{ "id": "7e14691e-263d-4a37-afa8-411f6587ee17", "created_at": "2026-04-06T00:16:47.101349Z", "updated_at": "2026-04-10T03:33:16.720271Z", "deleted_at": null, "sha1_hash": "55ffcfb89cd7fffb87a85640c782a2140d7191a2", "title": "Hancitor (Malware Family)", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 81573, "plain_text": "Hancitor (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 17:42:00 UTC\r\nHancitor(aka Chanitor) emerged in 2013 which spread via social engineering techniques mainly through phishing\r\nmails embedded with malicious link and weaponized Microsoft office document contains malicious macro in it.\r\n2022-08-17 ⋅ Group-IB ⋅\r\nSwitching side jobs Links between ATMZOW JS-sniffer and Hancitor\r\nHancitor 2022-02-12 ⋅ muha2xmad ⋅ Muhammad Hasan Ali\r\nFull Hancitor malware analysis\r\nHancitor 2022-01-08 ⋅ muha2xmad ⋅ Muhammad Hasan Ali\r\nUnpacking Hancitor malware\r\nHancitor 2021-12-31 ⋅ 0ffset Blog ⋅ Chuong Dong\r\nHANCITOR: Analysing The Main Loader\r\nHancitor 2021-12-28 ⋅ Medium Crovax ⋅ Crovax\r\nExtracting Hancitor’s Configuration with Ghidra part 1\r\nHancitor 2021-11-23 ⋅ 0ffset Blog ⋅ Chuong Dong\r\nHANCITOR: Analysing The Malicious Document\r\nHancitor 2021-11-01 ⋅ The DFIR Report ⋅ @iiamaleks, @samaritan_o\r\nFrom Zero to Domain Admin\r\nCobalt Strike Hancitor 2021-10-04 ⋅ Github (OALabs) ⋅ OALabs\r\nReverse engineered the Hancitor DLL and built a static config extractor\r\nHancitor 2021-10-04 ⋅ pid4.io ⋅ James Hovious\r\nHow to Write a Hancitor Extractor in Go\r\nHancitor 2021-09-29 ⋅ Malware Traffic Analysis ⋅ Brad Duncan\r\n2021-09-29 (Wednesday) - Hancitor with Cobalt Strike\r\nCobalt Strike Hancitor 2021-09-29 ⋅ Malware Traffic Analysis ⋅ Brad Duncan\r\nHancitor with Cobalt Strike\r\nCobalt Strike Hancitor 2021-09-09 ⋅ Cyber-Anubis ⋅ Nidal Fikri\r\nHancitor Loader | RE \u0026 Config Extraction\r\nHancitor 2021-08-05 ⋅ Group-IB ⋅ Nikita Rostovcev, Viktor Okorokov\r\nPrometheus TDS The key to success for Campo Loader, Hancitor, IcedID, and QBot\r\nPrometheus Backdoor Buer campoloader Hancitor IcedID QakBot 2021-07-20 ⋅ VMRay ⋅ Mateusz Lukaszewski\r\nHancitor’s Multi-Step Delivery Process\r\nHancitor 2021-07-09 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan\r\nHancitor tries XLL as initial malware file\r\nCobalt Strike Hancitor 2021-07-08 ⋅ McAfee ⋅ McAfee Labs\r\nHancitor Making Use of Cookies to Prevent URL Scraping\r\nHancitor 2021-06-28 ⋅ The DFIR Report ⋅ The DFIR Report\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.hancitor\r\nPage 1 of 3\n\nHancitor Continues to Push Cobalt Strike\r\nCobalt Strike Hancitor 2021-06-21 ⋅ Medium elis531989 ⋅ Eli Salem\r\nDissecting and automating Hancitor’s config extraction\r\nHancitor 2021-06-17 ⋅ Binary Defense ⋅ Brandon George\r\nAnalysis of Hancitor – When Boring Begets Beacon\r\nCobalt Strike Ficker Stealer Hancitor 2021-05-19 ⋅ Intel 471 ⋅ Intel 471\r\nLook how many cybercriminals love Cobalt Strike\r\nBazarBackdoor Cobalt Strike Hancitor QakBot SmokeLoader SystemBC TrickBot 2021-05-07 ⋅ Group-IB ⋅ Oleg\r\nSkulkin, Semyon Rogachev\r\nConnecting the Bots Hancitor fuels Cuba Ransomware Operations\r\nCuba Hancitor 2021-04-16 ⋅ InQuest ⋅ Dmitry Melikov\r\nUnearthing Hancitor Infrastructure\r\nHancitor 2021-04-07 ⋅ Palo Alto Networks Unit 42 ⋅ Brad Duncan\r\nWireshark Tutorial: Examining Traffic from Hancitor Infections\r\nHancitor 2021-04-01 ⋅ Palo Alto Networks Unit 42 ⋅ Brad Duncan\r\nHancitor’s Use of Cobalt Strike and a Noisy Network Ping Tool\r\nCobalt Strike Hancitor Moskalvzapoe 2021-02-11 ⋅ Twitter (@TheDFIRReport) ⋅ The DFIR Report\r\nTweet on Hancitor Activity followed by cobaltsrike beacon\r\nCobalt Strike Hancitor 2021-02-01 ⋅ Silent Push ⋅ Martijn Grooten\r\nPivoting: finding malware domains without seeing malicious activity\r\nHancitor 2021-01-13 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan\r\nHancitor activity resumes after a