The attackers used Python code to first download and execute a script that was created with an open-source tool called fileless-elf-exec.

PyPI malware termncolor and colorinal downloaded 884 times exploit DLL side-loading, persistence, and C2 communication.