Malware Analysis Evasion via Custom Packing and Modified PyInstaller Stubs

Tags: modular malware, malware, pyinstaller, custom packing, unpacking, evasion, reverse engineering, runtime extraction, pyinstxtractor, rootkit, static analysis, bootstrapper, backdoor, post-compromise, packing

Updated February 5, 2026 at 05:02 AM · 2 sources

Researchers reported a new PDFly malware variant that uses a custom-modified PyInstaller executable to break common unpacking workflows and force manual reverse engineering. The sample alters PyInstaller identifiers (including a non-standard “magic cookie”) and corrupts strings so that tools such as PyInstxtractor fail to recognize the archive structure. Even after the extraction scripts were adapted to accept the custom cookie and skip the validation checks, the recovered Python components remained multi-layer encrypted, with the decryption logic implemented in separate bootstrap files that handle extraction at runtime.
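To make the "custom cookie" point concrete, here is an added triage routine (written for this summary, not code from the article, from PDFly, or from PyInstxtractor). It parses the trailer that PyInstaller appends to a one-file binary: the 88-byte CArchive cookie (`struct` layout `!8sIIii64s`) and the 18-byte table-of-contents entry header (`!iIIIBc`). It first looks for the standard magic, then falls back to the Python library name field, which often survives when only the magic is patched, and finally lets the analyst pass the magic they recovered by hand. The names `find_cookie`, `parse_toc`, `triage` and `build_sample` are this example's own, and `build_sample` constructs a fake PyInstaller-style overlay so the code runs offline on no real sample.

```python
"""Triage a suspected PyInstaller-built binary whose CArchive cookie may have been altered.

Added example, not from the article or from any tool it names. Layout facts used here
(88-byte trailing cookie, 18-byte TOC entry header, 16-byte entry padding) are PyInstaller's
bootloader archive format; every sample binary below is constructed in build_sample().
"""
import struct

PYINST_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"      # standard cookie magic: 'MEI' + \014\013\012\013\016
COOKIE_FMT = "!8sIIii64s"                      # magic, pkg_len, toc_off, toc_len, pyver, pylibname
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)       # 88
TOC_HDR_FMT = "!iIIIBc"                        # entry_len, data_off, cmp_len, uncmp_len, cflag, typecode
TOC_HDR_SIZE = struct.calcsize(TOC_HDR_FMT)     # 18
PYLIB_OFFSET = 24                              # pylibname field starts 24 bytes into the cookie


def _parse_cookie(data, off):
    """Decode a cookie at 'off'; None if it would run outside the file."""
    if off < 0 or off + COOKIE_SIZE > len(data):
        return None
    magic, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack_from(COOKIE_FMT, data, off)
    return {"offset": off, "magic": magic, "pkg_len": pkg_len, "toc_off": toc_off, "toc_len": toc_len,
            "pyver": pyver, "pylib": pylib.rstrip(b"\0").decode("latin-1"),
            "archive_start": off + COOKIE_SIZE - pkg_len,      # pkg_len counts the cookie itself
            "magic_standard": magic == PYINST_MAGIC}


def _plausible(c, check_name):
    """Reject candidates whose length fields do not describe a self-consistent archive."""
    if c is None or c["archive_start"] < 0 or c["toc_len"] <= 0:
        return False
    if c["toc_off"] + c["toc_len"] > c["pkg_len"] - COOKIE_SIZE:
        return False
    return "python" in c["pylib"].lower() if check_name else True


def find_cookie(data, magic=PYINST_MAGIC):
    """Locate the cookie by magic (standard, or one the analyst recovered by hand); if that fails,
    fall back to the python library name, which often survives when only the magic is patched."""
    idx = data.rfind(magic)
    if idx != -1:
        c = _parse_cookie(data, idx)
        if _plausible(c, check_name=False):
            return c
    end = len(data)
    while (pos := data.rfind(b"python", 0, end)) != -1:
        for lead in (0, 3):                    # "pythonXY.dll" vs "libpythonX.Y.so"
            c = _parse_cookie(data, pos - lead - PYLIB_OFFSET)
            if _plausible(c, check_name=True):
                return c
        end = pos
    return None


def parse_toc(data, c):
    """Walk the TOC; stop on an entry length that cannot be valid instead of looping on corrupted data."""
    pos = c["archive_start"] + c["toc_off"]
    end = pos + c["toc_len"]
    entries = []
    while pos + TOC_HDR_SIZE <= end:
        entry_len, data_off, cmp_len, uncmp_len, cflag, typecd = struct.unpack_from(TOC_HDR_FMT, data, pos)
        if entry_len < TOC_HDR_SIZE or pos + entry_len > end:
            break
        name = data[pos + TOC_HDR_SIZE:pos + entry_len].rstrip(b"\0").decode("utf-8", "replace")
        entries.append({"name": name, "type": typecd.decode("latin-1"), "compressed": bool(cflag),
                        "data_off": c["archive_start"] + data_off, "cmp_len": cmp_len, "uncmp_len": uncmp_len})
        pos += entry_len
    return entries


def triage(data, magic=PYINST_MAGIC):
    """Summarise what a defender wants to know: is it PyInstaller, was the cookie tampered with, what is inside."""
    c = find_cookie(data, magic)
    if c is None:
        return {"pyinstaller": False}
    return {"pyinstaller": True, "magic_standard": c["magic_standard"], "magic": c["magic"].hex(),
            "pylib": c["pylib"], "archive_start": c["archive_start"], "entries": parse_toc(data, c)}


def build_sample(magic=PYINST_MAGIC, pylib=b"python311.dll"):
    """Constructed stand-in for a one-file binary: fake stub, one TOC entry, trailing cookie."""
    stub = b"MZ" + b"\0" * 62 + b"<constructed bootloader stand-in>"
    payload = b"<compressed bootstrap script would be here>"     # constructed, not really compressed
    name = b"pyiboot01_bootstrap"
    entry_len = TOC_HDR_SIZE + len(name) + 1
    pad = (-entry_len) % 16                                      # PyInstaller pads entries to 16 bytes
    toc = struct.pack(TOC_HDR_FMT, entry_len + pad, 0, len(payload), 4096, 1, b"s") + name + b"\0" * (pad + 1)
    pkg_len = len(payload) + len(toc) + COOKIE_SIZE
    cookie = struct.pack(COOKIE_FMT, magic, pkg_len, len(payload), len(toc), 311, pylib)
    return stub + payload + toc + cookie


if __name__ == "__main__":
    for sample in (build_sample(), build_sample(magic=b"XXXXXXXX")):   # second has a patched magic
        r = triage(sample)
        print(r["magic_standard"], r["pylib"], [e["name"] for e in r["entries"]])
```

When both the magic and the library-name string are corrupted, as the article describes, the heuristic path returns nothing; the analyst then locates the cookie in a hex editor and passes the eight observed bytes as `magic=`, which is the same "accept the custom cookie" adaptation the researchers made. Recovering the TOC this way only gets you to the archive members; as the summary notes, those members can still be encrypted and need the bootstrap files' decryption logic to go further.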

Separately, an educational malware-analysis write-up detailed how to unpack SnappyBee (Deed RAT), a modular backdoor previously reported in China-linked espionage activity and associated in public reporting with Salt Typhoon / Earth Estries. The post describes SnappyBee’s custom packing routine used to obscure its payload and evade static analysis, and positions the unpacking methodology as a repeatable approach for triaging similarly packed malware (including post-compromise tooling used for persistence and follow-on deployment such as Cobalt Strike and the Demodex rootkit).

Related Stories

Technical Analysis of Malware Obfuscation and Packing Techniques (SnappyBee and GuLoader)

Darktrace published a technical walkthrough of unpacking and analyzing **SnappyBee** (aka **Deed RAT**), a modular backdoor previously reported in China-linked espionage activity attributed to **Salt Typhoon** (aka *Earth Estries*). The write-up describes SnappyBee as typically deployed **post-compromise** to establish persistence and enable follow-on tooling (including **Cobalt Strike** and the **Demodex** rootkit), and highlights its use of a **custom packing routine** intended to obscure the payload and hinder static analysis. Zscaler ThreatLabz detailed **GuLoader**’s evolving **obfuscation** methods designed to evade detection and frustrate reverse engineering. Techniques described include **polymorphic “dynamic constant construction”** (building constants at runtime via instruction sequences like `mov`, `xor`, `add`, `sub`) and **exception-based control-flow redirection** that replaces normal `jmp` logic with deliberately triggered CPU exceptions handled by custom exception handlers (e.g., `0x80000003` `STATUS_BREAKPOINT`, `0x80000004` `STATUS_SINGLE_STEP`, `0xC0000005` `STATUS_ACCESS_VIOLATION`), complicating automated tracing and signature-based detection.

1 month ago
Darktrace Analysis of Salt Typhoon’s SnappyBee (Deed RAT) Modular Backdoor

Darktrace published a technical deep-dive on **SnappyBee** (aka **Deed RAT**), a **modular backdoor** attributed to the China-linked espionage group **Salt Typhoon** (aka **Earth Estries**). The reporting describes SnappyBee as a *post-compromise* persistence tool used to entrench access and enable follow-on activity, including deployment of additional payloads such as **Cobalt Strike** and the **Demodex** rootkit. Darktrace’s write-up is positioned as an educational guide for analysts, walking through unpacking and analysis techniques to reverse engineer SnappyBee’s custom packing and runtime execution behavior. Additional coverage highlighted key tradecraft used by SnappyBee to reduce detection, including a **custom packing routine** and **DLL side-loading** via a legitimate signed executable vulnerable to side-loading, helping the malware blend into trusted processes. The analysis also notes SnappyBee’s use of dynamically resolved Windows APIs (e.g., `VirtualProtect`, `StartServiceCtrlDispatcherW`) and in-memory manipulation to avoid static signatures and maintain stealthy persistence. Separately, a Cybereason-described campaign involving **Silver Fox APT** and **ValleyRat/Winos 4.0** using “PoolParty Variant 7” process injection is unrelated to SnappyBee/Salt Typhoon and should not be conflated with this reporting.

1 month ago
Malware Delivery via Image-Based Payload Hiding and Reused Steganographic Media

Security researchers reported multiple malware delivery chains that **hide or embed executable payloads inside image files** to evade detection. Veracode analyzed a malicious typosquatted NPM package, `buildrunner-dev`, that uses a `postinstall` hook to run `init.js`, which downloads an obfuscated batch script (`packageloader.bat`) from a Codeberg repository. The batch script ultimately retrieves PNG images hosted on a free image service and extracts hidden data from RGB pixel values (steganography), leading to a loader with **process hollowing**, **encrypted payload handling**, **AMSI bypass**, and per-AV evasion logic, culminating in deployment of the **Pulsar .NET RAT**. Separately, SANS ISC documented a phishing/malspam-style infection chain starting from an Excel attachment exploiting **CVE-2017-11882** (Equation Editor), which downloads an HTA that launches PowerShell to fetch a PNG (`optimized_MSI.png`) containing a Base64-encoded .NET payload delimited by `BaseStart-` and `-BaseEnd` tags. The handler noted **reuse of the same image across campaigns**, used VirusTotal similarity searches to identify many related samples, and produced a YARA rule to track the technique. Kaspersky’s write-up on **Arkanix Stealer** describes a MaaS stealer ecosystem (C++ and Python variants, ChromElevator usage, and broad credential/crypto theft) but does not center on image-based payload hiding, making it a separate topic from the image-steganography delivery chains described by Veracode and SANS ISC.

3 weeks ago