proofpoint couldn’t detect anything that may be used to attribute the activity to a particular threat actor, which is indicative of the actor’s overall operational security.

While the goal of the unknown adversary hasn’t been determined yet, it appears that the tactics point towards espionage, with data access, host control, and the installation of additional payloads being the main pillars of the attacks.



Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.


Click one of our contacts below to chat on WhatsApp

× Chat with us