Operators of the BLOODALCHEMY malware leveraged in intrusions against southern and Southeast Asian government entities derived the payload from the Deed RAT trojan, which descended from the ShadowPad malware, according to The Hacker News.
Both BLOODALCHEMY and Deed RAT share a similar shellcode-loading process and a DLL that reads the shellcode, according to a report from ITOCHU Cyber & Intelligence. Elastic Security Labs has described BLOODALCHEMY as a C-based x86 backdoor capable of overwriting its toolset, exfiltrating host information, downloading additional payloads, and terminating itself; Deed RAT is used by the Space Pirates threat operation.
"The origin of BLOODALCHEMY and Deed RAT is ShadowPad, and given the history of ShadowPad being utilized in numerous APT campaigns, it is crucial to pay special attention to the usage trend of this malware," said researchers.
The finding follows the I-Soon leak, which revealed that Chinese cybercrime gangs had been using similar tools to facilitate various hacking campaigns.