{
	"id": "c74f154d-ab97-4876-b605-0a741fb7caab",
	"created_at": "2026-04-06T00:12:43.59306Z",
	"updated_at": "2026-04-10T13:11:49.648739Z",
	"deleted_at": null,
	"sha1_hash": "351314360561abe30a8ea0595110d26e391215f1",
	"title": "Disclosing the BLOODALCHEMY backdoor",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 696360,
	"plain_text": "Disclosing the BLOODALCHEMY backdoor\r\nBy Cyril François\r\nPublished: 2023-10-13 · Archived: 2026-04-05 13:06:21 UTC\r\nPreamble\r\nBLOODALCHEMY is an x86 backdoor written in C and found as shellcode injected into a signed benign process. It was discovered in our analysis and is part of the REF5961 intrusion set, which you can read about here.\r\nBLOODALCHEMY requires a specific loader to be run because it isn't reflexive (it doesn’t have the capability to load and execute by itself). Additionally, BLOODALCHEMY isn’t compiled as position-independent code: when loaded at a base address other than the preferred one, the binary has to be patched to take the new “position” into account.\r\nIn our analysis, the signed benign process was previously sideloaded with a malicious DLL. The DLL was missing from the sample data but was likely the container and the loader of the BLOODALCHEMY shellcode.\r\nWe believe from our research that the malware is part of a bigger toolset and is still in active development, based on its current lack of capabilities, enabled debug logging of exceptions, and the existence of test strings used for persistence service setup.\r\nKey takeaways\r\nBLOODALCHEMY is likely a new backdoor and is still in active development\r\nBLOODALCHEMY abuses a legitimate binary for loading\r\nBLOODALCHEMY has multiple running modes, persistence mechanisms, and communication options\r\nInitial execution\r\nDuring the initial execution phase, the adversary deployed a benign utility, BrDifxapi.exe, which is vulnerable to DLL side-loading. When deploying this vulnerable utility the adversary could side-load the unsigned BLOODALCHEMY loader (BrLogAPI.dll) and inject shellcode into the current process.\r\nCommand-line used to execute the BLOODALCHEMY loader\r\nFake BrLogApi.dll, part of BLOODALCHEMY toolset, sideloaded by BrDifxapi.exe\r\nBrDifxapi.exe is a binary developed by the Japanese company Brother Industries, and the version we observed has a revoked signature.\r\nhttps://www.elastic.co/security-labs/disclosing-the-bloodalchemy-backdoor\r\nPage 1 of 12\n\nBrDifxapi.exe with revoked signature\r\nThe legitimate DLL named BrLogApi.dll is an unsigned DLL, also by Brother Industries. BLOODALCHEMY uses the same DLL name.\r\nThe legitimate BrLogApi.dll is an unsigned DLL file\r\nCode analysis\r\nData Obfuscation\r\nTo hide its strings the BLOODALCHEMY malware uses a classic technique: each string is encrypted, preceded by a single-byte decryption key, and finally all of them are concatenated together to form what we call an encrypted blob.\r\nThe strings are not null-terminated; instead, the offset of the string from the beginning of the blob and its size are passed as parameters to the decryption function. Here is the encrypted blob format:\r\nBlob = Key0:EncryptedString0 + Key1:EncryptedString1 + ... + KeyN:EncryptedStringN\r\nThe implementation in Python of the string decryption algorithm is given below:\r\ndef decrypt_bytes(encrypted_data: bytes, offset: int, size: int) -\u003e bytes:\r\n    # The first byte of the encrypted string is the single-byte key;\r\n    # the remaining size - 1 bytes are the ciphertext.