Darktrace Analysis of Salt Typhoon’s SnappyBee (Deed RAT) Modular Backdoor

Tags: modular malware, darktrace, backdoor, reverse engineering, rootkit, post-compromise, dll sideloading, unpacking, signed executable, process injection, startservicectrldispatcherw, espionage, cobalt strike, dynamic api resolution, windows
Updated February 6, 2026 at 02:03 AM (2 sources)

Darktrace published a technical deep-dive on SnappyBee (aka Deed RAT), a modular backdoor attributed to the China-linked espionage group Salt Typhoon (aka Earth Estries). The reporting describes SnappyBee as a post-compromise persistence tool used to entrench access and enable follow-on activity, including deployment of additional payloads such as Cobalt Strike and the Demodex rootkit. Darktrace’s write-up is positioned as an educational guide for analysts, walking through unpacking and analysis techniques to reverse engineer SnappyBee’s custom packing and runtime execution behavior.

Additional coverage highlighted key tradecraft used by SnappyBee to reduce detection, including a custom packing routine and DLL side-loading through a legitimate signed executable, which lets the malware run inside a trusted process. The analysis also notes SnappyBee’s use of dynamically resolved Windows APIs (e.g., VirtualProtect, StartServiceCtrlDispatcherW) and in-memory manipulation to avoid static signatures and maintain stealthy persistence. Separately, a Cybereason-described campaign involving Silver Fox APT and ValleyRat/Winos 4.0 using “PoolParty Variant 7” process injection is unrelated to SnappyBee/Salt Typhoon and should not be conflated with this reporting.

Sources

February 6, 2026 at 12:27 AM
February 5, 2026 at 12:00 AM

Related Stories

Technical Analysis of Malware Obfuscation and Packing Techniques (SnappyBee and GuLoader)

Darktrace published a technical walkthrough of unpacking and analyzing **SnappyBee** (aka **Deed RAT**), a modular backdoor previously reported in China-linked espionage activity attributed to **Salt Typhoon** (aka *Earth Estries*). The write-up describes SnappyBee as typically deployed **post-compromise** to establish persistence and enable follow-on tooling (including **Cobalt Strike** and the **Demodex** rootkit), and highlights its use of a **custom packing routine** intended to obscure the payload and hinder static analysis. Zscaler ThreatLabz detailed **GuLoader**’s evolving **obfuscation** methods designed to evade detection and frustrate reverse engineering. Techniques described include **polymorphic “dynamic constant construction”** (building constants at runtime via instruction sequences like `mov`, `xor`, `add`, `sub`) and **exception-based control-flow redirection** that replaces normal `jmp` logic with deliberately triggered CPU exceptions handled by custom exception handlers (e.g., `0x80000003` `STATUS_BREAKPOINT`, `0x80000004` `STATUS_SINGLE_STEP`, `0xC0000005` `STATUS_ACCESS_VIOLATION`), complicating automated tracing and signature-based detection.

1 month ago

Malware Analysis Evasion via Custom Packing and Modified PyInstaller Stubs

Researchers reported a new **PDFly** malware variant that uses a **custom-modified PyInstaller** executable to break common unpacking workflows and force manual reverse engineering. The sample alters PyInstaller identifiers (including a non-standard “magic cookie”) and corrupts strings so tools like *PyInstxtractor* fail to recognize the archive structure; even after adapting extraction scripts to accept the custom cookie and bypass validation checks, the recovered Python components remained **multi-layer encrypted**, with decryption logic implemented in separate bootstrap files that handle runtime extraction. Separately, an educational malware-analysis write-up detailed how to unpack **SnappyBee (Deed RAT)**, a modular backdoor previously reported in China-linked espionage activity and associated in public reporting with **Salt Typhoon / Earth Estries**. The post describes SnappyBee’s **custom packing routine** used to obscure its payload and evade static analysis, and positions the unpacking methodology as a repeatable approach for triaging similarly packed malware (including post-compromise tooling used for persistence and follow-on deployment such as **Cobalt Strike** and the **Demodex** rootkit).

1 month ago

Salt Typhoon Espionage Attack on European Telecommunications Provider

Salt Typhoon, a China-linked advanced persistent threat (APT) group, conducted a sophisticated cyber espionage campaign targeting a European telecommunications organization. The attackers gained initial access by exploiting a Citrix NetScaler Gateway appliance, then moved laterally to internal Citrix Virtual Delivery Agent hosts. They used DLL sideloading via legitimate antivirus software to deploy the SNAPPYBEE (Deed RAT) backdoor, leveraging LightNode VPS endpoints and non-standard protocols for command-and-control to evade detection. The operation was detected by Darktrace and highlights the group’s focus on intelligence collection and geopolitical influence across critical infrastructure sectors. Security experts emphasize the evolving tactics, techniques, and procedures (TTPs) of Salt Typhoon, including the exploitation of zero-day vulnerabilities and outdated infrastructure. The incident underscores the challenges of defending public-facing appliances and the importance of robust network visibility and proactive threat detection. Organizations in telecommunications and other critical sectors are urged to strengthen their defenses against state-sponsored threats by improving monitoring, patch management, and incident response capabilities.

4 months ago

Get Ahead of Threats Like This

Mallory continuously monitors global threat intelligence and correlates it with your attack surface. Know if you're exposed — before adversaries strike.