
Alchimist Command-and-Control Framework

Updated on 2022-10-15

Researchers at Cisco Talos Intelligence have detected a new command-and-control framework, Alchimist [sic], which is designed to target machines running Windows, Linux, and macOS. Talos researchers also discovered an associated remote-access trojan (RAT) called Insekt. “Cisco Talos assesses with moderate-high confidence that this framework is being used in the wild.”


  • Kudos to Talos as this is the second C2 they identify in the wild. We have added them to the C2 Matrix, which is now tracking 110 C2s.
  • The Alchimist C2 server passes instructions to the Insekt implant, which executes them on Windows and Linux systems. On macOS, a separately dropped Mach-O file contains an exploit for CVE-2021-4034 (Polkit’s pkexec utility); Talos noted that a vulnerable version of pkexec must already be present on the target for the exploit to work. Alchimist is intended as an all-in-one attack framework: it is built to evade detection, is well engineered, rich in features, and well suited to dropping implants on targets. Frameworks like this also make attribution harder, because their traffic blends in with that of other malicious tooling.


Updated on 2022-10-14

Cisco Talos researchers published a report this week on Alchimist and Insekt, a new C&C framework and RAT, respectively, both of which have been spotted being deployed in attacks in the wild. Talos researchers said that both tools are written in the Go programming language, that Alchimist has a Chinese-language web interface, and that Insekt is cross-platform, able to infect Windows, Linux, and Mac machines alike.

Updated on 2022-10-13

Cisco Talos has discovered a new single-file command and control (C2) framework whose authors call it “Alchimist [sic].” Talos researchers found this C2 on a server that had directory listing enabled on its root, alongside a set of post-exploitation tools. Talos assesses with moderate-high confidence that this framework is being used in the wild. “Alchimist” is a 64-bit Linux executable written in Go and packed with embedded assets, including resources for the web interface and Insekt RAT payloads compiled for Windows and Linux. Insekt RAT, a new trojan Cisco Talos discovered, is Alchimist’s beacon implant; it is also written in Go and offers a variety of remote access capabilities that are driven by the Alchimist C2 server. The Alchimist C2 web interface is written in Simplified Chinese and can generate a configured payload, establish remote sessions, deploy payloads to remote machines, capture screenshots, perform remote shellcode execution and run arbitrary commands.

ClamAV signatures:

  • Osx.Exploit.CVE_2021_4034-9951522-2
  • Unix.Exploit.CVE_2021_4034-9951523-0
  • Unix.Exploit.CVE_2021_4034-9951524-0
  • Unix.Exploit.CVE_2021_4034-9951525-0
  • Unix.Exploit.CVE_2021_4034-9951526-0
  • Unix.Malware.Insekt-9955436-0
  • Win.Malware.Insekt-9955440-0
  • Unix.Malware.Alchimist-9955784-0
  • Multios.Malware.Insekt-9961177-0


A new attack and C2 framework, dubbed Alchimist, was found capable of targeting Linux, macOS, and Windows systems. It can run arbitrary commands and perform remote shellcode execution. Read more: Alchimist: A new attack framework in Chinese for Mac, Linux and Windows

Alex Lim is a certified IT Technical Support Architect with over 15 years of experience in designing, implementing, and troubleshooting complex IT systems and networks. He has worked for leading IT companies, such as Microsoft, IBM, and Cisco, providing technical support and solutions to clients across various industries and sectors. Alex has a bachelor’s degree in computer science from the National University of Singapore and a master’s degree in information security from the Massachusetts Institute of Technology. He is also the author of several best-selling books on IT technical support, such as The IT Technical Support Handbook and Troubleshooting IT Systems and Networks. Alex lives in Bandar, Johore, Malaysia with his wife and two children. You can reach him at [email protected] or follow him on Website | Twitter | Facebook
