ATLSECCON 2026 has ended
Friday April 10, 2026 9:15am - 10:00am ADT
This presentation provides an in-depth technical analysis of SleepyMutagen, a sophisticated shellcode-based Remote Access Tool (RAT) leveraged by MUTANT SPIDER in targeting healthcare organizations. SleepyMutagen demonstrates advanced evasion techniques including temporal cryptographic key derivation that renders payloads undecryptable outside two-day execution windows, runtime function encryption using dual XOR keys to evade memory scanning, and covert DNS-over-HTTPS command-and-control communications through Cloudflare using custom Base36 transcoding algorithms. SleepyMutagen implements pseudo-random sleep algorithms to defeat temporal C2 fingerprinting while providing comprehensive remote administration capabilities including token impersonation, in-memory payload execution, and file system operations. This presentation details SleepyMutagen's sophisticated infection chain, multi-stage PowerShell loaders, runtime protection mechanisms, and comprehensive command framework, providing security professionals with technical insights into cutting-edge malware development trends and practical detection methodologies for defenders.
Speakers

Lilly Chalupowski

Malware Reverse Engineer, CrowdStrike
I started my career after I hit rock bottom being a single mom who moved back to live with my parents. After dropping out of computer science, one professor told me I would not be able to work with computers. I lost my passion for computers at this point. Later, I worked with my case...
Argyle Suite 2
