{
	"id": "4c5acb77-0630-45fe-8f32-19a5105a26e2",
	"created_at": "2026-04-06T00:15:01.091056Z",
	"updated_at": "2026-04-10T03:37:51.354011Z",
	"deleted_at": null,
	"sha1_hash": "8d152cca7673e2ee32a33843f9b6826892402012",
	"title": "HUI Loader — Malware Analysis Note",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1913879,
	"plain_text": "HUI Loader — Malware Analysis Note\r\nBy morimolymoly\r\nPublished: 2023-08-02 · Archived: 2026-04-05 13:42:24 UTC\r\nHUI Loader is a loader-type malware.\r\nOld HUI Loader has a weird string:\r\nHUIHWASDIHWEIUDHDSFSFEFWEFEWFDSGEFERWGWEEFWFWEWD.\r\nHUI Loader was used by APT10, Blue Termite, A41APT, and DEV-0401.\r\nPayloads are below.\r\nPoisonIvy\r\nPlugX\r\nQuasar\r\nSodaMaster\r\nCobalt Strike Beacon (ransomware ops by BRONZE STARLIGHT)\r\nI investigated HUI Loader and the links between APT10 and A41APT.\r\nI found a funny string in the sample.\r\nc:\\users\\hellokety.ini was embedded in APT10’s PlugX (02b95ef7a33a87cc2b3b6fd47db03e711045974e1ecf631d3ba9e076e1e374e9) and a new version of HUI Loader (this was used by A41APT?).\r\nhttps://medium.com/@morimolymoly/hui-loader-malware-analysis-note-4fa0e1c791d3\r\nPage 1 of 7\n\nhttps://twitter.com/cdi_research/status/1635507672417198080\r\nThis means A41APT is a subgroup of APT10 (everyone knows this, but the clue is important).\r\nThe DLL is 64-bit and the compilation time is very fresh.\r\nThe DLL has many exports, so first I look into cef_api_hash.\r\nLet’s look deeper with Binary Ninja.\r\nIt calls one function.\r\nThis function looks like a preparation routine.\r\nThis code stores agent.data (the payload name) in a global variable.\r\nIt creates a thread.\r\nLet’s look at this.\r\nThe first two are GetProcAddress stuff.\r\nThe last one is the main code.\r\nHeapAlloc + decryption + VirtualProtect is a very old technique.\r\nAnd then, it launches the shellcode.\r\nI don’t post the full source, but it is like RC4 encryption.\r\nFinally (honestly, first), the Capa results are here.\r\nSource: https://medium.com/@morimolymoly/hui-loader-malware-analysis-note-4fa0e1c791d3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/@morimolymoly/hui-loader-malware-analysis-note-4fa0e1c791d3"
	],
	"report_names": [
		"hui-loader-malware-analysis-note-4fa0e1c791d3"
	],
	"threat_actors": [
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c92de6de-9538-43e5-9190-9da092194884",
			"created_at": "2022-10-25T16:07:23.411024Z",
			"updated_at": "2026-04-10T02:00:04.587683Z",
			"deleted_at": null,
			"main_name": "Blue Termite",
			"aliases": [
				"Blue Termite",
				"Cloudy Omega"
			],
			"source_name": "ETDA:Blue Termite",
			"tools": [
				"Emdivi",
				"Newsripper"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "48782737-377b-47b4-aff0-87424208a643",
			"created_at": "2023-01-06T13:46:38.569144Z",
			"updated_at": "2026-04-10T02:00:03.02685Z",
			"deleted_at": null,
			"main_name": "Blue Termite",
			"aliases": [
				"Cloudy Omega",
				"Emdivi"
			],
			"source_name": "MISPGALAXY:Blue Termite",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10 ",
				"CTG-5938 ",
				"CVNX ",
				"Hogfish ",
				"MenuPass ",
				"MirrorFace ",
				"POTASSIUM ",
				"Purple Typhoon ",
				"Red Apollo ",
				"Stone Panda "
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f63c346d-18c8-4821-a56d-fefb1ad7ed5d",
			"created_at": "2022-10-25T16:07:23.42507Z",
			"updated_at": "2026-04-10T02:00:04.593122Z",
			"deleted_at": null,
			"main_name": "Bronze Starlight",
			"aliases": [
				"Cinnamon Tempest",
				"DEV-0401",
				"HighGround",
				"Operation ChattyGoblin",
				"SLIME34"
			],
			"source_name": "ETDA:Bronze Starlight",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"AtomSilo",
				"Cobalt Strike",
				"CobaltStrike",
				"Destroy RAT",
				"DestroyRAT",
				"HUI Loader",
				"Kaba",
				"Korplug",
				"LockFile",
				"Night Sky",
				"NightSky",
				"Pandora",
				"PlugX",
				"RedDelta",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c69bcda3-0893-4ea1-9ec1-ae016332d283",
			"created_at": "2023-01-06T13:46:39.410593Z",
			"updated_at": "2026-04-10T02:00:03.317754Z",
			"deleted_at": null,
			"main_name": "BRONZE STARLIGHT",
			"aliases": [
				"DEV-0401",
				"Cinnamon Tempest",
				"Emperor Dragonfly",
				"SLIME34"
			],
			"source_name": "MISPGALAXY:BRONZE STARLIGHT",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-10T02:00:05.316886Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d511e74b-96b8-4ab9-88d6-bc183351dbd8",
			"created_at": "2025-08-07T02:03:24.674685Z",
			"updated_at": "2026-04-10T02:00:03.800936Z",
			"deleted_at": null,
			"main_name": "BRONZE STARLIGHT",
			"aliases": [
				"Cinnamon Tempest ",
				"DEV-0401 ",
				"Emperor Dragonfly "
			],
			"source_name": "Secureworks:BRONZE STARLIGHT",
			"tools": [
				"AtomSilo",
				"Cobalt Strike",
				"HUI Loader",
				"Impacket",
				"LockFile",
				"NightSky",
				"Pandora",
				"PlugX",
				"Rook"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "81e29474-63ad-4ce8-97db-b1712d5481d5",
			"created_at": "2024-04-24T02:00:49.570158Z",
			"updated_at": "2026-04-10T02:00:05.285111Z",
			"deleted_at": null,
			"main_name": "Cinnamon Tempest",
			"aliases": [
				"Cinnamon Tempest",
				"DEV-0401",
				"Emperor Dragonfly",
				"BRONZE STARLIGHT"
			],
			"source_name": "MITRE:Cinnamon Tempest",
			"tools": [
				"Pandora",
				"PlugX",
				"Cheerscrypt",
				"Impacket",
				"Cobalt Strike",
				"HUI Loader",
				"Rclone"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434501,
	"ts_updated_at": 1775792271,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8d152cca7673e2ee32a33843f9b6826892402012.pdf",
		"text": "https://archive.orkl.eu/8d152cca7673e2ee32a33843f9b6826892402012.txt",
		"img": "https://archive.orkl.eu/8d152cca7673e2ee32a33843f9b6826892402012.jpg"
	}
}