Peppy

Malware updated 9 months ago (2024-11-29T13:53:46.381Z)
Peppy is a Python-based Remote Access Trojan (RAT) used by the ProjectM threat group. It was identified during analysis of the registration information for several Trojan command-and-control (C2) domains used by ProjectM, alongside Andromeda and Crimson. Like other RATs, it reaches a system through suspicious downloads, emails, or websites; once installed it can steal personal information, disrupt operations, or hold data hostage for ransom.

Andromeda samples were observed delivering Peppy Trojans from undisguised domains. These Trojans used the previously observed ProjectM domain bbmdroid[.]com as their C2 server. Unit 42 observed the same domain hosting several ProjectM tools, including Andromeda and Peppy samples identical to ones that had earlier used bbmdroid[.]com as a C2; they were hosted at "/est/estma.exe" and "/est/controller.exe" respectively.

The group primarily targets military organizations, typically compromising them with Office documents armed with malicious VBA and with open-source malware such as Peppy RAT and CrimsonRAT. The Operation Transparent Tribe report by Darien Huss of Proofpoint provides a comprehensive analysis of the group's tools, including Crimson and Peppy, and their associated infrastructure. The actors have a sizeable toolset of Trojans: the custom-developed Crimson and Peppy, off-the-shelf remote administration tools (RATs) and downloaders such as DarkComet and Bozok, and, over the years, other custom .NET malware including a .NET RAT known as Crimson RAT.
Description last updated: 2024-05-05T04:07:11.267Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias: Crimson (votes: 2)
Description: Crimson is a possible alias for Peppy. Crimson is a malware used in various cyber-espionage campaigns, most notably in Operation Crimson Palace. This operation has been active since March 2023, with heightened activity observed in 2024. It is a concerted effort by three Chinese Advanced Persistent Threat (APT) groups targeting Southeast
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Analyst Notes & Discussion
Source Document References
Information about the Peppy malware was read from the documents corpus below.