Slithering Through the Noise: Deep Dive into the VIPERTUNNEL Python Backdoor

Malware development is a process of continuous refinement. In this session, we analyze the evolution of **VIPERTUNNEL**, a Python-based backdoor used by the UNC2165 (EvilCorp) activity cluster for stealthy persistence and network pivoting.
The core of this talk focuses on the "evolutionary leap" in the malware's code logic and defensive posture. We will walk through three distinct stages of its development:

1. **The Public Phase:** Early variants that relied on well-documented, open-source obfuscators (like `pyobfuscate`), which are easily defeated by standard tools.
2. **The Prototype:** The emergence of a custom-built loader that, while still exhibiting "noisy" cleartext strings and linear execution, signaled a shift toward a private, proprietary framework.
3. **The Production Variant:** The current "gold standard" used in DragonForce engagements. This version is a multi-layered beast featuring **ChaCha20 encryption**, **BLAKE3 integrity checks**, and **control-flow flattening** to force analysts into a grueling, non-linear reversing process.
We will also explore the "Shared DNA" between VIPERTUNNEL and other tools like the ShadowCoil credential stealer. By analyzing a privately maintained, multi-stage packer common to both, we uncovered unexpected Linux-specific anti-debugging checks buried within Windows-targeted payloads, a clear indicator of modular, cross-platform ambitions by the developers.

Evgen Blohm

Incident Response @ InfoGuard AG

Hamburg, Germany
