Deuterbear RAT: China-Linked Hackers’ Cyber Espionage Tool

Wajahat Raja

May 30, 2024 - TuxCare expert team

Media reports claim that cybersecurity experts have recently unveiled new details about a remote access trojan (RAT) named Deuterbear, employed by the China-linked hacking group BlackTech. This sophisticated Deuterbear RAT malware is part of a broader cyber espionage operation targeting the Asia-Pacific region throughout the year.


Advancements Over Waterbear

Deuterbear exhibits notable advancements over its predecessor, Waterbear. According to Trend Micro researchers Pierre Lee and Cyris Tseng, Deuterbear RAT incorporates enhanced capabilities such as support for shellcode plugins, the omission of handshake requirements for RAT operations, and the use of HTTPS for command-and-control (C&C) communications. Unlike Waterbear, Deuterbear employs a shellcode format, includes anti-memory scanning features, and shares a traffic key with its downloader, showcasing significant improvements.

BlackTech’s Long History of Cyber Attacks

Active since at least 2007, BlackTech has been recognized by various names in the cybersecurity community, including Circuit Panda, Earth Hundun, HUAPI, Manga Taurus, Palmerworm, Red Djinn, and Temp.Overboard.

The group’s cyber attacks have historically involved deploying malware such as Waterbear, also known as DBGPRINT, for nearly 15 years. However, since October 2022, the group has also utilized an updated version of the malware called Deuterbear RAT.

Infection Mechanisms: Waterbear vs. Deuterbear

In this cyber attack, threat actors employed a two-stage infection tactic to compromise the target system. Waterbear typically infiltrates systems by means of a patched legitimate executable, which uses DLL side-loading to launch a loader.

This loader then decrypts and executes a downloader, which contacts a C&C server to retrieve the RAT module. Interestingly, the RAT module is fetched twice from attacker-controlled infrastructure. 

The first retrieval loads a Waterbear plugin that furthers the compromise by launching a different version of the Waterbear downloader to retrieve the RAT module from another C&C server. Essentially, the first Waterbear RAT acts as a plugin downloader, while the second serves as a backdoor, extracting sensitive information from the compromised host through 60 commands.

Deuterbear follows a similar infection pathway, but with some tweaks. The first stage employs a loader to launch a downloader that connects to the C&C server to fetch the Deuterbear RAT. This intermediary then establishes persistence through a second-stage loader via DLL side-loading. The loader ultimately executes a downloader that again downloads the Deuterbear RAT from a C&C server, aiming at information theft.

According to the researchers, only the second stage of Deuterbear is typically found on infected systems, as all first-stage components are removed post-persistence installation to protect the attackers’ tracks and complicate analysis by cybersecurity researchers.


Evolution and Continued Development of Deuterbear RAT

Deuterbear represents a more streamlined version of the Waterbear malware, retaining only a subset of commands and adopting a plugin-based approach to add more functionality. Trend Micro notes that both Waterbear and Deuterbear continue to evolve independently, rather than one simply replacing the other.

Targeted Campaigns and New Threats

In parallel, another significant development in the cyber threat landscape is the emergence of the SugarGh0st RAT. Proofpoint has detailed an “extremely targeted” cyber campaign aimed at U.S. organizations involved in artificial intelligence (AI) efforts, including academia, private industry, and government entities. 

This campaign, tracked under the name UNK_SweetSpecter, uses the SugarGh0st RAT, a customized variant of the older Gh0st RAT, commonly used by Chinese-speaking threat actors.

SugarGh0st RAT first came to light late last year when Cisco Talos reported its use in attacks targeting the Uzbekistan Ministry of Foreign Affairs and South Korean users. These intrusions were attributed to suspected Chinese-speaking threat actors. The attack chains involve AI-themed phishing messages containing a ZIP archive that packs a Windows shortcut file, which then deploys a JavaScript dropper to launch the SugarGh0st payload.


Recent Campaigns and Potential Motives

The May 2024 campaign specifically targeted fewer than 10 individuals, all connected to a leading U.S.-based AI organization. The exact motive behind these attacks remains unclear, but it’s speculated that the attackers aim to steal non-public information about generative AI (GenAI). This targeting coincides with reports that the U.S. government is seeking to restrict China’s access to GenAI tools from companies like OpenAI, Google DeepMind, and Anthropic, suggesting a motive rooted in technological competition.

Earlier this year, the U.S. Department of Justice indicted a former Google software engineer for stealing proprietary information and attempting to use it at two AI-affiliated tech companies in China. This Advanced Persistent Threat (APT) underscores the possibility that Chinese-aligned cyber actors may target individuals with access to AI technologies to advance China’s development goals.



The continuous evolution of malware like Deuterbear and the emergence of threats like Deuterbear RAT highlight the ever-present and growing threat of cyber espionage. As attackers develop more sophisticated tools and techniques, it becomes increasingly important for organizations to enhance their cybersecurity measures to protect sensitive information and maintain business continuity.

The sources for this piece include articles in The Hacker News and The Record.

