Threat Group Cards: A Threat Actor Encyclopedia
Archived: 2026-04-05 18:22:16 UTC
Source: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=54742926-6bb1-4c80-aee5-86077acc36a9

Tool: Hotwax

Names: Hotwax, HOTWAX
Category: Malware
Type: Loader
Description: HOTWAX is a module that upon starting imports all necessary system API functions, and searches for a .CHM file. HOTWAX decrypts a payload using the Spritz algorithm with a hard-coded key and then searches the target process and attempts to inject the decrypted payload module from the CHM file into the address space of the target process.
Information: Malpedia
Last change to this tool card: 29 December 2022

All groups using tool Hotwax

APT groups
Name: Lazarus Group, Hidden Cobra, Labyrinth Chollima
Observed: 2007-May 2025

1 group listed (1 APT, 0 other, 0 unknown)