www.darktrace.com 2/3/2026, 7:00:44 PM

Darktrace Malware Analysis: Unpacking SnappyBee

Darktrace’s analysis describes SnappyBee as a modular backdoor linked to Salt Typhoon. The malware was previously documented by Trend Micro in November 2024 and is used after initial compromise to establish persistence and deploy additional malware.

The malware employs a custom packing routine to obscure its payload and consists of two main components: a loader DLL that unpacks the malicious code, and a data file containing the encrypted payload. The loader can also be executed via DLL sideloading by a legitimately signed executable, so that the activity appears legitimate to antivirus solutions.

The analysis follows the unpacking workflow, starting with static analysis of the DLL’s DllMain. DllMain checks the fdwReason value and uses dynamically resolved API calls such as VirtualProtect and StartServiceCtrlDispatcherW to hook and redirect execution before decrypting the loaded data in memory. SnappyBee uses the first 16 bytes of the data file as the key for mbedtls arc4 (RC4) decryption, then marks the decrypted region as Read+Execute and runs the unpacked code in memory, which in turn carries out the subsequent unpacking stages.

The piece also explains practical methods for obtaining the next stage, either by re-implementing the unpacking routine or by debugging the sample with x32dbg in a sandbox; the analysis demonstrates breakpoints and memory dumps across multiple stages of in-memory decryption and shellcode unpacking. IoCs are listed as loader and payload hashes. According to the Microsoft Developer Network documentation, an fdwReason value of 1 in DllMain corresponds to DLL_PROCESS_ATTACH, which the sample relies on as part of its loading behaviour.
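The first of the two recovery methods above, re-implementing the unpacking routine, is illustrated here as an added example for analysts; it is not code from the Darktrace write-up or from the malware. It assumes, as the summary states, that the first 16 bytes of the data file are the RC4 key, and further assumes (not stated on the page) that everything after those 16 bytes is the ciphertext and that mbedtls arc4 is plain RC4 with no key-length or keystream-drop quirks. The sample data file is constructed inline so the script runs offline; against a real sample you would read the data file from disk and write the decrypted blob out for static analysis of the next stage.

```python
"""Stage-1 unpacker for a SnappyBee-style data file (analysis example).

Layout assumed: [16-byte RC4 key][RC4 ciphertext of the next stage].
The key-length assumption comes from the published analysis; the
"remainder is ciphertext" assumption is ours.
"""

KEY_LEN = 16  # first 16 bytes of the data file are used as the RC4 key


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Standard RC4 (KSA + PRGA). Encryption and decryption are identical."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    # Key-scheduling algorithm: permute S using the key.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm: XOR the keystream into the data.
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def unpack_data_file(blob: bytes) -> bytes:
    """Split the data file into key and ciphertext and return the plaintext."""
    if len(blob) <= KEY_LEN:
        raise ValueError("data file too short to contain a key and a payload")
    key, ciphertext = blob[:KEY_LEN], blob[KEY_LEN:]
    return rc4_crypt(key, ciphertext)


def classify_stage(decrypted: bytes) -> str:
    """Cheap triage of the recovered stage: PE image or raw position-independent code."""
    if decrypted[:2] == b"MZ":
        return "pe"          # full executable image, load in a disassembler as PE
    return "shellcode"       # no PE header, treat as raw code (the article's later stages)


def build_sample_data_file(key: bytes, payload: bytes) -> bytes:
    """Construct a data file in the assumed layout (test fixture only)."""
    assert len(key) == KEY_LEN
    return key + rc4_crypt(key, payload)


# Constructed fixture: a 16-byte key and a fake "next stage" with a PE header.
SAMPLE_KEY = bytes(range(0x10, 0x20))
SAMPLE_PAYLOAD = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"constructed-next-stage"
SAMPLE_DATA_FILE = build_sample_data_file(SAMPLE_KEY, SAMPLE_PAYLOAD)


if __name__ == "__main__":
    recovered = unpack_data_file(SAMPLE_DATA_FILE)
    print(f"recovered {len(recovered)} bytes, classified as {classify_stage(recovered)}")
    # For a real sample: open(data_file, "rb").read() -> unpack_data_file -> write to disk.
```

Confirming `rc4_crypt` against a published RC4 test vector before trusting the unpacked output is worth the extra line; a subtly wrong PRGA yields plausible-looking garbage that wastes hours in a disassembler.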


Article by CyberSIXT