SOCRadar® Cyber Intelligence Inc. | New Alchimist Framework Targets Windows, macOS, and Linux Systems


Oct 14, 2022

New Alchimist Framework Targets Windows, macOS, and Linux Systems

Researchers have discovered a new post-exploitation C2 framework named Alchimist. The framework targets Windows, Linux, and macOS systems, and is possibly already in use.

Alchimist can also be used by attackers with little technical knowledge. The framework illustrates how threat actors are trying to create substitutes for Cobalt Strike, Brute Ratel, and Sliver.

Capabilities of Alchimist 

The Alchimist framework comes with a backdoor, malware for macOS exploits, and a remote access trojan (RAT) called “Insekt”; it also includes reverse proxies and tools such as psexec, netcat, and fscan.

It is known to contain a macOS malware dropper that exploits CVE-2021-4034 for privilege escalation.

Cisco Talos’ blog describes Alchimist as a 64-bit Linux executable. Its web interface is in Chinese and has a hardcoded self-signed certificate.

Web interface of Alchimist (Source: Cisco Talos Intelligence)

Both Alchimist and its primary payload Insekt are written in Go. The blog also notes that the malware in the framework offers many features, such as generating configured payloads, starting remote sessions, running arbitrary commands and shellcode, and capturing screenshots.

Payload Generation

In the web UI, attackers can generate a payload with several parameters. The web UI takes the configuration values and then sends a POST request to the “/pay” URL of the C2 server.

(Source: Cisco Talos)

Patching the C2 server value (RHOST):

(Source: Cisco Talos)


Initiating the connection to the C2 server.

(Source: Cisco Talos)

The Alchimist framework implements interactive shells based on PowerShell, cmd.exe, and bash.

Alchimist executes predefined commands on victim systems. The command list, with the MITRE ATT&CK technique each command maps to, is shown below.

Command | Purpose | MITRE ATT&CK technique
net user /add | Creates a user | T1136
net localgroup administrators | Assigns privileges | T1136
net user /domain | Lists users in the domain | T1087
Domain controllers | Lists domain controllers | T1087
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server | Activates terminal services | T1562
netsh firewall set opmode = disabled | Disables the firewall | T1562
netsh advfirewall firewall add rule | Changes firewall rules to allow incoming traffic on specific TCP ports | T1562
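The predefined command list above is a ready-made detection opportunity. The following is an added example written for this write-up (not code from Alchimist or from Cisco Talos' analysis): one regex rule per command in the table, tagged with the ATT&CK technique the table assigns, run over constructed process-creation command lines from a hypothetical host "ws01".

```python
import re

# Added detection example for this write-up (not Alchimist or Talos code): one rule
# per command in the predefined-command table above, tagged with the ATT&CK technique
# the table assigns. Run it over process-creation command lines (event 4688 / Sysmon 1).
RULES = [
    (r"\bnet1?\s+user\b.*\s/add\b", "net user /add", "T1136"),
    (r"\bnet1?\s+localgroup\s+administrators\b.*\s/add\b", "net localgroup administrators /add", "T1136"),
    (r"\bnet1?\s+user\s+/domain\b", "net user /domain", "T1087"),
    (r"\bnet1?\s+group\b.*domain controllers", "net group domain controllers", "T1087"),
    (r"CurrentControlSet\\Control\\Terminal Server", "Terminal Server registry change", "T1562"),
    (r"\bnetsh\s+firewall\s+set\s+opmode\b.*disable", "netsh firewall set opmode disable", "T1562"),
    (r"\bnetsh\s+advfirewall\s+firewall\s+add\s+rule\b", "netsh advfirewall firewall add rule", "T1562"),
]
COMPILED = [(re.compile(p, re.I), name, tech) for p, name, tech in RULES]

# Constructed sample command lines (hypothetical host "ws01"): one per rule plus one benign line.
SAMPLE_LOG = [
    r"ws01 CommandLine=net user svc_backup P@ssw0rd! /add",
    r"ws01 CommandLine=net localgroup administrators svc_backup /add",
    r"ws01 CommandLine=net user /domain",
    r'ws01 CommandLine=net group "Domain Controllers" /domain',
    r'ws01 CommandLine=reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f',
    r"ws01 CommandLine=netsh firewall set opmode disable",
    r'ws01 CommandLine=netsh advfirewall firewall add rule name="svc" dir=in action=allow protocol=TCP localport=3389',
    r"ws01 CommandLine=ping -n 1 10.0.0.1",
]


def scan_command_lines(lines):
    """Return one hit per (line, matching rule) with the rule name and ATT&CK technique."""
    hits = []
    for line in lines:
        for pattern, name, technique in COMPILED:
            if pattern.search(line):
                hits.append({"rule": name, "technique": technique, "line": line})
    return hits


def technique_counts(hits):
    """Aggregate hits per technique, so a T1136 + T1087 + T1562 chain on one host stands out."""
    counts = {}
    for hit in hits:
        counts[hit["technique"]] = counts.get(hit["technique"], 0) + 1
    return counts
```

On the sample log every rule fires exactly once and the benign ping line is ignored, giving two T1136, two T1087 and three T1562 hits; in practice, feed it the command-line field of your endpoint telemetry and alert when more than one technique appears on the same host in a short window.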

New Cyberattack Frameworks Emerge 

A campaign using the Alchimist framework has been active since at least January.

According to Nick Biasini of Cisco Talos, the purpose of the attacks is to breach victim environments and gain persistent access, although Talos does not know the specific targeting intended for this operation.

Three months ago, Talos described another framework called Manjusaka, referred to as the “Chinese sister of Sliver and Cobalt Strike.” Now, Alchimist and its diverse family of malware implants have been found.

The C2 frameworks Alchimist and Manjusaka share similar design concepts but differ in implementation. According to Cisco Talos, both are pre-configured and ready to use, and both can patch and generate implants such as the Insekt RAT.

The new C2's ability to generate PowerShell and wget code snippets for Windows and Linux is one important feature. According to Biasini, threat actors can use these snippets to build an Insekt RAT infection vector without writing custom code or using extra tools.

Attackers can infect targets by adding the PowerShell/wget code to a delivery vector, such as a malicious document’s VBA macro or a malicious shortcut file. 

The developers of the C2 framework may be trying to attract threat actors by including more functionality in this offering.

Alchimist-generated delivery commands for Insekt payloads

Alchimist IOCs
Check all available indicators of compromise here.