HUI Loader — Malware Analysis Note
By morimolymoly
Published: 2023-08-02 · Archived: 2026-04-05 13:42:24 UTC

HUI Loader is a loader type of malware. Old versions of HUI Loader contain the odd string HUIHWASDIHWEIUDHDSFSFEFWEFEWFDSGEFERWGWEEFWFWEWD. HUI Loader has been used by APT10, Blue Termite, A41APT and DEV-0401.

Payloads it has delivered:

- PoisonIvy
- PlugX
- Quasar
- SodaMaster
- Cobalt Strike Beacon (ransomware operations by BRONZE STARLIGHT)

I investigated HUI Loader and the links between APT10 and A41APT, and I found a funny string in the sample. The path c:\users\hellokety.ini is embedded in APT10's PlugX (02b95ef7a33a87cc2b3b6fd47db03e711045974e1ecf631d3ba9e076e1e374e9) and in the new version of HUI Loader (the one used by A41APT?).

https://twitter.com/cdi_research/status/1635507672417198080

This means A41APT is a sub-group of APT10. (Everyone knows this, but the clue is important.)

The sample is a 64-bit DLL and the compilation time is very fresh.

The DLL has many exports, so first I looked into cef_api_hash. Let's look deeper with Binary Ninja.

It calls one function. This function looks like a preparation routine: the code stores agent.data (the payload name) in a global variable.

It then creates a thread. Let's look at that. The first two calls are GetProcAddress stuff (API resolution); the last one is the main code.

HeapAlloc + decryption + VirtualProtect is a very old technique. After that, it launches the shellcode.

I won't post the full source, but the decryption is like RC4.

Finally (honestly, this should have come first), the Capa results are here.

Source: https://medium.com/@morimolymoly/hui-loader-malware-analysis-note-4fa0e1c791d3
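Two things in the write-up lend themselves to a small analyst helper: the loader decrypts agent.data with an RC4-like routine before the HeapAlloc/VirtualProtect/thread dance, and it carries distinctive strings (the long HUIHWA... marker in old builds, the c:\users\hellokety.ini path in the newer one). The script below is an added example, not the author's code or anything taken from the sample: it implements standard RC4 (the post only says "like RC4", so if the real routine deviates, the key schedule must be adapted), a string-indicator scan over a file body, and an MZ-header sanity check on the recovered buffer. The key and the loader/payload bytes are constructed placeholders; in a real case the key is pulled from the loader in the disassembler.

```python
"""
Triage helpers for a HUI Loader style sample (added example, not the
post author's code). Assumptions: standard RC4 for agent.data, and the two
indicator strings quoted in the write-up. All sample data is constructed.
"""
from __future__ import annotations

# Strings quoted in the write-up; both are cheap triage indicators.
HUI_MARKER = b"HUIHWASDIHWEIUDHDSFSFEFWEFEWFDSGEFERWGWEEFWFWEWD"
HELLOKETY_PATH = b"c:\\users\\hellokety.ini"


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4: key-scheduling (KSA), then PRGA keystream XORed over
    data. RC4 is symmetric, so the same call encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def scan_indicators(blob: bytes) -> dict[str, list[int]]:
    """Return every offset at which a known HUI Loader string occurs.
    An empty dict means none of the indicators were found."""
    hits: dict[str, list[int]] = {}
    for name, needle in (("hui_marker", HUI_MARKER),
                         ("hellokety_ini", HELLOKETY_PATH)):
        offsets: list[int] = []
        start = 0
        while (pos := blob.find(needle, start)) != -1:
            offsets.append(pos)
            start = pos + 1
        if offsets:
            hits[name] = offsets
    return hits


def looks_like_pe(blob: bytes) -> bool:
    """Sanity check on a decrypted buffer: an MZ header suggests a PE/DLL
    payload (PlugX, Quasar, ...) rather than raw shellcode or a bad key."""
    return blob[:2] == b"MZ"


if __name__ == "__main__":
    # Constructed loader body carrying both indicator strings.
    fake_loader = b"\x00" * 16 + HUI_MARKER + b"\x00" * 8 + HELLOKETY_PATH
    print("indicators:", scan_indicators(fake_loader))

    # Constructed agent.data: a fake PE stub encrypted under a placeholder key.
    key = b"PLACEHOLDER-KEY"          # real key is recovered from the loader
    fake_payload = b"MZ" + b"\x90" * 30
    agent_data = rc4(key, fake_payload)
    recovered = rc4(key, agent_data)  # same call decrypts
    print("payload looks like PE:", looks_like_pe(recovered))
```

Run it on a real case by reading the extracted agent.data file and the recovered key in place of the constructed values; if looks_like_pe() is false and the buffer has no recognisable shellcode prologue, the key or the cipher variant is wrong, which is the usual failure mode when a "like RC4" routine has a tweaked key schedule.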