SnappyBee
SnappyBee, also referred to as Deed RAT or DeedRAT, is a modular backdoor / remote access Trojan described in the provided reporting as a successor to ShadowPad and, in one source, as a variant of ShadowPad. It has been associated with multiple China-nexus espionage clusters, including Earth Estries / Salt Typhoon, FamousSparrow, and UAT-8302, and was also reported in activity linked to the Space Pirates cluster. Reported targeting includes government entities in South America and southeastern Europe, telecommunications infrastructure in South America and Europe, and an Azerbaijani oil and gas company, indicating use in long-term espionage operations against government, telecom, technology, and energy-sector victims.
Observed delivery and execution commonly rely on DLL sideloading with legitimate software. In the Azerbaijani oil and gas intrusion, attackers exploited Microsoft Exchange via the ProxyNotShell chain, deployed web shells, and then installed Deed RAT / SnappyBee using an updated DLL sideloading technique built around legitimate LogMeIn Hamachi components. The chain used LMIGuardianSvc.exe with a malicious LMIGuardianDll.dll and an encrypted payload file named .hamachi.lng, installed under C:\Program Files (x86)\LogMeIn Hamachi\ and persisted via a Windows service masquerading as LogMeIn Hamachi. Reporting states the loader split execution across Init and ComMain exports and patched StartServiceCtrlDispatcherW so payload execution occurred only when the legitimate application followed normal control flow, reducing sandbox visibility. Other reporting describes SnappyBee being sideloaded alongside legitimate AV executables such as Norton, Bkav, and IObit Malware Fighter.
Technical details from the cited analyses indicate the .hamachi.lng payload was decrypted with AES-128-CBC using an IV of 16 null bytes and a key derived from the first 16 bytes of the file; shellcode resolved APIs at runtime; the Deed RAT orchestrator was encrypted with RC4 and decompressed with RtlDecompressBuffer using LZNT1; and plugins were decrypted with a PRNG-based XOR routine and decompressed with Deflate. One analyzed sample used a custom PE-like header magic value 0xFF66ABCD instead of the older 0xDEED4554. Reported configuration artifacts include the mutex HJBNDusadnfy3278rnhsdaf, registry storage under SOFTWARE\Microsoft\LogMeIn Hamachi, and C2 endpoints virusblocker[.]it[.]com:443 and, in a later modified variant, sentinelonepro[.]com:443. Additional reporting states Salt Typhoon infrastructure included C2 hostnames for SnappyBee.
SnappyBee has been observed alongside other malware families, including TernDoor, ZingDoor, Ghostspider, Demodex, ShadowPad, and loaders such as Mofu. In one documented UAT-8302 intrusion, operators deployed DeedRAT / SNAPPYBEE and then quickly switched to ZingDoor; other reporting notes combined SNAPPYBEE and ZingDoor use in China-linked activity. Splunk detection content associated with SnappyBee highlights suspicious creation or modification of registry values under SOFTWARE\Microsoft\Test and also associates the malware with anonymous pipe activity. High-confidence file and infrastructure indicators directly mentioned in the content include LMIGuardianSvc.exe (legitimate sideload target; MD5 0554f3b69d39d175dd110d765c11347a), malicious LMIGuardianDll.dll, encrypted payload .hamachi.lng, and C2 domains virusblocker[.]it[.]com and sentinelonepro[.]com.
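The indicators above (service name and binary path, the sideloaded DLL and `.hamachi.lng` payload file, the registry storage paths including the `SOFTWARE\Microsoft\Test` path from the Splunk content, the mutex, and the two C2 domains) can be turned into a simple corroborating hunt. The script below is an added example, not code from this page, from Mallory, or from any vendor's detection content. It assumes a hypothetical telemetry format (one event per line, `key=value` pairs) and constructed sample events; the technique IDs T1574.002 (DLL side-loading) and T1112 (registry modification) are standard ATT&CK IDs not quoted on the page, while T1543.003 and T1071.001 are. Weights and the threshold are this example's own choices: the legitimate LMIGuardianSvc.exe hash and a Hamachi-named service are also produced by genuine Hamachi installs, so they only count when corroborated by family-specific indicators.

```python
"""Hunt for SnappyBee / Deed RAT indicators in endpoint and DNS telemetry.

Added example: this is not code from the page or from any vendor. The
indicator values are the ones in the reporting summarised above; the event
format and the sample events are constructed for the example.
"""
import re
from collections import defaultdict

# Indicators from the reporting above (compared case-insensitively where noted).
C2_DOMAINS = {"virusblocker.it.com", "sentinelonepro.com"}
SIDELOAD_HOST_MD5 = "0554f3b69d39d175dd110d765c11347a"   # legitimate LMIGuardianSvc.exe
MALICIOUS_DLL = "lmiguardiandll.dll"
PAYLOAD_FILE = ".hamachi.lng"
MUTEX = "HJBNDusadnfy3278rnhsdaf"
REGISTRY_PATHS = (r"software\microsoft\logmein hamachi", r"software\microsoft\test")
SERVICE_NAME = "logmein hamachi"
SERVICE_EXE = "lmiguardiansvc.exe"

# Hypothetical telemetry format: one event per line, key=value pairs, values may be quoted.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Parse one 'key=value key="quoted value"' line into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _registry_path(key):
    """Lowercase a registry key and drop the hive prefix for comparison with REGISTRY_PATHS."""
    k = key.lower()
    for hive in ("hkey_local_machine\\", "hklm\\", "hkey_current_user\\", "hkcu\\"):
        if k.startswith(hive):
            return k[len(hive):]
    return k


def classify(ev):
    """Return (weight, technique, note) when the event matches an indicator, else None.

    Weights (this example's choice): 3 = specific to this family, 2 = characteristic
    of the install chain, 1 = the legitimate sideload host, which genuine Hamachi
    installs also produce.
    """
    kind = ev.get("event")
    if kind == "dns_query":
        q = ev.get("query", "").lower().rstrip(".")
        if q in C2_DOMAINS:
            return 3, "T1071.001", "DNS lookup of known C2 domain " + q
    elif kind == "mutex_create" and ev.get("name") == MUTEX:
        return 3, "mutex", "SnappyBee mutex " + MUTEX
    elif kind == "file_create":
        name = _basename(ev.get("path", ""))
        if name == PAYLOAD_FILE:
            return 3, "T1574.002", "encrypted payload file " + name
        if name == MALICIOUS_DLL:
            return 2, "T1574.002", "sideloaded DLL " + name
    elif kind == "service_install":
        if ev.get("name", "").lower() == SERVICE_NAME or _basename(ev.get("image", "")) == SERVICE_EXE:
            return 2, "T1543.003", "service " + ev.get("name", "?") + " -> " + ev.get("image", "?")
    elif kind == "registry_set":
        if _registry_path(ev.get("key", "")).startswith(REGISTRY_PATHS):
            return 2, "T1112", "registry write under " + ev.get("key", "")
    elif kind == "process_create":
        if ev.get("md5", "").lower() == SIDELOAD_HOST_MD5 and _basename(ev.get("image", "")) == SERVICE_EXE:
            return 1, "T1574.002", "legitimate sideload host LMIGuardianSvc.exe (weak on its own)"
    return None


def hunt(lines, threshold=4):
    """Score each host; return {host: {"score": n, "findings": [(technique, note), ...]}}
    for hosts at or above the threshold. The host binary alone (1) or a genuine Hamachi
    install with its service (1 + 2) stays below the default threshold."""
    per_host = defaultdict(lambda: {"score": 0, "findings": []})
    for line in lines:
        ev = parse_event(line)
        hit = classify(ev)
        if hit is None:
            continue
        weight, technique, note = hit
        entry = per_host[ev.get("host", "unknown")]
        entry["score"] += weight
        entry["findings"].append((technique, note))
    return {h: e for h, e in per_host.items() if e["score"] >= threshold}


# Constructed sample telemetry: WS01 shows the install chain from the reporting,
# WS02 looks like an ordinary Hamachi install with no corroborating indicators.
SAMPLE_EVENTS = r'''
host=WS01 event=process_create image="C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe" md5=0554f3b69d39d175dd110d765c11347a
host=WS01 event=file_create path="C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianDll.dll"
host=WS01 event=file_create path="C:\Program Files (x86)\LogMeIn Hamachi\.hamachi.lng"
host=WS01 event=service_install name="LogMeIn Hamachi" image="C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe"
host=WS01 event=registry_set key="HKLM\SOFTWARE\Microsoft\LogMeIn Hamachi\Data"
host=WS01 event=mutex_create name=HJBNDusadnfy3278rnhsdaf
host=WS01 event=dns_query query=sentinelonepro.com
host=WS02 event=process_create image="C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe" md5=0554f3b69d39d175dd110d765c11347a
host=WS02 event=service_install name="LogMeIn Hamachi" image="C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe"
host=WS02 event=dns_query query=update.example.net
'''.strip().splitlines()

if __name__ == "__main__":
    for host, result in hunt(SAMPLE_EVENTS).items():
        print(f"{host}: score {result['score']}")
        for technique, note in result["findings"]:
            print(f"  [{technique}] {note}")
```

Run as written, only WS01 is reported (score 16, with the DNS, mutex, payload file, DLL, service and registry hits listed); WS02 scores 3 and is suppressed. In a real deployment the `parse_event` step is what you replace with your SIEM's field extraction, and the per-host scoring is what keeps the legitimate Hamachi binary from paging anyone on its own.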
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Vulnerabilities exploited
4 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
The process command line contained the MSExchangePowerShellAppPool argument, indicating that the attacker exploited the Exchange server via the ProxyNotShell exploit chain... ProxyNotShell (CVE-2022-41040, CVE-2022-41082) is a related exploit chain disclosed in 2022. Both allow unauthenticated attackers to execute code on unpatched Exchange servers.
Beyond the delivery mechanism, the operation is characterized by the deployment of two distinct backdoor families, Deed RAT and Terndoor, which were utilized across three separate waves of activity.
The operation deployed two distinct backdoor families, Deed RAT and Terndoor, across different stages.
In their latest campaign, the actor leverages one of the latest WinRAR vulnerabilities that will ultimately lead to running shellcode... Rule names: EE_Loader, EE_Dropper, WinRAR_ADS_Traversal. References / Resources: WinRAR CVE: https://nvd.nist.gov/vuln/detail/CVE-2025-8088
...exploited a public-facing Citrix NetScaler Gateway appliance, likely CVE-2023-3519, for initial access and deployed SnappyBee (also known as Deed RAT)... CVE-2023-3519 is a critical remote code execution (RCE) vulnerability in Citrix Application Delivery Controller (ADC) and Citrix Gateway appliances.
Groups observed using it
5 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Beyond the delivery mechanism, the operation is characterized by the deployment of two distinct backdoor families, Deed RAT and Terndoor, which were utilized across three separate waves of activity.
Another kind of previously unknown malware, which we found in a single instance at one of our clients, is a modular backdoor.
In one documented intrusion, the group also deployed SNAPPYBEE and ZingDoor together, a tactic independently highlighted by Trend Micro in 2024 reporting on similar China-linked activity.
...used for DLL side-loading in connection with Deed RAT (aka Snappybee) in prior activity attributed to Salt Typhoon...
Techniques & procedures
34 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques
Despite remediation attempts, they repeatedly re-entered the network, deploying different backdoors in three distinct waves.
The chain of evidence includes Exchange exploitation (T1190 Exploit Public-Facing Application)... The process command line contained the MSExchangePowerShellAppPool argument, indicating that the attacker exploited the Exchange server via the ProxyNotShell exploit chain.
Execution
7 techniques
After opening an interactive remote session, they launched a PowerShell console (T1059.001 PowerShell), and within minutes, LMIGuardianSvc.exe and its associated files appeared on the system.
ShellManager: remote command line... MITRE mapping: T1059.003 Command and Scripting Interpreter: Windows Command Shell
The Space Pirates group's malware uses WinAPI functions to launch new processes and inject shellcode.
In their latest campaign, the actor leverages one of the latest WinRAR vulnerabilities that will ultimately lead to running shellcode.
ID: T1559 | Technique: Inter-Process Communication | Tactic: Execution
MITRE ATT&CK Mapping... T1569.002 Service Execution LogMeIn Hamachi service executes LMIGuardianSvc.exe at system startup.
"Unlike standard DLL side-loading that relies on simple file replacement, this method overrides two specific exported functions within the malicious library. This creates a two-stage trigger that gates the Deed RAT loader's execution through the host application's natural control flow..."
Persistence
4 techniques
Deed RAT stores all of its data in the registry, including its configuration and plugins.
Despite remediation attempts, they repeatedly re-entered the network, deploying different backdoors in three distinct waves.
To secure persistence (T1543.003 Windows Service), the attackers created a service named LogMeIn Hamachi, configured to automatically launch C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe at system startup.
Privilege Escalation
3 techniques
The recently observed intrusion... followed by web shell deployment, command execution, DLL sideloading, and backdoor deployment.
To secure persistence (T1543.003 Windows Service), the attackers created a service named LogMeIn Hamachi, configured to automatically launch C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe at system startup.
Stealth
7 techniques
The third wave brought back a modified Deed RAT using sentinelonepro[.]com as its command-and-control address, impersonating a well-known security vendor to avoid detection in network logs.
When creating services, the Space Pirates group uses legitimate-looking names.
The Space Pirates group disguises its malware as legitimate software.
The recently observed intrusion... followed by web shell deployment, command execution, DLL sideloading, and backdoor deployment.
MITRE ATT&CK Mapping... T1140 Deobfuscate / Decode Files or Information RC4, AES-CBC, LZNT1, and Deflate decryption/decompression of Deed RAT components and plugins.
The payload only runs after the host application follows a specific internal sequence of calls, meaning a sandbox examining the file in isolation sees no malicious behavior at all.
"Unlike standard DLL side-loading that relies on simple file replacement, this method overrides two specific exported functions within the malicious library. This creates a two-stage trigger that gates the Deed RAT loader's execution through the host application's natural control flow..."
Defense Impairment
1 technique
Credential Access
1 technique
Discovery
6 techniques
The Space Pirates group collects information about the network settings of the infected machine.
The Space Pirates group collects information about the users of compromised computers.
Deed RAT collects information about the proxies in use by sniffing traffic.
Immediately after establishing a connection to the C2, the backdoor collects and sends system information... MITRE mapping: T1082
The payload only runs after the host application follows a specific internal sequence of calls, meaning a sandbox examining the file in isolation sees no malicious behavior at all.
While collecting system information, Deed RAT obtains the language identifier (LCID).
Lateral Movement
2 techniques
They pivoted to another server using RDP (T1021.001 Remote Desktop Protocol) and authenticated with a domain administrator account...
Evidence shows that they used atexec and smbexec-style utilities (consistent with the Impacket toolkit) (T1021.002 SMB/Windows Admin Shares) to spread the infection to yet another machine...
Command and Control
8 techniques
The Space Pirates group's malware supports multiple C2 servers and can update its C2 list via web pages.
MITRE ATT&CK Mapping... T1071.001 Application Layer Protocol HTTPS C2 to sentinelonepro[.]com:443 and virusblocker[.]it[.]com:443
RS5Manager: use of the infected computer as a proxy server... Deed RAT can detect and use proxies to connect to the C2.
The Space Pirates group downloads additional utilities from the command-and-control server using the certutil utility.
The Space Pirates group's malware can compress network messages using the LZNT1 and LZW algorithms.
The Space Pirates group uses non-standard ports, such as 8081, 5351, 63514 and others, to communicate with its command-and-control server.
The Space Pirates group's malware can encrypt network messages using symmetric algorithms.
Other
1 technique
IOCs tracked for this family
25 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
32 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Backdoor/RAT used by FamousSparrow in a multi-wave intrusion against an Azerbaijani oil and gas company. It was deployed via DLL sideloading using files disguised as LogMeIn Hamachi, with its payload stored in an encrypted file (.hamachi.lng), decrypted in memory using AES-128 and RC4, and persisted via a Windows service.
A remote access trojan/backdoor deployed by FamousSparrow during multiple waves of intrusion; described as a successor to ShadowPad and used to maintain access to the compromised network.
A backdoor/RAT described as a successor of ShadowPad, deployed in multiple waves during the intrusion to provide persistent access. The campaign used an evolved DLL side-loading technique leveraging the legitimate LogMeIn Hamachi binary to load a rogue DLL that executed the main payload.
A modular backdoor/RAT delivered via DLL sideloading using legitimate LogMeIn Hamachi components. It decrypts and loads staged payloads in memory, uses plugins, persists as a Windows service, supports process injection, and communicates over HTTPS with attacker-controlled C2 infrastructure.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.