DeedRAT Backdoor Enhanced with Advanced Capabilities

July 21, 2025, 10:59 a.m.

Description

Chinese threat actors have launched a new phishing campaign using DeedRAT, a modular backdoor. The campaign exploits a DLL side-loading vulnerability in VIPRE Antivirus Premium's MambaSafeModeUI.exe. DeedRAT now includes a new NetAgent module, expanding its capabilities. The malware uses TCP for C2 communication and employs various persistence techniques. Notable features include a custom encryption algorithm based on a linear congruential generator, API protection, and junk functions intended to confuse analysts. The backdoor's continued development and increased obfuscation suggest that the threat actors are actively enhancing their tools and techniques.

Date

  • Created: July 21, 2025, 10:34 a.m.
  • Published: July 21, 2025, 10:34 a.m.
  • Modified: July 21, 2025, 10:59 a.m.

Indicators

  • e356dbd3bd62c19fa3ff8943fc73a4fab01a6446f989318b7da4abf48d565af2
  • 99a0b424bb3a6bbf60e972fd82c514fd971a948f9cedf3b9dc6b033117ecb106
  • 52f489d47618db8dfb503d6da98cbd76d08b063cc7ce0aac02b03601b6cae6a1
  • luckybear669.kozow.com

Attack Patterns