{
	"id": "844d7b34-cc02-4c66-b8cd-ee4ffedb57d9",
	"created_at": "2026-04-06T00:16:48.912437Z",
	"updated_at": "2026-04-10T03:24:30.323326Z",
	"deleted_at": null,
	"sha1_hash": "0a13762faaa6a277724a6de220dc02f89bb8f985",
	"title": "Backdoor:W32/Hupigon | F-Secure",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 86616,
	"plain_text": "Backdoor:W32/Hupigon | F-Secure\r\nArchived: 2026-04-05 22:50:54 UTC\r\nClassification\r\nAliases:\r\nBackdoor:W32/Hupigon\r\nSummary\r\nA remote administration tool (RAT) that bypasses the security features of a program, computer or network to give\r\nunauthorized access or control to its user.\r\nRemoval\r\nBased on the settings of your F-Secure security product, it will either move the file to the quarantine where it\r\ncannot spread or cause harm, or remove it.\r\nA False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles\r\nknown harmful programs. A False Positive will usually be fixed in a subsequent database update without any\r\naction needed on your part. If you wish, you may also:\r\nCheck for the latest database updates\r\nFirst, check if your F-Secure security program is using the latest updates, then try scanning the file again.\r\nSubmit a sample\r\nAfter checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.\r\nNote: If the file was moved to quarantine, you need to collect the file from quarantine before you can\r\nsubmit it.\r\nExclude a file from further scanning\r\nIf you are certain that the file is safe and want to continue using it, you can exclude it from further scanning\r\nby the F-Secure security product.\r\nNote: You need administrative rights to change the settings.\r\nTechnical Details\r\nhttps://www.f-secure.com/v-descs/backdoor_w32_hupigon.shtml\r\nPage 1 of 6\n\nHupigon variants are backdoor programs, which provide an attacker with access to, and control of, an infected\r\nmachine. There are a large number of variants in the Hupigon family.\r\nThe backdoor's file is a PE executable. The file may be packed with UPX. Unpacked, the code size is 710kB. It is\r\nvery rare for a Hupigon variant to be smaller than 299kB.\r\nHupigons are written with Borland Delphi.\r\nThe following text strings can typically be found in a Hupigon variant:\r\n6600.org\r\nBEI_ZHU\r\nGrayPigeon\r\nHacker.com.cn.exe\r\nhuaihuaitudou\r\nRejoice2007\r\nwoainisisi\r\nInstallation\r\nWhen the backdoor's file is started, it copies itself as a file named something similar to \"Hacker.com.cn.exe\" in the\r\nWindows System folder and then uses the following processes to make itself to look like a valid Windows\r\nprogram:\r\ncalc.exe\r\ncmd.exe\r\nmmc.exe\r\nmspaint.exe\r\nmstsc.exe\r\nnotepad.exe\r\nosk.exe\r\nsndrec.exe\r\nsndvol32.exe\r\nsvchost.exe\r\nwinchat.exe\r\nIt also makes a number of additions to the registry.\r\nActivity\r\nHupigon variants have several different types of features. The following list is an example of some:\r\nIt allows others to access the computer\r\nAllows for recording with the user's webcam\r\nCan make the user's computer to attack various servers\r\nSend victim's computer messages\r\nhttps://www.f-secure.com/v-descs/backdoor_w32_hupigon.shtml\r\nPage 2 of 6\n\nHas rootkit functionality so it has a stealth component that hides files\r\nCreate logs from keystrokes, steals passwords, and sends this information to remote servers\r\nPropagation\r\nHupigon doesn't have any automatic mechanisms to spread itself. It must be sent by its author via email, through a\r\nwebsite, or even via Instant Messengers (IM) such as Yahoo, MSN, ICQ, and Skype.\r\nCreating Hupigon Variants\r\nHupigon variants are created using kit software. The kit is maintained in a very professional fashion with a highly\r\ndeveloped User Interface (UI).\r\nThe main UI of the kit can be seen below:\r\nMany options can be set. The \"Fast Configuration\" shown below enable the following options:\r\nService name is rejoice44.exe\r\nInstallation path is Msinfo\u0026hellip;\r\nPassword is 1234\r\nIcon is taken from MS Media Player\r\nUses Internet Explorer to bypass firewall\r\nCreate mutex and remove installer from installer folder\r\nPack code by using UPX\r\nSelf/auto-clone protected installation path is \"system32\"\r\nExecutable is calc.exe\r\nThere is also a \"rootkit\" option available. Other options including adding a URL to target for a Distributed Denial\r\nof Service (DDoS) attack:\r\nThe kit as default settings to create mutexes. Many Hupigon variants therefore create mutexes in the following\r\nformat:\r\nxxx.com.cn_MUTEX\r\nThe \"xxx\" being a variable, for example: Hacker.com.cn_MUTEX\r\nRegistry Modifications\r\nCreates these keys:\r\nHKLM\\System\\CurrentControlSet\\Services\\system32 ImagePath = C:\\WINDOWS\\Hacker.com.cn.exe\r\nhttps://www.f-secure.com/v-descs/backdoor_w32_hupigon.shtml\r\nPage 3 of 6\n\nHKLM\\System\\CurrentControlSet\\Services\\system32\r\nHKLM\\System\\CurrentControlSet\\Services\\system32\\Security\r\nProtect your devices from malware with F‑Secure Total\r\nProtecting your devices from malicious software is essential for maintaining online security. F‑Secure Total makes\r\nthis easy, helping you to secure your devices in a brilliantly simple way.\r\nAward-winning antivirus and malware protection\r\nOnline browsing, banking, and shopping protection\r\n24/7 online identity and data breach monitoring\r\nUnlimited VPN service to safeguard your privacy\r\nPassword manager with private data protection\r\nChoose how many devices you want to protect to get started.\r\nFree customer support\r\nCancel anytime\r\nThe trial does not obligate you to buy the product\r\nTry Total 30 days for freeAfter 30 days your subscription will renew automatically for one year at €69.99.\r\nhttps://www.f-secure.com/v-descs/backdoor_w32_hupigon.shtml\r\nPage 4 of 6\n\nFree customer support\r\nCancel anytime\r\nThe trial does not obligate you to buy the product\r\nTry Total 30 days for freeAfter 30 days your subscription will renew automatically for one year at €89.99.\r\nFree customer support\r\nCancel anytime\r\nThe trial does not obligate you to buy the product\r\nTry Total 30 days for freeAfter 30 days your subscription will renew automatically for one year at €99.99.\r\nMore Support\r\nhttps://www.f-secure.com/v-descs/backdoor_w32_hupigon.shtml\r\nPage 5 of 6\n\nContact Support\r\nChat with with or call an agent.\r\nSource: https://www.f-secure.com/v-descs/backdoor_w32_hupigon.shtml\r\nhttps://www.f-secure.com/v-descs/backdoor_w32_hupigon.shtml\r\nPage 6 of 6\n\nCancel anytime The trial does not obligate you to buy the product   \nTry Total 30 days for freeAfter 30 days your subscription will renew automatically for one year at €69.99.\n  Page 4 of 6",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.f-secure.com/v-descs/backdoor_w32_hupigon.shtml"
	],
	"report_names": [
		"backdoor_w32_hupigon.shtml"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434608,
	"ts_updated_at": 1775791470,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0a13762faaa6a277724a6de220dc02f89bb8f985.pdf",
		"text": "https://archive.orkl.eu/0a13762faaa6a277724a6de220dc02f89bb8f985.txt",
		"img": "https://archive.orkl.eu/0a13762faaa6a277724a6de220dc02f89bb8f985.jpg"
	}
}