hoilday break\r\nHancitor 2021-01-10 ⋅ Medium walmartglobaltech ⋅ Jason Reaves\r\nMAN1, Moskal, Hancitor and a side of Ransomware\r\nCobalt Strike Hancitor SendSafe VegaLocker Moskalvzapoe 2019-11-01 ⋅ Dodge This Security ⋅ Dodge This Security\r\nHancitor. Evasive new waves, and how COM objects can use Cached Credentials for Proxy Authentication\r\nHancitor 2019-05-01 ⋅ Felix Weyne\r\nHancitor's Packer Damystified\r\nHancitor 2018-11-05 ⋅ Vitali Kremez\r\nLet's Learn: In-Depth Reversing of Hancitor Dropper/Loader: 2016 vs 2018 Malware Progression\r\nHancitor 2018-02-27 ⋅ Palo Alto Networks Unit 42 ⋅ Jeff White\r\nDissecting Hancitor’s Latest 2018 Packer\r\nHancitor 2018-02-07 ⋅ Palo Alto Networks Unit 42 ⋅ Brad Duncan, Vicky Ray\r\nCompromised Servers \u0026 Fraud Accounts: Recent Hancitor Attacks\r\nHancitor 2016-09-23 ⋅ FireEye ⋅ Ankit Anubhav, Dileep Kumar Jallepalli\r\nHancitor (AKA Chanitor) observed using multiple attack approaches\r\nHancitor 2016-08-22 ⋅ Palo Alto Networks Unit 42 ⋅ Jeff White\r\nVB Dropper and Shellcode for Hancitor Reveal New Techniques Behind Uptick\r\nHancitor 2016-08-19 ⋅ Minerva Labs ⋅ Minerva Labs Research Team\r\nNew Hancitor Malware: Pimp my Downloaded\r\nHancitor 2016-07-12 ⋅ Fidelis Cybersecurity ⋅ Threat Research Team\r\nMe and Mr. Robot: Tracking the Actor Behind the MAN1 Crypter\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.hancitor\r\nPage 2 of 3\n\nHancitor Vawtrak 2016-05-12 ⋅ Proofpoint ⋅ Axel F, Matthew Mesa\r\nHancitor and Ruckguv Reappear, Updated and With Vawtrak On Deck\r\nHancitor Ruckguv 2015-01-09 ⋅ Zscaler ⋅ Zscaler\r\nChanitor Downloader Actively Installing Vawtrak\r\nHancitor\r\n[TLP:WHITE] win_hancitor_auto (20251219 | Detects win.hancitor.)\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.hancitor\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.hancitor\r\nPage 3 of 3\n\n https://malpedia.caad.fkie.fraunhofer.de/details/win.hancitor \nHancitor Vawtrak 2016-05-12 ⋅ Proofpoint ⋅ Axel F, Matthew Mesa\nHancitor and Ruckguv Reappear, Updated and With Vawtrak On Deck\nHancitor Ruckguv 2015-01-09 ⋅ Zscaler ⋅ Zscaler \nChanitor Downloader Actively Installing Vawtrak \nHancitor \n[TLP:WHITE] win_hancitor_auto (20251219 | Detects win.hancitor.)\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.hancitor \n Page 3 of 3", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hancitor" ], "report_names": [ "win.hancitor" ], "threat_actors": [ { "id": "610a7295-3139-4f34-8cec-b3da40add480", "created_at": "2023-01-06T13:46:38.608142Z", "updated_at": "2026-04-10T02:00:03.03764Z", "deleted_at": null, "main_name": "Cobalt", "aliases": [ "Cobalt Group", "Cobalt Gang", "GOLD KINGSWOOD", "COBALT SPIDER", "G0080", "Mule Libra" ], "source_name": "MISPGALAXY:Cobalt", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "1f6ae238-765f-4495-9d54-6a7883d7a319", "created_at": "2022-10-25T16:07:24.573456Z", "updated_at": "2026-04-10T02:00:05.037738Z", "deleted_at": null, "main_name": "TA511", "aliases": [ "MAN1", "Moskalvzapoe" ], "source_name": "ETDA:TA511", "tools": [ "Agentemis", "Chanitor", "Cobalt Strike", "CobaltStrike", "Ficker Stealer", "Hancitor", "NetSupport", "NetSupport Manager", "NetSupport Manager RAT", "NetSupport RAT", "NetSupportManager RAT", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "542cf9d0-9c68-428c-aff8-81b6f59dc985", "created_at": "2023-02-15T02:01:49.554105Z", "updated_at": "2026-04-10T02:00:03.347115Z", "deleted_at": null, "main_name": "Moskalvzapoe", "aliases": [ "MAN1", "TA511" ], "source_name": "MISPGALAXY:Moskalvzapoe", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434607, "ts_updated_at": 1775791996, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/55ffcfb89cd7fffb87a85640c782a2140d7191a2.pdf", "text": "https://archive.orkl.eu/55ffcfb89cd7fffb87a85640c782a2140d7191a2.txt", "img": "https://archive.orkl.eu/55ffcfb89cd7fffb87a85640c782a2140d7191a2.jpg" } }