Summary: According to researchers at Hunt.io, threat actors have been exploiting the open-source Pyramid pentesting tool to establish stealthy command-and-control (C2) communications. Pyramid, first released on GitHub in 2023, is a Python-based post-exploitation framework designed to evade endpoint detection and response (EDR) tools by blending in with Python's widespread, legitimate presence in many environments. One of its core features is a lightweight HTTP/S server that is designed to deliver encrypted payloads while also acting as a C2 server for offensive or malicious operations. The framework also ships with modules that load and execute offensive tooling such as BloodHound, secretsdump, and LaZagne in memory, within the context of a signed Python interpreter, enabling actors to bypass traditional security controls that key on unsigned or on-disk binaries.
Security Officer Comments: Public code repositories like GitHub have become central hubs, giving both defenders and attackers easy access to offensive security tools. Red team frameworks, often built for post-exploitation and stealthy operations, are freely shared, enabling bad actors to repurpose them for malicious ends, as previously seen with tools like Cobalt Strike and Sliver. Although tools like Pyramid are intended for legitimate penetration testing, their capabilities can equally be leveraged by adversaries for post-exploitation activity with minimal room for detection.
Suggested Corrections: Hunt.io identified three IP addresses associated with Pyramid servers (104.238.61[.]144, 92.118.112[.]208, and 45.82.85[.]50) that had previously been flagged as indicators of compromise (IoCs) in GuidePoint Security's analysis of RansomHub. Those indicators were linked to a Python-based backdoor, suggesting a connection between the malicious Pyramid infrastructure observed and earlier operations. Researchers also identified another server (54.38.94[.]225) to which multiple domains resembling DevaGroup, an internet marketing service in Poland, resolve. While no malicious samples have been identified yet, the domains were registered as recently as December 2024, raising concerns about potential phishing or drive-by download attempts.
Hunt.io has shared the following parameters which can be used to craft a structured query to identify Pyramid-related infrastructure:
- HTTP Status Code: 401 Unauthorized
- Response Body Hash: SHA-256: 54477efe7ddfa471efdcc83f2e1ffb5687ac9dca2bc8a2b86b253cdbb5cb9c84
- Server Header: The project is based on Python 3.10 and uses BaseHTTP version 0.6 (the default Server header emitted by Python's http.server BaseHTTPRequestHandler). Since these values may vary slightly across deployments, they can be generalized as wildcards (BaseHTTP/0.* Python/3.*).
- Authentication and Content Headers: The presence of WWW-Authenticate: Basic realm="Demo Realm" and Content-Type: application/json.
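The four indicators above can be combined into a simple response fingerprint. The following Python is an added example written for this summary, not code from Hunt.io or from the Pyramid project; the sample responses are constructed for illustration, so their bodies will not hash to the published SHA-256 (a real Pyramid response is needed for that check to fire). The header and status checks are treated as required; the body hash is reported separately because it may change between Pyramid versions.

```python
import hashlib
import re
import urllib.error
import urllib.request
from typing import Dict, Tuple

# Indicators published by Hunt.io (copied from the list above).
PYRAMID_BODY_SHA256 = "54477efe7ddfa471efdcc83f2e1ffb5687ac9dca2bc8a2b86b253cdbb5cb9c84"
PYRAMID_REALM = 'Basic realm="Demo Realm"'
# Generalized form of the Server header (BaseHTTP/0.* Python/3.*), as the text suggests.
PYRAMID_SERVER_RE = re.compile(r"^BaseHTTP/0\.\d+ Python/3\.\d+(\.\d+)?$")


def fingerprint_response(status: int, headers: Dict[str, str], body: bytes) -> Dict[str, bool]:
    """Check one HTTP response against the Pyramid indicators.

    Header names are matched case-insensitively. Returns which indicators matched
    so an analyst can see partial hits rather than a bare yes/no.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    content_type = h.get("content-type", "").split(";")[0].strip().lower()
    return {
        "status_401": status == 401,
        "server_header": bool(PYRAMID_SERVER_RE.match(h.get("server", ""))),
        "www_authenticate": h.get("www-authenticate", "") == PYRAMID_REALM,
        "content_type": content_type == "application/json",
        "body_hash": hashlib.sha256(body).hexdigest() == PYRAMID_BODY_SHA256,
    }


def is_probable_pyramid(result: Dict[str, bool]) -> bool:
    """Status plus all three header indicators are required; body_hash is corroborating only."""
    required = ("status_401", "server_header", "www_authenticate", "content_type")
    return all(result[k] for k in required)


def probe(url: str, timeout: float = 5.0) -> Dict[str, bool]:
    """Fetch a URL and fingerprint the reply. Needs network access; not exercised offline.

    A 401 surfaces as HTTPError, which still carries the headers and body we need.
    """
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return fingerprint_response(resp.status, dict(resp.headers), resp.read())
    except urllib.error.HTTPError as err:
        return fingerprint_response(err.code, dict(err.headers), err.read())


# Constructed sample responses (not captured traffic): (status, headers, body).
SAMPLE_PYRAMID_RESPONSE: Tuple[int, Dict[str, str], bytes] = (
    401,
    {
        "Server": "BaseHTTP/0.6 Python/3.10.12",
        "Date": "Tue, 11 Feb 2025 10:00:00 GMT",
        "WWW-Authenticate": 'Basic realm="Demo Realm"',
        "Content-Type": "application/json",
    },
    b'{"error": "unauthorized"}',
)

SAMPLE_GENERIC_RESPONSE: Tuple[int, Dict[str, str], bytes] = (
    401,
    {
        "Server": "nginx/1.24.0",
        "WWW-Authenticate": 'Basic realm="Restricted"',
        "Content-Type": "text/html",
    },
    b"<html><body>401 Authorization Required</body></html>",
)


if __name__ == "__main__":
    for name, sample in (("pyramid-like", SAMPLE_PYRAMID_RESPONSE), ("generic", SAMPLE_GENERIC_RESPONSE)):
        result = fingerprint_response(*sample)
        print(name, result, "=> probable Pyramid:", is_probable_pyramid(result))
```

When running this against real hosts, feed `probe()` the root URL of a candidate server and treat `body_hash` as a tie-breaker: a true positive from the Hunt.io dataset should match all five indicators, while a generic Python http.server instance will typically match only the Server header.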
Network Observables and IOCs can be found here.
Link(s): https://hunt.io/blog/tracking-pyramid-c2-identifying-post-exploitation-servers