
DeedRAT Backdoor Enhanced by Chinese APTs with Advanced Capabilities

ID: 20fc8d23-8640-5eb1-bf55-af28bbda387d

STIX ID: report--20fc8d23-8640-5eb1-bf55-af28bbda387d

Feed Name: Lab52 Blog

Threat Score: 75/100

Date Published: 2025-07-18

Date Updated: 2026-04-28

Author: 3722304989


LAB52 (S2 Group) reports a phishing campaign delivering the DeedRAT modular backdoor by abusing a signed VIPRE antivirus binary (MambaSafeModeUI.exe / MicRun.exe) via DLL side-loading; the loader decrypts and executes encrypted shellcode in memory, establishes persistence (service and Run registry key), communicates with a C2 (luckybear669.kozow.com) over TCP/80/443, and includes a newly observed NetAgent module. The analysis includes detailed artifacts and IOCs (file hashes, paths, mutex, registry key, and C2) and notes low detection on VirusTotal and increased loader obfuscation.
