BLOODALCHEMY
BLOODALCHEMY is an x86 Windows backdoor written in C and associated with the REF5961 intrusion set. It was observed as shellcode injected into a signed benign process and requires a dedicated loader because it is not reflexive and is not compiled as position-independent code. In the reported intrusion chain, Brother Industries' BrDifxapi.exe was used to sideload a malicious BrLogAPI.dll loader, which then injected the BLOODALCHEMY shellcode; the observed BrDifxapi.exe sample had a revoked signature. Elastic assessed BLOODALCHEMY as likely still under active development.
The malware supports multiple execution and persistence modes. It can run in the main process thread, in a separate thread, by creating a process and injecting shellcode, or as a service. Persistence options include installation as a service, a CurrentVersion\Run registry key, a scheduled task, or via COM interfaces. It copies itself to a path ending in \Test\test.exe, selecting a root directory from %ProgramFiles%, %ProgramFiles(x86)%, %AppData%, or %LocalAppData%\Programs depending on privilege level. Observed service-related masquerading includes use of the service name Test and description Digital Imaging System, and when started by the Service Control Manager it sets status values to appear stopped while continuing to run. Process injection uses WriteProcessMemory, QueueUserAPC, and ResumeThread.
BLOODALCHEMY communicates over HTTP, named pipes, or sockets. In HTTP mode it requests the URI /Inform/logger/ and reads proxy settings from SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings. It also contains protocol strings for DNS, HTTP, HTTPS, MUX, UDP, SMB, SOCKS5, SOCKS4, and TCP, and can encrypt, LZNT1-compress, and Base64-encode data. Named pipe names are generated pseudo-randomly using the current PID as a seed.
Documented capabilities include overwriting toolset components, launching Test.exe, uninstalling and terminating itself, and gathering host information including CPU, OS, display, and network details. The malware uses encrypted string blobs with a single-byte decryption key per string and additional obfuscation around configuration string identifiers or offsets.
BLOODALCHEMY is linked in the cited reporting to China-nexus activity. It is part of Elastic Security Labs' REF5961 reporting, which covered targeting of a Foreign Affairs Ministry in an ASEAN member state, and the cited sources also state that BLOODALCHEMY appears to be favored by several China-aligned threat actors. ESET reporting cited here says a threat actor codenamed Speccom used a BLOODALCHEMY variant in phishing campaigns targeting the energy sector in Central Asia.
High-confidence indicators given in the cited reporting include SHA-256 e14ee3e2ce0010110c409f119d56f6151fdca64e20d902412db46406ed89009a for BrLogAPI.dll, identified as the BLOODALCHEMY loader, and SHA-256 25268bc07b64d0d1df441eb6f4b40dc44a6af568be0657533088d3bfd2a05455 for the BLOODALCHEMY payload.
Groups observed using it
2 distinct threat actors attributed by public researchers.
References: https://www.elastic.co/security-labs/disclosing-the-bloodalchemy-backdoor
...phishing emails to deliver a variant of BLOODALCHEMY and custom backdoors such as kidsRAT and RustVoralix.
Techniques & procedures
12 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution
3 techniques
As a scheduled task, running with SYSTEM privilege via schtasks.exe: schtasks.exe /CREATE /SC %s /TN "%s" /TR "'%s'" /RU "NT AUTHORITY\SYSTEM" /F
When using a named pipe, the name is randomly generated using the current PID as seed.
Persistence is achieved via different methods depending on the configuration: ... Using COM interfaces ... Using the TaskScheduler::ITaskService COM interface.
During the initial execution phase, the adversary deployed a benign utility, BrDifxapi.exe, which is vulnerable to DLL side-loading. When deploying this vulnerable utility the adversary could side-load the unsigned BLOODALCHEMY loader (BrLogAPI.dll) and inject shellcode into the current process.
Persistence
3 techniques
As a scheduled task, running with SYSTEM privilege via schtasks.exe: schtasks.exe /CREATE /SC %s /TN "%s" /TR "'%s'" /RU "NT AUTHORITY\SYSTEM" /F
Privilege Escalation
4 techniques
As a scheduled task, running with SYSTEM privilege via schtasks.exe: schtasks.exe /CREATE /SC %s /TN "%s" /TR "'%s'" /RU "NT AUTHORITY\SYSTEM" /F
Or create a Windows process from a hardcoded list and inject a shellcode passed by parameter to the entry point using the WriteProcessMemory+QueueUserAPC+ResumeThread method.
Stealth
4 techniques
To hide its strings the BLOODALCHEMY malware uses a classic technique where each string is encrypted, preceded by a single-byte decryption key, and finally, all concatenated together to form what we call an encrypted blob.
Also when running as a service and started by the service manager the malware will masquerade itself as stopped by first setting the service status to “SERVICE_RUNNING” then setting the status to “SERVICE_STOPPED” while in fact the malware is still running.
Or create a Windows process from a hardcoded list and inject a shellcode passed by parameter to the entry point using the WriteProcessMemory+QueueUserAPC+ResumeThread method.
During the initial execution phase, the adversary deployed a benign utility, BrDifxapi.exe, which is vulnerable to DLL side-loading. When deploying this vulnerable utility the adversary could side-load the unsigned BLOODALCHEMY loader (BrLogAPI.dll) and inject shellcode into the current process.
Discovery
1 technique
Command and Control
3 techniques
The malware communicates using either the HTTP protocol, named pipes, or sockets. When using the HTTP protocol the malware requests the following URI /Inform/logger/.
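The host and network observables quoted above (the schtasks.exe command line run as NT AUTHORITY\SYSTEM, the <root>\Test\test.exe drop path, the service named Test with description Digital Imaging System, and the /Inform/logger/ beacon URI) can be turned into a small triage check over endpoint telemetry. This is an added example and not code from the Elastic report or from Mallory; the event dictionaries, the sample events and the assumption that %AppData% expands to AppData\Roaming are constructed for the example.

```python
import re

# Observables taken from the BLOODALCHEMY reporting summarised on this page.
SCHTASKS_SYSTEM_RE = re.compile(
    r'schtasks(?:\.exe)?\s+/CREATE\b.*/RU\s+"NT AUTHORITY\\SYSTEM"', re.IGNORECASE)
# Drop path <root>\Test\test.exe, root being %ProgramFiles%, %ProgramFiles(x86)%,
# %AppData% or %LocalAppData%\Programs (assumption: %AppData% is AppData\Roaming).
DROP_PATH_RE = re.compile(
    r'\\(program files(?: \(x86\))?|appdata\\roaming|appdata\\local\\programs)'
    r'\\test\\test\.exe$', re.IGNORECASE)
C2_URI = "/Inform/logger/"
SERVICE_NAME, SERVICE_DESC = "Test", "Digital Imaging System"

def score_event(ev: dict) -> list[str]:
    """Return the BLOODALCHEMY observables one event matches (empty list = no match).
    Events use a constructed schema: "type" is process, file, http or service."""
    hits = []
    kind = ev.get("type")
    if kind == "process" and SCHTASKS_SYSTEM_RE.search(ev.get("cmdline", "")):
        hits.append("schtasks /CREATE with /RU NT AUTHORITY\\SYSTEM")
    if kind == "file" and DROP_PATH_RE.search(ev.get("path", "")):
        hits.append("executable written to <root>\\Test\\test.exe")
    if kind == "http" and ev.get("uri") == C2_URI:
        hits.append("request for beacon URI " + C2_URI)
    if kind == "service" and (ev.get("name"), ev.get("description")) == (SERVICE_NAME, SERVICE_DESC):
        hits.append("service 'Test' described as 'Digital Imaging System'")
    return hits

def find_matches(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Run score_event over a batch and keep only the events that matched."""
    return [(i, h) for i, ev in enumerate(events) if (h := score_event(ev))]

# Constructed sample telemetry: even indexes are BLOODALCHEMY-like, odd ones benign.
SAMPLE_EVENTS = [
    {"type": "process", "cmdline": 'schtasks.exe /CREATE /SC ONLOGON /TN "Test" '
     '/TR "\'C:\\Program Files\\Test\\test.exe\'" /RU "NT AUTHORITY\\SYSTEM" /F'},
    {"type": "process", "cmdline": "schtasks.exe /QUERY /TN Backup"},
    {"type": "file", "path": "C:\\Users\\alice\\AppData\\Roaming\\Test\\test.exe"},
    {"type": "file", "path": "C:\\Temp\\test.exe"},
    {"type": "http", "uri": "/Inform/logger/"},
    {"type": "http", "uri": "/index.html"},
    {"type": "service", "name": "Test", "description": "Digital Imaging System"},
    {"type": "service", "name": "Spooler", "description": "Print Spooler"},
]

if __name__ == "__main__":
    for idx, reasons in find_matches(SAMPLE_EVENTS):
        print(idx, "; ".join(reasons))
```

Each check is a single observable, so a hit is a triage lead rather than a verdict; the schtasks and service checks in particular should be reviewed against known administrative activity before being used as alerting rules.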
IOCs tracked for this family
2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
5 sources tracked across advisories, community write-ups, and news.
Malware family delivered via phishing in a July 2025 campaign targeting the energy sector in Central Asia.
Backdoor malware used by multiple China-aligned APT groups for persistent access and espionage.
An x86 backdoor delivered as shellcode and loaded via DLL sideloading into a legitimate signed process. It supports multiple persistence methods, multiple communication channels including HTTP, named pipes, and sockets, process injection, service-based execution, host information gathering, and toolset overwrite/uninstall commands. The report notes it is likely part of a larger toolset and still in active development.
A newly referenced x86 backdoor associated with the REF5961 intrusion set.