The discovery of Alchimist C2 tool, revealed a new attack framework to target Windows, macOS, and Linux systems

Pierluigi Paganini October 13, 2022

Experts discovered a new attack framework, including a C2 tool dubbed Alchimist, used in attacks against Windows, macOS, and Linux systems.

Researchers from Cisco Talos discovered a new, previously undocumented attack framework that included a C2 dubbed Alchimist. The framework is likely being used in attacks aimed at Windows, macOS, and Linux systems.

The experts also spotted a new GoLang malware dubbed Insekt supporting remote administration capabilities.


The Alchimist has a web interface in Simplified Chinese, Talos researchers found it on a server that had a file listing active on the root directory along with a set of post-exploitation tools.

The Alchimist C2 can generate a configured payload, establish remote sessions, deploy payload to the remote machines, capture screenshots, perform remote shellcode execution and run arbitrary commands.

The security form also found additional tools, such as a Mach-O dropper embedded with an exploit for the PwnKit CVE-2021-4034) flaw and a Mach-O bind shell backdoor. 

The server hosting the C2 also contained dual-use tools like psexec and netcat, along with a scanning tool called “fscan.”

In August, Talos observed a Chinese threat actor using a new offensive framework called Manjusaka (which can be translated to “cow flower” from the Simplified Chinese writing) that is similar to Sliver and Cobalt Strike tools.

The attack framework is advertised as an imitation of the Cobalt Strike framework, the experts reported that the implants for the new malware family are written in the Rust language for Windows and Linux.

Experts highlight that both Manjusaka and Alchimist support similar functionalities, despite they differ in the implementation of the web interfaces.

“However, Manjusaka and Alchimist have virtually the same set of features. They both have been designed and implemented to operate as standalone GoLang-based executables that can be distributed with relative ease to operators. The frameworks inside carry the implants and the whole web user interface.” reads the analysis published by the experts. “The implant configuration is defined using the Web UI (Web User Interface), which in both cases is completely written in Simplified Chinese. Also, they both mention the uncommon protocol SNI in one case already supported (Alchimist), with plans to support it in the other (Manjusaka).”

The Alchimist C2 panel stands out for its ability to generate PowerShell and wget code snippets for Windows and Linux. Threat actors could use these commands to build their infection chain for distributing the Insekt RAT. An attacker can embed these commands in a malicious script that could be embedded in a maldoc attachment and deliver it to the victims by various means.

The analysis of the Insekt RAT revealed it it a 64-bit implant written in GoLang, compiled for both Windows and Linux environments. The malicious code supports a variety of RAT capabilities that can be requested by the Alchimist C2.

During initialization, the implant will set up multiple handlers for seven primary capabilities:

  • Get file sizes.
  • Get OS information.
  • Run arbitrary commands via cmd[.]exe.
  • Upgrade the current Insekt implant.
  • Run arbitrary commands as a different user.
  • Sleep for periods of time defined by the C2.
  • Start/stop taking screenshots.

“The Linux variant of Insekt also has the functionality to list the contents of “.ssh” directory in the victim’s home directory and adds new SSH keys to the authorised_Keys file. Using this feature, the attacker can communicate with the victim’s machine from the C2 over SSH.” continues the analysis.

Insekt also includes a module that implements the different commands, including interactive shells based on PowerShell, bash and cmd[.]exe.

“Our discovery of Alchimist is yet another indication that threat actors are rapidly adopting off-the-shelf C2 frameworks to carry out their operations.” concludes the report. “A threat actor gaining privileged shell access on a victim’s machine is like having a Swiss Army knife, enabling the execution of arbitrary commands or shellcodes in the victim’s environment, resulting in significant effects on the target organization,” the researchers said.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, attack framework)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment