Mallory

Technical Analysis of Malware Obfuscation and Packing Techniques (SnappyBee and GuLoader)

Tags: modular malware, static analysis evasion, unpacking, control-flow obfuscation, reverse engineering, custom packer, anti-debugging, obfuscation, backdoor, rootkit, remote access trojan, post-compromise, packing, cpu exceptions, exception handling
Updated February 10, 2026 at 03:02 PM (2 sources)


Darktrace published a technical walkthrough of unpacking and analyzing SnappyBee (aka Deed RAT), a modular backdoor previously reported in China-linked espionage activity attributed to Salt Typhoon (aka Earth Estries). The write-up describes SnappyBee as typically deployed post-compromise to establish persistence and enable follow-on tooling (including Cobalt Strike and the Demodex rootkit), and highlights its use of a custom packing routine intended to obscure the payload and hinder static analysis.

Zscaler ThreatLabz detailed GuLoader’s evolving obfuscation methods designed to evade detection and frustrate reverse engineering. Techniques described include polymorphic “dynamic constant construction” (building constants at runtime via instruction sequences like mov, xor, add, sub) and exception-based control-flow redirection that replaces normal jmp logic with deliberately triggered CPU exceptions handled by custom exception handlers (e.g., 0x80000003 STATUS_BREAKPOINT, 0x80000004 STATUS_SINGLE_STEP, 0xC0000005 STATUS_ACCESS_VIOLATION), complicating automated tracing and signature-based detection.
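As an added example (not code from the Zscaler or Darktrace reports), the following Python script folds a mov/xor/add/sub sequence back into the constant it constructs, the static deobfuscation step an analyst applies to GuLoader-style dynamic constant construction; the instruction listing is constructed for illustration and does not come from a real sample.

```python
import re

MASK32 = 0xFFFFFFFF  # 32-bit register width: add/sub results wrap around

# Constructed listing (not taken from the reports): the value in EAX is built
# through several arithmetic steps so the final constant never appears as an
# immediate that a static signature could match.
SAMPLE_LISTING = """
    mov   eax, 0x12345678
    xor   eax, 0x0F0F0F0F
    add   eax, 0x100
    sub   eax, 1
    mov   ecx, eax        ; copy the result into a second register
    xor   edx, edx        ; common zeroing idiom
"""

# mnemonic, destination register, source operand (immediate or register), optional ';' comment
_INSN = re.compile(r"^\s*(mov|xor|add|sub)\s+(\w+)\s*,\s*([^;]+?)\s*(?:;.*)?$", re.I)


def _operand(tok, regs):
    # A source operand is either a register we already track or an immediate (hex or decimal)
    tok = tok.strip().lower()
    return regs[tok] if tok in regs else int(tok, 0) & MASK32


def fold_constants(listing):
    """Emulate a mov/xor/add/sub sequence with 32-bit wrap-around and return the final
    register values, i.e. the constants the sequence was hiding. Unsupported instructions
    or reads of unwritten registers raise ValueError instead of yielding a silently wrong value."""
    regs = {}
    for line in listing.splitlines():
        if not line.strip():
            continue
        m = _INSN.match(line)
        if not m:
            raise ValueError(f"unsupported instruction: {line.strip()!r}")
        op, dst, src = m.group(1).lower(), m.group(2).lower(), m.group(3)
        if op == "mov":
            regs[dst] = _operand(src, regs)
        elif op == "xor" and src.strip().lower() == dst:
            regs[dst] = 0                      # xor reg, reg zeroes regardless of prior value
        elif dst not in regs:
            raise ValueError(f"{dst} read before being written: {line.strip()!r}")
        elif op == "xor":
            regs[dst] ^= _operand(src, regs)
        elif op == "add":
            regs[dst] = (regs[dst] + _operand(src, regs)) & MASK32
        else:                                  # sub
            regs[dst] = (regs[dst] - _operand(src, regs)) & MASK32
    return regs
```

Running `fold_constants(SAMPLE_LISTING)` resolves EAX and ECX to `0x1D3B5A76` and EDX to zero, which is the value to search for in the unpacked payload rather than any of the intermediate immediates.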


Sources

February 10, 2026 at 12:00 AM
February 9, 2026 at 12:00 AM

Related Stories

Malware Analysis Evasion via Custom Packing and Modified PyInstaller Stubs


Researchers reported a new **PDFly** malware variant that uses a **custom-modified PyInstaller** executable to break common unpacking workflows and force manual reverse engineering. The sample alters PyInstaller identifiers (including a non-standard “magic cookie”) and corrupts strings so tools like *PyInstxtractor* fail to recognize the archive structure; even after adapting extraction scripts to accept the custom cookie and bypass validation checks, the recovered Python components remained **multi-layer encrypted**, with decryption logic implemented in separate bootstrap files that handle runtime extraction. Separately, an educational malware-analysis write-up detailed how to unpack **SnappyBee (Deed RAT)**, a modular backdoor previously reported in China-linked espionage activity and associated in public reporting with **Salt Typhoon / Earth Estries**. The post describes SnappyBee’s **custom packing routine** used to obscure its payload and evade static analysis, and positions the unpacking methodology as a repeatable approach for triaging similarly packed malware (including post-compromise tooling used for persistence and follow-on deployment such as **Cobalt Strike** and the **Demodex** rootkit).

1 month ago
Darktrace Analysis of Salt Typhoon’s SnappyBee (Deed RAT) Modular Backdoor


Darktrace published a technical deep-dive on **SnappyBee** (aka **Deed RAT**), a **modular backdoor** attributed to the China-linked espionage group **Salt Typhoon** (aka **Earth Estries**). The reporting describes SnappyBee as a *post-compromise* persistence tool used to entrench access and enable follow-on activity, including deployment of additional payloads such as **Cobalt Strike** and the **Demodex** rootkit. Darktrace’s write-up is positioned as an educational guide for analysts, walking through unpacking and analysis techniques to reverse engineer SnappyBee’s custom packing and runtime execution behavior. Additional coverage highlighted key tradecraft used by SnappyBee to reduce detection, including a **custom packing routine** and **DLL side-loading** via a legitimate signed executable vulnerable to side-loading, helping the malware blend into trusted processes. The analysis also notes SnappyBee’s use of dynamically resolved Windows APIs (e.g., `VirtualProtect`, `StartServiceCtrlDispatcherW`) and in-memory manipulation to avoid static signatures and maintain stealthy persistence. Separately, a Cybereason-described campaign involving **Silver Fox APT** and **ValleyRat/Winos 4.0** using “PoolParty Variant 7” process injection is unrelated to SnappyBee/Salt Typhoon and should not be conflated with this reporting.

1 month ago
Multi-stage malware campaigns using fileless loaders, RATs, and evasion techniques


Multiple reports detail **distinct, unrelated malware families and delivery chains** rather than a single shared incident. One analysis covers **NotOpenClaw**, a Windows malware loader distributed via **fake “OpenClaw” installers** (including GitHub-hosted lures) and emphasizing **VM/sandbox evasion**; the sample analyzed was tagged with stealer-related indicators (e.g., VidarStealer) and was previously referenced in third-party reporting about fake OpenClaw installers deploying additional malware. Separate research describes two different fileless/backdoor operations: **HellsUchecker**, a small native x64 backdoor delivered through a **10-stage chain** beginning with a **ClickFix** fake Cloudflare CAPTCHA that tricks users into pasting an obfuscated Run command, using a LOLBin to fetch payloads over **finger (TCP/79)** and retrieving encrypted C2 configuration from a **BNB Smart Chain** smart contract ("EtherHiding"), culminating in an **in-memory** final payload using **Hell’s Gate** direct syscalls; and **GhostWeaver**, a **fileless PowerShell RAT** that selects persistence based on the installed AV product, uses **TLS over TCP/25658**, and relies on multiple **DGA** routines for delivery and C2. A separate brief reports the **VOID#GEIST** campaign delivering **XWorm**, **AsyncRAT**, and **Xeno RAT** via phishing, batch scripts from **TryCloudflare** domains, staged ZIP payloads, Python-based decryption/execution, and abuse of `AppInstallerPythonRedirector.exe` to facilitate additional RAT deployment.

5 days ago
