VERY IMPORTANT

Chinese threat actors have launched a new phishing campaign using DeedRAT, a modular backdoor. The campaign exploits a DLL side-loading vulnerability in VIPRE Antivirus Premium's MambaSafeModeUI.exe. DeedRAT now includes a new NetAgent module, expanding its capabilities. The malware uses TCP for C2 communication and employs various persistence techniques. Notable features include a custom encryption algorithm using a linear congruential generator, API protection, and junk functions to confuse analysts. The backdoor's continued development and increased obfuscation suggest the threat actors are actively enhancing their tools and techniques.