Key findings
- Pivots on infrastructure associated with a Python backdoor used by RansomHub, as exposed by GuidePoint Security. These pivots enabled us to discover neighbouring infrastructure related to the offensive tool Eye Pyramid.
- An explanation of the open-source tool Eye Pyramid and details on the IP addresses that have exposed a banner associated with the tool since 17 January 2025. Some of these IP addresses are related to additional payloads such as Cobalt Strike, Sliver, Rhadamanthys and the Rhysida ransomware. A number of them are hosted by known bulletproof hosting providers such as Limenet, Aeza and Railnet.
- A JSON file was discovered that enabled us to link this infrastructure to IP addresses previously used by ransomware operations such as Rhysida, Vice Society and BlackCat. This JSON file was identified as the default error response of Eye Pyramid servers, which could indicate that the servers of these clusters of activity share a similar configuration.
Introduction
Ransomware operations often leverage offensive tools for post-compromise exploitation and lateral movement within compromised networks. They can rely on legitimate red-teaming tools such as Cobalt Strike, Metasploit or Sliver, but can also develop custom tools. In this vein, GuidePoint Security recently gave insight into a Python backdoor used by RansomHub following initial infection.
Our analysis started here: by pivoting on the infrastructure associated with the Python backdoor, we discovered an offensive tool named “Eye Pyramid”, which leverages Python to deploy other offensive tools and/or payloads directly in memory. It was open sourced on GitHub in 2022, but we only identified IP addresses associated with this tool from mid-January 2025 onwards. Some of them are related to other malicious payloads such as Cobalt Strike, Sliver, Rhadamanthys and the Rhysida ransomware.
Eye Pyramid was identified in a case disclosed by The DFIR Report in December 2024[1], which ties it to a threat actor associated with Fog ransomware. As this tool is effective and can be linked to potential ransomware delivery, as shown by The DFIR Report and in this analysis, it is important to document new infrastructure associated with it in order to better prepare defenses.
[1] https://thedfirreport.com/2024/12/02/the-curious-case-of-an-egg-cellent-resume/
Intrinsec’s CTI services
Organisations are facing a rise in the sophistication of threat actors and intrusion sets. To address these evolving threats, it is now necessary to take a proactive approach to the detection and analysis of any element deemed malicious. Such a hands-on approach allows companies to anticipate, or at least react as quickly as possible to, the compromises they face.
For this report, shared with our clients in January 2025, Intrinsec relied on its Cyber Threat Intelligence service, which provides its customers with high value-added, contextualized and actionable intelligence to understand and contain cyber threats. Our CTI team consolidates data and information gathered from our security monitoring services (SOC, MDR, …), our incident response team (CERT-Intrinsec) and custom cyber intelligence generated by our analysts using custom heuristics, honeypots, hunting, reverse-engineering and pivots.
Intrinsec also offers various services around Cyber Threat Intelligence:
- Risk anticipation: which can be leveraged to continuously adapt the detection & response capabilities of our clients’ existing tools (EDR, XDR, SIEM, …) through:
  - an operational feed of IOCs based on our exclusive activities.
  - threat intel notes & reports, TIP-compliant.
- Digital risk monitoring:
  - data leak detection & remediation
  - external asset security monitoring (EASM)
  - brand protection
For more information, go to www.intrinsec.com/en/cyber-threat-intelligence/.