Researchers in cybersecurity have uncovered that the BLOODALCHEMY malware, used in attacks on government organizations in Southern and Southeastern Asia, is actually an updated form of Deed RAT, believed to be a successor to ShadowPad.
The Japanese company emphasized the importance of monitoring this malware, stating, “The origin of BLOODALCHEMY and Deed RAT is ShadowPad, and given the history of ShadowPad in numerous APT campaigns, it is crucial to pay special attention to the usage trend of this malware.”
Researchers first documented BLOODALCHEMY in October 2023, linking it to a campaign by an intrusion set tracked as REF5961 that targeted the Association of Southeast Asian Nations (ASEAN) countries.
This x86 backdoor, written in C, is injected into a signed benign process (“BrDifxapi.exe”) using DLL side-loading. It can overwrite the toolset, collect host information, load additional payloads, and uninstall and terminate itself.
While its purpose is not confirmed, the malware’s limited commands suggest it may be part of a larger intrusion set or malware package, still in development, or a highly focused malware for specific tactical use.
Observed attack chains compromise a maintenance account on a VPN device to gain initial access, then deploy BrDifxapi.exe, which sideloads BrLogAPI.dll. This loader extracts the BLOODALCHEMY shellcode from a file named DIFX and executes it in memory.
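As an added example (not code from the report or from the researchers), the following Python checks Sysmon-style image-load records for the side-loading pattern described above: BrDifxapi.exe loading BrLogAPI.dll while the DLL is unsigned, sits in a user-writable directory, or has a file named DIFX beside it. The log records, paths and signature values are constructed for illustration, and the user-writable-directory heuristic is an assumption of this example.

```python
import ntpath
import os

# Constructed records modelled on Sysmon Event ID 7 (Image loaded) fields.
# Paths and signature values are invented for this example.
IMAGE_LOAD_EVENTS = [
    {"Image": r"C:\Users\svc\AppData\Local\Temp\BrDifxapi.exe",
     "ImageLoaded": r"C:\Users\svc\AppData\Local\Temp\BrLogAPI.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Program Files\Brother\BrDifxapi.exe",
     "ImageLoaded": r"C:\Program Files\Brother\BrLogAPI.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]

HOST_PROCESS = "brdifxapi.exe"   # signed benign host named in the report
SIDELOADED_DLL = "brlogapi.dll"  # loader DLL named in the report
PAYLOAD_FILE = "DIFX"            # file the loader reads the shellcode from

def is_user_writable(path: str) -> bool:
    """Assumed heuristic: locations a standard user can write to."""
    low = path.lower()
    return "\\appdata\\" in low or "\\temp\\" in low or low.startswith("c:\\users\\")

def sideload_alerts(events, payload_exists=None) -> list:
    """Return one alert per BrDifxapi.exe -> BrLogAPI.dll load that looks suspicious.
    payload_exists lets a caller inject the filesystem check (default: os.path.exists)."""
    exists = payload_exists or os.path.exists
    alerts = []
    for ev in events:
        if ntpath.basename(ev["Image"]).lower() != HOST_PROCESS:
            continue
        if ntpath.basename(ev["ImageLoaded"]).lower() != SIDELOADED_DLL:
            continue
        reasons = []
        if ev.get("Signed", "").lower() != "true":
            reasons.append("unsigned DLL")
        if is_user_writable(ev["ImageLoaded"]):
            reasons.append("DLL in user-writable directory")
        if exists(ntpath.join(ntpath.dirname(ev["ImageLoaded"]), PAYLOAD_FILE)):
            reasons.append("DIFX payload file present beside loader")
        if reasons:
            alerts.append({"image": ev["Image"], "dll": ev["ImageLoaded"], "reasons": reasons})
    return alerts

if __name__ == "__main__":
    # Simulate the DIFX blob being present only in the Temp directory.
    for alert in sideload_alerts(IMAGE_LOAD_EVENTS, lambda p: p.lower().endswith("\\temp\\difx")):
        print(alert)
```

A legitimately installed copy in a vendor directory with a valid signature and no DIFX file produces no alert, so the rule keys on context rather than on the file names alone.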
The malware’s run mode determines its behavior, allowing it to evade analysis in sandbox environments, set up persistence, establish contact with a remote server, and control the infected host through backdoor commands.
The analysis also found code similarities with Deed RAT, a multifaceted malware used exclusively by a threat actor known as Space Pirates and regarded as the next iteration of ShadowPad, which is itself an evolution of PlugX.
Similarities in the payload header’s unique data structures, in the shellcode loading process, and in the DLL file used to read the shellcode link BLOODALCHEMY to Deed RAT.
Both PlugX (Korplug) and ShadowPad (aka PoisonPlug) have been extensively used by China-nexus hacking groups over the years.
Leaks from a Chinese state contractor earlier this year revealed that such tactical and tooling overlaps between Chinese hacking groups are due to support from hack-for-hire entities for multiple campaigns with similar tools, suggesting the presence of “digital quartermasters” overseeing a centralized pool of tools and techniques.
These findings coincide with the expansion of targeting by a China-linked threat actor, Sharp Dragon (formerly Sharp Panda), to include governmental organizations in Africa and the Caribbean as part of an ongoing cyber espionage campaign.
To prevent BLOODALCHEMY attacks, organizations should prioritize strong credential hygiene and regular patching. Implementing multi-factor authentication (MFA) can add an extra layer of security. Additionally, regular security audits and monitoring for suspicious activity can help detect and mitigate potential threats early.