DeedRAT: Unpacking a Modern Backdoor’s Playbook
ID: 96df4867-903e-5ab9-ac4d-2ce33aae7ae3
STIX ID: report--96df4867-903e-5ab9-ac4d-2ce33aae7ae3
Feed Name: Binary Defense Blog
Binary Defense ARC Labs analyzed DeedRAT, a stealthy backdoor attributed to the Salt Typhoon (Earth Estries) APT. The infection chain starts with a phishing-delivered ZIP containing three files: MicRun.exe, SBAMRES.dll, and SBAMRES.DLL.CC. The executable sideloads the DLL, which in turn executes encrypted shellcode; the backdoor persists by copying its files to C:\ProgramData\MicroDefaults. Once running, DeedRAT supports reconnaissance, file modification, and remote payload execution, and it has been used against government, telecom, and other critical-sector targets.
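The two most hunt-friendly parts of that chain are the sideloading pair (MicRun.exe loading SBAMRES.dll from its own directory) and the persistence directory. The following is an added example, not Binary Defense's code or tooling: it runs the two checks over Sysmon-style events (EventID 7 image loads, EventID 11 file creates) represented as dicts. The event records and paths below are constructed for illustration; only the file names and the C:\ProgramData\MicroDefaults path come from the summary above.

```python
"""Hunt for the DeedRAT sideloading pair and persistence directory.

Added example (not from the Binary Defense write-up). Events are
Sysmon-like dicts: EventID 7 = image load, EventID 11 = file create.
All sample records below are constructed for this example.
"""
from pathlib import PureWindowsPath

# Indicators taken from the report summary.
SIDELOAD_HOST = "micrun.exe"      # benign-looking host EXE in the ZIP
SIDELOADED_DLL = "sbamres.dll"    # DLL it sideloads
PERSIST_DIR = r"C:\ProgramData\MicroDefaults"

# Constructed sample telemetry: one true sideload, one persistence write,
# and several benign look-alikes that must NOT be flagged.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\alice\Downloads\invoice\MicRun.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\invoice\SBAMRES.dll"},
    {"EventID": 11, "Image": r"C:\Users\alice\Downloads\invoice\MicRun.exe",
     "TargetFilename": r"C:\ProgramData\MicroDefaults\SBAMRES.DLL.CC"},
    # same host, but the DLL comes from System32, not the host's directory
    {"EventID": 7, "Image": r"C:\Users\alice\Downloads\invoice\MicRun.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll"},
    {"EventID": 11, "Image": r"C:\Program Files\Foo\foo.exe",
     "TargetFilename": r"C:\ProgramData\Foo\cache.bin"},
]


def _name(path: str) -> str:
    """Case-folded file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def _parent(path: str) -> str:
    """Case-folded parent directory of a Windows path."""
    return str(PureWindowsPath(path).parent).lower()


def _under(path: str, directory: str) -> bool:
    """True if path lies inside directory (case-insensitive prefix match)."""
    prefix = directory.lower().rstrip("\\") + "\\"
    return str(PureWindowsPath(path)).lower().startswith(prefix)


def find_sideload(events):
    """Image loads where MicRun.exe loads SBAMRES.dll from its own directory.

    Requiring the DLL to sit next to the EXE is what separates a sideload
    from a legitimate load of a same-named system DLL.
    """
    hits = []
    for ev in events:
        if ev.get("EventID") != 7:
            continue
        host, dll = ev["Image"], ev["ImageLoaded"]
        if (_name(host) == SIDELOAD_HOST
                and _name(dll) == SIDELOADED_DLL
                and _parent(host) == _parent(dll)):
            hits.append(ev)
    return hits


def find_persistence(events):
    """File creates anywhere under the persistence directory."""
    return [ev for ev in events
            if ev.get("EventID") == 11 and _under(ev["TargetFilename"], PERSIST_DIR)]


def hunt(events):
    """Run both checks and return the hits grouped by technique."""
    return {"sideload": find_sideload(events),
            "persistence": find_persistence(events)}


if __name__ == "__main__":
    for technique, hits in hunt(SAMPLE_EVENTS).items():
        print(f"{technique}: {len(hits)} hit(s)")
        for ev in hits:
            print("   ", ev.get("ImageLoaded") or ev.get("TargetFilename"))
```

The file names are the weakest part of this hunt, since an operator can rename them between campaigns; the same-directory sideload condition and a write to an unexpected ProgramData subfolder are the parts worth keeping when you port this to your SIEM's query language.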
