A new technical analysis by Darktrace has peeled back the layers of SnappyBee (also known as Deed RAT), a sophisticated modular backdoor attributed to the China-linked threat group Salt Typhoon (Earth Estries). The analysis describes SnappyBee as a phantom designed for post-compromise entrenchment, typically deployed after the attacker has gained access to a system to establish long-term persistence and deploy further malware such as Cobalt Strike and the Demodex rootkit.
To stay hidden, SnappyBee employs a custom packing routine and uses DLL side-loading: a malicious SnappyBee DLL is loaded by a legitimate, signed executable that is vulnerable to side-loading. The malware then performs memory operations, dynamically resolves Windows APIs at runtime to avoid static fingerprints, and hooks the dispatcher function to redirect control back to the malware.
It reads a data file shipped with SnappyBee and decrypts its core payload in memory using the ARC4 cipher via the mbedtls library, reducing the forensic surface area to evade detection. For SOCs, the report stresses the need for manual unpacking and dynamic debugging to move defenders from reactive cleanup to proactive defence.
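The unpacking step the report describes (a companion data file decrypted with ARC4 into an in-memory payload) is the kind of routine an analyst reproduces during manual unpacking. The following is an added example, not code from the Darktrace report or from the malware: a pure-Python RC4 helper that decrypts a constructed data blob with a constructed key and only accepts the result if it carries a PE header.

```python
from typing import Optional

# Added example (not from the Darktrace report or the malware itself). The key,
# payload bytes and blob below are constructed for illustration only.

MZ_MAGIC = b"MZ"


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4/ARC4 key scheduling plus keystream generation.

    The cipher is symmetric: the same call encrypts and decrypts.
    """
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm (KSA)
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # pseudo-random generation algorithm (PRGA)
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def unpack_payload(blob: bytes, key: bytes) -> Optional[bytes]:
    """Decrypt a companion data blob; return it only if it looks like a raw PE.

    A wrong key yields pseudo-random bytes, so the MZ check keeps an analyst
    from carving garbage out of a failed decryption attempt.
    """
    plain = rc4(key, blob)
    if not plain.startswith(MZ_MAGIC):
        return None
    return plain


# Constructed sample: a fake PE stub (not real malware) protected with a
# constructed key, standing in for the data file shipped beside the loader.
SAMPLE_KEY = b"constructed-key"
SAMPLE_PAYLOAD = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"
SAMPLE_BLOB = rc4(SAMPLE_KEY, SAMPLE_PAYLOAD)

if __name__ == "__main__":
    recovered = unpack_payload(SAMPLE_BLOB, SAMPLE_KEY)
    print("recovered PE stub" if recovered else "decryption failed")
```

In a real case the key must be recovered from the loader (for example by reading it out under a debugger, as the report's call for dynamic debugging suggests); nothing here guesses or brute-forces it.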