Command and Scripting Interpreter: Python

Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the python.exe interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables.[1]

Python comes with many built-in packages to interact with the underlying system, such as file operations and device I/O. Adversaries can use these libraries to download and execute commands or other scripts as well as perform various malicious behaviors.

ID: T1059.006
Sub-technique of:  T1059
Tactic: Execution
Platforms: ESXi, Linux, Windows, macOS
Version: 1.1
Created: 09 March 2020
Last Modified: 24 October 2025

Procedure Examples

ID Name Description
G0016 APT29

APT29 has developed malware variants written in Python.[2]

G0067 APT37

APT37 has used Python scripts to execute payloads.[3]

G0087 APT39

APT39 has used a command line utility and a network scanner written in Python.[4][5]

S0234 Bandook

Bandook can support commands to execute Python-based payloads.[6]

G0060 BRONZE BUTLER

BRONZE BUTLER has made use of Python-based remote access tools.[7]

S0482 Bundlore

Bundlore has used Python scripts to execute payloads.[8]

S0631 Chaes

Chaes has used Python scripts for execution and the installation of additional files.[9]

G1021 Cinnamon Tempest

Cinnamon Tempest has used a customized version of the Impacket wmiexec.py module to create renamed output files.[10]

S0154 Cobalt Strike

Cobalt Strike can use Python to perform execution.[11][12][13][14]

S0369 CoinTicker

CoinTicker executes a Python script to download its second stage.[15]

G1052 Contagious Interview

Contagious Interview has used Python-based malware such as InvisibleFerret to install and execute Python packages and modules.[16][17][18]

S0492 CookieMiner

CookieMiner has used Python scripts on the user’s system, as well as the Python variant of the Empire agent, EmPyre.[19]

C0029 Cutting Edge

During Cutting Edge, threat actors used a Python reverse shell and the PySoxy SOCKS5 proxy tool.[20][21]

S0695 Donut

Donut can generate shellcode outputs that execute via Python.[22]

G0035 Dragonfly

Dragonfly has used various types of scripting to perform operations, including Python scripts. The group was observed installing Python 2.7 on a victim.[23]

S0547 DropBook

DropBook is a Python-based backdoor compiled with PyInstaller.[24]

G1006 Earth Lusca

Earth Lusca used Python scripts for port scanning or building reverse shells.[25]

S0377 Ebury

Ebury has used Python to implement its DGA.[26]

S1120 FRAMESTING

FRAMESTING is a Python web shell that can embed in the Ivanti Connect Secure CAV Python package.[27]

S1245 InvisibleFerret

InvisibleFerret is written in Python and has used Python scripts for execution.[16][28][17][29][18]

S0581 IronNetInjector

IronNetInjector can use IronPython scripts to load payloads with the help of a .NET injector.[30]

S0387 KeyBoy

KeyBoy uses Python scripts for installing files and performing execution.[31]

S0276 Keydnap

Keydnap uses Python for scripting to execute additional commands.[32]

G0094 Kimsuky

Kimsuky has used a macOS Python implant to gather data as well as MailFetcher.py code to automatically collect email data.[33][34]

S0681 Lizar

Lizar has used Python scripts (ps2x.py script and ps2p.py) to execute files on remote hosts using the Impacket library.[35]

S1213 Lumma Stealer

Lumma Stealer has used malicious Python scripts to execute payloads.[36]

S0409 Machete

Machete is written in Python and is used in conjunction with additional Python scripts.[37][38][39]

G0095 Machete

Machete used multiple compiled Python scripts on the victim’s system. Machete's main backdoor Machete is also written in Python.[40][37][39]

S0459 MechaFlounder

MechaFlounder uses a Python-based payload.[41]

G0069 MuddyWater

MuddyWater has developed tools in Python including Out1.[42]

S1189 Neo-reGeorg

Neo-reGeorg is a Python-based web shell.[43]

C0014 Operation Wocao

During Operation Wocao, threat actors' backdoors were written in Python and compiled with py2exe.[44]

S0428 PoetRAT

PoetRAT was executed with a Python script and worked in conjunction with additional Python-based post-exploitation tools.[45]

S0196 PUNCHBUGGY

PUNCHBUGGY has used Python scripts.[46]

S0192 Pupy

Pupy can use an add-on feature when creating payloads that allows operators to create custom Python scripts ("scriptlets") to perform tasks offline (without requiring a session), such as sandbox detection, adding persistence, etc.[47]

S1032 PyDCrypt

PyDCrypt, along with its functions, is written in Python.[48]

S0583 Pysa

Pysa has used Python scripts to deploy ransomware.[49]

G1039 RedCurl

RedCurl has used a Python script to establish outbound communication and to execute commands using SMB port 445.[50]

S1187 reGeorg

reGeorg is a Python-based web shell.[51]

S0332 Remcos

Remcos uses Python scripts.[52]

G0106 Rocke

Rocke has used Python-based malware to install and spread their coinminer.[53]

C0059 Salesforce Data Exfiltration

During Salesforce Data Exfiltration, threat actors used custom applications developed in Python.[54]

C0045 ShadowRay

During ShadowRay, threat actors used the Python pty module to open reverse shells.[55]

S0692 SILENTTRINITY

SILENTTRINITY is written in Python and can use multiple Python scripts for execution on targeted systems.[56][57]

S1035 Small Sieve

Small Sieve can use Python scripts to execute commands.[58]

S0374 SpeakUp

SpeakUp uses Python scripts.[59]

S1223 THINCRUST

THINCRUST can use Python scripts for command execution.[60]

G0131 Tonto Team

Tonto Team has used Python-based tools for execution.[61]

S0647 Turian

Turian has the ability to use Python to spawn a Unix shell.[62]

G0010 Turla

Turla has used IronPython scripts as part of the IronNetInjector toolchain to drop payloads.[30]

G1048 UNC3886

UNC3886 has used Python scripts to enumerate ESXi hosts and guest VMs.[63]

S1164 UPSTYLE

UPSTYLE is a Python-based application.[64][65]

S1218 VIRTUALPIE

VIRTUALPIE is a Python-based backdoor malware.[66][67]

S1217 VIRTUALPITA

VIRTUALPITA can call a Python script to run commands on a targeted guest virtual machine.[66]

G0128 ZIRCONIUM

ZIRCONIUM has used Python-based implants to interact with compromised hosts.[68][1]

Mitigations

ID Mitigation Description
M1049 Antivirus/Antimalware

Anti-virus can be used to automatically quarantine suspicious files.

M1047 Audit

Inventory systems for unauthorized Python installations.

M1038 Execution Prevention

Denylist Python where not required.

M1033 Limit Software Installation

Prevent users from installing Python where not required.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0063 Cross-Platform Behavioral Detection of Python Execution AN0172

Detects Python execution via python.exe or py.exe with anomalous parent lineage (e.g., Office macros, LOLBAS), execution from unusual directories, or chained network/PowerShell/system-level activity.

AN0173

Detects native Python or framework-based execution from Terminal, embedded apps, or launchd jobs. Flags network calls, persistence writes, or system enumeration after Python launch.

AN0174

Detects Python execution from non-standard user contexts or cron jobs that invoke outbound traffic, access sensitive files, or perform process injection (e.g., ptrace or /proc memory maps).

AN0175

Detects Python script or interpreter execution on ESXi hosts via embedded BusyBox shells, nested installations, or dropped files via SSH or datastore mount. Flags unusual scripting or post-compromise enumeration behavior.
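The four analytics above describe behaviour, not a rule. The following is an added example, not from the ATT&CK page, of how those conditions (anomalous parent, unusual directory, chained follow-on activity) can be encoded over process-creation telemetry and run against constructed sample events; the event field names and the watch-lists are assumptions.

```python
# Added example, not code from the ATT&CK page: a minimal cross-platform analytic
# for T1059.006 over constructed process-creation events. The event field names
# (image, parent_image, command_line) and the watch-lists below are assumptions.
import re

# Interpreter images: python3.x, python.exe, pythonw.exe, the py.exe launcher
PYTHON_IMAGE = re.compile(r"(^|[\\/])(python[\w.]*|py)(\.exe)?$", re.I)
# Parents from which a launch is anomalous (AN0172-AN0175): Office, LOLBAS, cron/launchd, BusyBox
SUSPICIOUS_PARENTS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "mshta.exe",
    "wscript.exe", "cscript.exe", "rundll32.exe", "cron", "crond", "launchd", "busybox",
}
# Locations where a dropped script or a nested interpreter is unexpected
UNUSUAL_DIRS = ("\\temp\\", "\\downloads\\", "/tmp/", "/dev/shm/", "/vmfs/volumes/")
# Command-line markers of chained shell, network or injection activity
FOLLOW_ON = ("powershell", "import pty", "import socket", "ptrace", "/proc/")

def score_event(ev):
    """Return the reasons a Python launch looks anomalous; [] if benign or not Python."""
    image = ev.get("image", "")
    if not PYTHON_IMAGE.search(image):
        return []
    reasons = []
    parent = re.split(r"[\\/]", ev.get("parent_image", ""))[-1].lower()  # either separator
    if parent in SUSPICIOUS_PARENTS:
        reasons.append("anomalous parent: " + parent)
    text = (image + " " + ev.get("command_line", "")).lower()
    if any(d in text for d in UNUSUAL_DIRS):
        reasons.append("execution from unusual directory")
    if any(m in text for m in FOLLOW_ON):
        reasons.append("chained shell/network/injection activity")
    return reasons

def detect(events):
    """Run the analytic over a batch; map event id -> reasons for flagged events."""
    return {ev["id"]: r for ev in events if (r := score_event(ev))}

# Constructed sample telemetry: one benign developer run and three anomalies
SAMPLE_EVENTS = [
    {"id": "e1", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Python311\python.exe", "command_line": r"python.exe C:\dev\build.py"},
    {"id": "e2", "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Python311\python.exe",
     "command_line": r"python.exe C:\Users\u\AppData\Local\Temp\inv.py"},
    {"id": "e3", "parent_image": "/usr/sbin/crond", "image": "/usr/bin/python3",
     "command_line": 'python3 -c "import socket,pty"'},
    {"id": "e4", "parent_image": "/bin/busybox", "image": "/bin/python",
     "command_line": "python /vmfs/volumes/ds1/enum.py"},
]
```

Tune the watch-lists to the environment: developer hosts and build agents legitimately launch Python from shells and schedulers, so parent and directory baselines should be derived from local telemetry before alerting.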

References

  1. Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved March 24, 2021.
  2. Symantec Security Response. (2015, July 13). “Forkmeiamfamous”: Seaduke, latest weapon in the Duke armory. Retrieved July 22, 2015.
  3. Cash, D., Grunzweig, J., Adair, S., Lancaster, T. (2021, August 25). North Korean BLUELIGHT Special: InkySquid Deploys RokRAT. Retrieved October 1, 2021.
  4. Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020.
  5. FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020.
  6. Check Point. (2020, November 26). Bandook: Signed & Delivered. Retrieved May 31, 2021.
  7. Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.
  8. Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020.
  9. Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021.
  10. Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023.
  11. Cobalt Strike. (2017, December 8). Tactics, Techniques, and Procedures. Retrieved November 17, 2024.
  12. Mudge, R. (2017, May 23). Cobalt Strike 3.8 – Who’s Your Daddy?. Retrieved June 4, 2019.
  13. Mavis, N. (2020, September 21). The Art and Science of Detecting Cobalt Strike. Retrieved September 12, 2024.
  14. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
  15. Thomas Reed. (2018, October 29). Mac cryptocurrency ticker app installs backdoors. Retrieved April 23, 2019.
  16. eSentire Threat Response Unit (TRU). (2024, November 14). Bored BeaverTail & InvisibleFerret Yacht Club – A Lazarus Lure Pt.2. Retrieved October 17, 2025.
  17. Matej Havranek. (2025, February 20). DeceptiveDevelopment targets freelance developers. Retrieved October 17, 2025.
  18. Unit 42. (2023, November 21). Hacking Employers and Seeking Employment: Two Job-Related Campaigns Bear Hallmarks of North Korean Threat Actors. Retrieved October 17, 2025.
  19. Chen, y., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges’ Cookies. Retrieved July 22, 2020.
  20. Meltzer, M. et al. (2024, January 10). Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN. Retrieved February 27, 2024.
  21. Lin, M. et al. (2024, February 27). Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exploitation and Persistence Attempts. Retrieved March 1, 2024.
  22. TheWover. (2019, May 9). donut. Retrieved March 25, 2022.
  23. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  24. Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020.
  25. Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.
  26. Vachon, F. (2017, October 30). Windigo Still not Windigone: An Ebury Update. Retrieved February 10, 2021.
  27. Lin, M. et al. (2024, January 31). Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation. Retrieved February 27, 2024.
  28. Insikt Group. (2025, February 13). Inside the Scam: North Korea’s IT Worker Threat. Retrieved October 17, 2025.
  29. Seongsu Park. (2024, November 4). From Pyongyang to Your Payroll: The Rise of North Korean Remote Workers in the West. Retrieved October 17, 2025.
  30. Reichel, D. (2021, February 19). IronNetInjector: Turla’s New Malware Loading Tool. Retrieved February 24, 2021.
  31. Hulcoop, A., et al. (2016, November 17). It’s Parliamentary KeyBoy and the targeting of the Tibetan Community. Retrieved June 13, 2019.
  32. Patrick Wardle. (2017, January 1). Mac Malware of 2016. Retrieved September 21, 2018.
  33. CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020.
  34. KISA. (2021). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 8, 2024.
  35. BI.ZONE Cyber Threats Research Team. (2021, May 13). From pentest to APT attack: cybercriminal group FIN7 disguises its malware as an ethical hacker’s toolkit. Retrieved February 2, 2022.
  36. Cybereason Security Services Team. (n.d.). Your Data Is Under New Lummanagement: The Rise of LummaStealer. Retrieved March 22, 2025.
  37. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
  38. Kaspersky Global Research and Analysis Team. (2014, August 20). El Machete. Retrieved September 13, 2019.
  39. kate. (2020, September 25). APT-C-43 steals Venezuelan military secrets to provide intelligence support for the reactionaries — HpReact campaign. Retrieved November 20, 2020.
  40. The Cylance Threat Research Team. (2017, March 22). El Machete's Malware Attacks Cut Through LATAM. Retrieved September 13, 2019.
  41. Falcone, R. (2019, March 4). New Python-Based Payload MechaFlounder Used by Chafer. Retrieved May 27, 2020.
  42. Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.
  43. L-Codes. (2019). Neo-reGeorg. Retrieved December 4, 2024.
  44. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  45. Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020.
  46. Gorelik, M. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019.
  47. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
  48. Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. Retrieved August 11, 2022.
  49. CERT-FR. (2020, April 1). ATTACKS INVOLVING THE MESPINOZA/PYSA RANSOMWARE. Retrieved March 1, 2021.
  50. Tancio et al. (2024, March 6). Unveiling Earth Kapre aka RedCurl’s Cyberespionage Tactics With Trend Micro MDR, Threat Intelligence. Retrieved August 9, 2024.
  51. xl7dev. (2016). reGeorg-master. Retrieved December 3, 2024.
  52. Klijnsma, Y. (2018, January 23). Espionage Campaign Leverages Spear Phishing, RATs Against Turkish Defense Contractors. Retrieved November 6, 2018.
  53. Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019.
  54. Google Threat Intelligence Group. (2025, June 4). The Cost of a Call: From Voice Phishing to Data Extortion. Retrieved October 22, 2025.
  55. Lumelsly, A. et al. (2024, March 26). ShadowRay: First Known Attack Campaign Targeting AI Workloads Actively Exploited In The Wild. Retrieved December 2, 2024.
  56. Salvati, M. (2019, August 6). SILENTTRINITY. Retrieved March 23, 2022.
  57. Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022.
  58. NCSC GCHQ. (2022, January 27). Small Sieve Malware Analysis Report. Retrieved August 22, 2022.
  59. Check Point Research. (2019, February 4). SpeakUp: A New Undetected Backdoor Linux Trojan. Retrieved April 17, 2019.
  60. Marvi, A. et al. (2023, March 16). Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation. Retrieved March 22, 2023.
  61. Daniel Lughi, Jaromir Horejsi. (2020, October 2). Tonto Team - Exploring the TTPs of an advanced threat actor operating a large infrastructure. Retrieved October 17, 2021.
  62. Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021.
  63. Alexander Marvi, Brad Slaybaugh, Ron Craft, and Rufus Brown. (2023, June 13). VMware ESXi Zero-Day Used by Chinese Espionage Actor to Perform Privileged Guest Operations on Compromised Hypervisors. Retrieved March 26, 2025.
  64. Volexity Threat Research. (2024, April 12). Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400). Retrieved November 20, 2024.
  65. Unit 42. (2024, April 12). Threat Brief: Operation MidnightEclipse, Post-Exploitation Activity Related to CVE-2024-3400. Retrieved January 15, 2025.
  66. Alexander Marvi, Jeremy Koppen, Tufail Ahmed, and Jonathan Lepore. (2022, September 29). Bad VIB(E)s Part One: Investigating Novel Malware Persistence Within ESXi Hypervisors. Retrieved March 26, 2025.
  67. Punsaen Boonyakarn, Shawn Chew, Logeswaran Nadarajan, Mathew Potaczek, Jakub Jozwiak, and Alex Marvi. (2024, June 18). Cloaked and Covert: Uncovering UNC3886 Espionage Operations. Retrieved September 24, 2024.
  68. Huntley, S. (2020, October 16). How We're Tackling Evolving Online Threats. Retrieved March 24, 2021.