{
	"id": "cda909b2-85ba-44fa-91c1-50224234dff1",
	"created_at": "2026-04-06T00:09:25.407754Z",
	"updated_at": "2026-04-10T03:20:52.925195Z",
	"deleted_at": null,
	"sha1_hash": "24ac8994b35ba2d55aff81e88988e668bcad03d7",
	"title": "Threat Brief: Hancitor Actors",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 759561,
	"plain_text": "Threat Brief: Hancitor Actors\r\nBy Unit 42\r\nPublished: 2018-02-07 · Archived: 2026-04-02 11:18:04 UTC\r\nIf you need to understand one thing about cybercrime, it’s that it is all about business.\r\nIn our latest Unit 42 research on cybercriminals using the Hancitor malware, we show that not only are their attacks about business, we can also see these cybercriminals deftly applying some fundamental business principles around timing, specialization, and globalization.\r\nHancitor is malware that focuses on getting other malware onto the victim’s system. In the case of Hancitor, the payload is typically a banking Trojan that steals the victim’s banking information.\r\nIn our latest research, we can see that the attackers behind Hancitor have been timing their attacks to happen during the busiest time of the global working week, the middle of the week. And we’ve seen that, in adapting their attacks to better evade detection, they’ve specialized their operations around the globe.\r\nHancitor isn’t particularly advanced in its tactics: its ideal target is an old or outdated version of Microsoft Windows like Windows 7 or even Windows XP. But it’s effective enough that, when used in several hundred different spam campaigns every month, it pays for the criminals to keep up these attacks against targets around the world.\r\nTiming\r\nIn our most recent research, one of the things that jumped out at our researchers is the clear pattern in the timing of the attacks. 
As you can see in Figure 1 below, throughout 2017 the Hancitor attacks show clear spikes in their occurrence, and these spikes happen during the middle of the week.\r\nFigure 1: Timeline of Hancitor campaign activity since January 2017.\r\nThe attackers behind Hancitor aren’t the first to time their spam attacks like this, but it is an effective tactic to try to increase their chances of success, especially when combined with the other innovation that we’ve seen.\r\nAdapting the Attacks\r\nhttps://unit42.paloaltonetworks.com/threat-brief-hancitor-actors/\r\nPage 1 of 4\n\nIn the past, Hancitor was sent as a malicious attachment in a spam email, which would then download and install the attackers’ final malware, such as a banking Trojan. In that model, the Hancitor attachment would download and install the final malware from a malicious or compromised site.\r\nBut as organizations have gotten more effective at blocking malicious attachments like Hancitor, we’ve seen the attackers behind Hancitor adapt to evade detection and prevention.\r\nThey’ve done this by moving the Hancitor malware from being a malicious attachment in spam to itself being a malicious download. The spam the attackers use no longer has a malicious attachment but instead a malicious link that downloads the malicious Hancitor document.\r\nTo do this, they make the spam look like something that requires you to click and download something, like an invoice, a message, or a delivery notification. 
Figure 2 shows one of these that was made to look like an Amazon shipping notice.\r\nFigure 2: Hancitor malspam example from February 2017.\r\nThis means that a Hancitor attack now has two downloads rather than one, and what these attackers did around the malicious downloads shows another modern business tactic: globalization.\r\nGlobalizing the Attacks\r\nFigure 3 below is a map showing where our Unit 42 researchers have found websites involved in Hancitor attacks.\r\nFigure 3: Hancitor distribution servers globally thus far in 2017\r\nCountry  Number of distribution servers\r\nUnited States  197\r\nJapan  23\r\nVietnam  13\r\nSingapore  12\r\nRussia  7\r\nBrazil  6\r\nMalaysia  6\r\nHong Kong  5\r\nSouth Africa  4\r\nThailand  4\r\nIndia  2\r\nIreland  2\r\nKazakhstan  2\r\nTaiwan  2\r\nTurkey  2\r\nUkraine  2\r\nArgentina  1\r\nCanada  1\r\nGermany  1\r\nIsrael  1\r\nItaly  1\r\nNetherlands  1\r\nRepublic of Korea  1\r\nRepublic of Lithuania  1\r\nUnited Kingdom  1\r\nTable 1 – Number of Distribution Servers by Country\r\nThe hot spots in the United States represent distribution servers created using fraudulent accounts at various hosting providers, which host the Hancitor documents, while the hot spots in Asia represent legitimate websites of small and medium businesses that have been compromised by the actors behind the Hancitor campaigns to host the malicious Hancitor documents.\r\nConclusion\r\nAttackers are always making business decisions to optimize their attacks in ways that are most successful and profitable. 
What is most interesting about Hancitor is the way these decisions so clearly reflect an awareness of business realities (by targeting peak working times) and divide up the “work” of their attacks in a way that so clearly mirrors mainstream business decisions around globalizing operations.\r\nIn the end, while Hancitor may not be sophisticated, these steps to adapt and stay effective seem to be succeeding. And we expect to continue to see Hancitor be a global threat for the foreseeable future.\r\nSource: https://unit42.paloaltonetworks.com/threat-brief-hancitor-actors/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY",
		"ETDA"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/threat-brief-hancitor-actors/"
	],
	"report_names": [
		"threat-brief-hancitor-actors"
	],
	"threat_actors": [],
	"ts_created_at": 1775434165,
	"ts_updated_at": 1775791252,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/24ac8994b35ba2d55aff81e88988e668bcad03d7.pdf",
		"text": "https://archive.orkl.eu/24ac8994b35ba2d55aff81e88988e668bcad03d7.txt",
		"img": "https://archive.orkl.eu/24ac8994b35ba2d55aff81e88988e668bcad03d7.jpg"
	}
}