Dubbed Alchimist and already used in the wild, the attack framework is written in Go (GoLang), the same language as the Insekt RAT that it implants on compromised systems.
The attack framework provides a web interface written in simplified Chinese that allows operators to generate and deploy malicious payloads, establish remote connections, execute code on the compromised machines, and take screenshots.
As part of the observed Alchimist campaign, Cisco also identified several other post-exploitation tools, including a reverse proxy targeting macOS (frp), a custom backdoor, and various off-the-shelf tools (such as psexec, netcat, and fscan).