Blood Root -v1.1.3.3- -stdoppel-

stDoppel is a contraction of Stateful Doppelgänger. Whereas classic process doppelgänging replaces the image of a legitimate process (e.g., svchost.exe) with malicious code while keeping the PID and environment handles, Blood Root’s stDoppel works in reverse: it duplicates the memory state of a suspicious process and runs a copy inside a lightweight hypervisor trace, observing how detection tools react.

If you are writing detection rules, this version introduces stealth improvements you should be aware of:

To detect Blood Root v1.1.3.3 stDoppel phantoms, scan for: Blood Root -v1.1.3.3- -stDoppel-
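The marker above is the only indicator the page gives, so a scanner has to find it reliably in memory dumps. The following is an added example (not Blood Root's code, and not from the original page) that searches a byte buffer or a chunked stream for that marker in both ASCII and UTF-16LE, case-insensitively, since the page itself writes the name as both "stdoppel" and "stDoppel" and Windows strings are frequently wide. The sample dump is constructed here for illustration.

```python
import io
from dataclasses import dataclass
from typing import BinaryIO, Dict, List

# Marker string exactly as the page gives it.
MARKER = "Blood Root -v1.1.3.3- -stDoppel-"


@dataclass(frozen=True)
class Hit:
    offset: int     # byte offset of the first byte of the match
    encoding: str   # "ascii" or "utf-16le"


def scan_buffer(buf: bytes, marker: str = MARKER) -> List[Hit]:
    """Return every occurrence of `marker` in `buf`, in ASCII and UTF-16LE.

    bytes.lower() folds only ASCII letters, so the 0x00 bytes of a
    UTF-16LE rendering are left intact and the wide needle still matches.
    """
    hits: List[Hit] = []
    folded = buf.lower()
    for encoding in ("ascii", "utf-16le"):
        needle = marker.lower().encode(encoding)
        start = 0
        while True:
            idx = folded.find(needle, start)
            if idx < 0:
                break
            hits.append(Hit(idx, encoding))
            start = idx + 1
    return sorted(hits, key=lambda h: h.offset)


def scan_stream(fp: BinaryIO, marker: str = MARKER, chunk_size: int = 1 << 20) -> List[Hit]:
    """Scan a large file or dump in chunks without missing matches that
    straddle a chunk boundary: the last (longest needle - 1) bytes of each
    window are carried into the next one, and duplicate offsets are dropped."""
    overlap = len(marker.encode("utf-16le")) - 1
    found: Dict[int, str] = {}
    consumed = 0          # bytes read from fp so far
    tail = b""
    while True:
        chunk = fp.read(chunk_size)
        if not chunk:
            break
        window = tail + chunk
        window_base = consumed - len(tail)
        for h in scan_buffer(window, marker):
            found.setdefault(window_base + h.offset, h.encoding)
        tail = window[-overlap:] if len(window) >= overlap else window
        consumed += len(chunk)
    return [Hit(off, enc) for off, enc in sorted(found.items())]


def scan_bytes_chunked(data: bytes, chunk_size: int) -> List[Hit]:
    """Convenience wrapper: run the chunked scanner over an in-memory buffer."""
    return scan_stream(io.BytesIO(data), chunk_size=chunk_size)


# Constructed sample dump (not real data): 16 NULs, a 16-byte fake header,
# the marker in ASCII with the page's lower-case spelling (offset 32), 8 NULs,
# then the marker in UTF-16LE (offset 72), then padding.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"MZ\x90\x00" + b"\x00" * 12
    + b"Blood Root -v1.1.3.3- -stdoppel-"
    + b"\x00" * 8
    + MARKER.encode("utf-16le")
    + b"\x00" * 8
)


if __name__ == "__main__":
    for hit in scan_buffer(SAMPLE_DUMP):
        print(f"marker at offset {hit.offset:#06x} ({hit.encoding})")
```

Run it against a dump with `scan_stream(open(path, "rb"))`; the small chunk size in the test below is only there to exercise the boundary handling.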


// bloodroot/stdoppel.h — version 1.1.3.3
STDOPPEL_HANDLE br_stdoppel_create(
    IN ULONG TargetPid,
    IN BOOLEAN MirrorPebOnly,
    IN OPTIONAL PVOID ShellcodeEntry
);

NTSTATUS br_stdoppel_execute_phantom(
    IN STDOPPEL_HANDLE Handle,
    IN UCHAR TriggerMethod   // 0 = APC, 1 = SetThreadContext, 2 = callback
);

Disclosed by security researchers in 2017, Process Doppelgänging is a fileless code injection technique that abuses the Windows Transactional NTFS (TxF) feature. It lets malware run a malicious executable in the context of a legitimate process without the payload ever being committed to disk.

The attack steps:

Result: The payload runs, but no malicious file exists on disk — fooling many antivirus engines.