A previously undocumented command-and-control (C2) framework dubbed Alchimist is likely being used in the wild to target Windows, macOS, and Linux systems.
“Alchimist C2 has a web interface written in Simplified Chinese and can generate a configured payload, establish remote sessions, deploy payload to the remote machines, capture screenshots, perform remote shellcode execution, and run arbitrary commands,” Cisco Talos said in a report shared with The Hacker News.
Written in Go, Alchimist is complemented by a beacon implant called Insekt, which provides remote-access features that the C2 server can drive on the compromised host.
The discovery of Alchimist and its assorted family of malware implants comes three months after Talos also detailed another self-contained framework known as Manjusaka, which has been touted as the “Chinese sibling of Sliver and Cobalt Strike.”
Notably, Manjusaka and Alchimist offer a similar set of capabilities, even though their web interfaces are implemented differently.
“The rise of ready-to-go offensive frameworks such as Manjusaka and Alchimist is an indication of the popularity of post-compromise tools,” Talos researchers told The Hacker News.