
Elastic Security Labs has identified a new malware family dubbed “DOUBLELOADER” that is protected with ALCATRAZ, an open-source obfuscator with roots in the game-hacking scene, and that has been observed deployed alongside the RHADAMANTHYS infostealer.
While ALCATRAZ originated in the game hacking scene, it has now been co-opted by cybercriminals and advanced persistent threat (APT) actors, allowing malware authors to apply layered obfuscation techniques that significantly delay detection and analysis.
“One interesting attribute of DOUBLELOADER is that it is protected with an open-source obfuscator, ALCATRAZ… observed in the e-crime space and used in targeted intrusions,” Elastic Security Labs reported.
The malware first emerged in December and is characterized as a generic backdoor that is often paired with RHADAMANTHYS, a known infostealer. To inject code into explorer.exe, DOUBLELOADER issues direct system calls such as NtOpenProcess, NtWriteVirtualMemory, and NtCreateThreadEx rather than calling through the Win32 or ntdll wrappers, which sidesteps the user-mode hooks that many endpoint security products place on those exports. The injected code is “unbacked”: it executes from a private memory region that maps to no file on disk, so there is no image for on-disk scanners to inspect. Both traits are worth alerting on in their own right: a thread whose start address lies in executable memory not backed by an image, or a system call whose return address falls outside ntdll, is a strong signal regardless of the payload.
“The malware collects host information, requests an updated version of itself, and starts beaconing to a hardcoded IP (185.147.125.81),” Elastic’s researchers noted.
ALCATRAZ, first released in 2023, offers a bin2bin (binary-to-binary) transformation flow: it rewrites an already-compiled executable in place, so an operator needs neither the source code nor a rebuild to obfuscate it. That convenience has made it popular among hobbyists and threat actors alike.
Elastic Labs identified multiple obfuscation techniques embedded in DOUBLELOADER, including:
- Entrypoint Obfuscation: Hides the actual program start behind computed jumps and bitwise tricks, so following the declared entry point leads only to a stub.
- Anti-Disassembly: Inserts short jump instructions (opcode 0xEB) that hop over junk bytes; a disassembler that decodes bytes sequentially treats the junk as the start of an instruction and desynchronizes, breaking the listing in tools like IDA.
- Instruction Mutation: Replaces simple operations (e.g., add) with longer chains of instructions that compute the same result.
- Constant Unfolding: Replaces a literal constant with a chain of bitwise operations that evaluates to it, so a value like 46 is not recognizable until the chain is evaluated.
- LEA Obfuscation: Uses lea, which computes an address expression without touching memory, to perform arithmetic disguised as address calculation, hiding the values actually being loaded.
- Control Flow Flattening: Replaces the natural branching structure with a dispatcher loop that picks the next basic block from a state variable, so the original order of blocks is no longer visible in the graph.
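Two of the listed tricks, anti-disassembly via 0xEB short jumps and constant unfolding, are small enough to reproduce in toy form. The Python below is an added example, not code from Elastic's report or tooling; the byte sequence and the expressions are constructed for illustration and are not taken from DOUBLELOADER. It contrasts a linear-sweep decode with a recursive-descent decode of the same bytes (the linear pass never sees the real `mov eax, 46` or the `ret`), and folds an unfolded constant back to its value with a bottom-up AST pass that returns None when a register name survives.

```python
"""Toy reproductions of two ALCATRAZ-style tricks (added example).

The byte sample and expressions are constructed for illustration; they are
not taken from DOUBLELOADER or from Elastic's tooling.
"""
import ast
import operator
from typing import Optional

MASK32 = 0xFFFFFFFF  # wrap arithmetic to 32-bit register width, as compiled code does

# --- Part 1: 0xEB anti-disassembly -------------------------------------------
# Opcode -> (mnemonic, length). Only the encodings the sample needs; a teaching
# toy, not an x86 decoder.
OPCODES = {
    0xEB: ("jmp short", 2),     # EB rel8
    0xE8: ("call", 5),          # E8 rel32
    0xB8: ("mov eax", 5),       # B8 imm32
    0x90: ("nop", 1),
    0xC3: ("ret", 1),
    0x00: ("add r/m8, r8", 2),  # 00 /r, one ModRM byte follows
}

def decode(code: bytes, off: int):
    """Decode one instruction at `off` -> (mnemonic, length, operand)."""
    op = code[off]
    mnem, length = OPCODES.get(op, ("db", 1))
    operand = None
    if op == 0xEB:   # branch target = end of this instruction + signed rel8
        operand = off + 2 + int.from_bytes(code[off + 1:off + 2], "little", signed=True)
    elif op == 0xE8:
        operand = off + 5 + int.from_bytes(code[off + 1:off + 5], "little", signed=True)
    elif op == 0xB8:
        operand = int.from_bytes(code[off + 1:off + 5], "little")
    return mnem, length, operand

def linear_sweep(code: bytes):
    """What a linear-sweep disassembler sees: decode back to back, ignore control flow."""
    out, off = [], 0
    while off < len(code):
        mnem, length, operand = decode(code, off)
        out.append((off, mnem, operand))
        off += length
    return out

def recursive_descent(code: bytes, entry: int = 0):
    """Follow control flow from `entry`: take the jmp, queue call targets, stop
    at ret. Bytes that are never reached are never decoded."""
    out, seen, work = [], set(), [entry]
    while work:
        off = work.pop()
        while 0 <= off < len(code) and off not in seen:
            seen.add(off)
            mnem, length, operand = decode(code, off)
            out.append((off, mnem, operand))
            if mnem == "jmp short":
                off = operand        # unconditional: only the target is live
            elif mnem == "ret":
                break
            else:
                if mnem == "call":
                    work.append(operand)
                off += length
    return sorted(out)

# Constructed sample: `jmp short +1` hops over a single junk byte (E8). Read
# linearly, that E8 becomes a bogus 5-byte call that swallows the real
# `mov eax, 46` and leaves the decoder desynchronised on the trailing bytes.
SAMPLE = bytes.fromhex("EB01 E8 B82E000000 C3")

# --- Part 2: constant unfolding ---------------------------------------------
_BINOPS = {
    ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
    ast.BitXor: operator.xor, ast.BitAnd: operator.and_, ast.BitOr: operator.or_,
    ast.LShift: operator.lshift, ast.RShift: operator.rshift,
}

class _Folder(ast.NodeTransformer):
    """Bottom-up constant folding: a node whose operands are all literals collapses."""
    def visit_BinOp(self, node):
        self.generic_visit(node)  # fold children first
        fn = _BINOPS.get(type(node.op))
        if fn and isinstance(node.left, ast.Constant) and isinstance(node.right, ast.Constant):
            return ast.Constant(fn(node.left.value, node.right.value) & MASK32)
        return node

    def visit_UnaryOp(self, node):
        self.generic_visit(node)
        if isinstance(node.op, ast.Invert) and isinstance(node.operand, ast.Constant):
            return ast.Constant(~node.operand.value & MASK32)
        return node

def fold_constant(expr: str) -> Optional[int]:
    """Return the folded 32-bit value, or None if a register/symbol survives."""
    body = _Folder().visit(ast.parse(expr, mode="eval")).body
    return body.value if isinstance(body, ast.Constant) else None

if __name__ == "__main__":
    print("linear sweep:     ", linear_sweep(SAMPLE))
    print("recursive descent:", recursive_descent(SAMPLE))
    print(fold_constant("((0x1337 ^ 0x1319) & 0xFF) | (0x40 >> 7)"))  # 46
    print(fold_constant("(eax ^ 0x1319) & 0xFF"))                      # None
```

A pure constant folder only handles the literal-only case; once the chain mixes in register values, the simplification has to happen on the decompiler's intermediate representation, which is the level plugins such as D810 (named later in the article) work at.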
“Obfuscation techniques such as control flow flattening continue to serve as roadblocks for analysts,” the report warns.
Beyond the analysis itself, Elastic Security Labs released tooling and example IDAPython scripts to help reverse engineers and malware analysts deobfuscate binaries protected by ALCATRAZ.
They also used community tools such as the D810 plugin for IDA, which simplifies code at the Hex-Rays microcode level, to recover the obfuscated control flow, showing how flattened structures could be unflattened and cleaned up.
“While malware analysis reports often show the final outcomes, a good portion of time is often spent up-front working towards removing obfuscation,” the team explained.