May 26, 2025
Severity
High
Analysis Summary
Researchers have discovered a new malware strain named DOUBLELOADER, which uses an advanced obfuscation tool called ALCATRAZ to avoid being detected by security tools. Originally built for game hacking, ALCATRAZ has now been adopted by cybercriminals and threat actors to protect their malware from analysis. DOUBLELOADER has been seen working alongside RHADAMANTHYS, a known infostealer, making it part of a more dangerous attack chain.
This malware first appeared in December and functions as a backdoor that allows attackers to control an infected system. Once inside, it gathers system information, tries to download updated versions of itself, and communicates with a hardcoded IP address (185.147.125.81), likely controlled by the attacker.
What makes DOUBLELOADER more stealthy is its use of ALCATRAZ, an open-source obfuscator released in 2023. ALCATRAZ allows malware authors to transform compiled binaries without needing access to the original source code. This makes it easier to hide the malware’s logic and much harder for analysts to reverse engineer or understand how it works.
Researchers uncovered multiple obfuscation layers within DOUBLELOADER. These included tricks like entrypoint obfuscation (hiding where the malware starts), anti-disassembly (confusing disassembly tools with fake jump instructions), instruction mutation (replacing simple commands with complex ones), constant unfolding (masking known values with bit tricks), LEA obfuscation (hiding operations using memory loads), and control flow flattening (breaking logical flow into confusing loops). These tactics all work together to slow down security analysis and delay detection.
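To make the "constant unfolding" layer concrete, here is an added illustration (not code from the advisory, and not ALCATRAZ's actual output): a constructed straight-line sequence in a toy register IR masks a single 32-bit value behind XOR, ADD and rotate steps, and a small constant-propagation pass folds it back to one immediate. The instruction sequence, the register names and the hypothetical helper `fold_constants` are all assumptions made for the example; the point is that unfolding delays analysis rather than preventing it, because any operation whose operands are all known can be evaluated ahead of time.

```python
"""Toy constant-propagation pass over a constructed register IR.

Each instruction is (op, dst, src): dst is a register name, src is either
an int immediate or a register name. This models the shape of a constant
unfolded by an obfuscator, not any real obfuscator's output.
"""

MASK32 = 0xFFFFFFFF


def rol32(v, n):
    """Rotate a 32-bit value left by n bits."""
    n %= 32
    return ((v << n) | (v >> (32 - n))) & MASK32


def ror32(v, n):
    """Rotate a 32-bit value right by n bits."""
    return rol32(v, 32 - (n % 32))


# Two-operand ALU ops the toy IR understands, all truncated to 32 bits.
ALU = {
    "add": lambda a, b: (a + b) & MASK32,
    "sub": lambda a, b: (a - b) & MASK32,
    "xor": lambda a, b: a ^ b,
    "and": lambda a, b: a & b,
    "or":  lambda a, b: a | b,
    "shl": lambda a, b: (a << (b % 32)) & MASK32,
    "shr": lambda a, b: a >> (b % 32),
    "rol": rol32,
    "ror": ror32,
}

# Constructed example: the real value loaded into eax is hidden behind
# several arithmetic steps; edx depends on an unknown input (esi).
UNFOLDED = [
    ("mov", "eax", 0x5A5A5A5A),
    ("xor", "eax", 0x1B2C3D4E),
    ("mov", "ecx", 0x11111111),
    ("add", "eax", "ecx"),
    ("rol", "eax", 5),
    ("mov", "edx", "esi"),   # esi is not known, so this cannot fold
    ("add", "edx", "eax"),
]


def fold_constants(insns):
    """Return (simplified instruction list, final known register values).

    Any instruction whose operands are all known constants is replaced by a
    single 'mov dst, value'. A constant mov that is overwritten before being
    read is dropped so the chain collapses to one immediate.
    """
    known = {}            # register -> constant value, if known
    out = []
    pending = {}          # register -> index in `out` of its unread const mov
    for op, dst, src in insns:
        src_val = src if isinstance(src, int) else known.get(src)
        if op == "mov":
            result = src_val
        elif dst in known and src_val is not None:
            result = ALU[op](known[dst], src_val)
        else:
            result = None
        if result is None:
            # Instruction stays; whatever it reads must keep its definition.
            if isinstance(src, str):
                pending.pop(src, None)
            if op != "mov":
                pending.pop(dst, None)
            known.pop(dst, None)
            out.append((op, dst, src))
            continue
        if dst in pending:              # earlier constant def never read: dead
            out[pending[dst]] = None
        known[dst] = result
        out.append(("mov", dst, result))
        pending[dst] = len(out) - 1
    return [i for i in out if i is not None], known


if __name__ == "__main__":
    simplified, regs = fold_constants(UNFOLDED)
    for insn in simplified:
        print(insn)
    print("eax resolves to 0x%08X" % regs["eax"])
```

The folded listing keeps only the instructions that depend on the unknown input, so the chain of bit tricks on `eax` becomes a single recoverable immediate (0x50EF04AA for the constructed sequence).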
The use of ALCATRAZ by DOUBLELOADER shows a clear trend: threat actors are increasingly using game hacking tools for real-world malware, taking advantage of their powerful code-hiding techniques to stay undetected longer.
Impact
- Unauthorized Access
- Code Execution
Indicators of Compromise
IP
185.147.125.81
MD5
f4432a95cf2a5214d85f35b99e5b2f97
SHA-256
3050c464360ba7004d60f3ea7ebdf85d9a778d931fbf1041fa5867b930e1f7fd
SHA-1
1cfda4e07b7970fb0d02dd0177670818df2267bd
Remediation
- Immediately block all active Indicators of Compromise (IOCs) associated with DOUBLELOADER and RHADAMANTHYS.
- Ensure all systems have updated antivirus/EDR solutions with the latest threat signatures.
- Keep all software, operating systems, and security tools fully updated with the latest patches.
- Use behavior-based threat detection tools to catch malware that uses obfuscation or system-level injection techniques.
- Implement strong application control policies using allowlisting to prevent execution of unknown or unapproved binaries.
- Regularly audit endpoints and servers for suspicious processes, hidden binaries, or unusual network connections.
- Analyze suspicious files in sandbox environments before allowing them into production systems.
- Restrict PowerShell, WMI, and scripting tools to authorized users only, and monitor their activity closely.
- Enforce multi-factor authentication (MFA) across all remote access and privileged accounts.
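As an added example of the first and sixth remediation items (blocking the published IoCs and auditing endpoints for matching binaries or connections to the C2 address), the script below is not part of the advisory: it hashes every file under a directory with MD5, SHA-1 and SHA-256, compares the digests against the indicators listed above, and scans log lines for the hardcoded IP. The firewall log lines are constructed sample data, and the helper names `hash_file`, `sweep_directory` and `scan_log_lines` are this example's own.

```python
"""Sweep files and logs for the DOUBLELOADER indicators listed in the advisory."""
import hashlib
import re
import sys
from pathlib import Path

# Indicators copied verbatim from the advisory's IoC section.
IOC_HASHES = {
    "md5": "f4432a95cf2a5214d85f35b99e5b2f97",
    "sha1": "1cfda4e07b7970fb0d02dd0177670818df2267bd",
    "sha256": "3050c464360ba7004d60f3ea7ebdf85d9a778d931fbf1041fa5867b930e1f7fd",
}
IOC_IPS = {"185.147.125.81"}


def hash_file(path):
    """Return md5/sha1/sha256 hex digests of one file, read in 64 KiB chunks."""
    digests = {name: hashlib.new(name) for name in IOC_HASHES}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def match_hashes(digests):
    """Return the set of algorithms whose digest equals an advisory IoC."""
    return {alg for alg, hexd in digests.items() if IOC_HASHES.get(alg) == hexd}


def sweep_directory(root):
    """Return [(path, [matching algorithms])] for every file hitting an IoC hash."""
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_file():
            matched = match_hashes(hash_file(p))
            if matched:
                hits.append((str(p), sorted(matched)))
    return hits


IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def scan_log_lines(lines):
    """Return (line_number, ip) for each line mentioning a C2 address."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IP_RE.findall(line):
            if ip in IOC_IPS:
                hits.append((n, ip))
    return hits


# Constructed sample firewall log lines (not taken from the advisory).
SAMPLE_LOG = [
    "2025-05-26T10:01:02Z ALLOW TCP 10.0.0.15:51234 -> 93.184.216.34:443",
    "2025-05-26T10:01:09Z ALLOW TCP 10.0.0.15:51240 -> 185.147.125.81:443",
    "2025-05-26T10:02:11Z DENY  UDP 10.0.0.22:5353  -> 224.0.0.251:5353",
]


if __name__ == "__main__":
    for n, ip in scan_log_lines(SAMPLE_LOG):
        print(f"C2 contact on sample log line {n}: {ip}")
    # Optional: pass a directory to sweep real files, e.g. a download folder.
    if len(sys.argv) > 1:
        for path, algs in sweep_directory(sys.argv[1]):
            print(f"IoC hash match ({', '.join(algs)}): {path}")
```

Run it with a directory argument to hash files on disk; without one it only demonstrates the log scan on the constructed lines. A hash match is high-confidence but brittle (any recompiled or repacked sample changes all three digests), which is why the advisory pairs IoC blocking with behaviour-based detection.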