\r\n    decrypted_size = size - 1\r\n    decrypted_data = bytearray(decrypted_size)\r\n    encrypted_data_ = encrypted_data[offset : offset + size]\r\n    key = encrypted_data_[0]\r\n    i = 0\r\n    while i != decrypted_size:\r\n        decrypted_data[i] = key ^ encrypted_data_[i + 1]\r\n        # Key schedule: rotate the 8-bit key left by (i % 5) + 1 bits and add it to itself, modulo 256\r\n        key = (key + ((key \u003c\u003c ((i % 5) + 1)) | (key \u003e\u003e (7 - (i % 5))))) \u0026 0xFF\r\n        i += 1\r\n    return bytes(decrypted_data)\r\nThe strings contained in the configuration blob are encrypted with the same scheme, but the id (or offset) of each string is obfuscated, which adds two additional layers of obfuscation that must be resolved first. The function below resolves those layers to decrypt a string from the configuration:\r\ndef decrypt_configuration_string(id: int) -\u003e bytes:\r\n    return decrypt_bytes(\r\n        *get_configuration_encrypted_string(\r\n            get_configuration_dword(id)))\r\nEach function is given below:\r\nThe get_configuration_dword function\r\nimport ida_bytes  # IDAPython API; CONFIGURATION_VA is the address of the configuration blob in the IDB\r\n\r\ndef get_configuration_dword(id: int) -\u003e int:\r\n    # Read a little-endian DWORD at offset id in the configuration\r\n    b = ida_bytes.get_bytes(CONFIGURATION_VA + id, 4)\r\n    return b[0] + (b[1] + (b[2] + (b[3] \u003c\u003c 8) \u003c\u003c 8) \u003c\u003c 8)\r\nThe get_configuration_encrypted_string function\r\ndef get_configuration_encrypted_string(id: int) -\u003e tuple[int, int]:\r\n    # Decode a variable-length integer (7 data bits per byte, least significant\r\n    # group first); a byte with the high bit clear terminates the sequence.\r\n    ea = CONFIGURATION_VA + id\r\n    v2 = 0\r\n    i = 0\r\n    while i \u003c= 63:\r\n        c = ida_bytes.get_byte(ea)\r\n        v6 = (c \u0026 127) \u003c\u003c i\r\n        v2 = (v2 | v6) \u0026 0xFFFFFFFF\r\n        ea += 1\r\n        if (c \u0026 0x80) == 0:  # get_byte returns an unsigned value, so test the high bit explicitly\r\n            break\r\n        i += 7\r\n    return ea, v2\r\nPersistence\r\nBLOODALCHEMY maintains persistence by copying itself into its persistence folder with the path suffix \\Test\\test.exe.\r\nBLOODALCHEMY folder and binary name\r\nThe root directory of the persistence folder is chosen based on its current privilege level; it can be either:\r\n%ProgramFiles%\r\n%ProgramFiles(x86)%\r\n%Appdata%\r\n%LocalAppData%\\Programs\r\nBLOODALCHEMY root persistence folder choice\r\nPersistence is achieved via different methods depending on the configuration:\r\nAs a service\r\nAs a registry key\r\nAs a scheduled task\r\nUsing COM interfaces\r\nTo identify the persistence mechanisms, we can use the uninstall command to observe the different ways that the malware removes persistence.\r\nAs a service named Test.\r\nBLOODALCHEMY deleting previously installed service\r\nAs a registry key at CurrentVersion\\Run\r\nBLOODALCHEMY deleting “CurrentVersion\\Run” persistence registry key\r\nAs a scheduled task, running with SYSTEM privilege via schtasks.exe:\r\nb'schtasks.exe /CREATE /SC %s /TN \"%s\" /TR \"\\'%s\\'\" /RU \"NT AUTHORITY\\\\SYSTEM\" /Fb'\r\nUsing the TaskScheduler::ITaskService COM interface. The intent of this persistence mechanism is currently unknown.\r\nInstantiation of the ITaskService COM interface\r\nRunning modes\r\nThe malware has different running modes depending on its configuration:\r\nWithin the main or a separate process thread\r\nCreate a Windows process and inject a shellcode into it\r\nAs a service\r\nThe malware can either work within the main process thread.\r\nCapability function called within the main function\r\nOr run in a separate thread.\r\nCapability function called in a new thread\r\nOr create a Windows process from a hardcoded list and inject a shellcode passed by parameter to the entry point, using the WriteProcessMemory+QueueUserAPC+ResumeThread method.\r\nProcess injection running method\r\nList of target binaries for process injection\r\nThe shellcode is contained in the parameter we call p_interesting_data. This parameter is actually a pointer to a structure containing both the malware configuration and executable binary data.