PyMICROPSIA Windows malware steals browsing data, record audio

PyMICROPSIA malware is developed to target Windows operating systems yet it checks for other operating systems, such as “darwin” or “POSIX.”

In 2015, Trend Micro researchers identified a group of hackers called Arid Viper targeting victims in the Middle East especially Israel. The particular campaign involved malware infection through spear-phishing emails containing a pornographic video.

The video was actually malware that gathered data from compromised machines through what is known as a “smash-and-grab attack.”

Now, the IT security researchers at Palo Alto Networks’ Unit 42 have noted that the Arid Viper group is back in action but this time it is using a new infostealer trojan while its targets remain the same.

Dubbed PyMICROPSIA by researchers; the malware is written in Python language and is capable of loads of malicious activities upon infection. This includes:

  • Keylogging.
  • Deleting files.
  • File uploading.
  • Audio recording.
  • Taking screenshots.
  • Rebooting machine.
  • Executing commands.
  • Collecting file listing information.
  • Payload downloading and execution.
  • Compressing RAR files for stolen information.
  • Collecting process information and killing processes.
  • Deleting, creating, compressing, and exfiltrating files and folders.
  • Collecting Outlook .ost file. Killing and disabling Outlook process.
  • Collecting information from USB drives, including file exfiltration.
  • Browser credential stealing. Clearing browsing history and profiles.



Although Palo Alto Networks’ research confirms that PyMICROPSIA is developed to target Windows operating systems, the company has also found traces that involves malware checking for other operating systems, such as “darwin” or “POSIX.”

PyMICROPSIA overview (Image credit: Palo Alto Networks)

Another interesting fact about Arid Viper is that it uses different referencing themes in its code. For instance, previously, the group used The Big Bang Theory and Game of Thrones while this time the references were made to Fran Drescher, known for her role as Fran Fine in the hit TV series The Nanny, and Keanu Reeves, known for John Wick movie franchise.

Image credit: Palo Alto Networks

AridViper is an active threat group that continues developing new tools as part of their arsenal. PyMICROPSIA shows multiple overlaps with other existing AridViper tools such as MICROPSIA. Also, based on different aspects of PyMICROPSIA that we analyzed, several sections of the malware are still not used, indicating that it is likely a malware family under active development by this actor, researchers concluded.

Nevertheless, if you are using Windows on your system you are vulnerable to loads of malware attacks. Therefore, protect yourself from these threats by using a reliable anti-virus solution, scan your system regularly, and keep your OS updated to the latest version.

Moreover, don’t download or execute files received from unknown senders. You can also use VirusTotal to scan for malicious links to avoid visiting websites that may steal your login credentials or infect your device with malware or adware.

You may also like...