\r\nEntrypoint prototype\r\nProvided shellcode copied in the remote process\r\nFinal part of the process injection procedure\r\nOr install and run itself as a service. In this scenario, the service name and description will be Test and Digital Imaging System:\r\nName and description strings used to install the BLOODALCHEMY service\r\nAlso, when running as a service and started by the service manager, the malware masquerades as stopped by first setting the service status to “SERVICE_RUNNING” and then setting it to “SERVICE_STOPPED”, while in fact the malware is still running.\r\nBLOODALCHEMY’s service entry point masquerading service status\r\nCommunication\r\nThe malware communicates using either the HTTP protocol, named pipes, or sockets.\r\nWhen using the HTTP protocol the malware requests the following URI: /Inform/logger/.\r\nURI used to connect to C2\r\nIn this scenario, BLOODALCHEMY will try to use any proxy server found in the registry key SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings.\r\nHost proxy information gathered from registry\r\nWe did not uncover any C2 infrastructure with our sample, but the URL could look something like this:\r\nhttps://malwa[.]re/Inform/logger\r\nWhen using a named pipe, the name is randomly generated using the current PID as seed.\r\nRandom pipe name generation seeded with current PID\r\nWhile waiting for a client to connect to this named pipe, the malware scans the running processes and checks that its parent process is still running; this may be intended to limit access to the named pipe. That said, the malware does not check that the pipe client is the parent process, only that the parent process is running. This makes the logic protecting the named pipe flawed.\r\nRetrieve parent PID\r\nFlawed check for restricting pipe access to parent process\r\nFrom the malware strings and imports we know that the malware can also operate using TCP/UDP sockets.\r\nUsage of the socket API in one of the implementations of the “communication” interface\r\nWhile we haven’t made any conclusions about their usage, we list all the protocols found in the encrypted strings.\r\nDNS://\r\nHTTP://\r\nHTTPS://\r\nMUX://\r\nUDP://\r\nSMB://\r\nSOCKS5://\r\nSOCKS4://\r\nTCP://\r\nFor all protocols the data can be encrypted, LZNT1 compressed, and/or Base64-encoded.\r\nCommands\r\nThe malware only contains a few commands with actual effects:\r\nWrite/overwrite the malware toolset\r\nLaunch its malware binary Test.exe\r\nUninstall and terminate\r\nGather host information\r\nThere are three commands that write (or overwrite) the malware tool set with the received Base64-encoded binary data:\r\nEither the malware binary (Test.exe)\r\nthe sideloaded DLL (BrLogAPI.dll)\r\nor the main trusted binary (BrDifxapi.exe)\r\nBLOODALCHEMY tool set overwrite commands\r\nOne command launches the Test.exe binary in the persistence folder.\r\nBLOODALCHEMY command to run the malware executable binary\r\nThe uninstall-and-terminate command first deletes all its files at specific locations, then removes any persistence registry key or scheduled task, then removes the installed service, and finishes by terminating itself.\r\nCommand to uninstall and terminate itself\r\nUninstall function\r\nOne command gathers host information: CPU, OS, display, network, etc.\r\nInformation gathering command\r\nSummary\r\nBLOODALCHEMY is a backdoor shellcode containing only original code (no statically linked libraries). This code appears to be crafted by experienced malware developers.\r\nThe backdoor contains modular capabilities based on its configuration. These capabilities include multiple persistence, C2, and execution mechanisms.\r\nWhile unconfirmed, the presence of so few effective commands indicates that the malware may be a subfeature of a larger intrusion set or malware package, still in development, or an extremely focused piece of malware for a specific tactical usage.\r\nBLOODALCHEMY and MITRE ATT\u0026CK\r\nElastic uses the MITRE ATT\u0026CK framework to document common tactics, techniques, and procedures that advanced persistent threats use against enterprise networks.\r\nTactics\r\nTactics represent the why of a technique or sub-technique. It is the adversary’s tactical goal: the reason for performing an action.\r\nCommand and Control\r\nDefense Evasion\r\nDiscovery\r\nExecution\r\nProcess Injection\r\nMalware prevention capabilities\r\nBLOODALCHEMY\r\nYARA\r\nElastic Security has created YARA rules to identify this activity. Below are YARA rules to identify the BLOODALCHEMY malware:\r\nBLOODALCHEMY\r\nrule Windows_Trojan_BloodAlchemy_1 {\r\n    meta:\r\n        author = \"Elastic Security\"\r\n        creation_date = \"2023-05-09\"\r\n        last_modified = \"2023-06-13\"\r\n        threat_name = \"Windows.Trojan.BloodAlchemy\"\r\n        license = \"Elastic License v2\"\r\n        os = \"windows\"\r\n    strings:\r\n        $a1 = { 55 8B EC 51 83 65 FC 00 53 56 57 BF 00 20 00 00 57 6A 40 FF 15 }\r\n        $a2 = { 55 8B EC 81 EC 80 00 00 00 53 56 57 33 FF 8D 45 80 6A 64 57 50 89 7D E4 89 7D EC 89 7D F0 89 7D }\r\n    condition:\r\n        all of them\r\n}\r\nrule Windows_Trojan_BloodAlchemy_2 {\r\n    meta:\r\n        author = \"Elastic Security\"\r\n        creation_date = \"2023-05-09\"\r\n        last_modified = \"2023-06-13\"\r\n        threat_name = \"Windows.Trojan.BloodAlchemy\"\r\n        license = \"Elastic License v2\"\r\n        os = \"windows\"\r\n    strings:\r\n        $a1 = { 55 8B EC 83 EC 54 53 8B 5D 08 56 57 33 FF 89 55 F4 89 4D F0 BE 00 00 00 02 89 7D F8 89 7D FC 85 DB }\r\n        $a2 = { 55 8B EC 83 EC 0C 56 57 33 C0 8D 7D F4 AB 8D 4D F4 AB AB E8 42 10 00 00 8B 7D F4 33 F6 85 FF 74 03 8B 77\r\n    condition:\r\n        any of them\r\n}\r\nrule Windows_Trojan_BloodAlchemy_3 {\r\n    meta:\r\n        author = \"Elastic Security\"\r\n        creation_date = \"2023-05-10\"\r\n        last_modified = \"2023-06-13\"\r\n        threat_name = \"Windows.Trojan.BloodAlchemy\"\r\n        license = \"Elastic License v2\"\r\n        os = \"windows\"\r\n    strings:\r\n        $a = { 55 8B EC 83 EC 38 53 56 57 8B 75 08 8D 7D F0 33 C0 33 DB AB 89 5D C8 89 5D D0 89 5D D4 AB 89 5D }\r\n    condition:\r\n        all of them\r\n}\r\nrule Windows_Trojan_BloodAlchemy_4 {\r\n    meta:\r\n        author = \"Elastic Security\"\r\n        creation_date = \"2023-05-10\"\r\n        last_modified = \"2023-06-13\"\r\n        threat_name = \"Windows.Trojan.BloodAlchemy\"\r\n        license = \"Elastic License v2\"\r\n        os = \"windows\"\r\n    strings:\r\n        $a = { 55 8B EC 83 EC 30 53 56 57 33 C0 8D 7D F0 AB 33 DB 68 02 80 00 00 6A 40 89 5D FC AB AB FF 15 28 }\r\n    condition:\r\n        all of them\r\n}\r\nObservations\r\nAll observables are also available for download in both ECS and STIX format in a combined zip bundle.\r\nThe following observables were discussed in this research.\r\nObservable | Type | Name | Reference\r\ne14ee3e2ce0010110c409f119d56f6151fdca64e20d902412db46406ed89009a | SHA-256 | BrLogAPI.dll | BLOODALCHEMY loader\r\n25268bc07b64d0d1df441eb6f4b40dc44a6af568be0657533088d3bfd2a05455 | SHA-256 | NA | BLOODALCHEMY payload\r\nSource: https://www.elastic.co/security-labs/disclosing-the-bloodalchemy-backdoor",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.elastic.co/security-labs/disclosing-the-bloodalchemy-backdoor"
	],
	"report_names": [
		"disclosing-the-bloodalchemy-backdoor"
	],
	"threat_actors": [
		{
			"id": "6957eadc-136d-4e6c-b158-4035175b2db4",
			"created_at": "2023-11-07T02:00:07.106754Z",
			"updated_at": "2026-04-10T02:00:03.410616Z",
			"deleted_at": null,
			"main_name": "REF5961",
			"aliases": [],
			"source_name": "MISPGALAXY:REF5961",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434363,
	"ts_updated_at": 1775826709,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/351314360561abe30a8ea0595110d26e391215f1.pdf",
		"text": "https://archive.orkl.eu/351314360561abe30a8ea0595110d26e391215f1.txt",
		"img": "https://archive.orkl.eu/351314360561abe30a8ea0595110d26e391215f1.jpg"
	}
}