{
	"id": "56f2c5ee-8d3c-46f2-942a-a81b073fc74c",
	"created_at": "2026-05-05T02:45:42.333644Z",
	"updated_at": "2026-05-05T02:46:36.799043Z",
	"deleted_at": null,
	"sha1_hash": "919b4f4abba6e7b52ed35f7d8d2e1e67e1aa0ac6",
	"title": "Connecting the Bots",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2987113,
	"plain_text": "Connecting the Bots\r\nArchived: 2026-05-05 02:39:02 UTC\r\nThe Hancitor downloader has been around for quite some time. It has been known since at least 2016 for\r\ndropping Pony and Vawtrak. As a loader, it has been used to download other malware families, such as Ficker\r\nstealer and NetSupport RAT, to compromised hosts. Its operators have also shown interest in post-exploitation\r\nactivity, deploying Cobalt Strike Beacon on hosts located in Active Directory environments. After a few\r\nunremarkable and quiet years, Hancitor resurfaced: it decided to join the Big Game Hunting.\r\nHancitor became another commodity malware that partners with ransomware gangs to help them gain initial\r\naccess to target networks, the growing trend outlined by Group-IB researchers in the recent Ransomware\r\nUncovered 2020/2021 report.\r\nThe Group-IB Threat Intelligence team found that Hancitor is being actively used by threat actors to deploy Cuba\r\nransomware. Cuba ransomware has been active since at least January 2020. Its operators run a DLS (Data Leak Site), where\r\nthey post data exfiltrated from victims who refused to pay the ransom. As of April 28, the site listed\r\nnine companies, primarily from the aviation, financial, education and manufacturing industries. Hancitor’s deep\r\ninterest in Big Game Hunting is further supported by Jason Reaves’s earlier findings about Hancitor’s association\r\nwith the Zeppelin ransomware.\r\nThis blog post examines a typical Hancitor and Cuba kill chain, the threat actors’ TTPs, detailed recommendations,\r\nand mitigation techniques.\r\nUsually, Hancitor is distributed via spam campaigns. Such emails are disguised to look like DocuSign\r\nnotifications:\r\nhttps://blog.group-ib.com/hancitor-cuba-ransomware\r\nPage 1 of 6\n\nFigure 1. An example of spam email content\r\nClicking the malicious link downloads a weaponized document. 
As always, the document\r\ncontains instructions on how to remove the “protection”:\r\nFigure 2. The contents of the weaponized document\r\nIn recent campaigns, if content is enabled, the macro extracts and drops the Hancitor DLL to\r\nC:\\Users\\%username%\\AppData\\Roaming\\Microsoft\\Word and runs it via rundll32.exe.\r\nSuch behavior is easily detectable by host-based defenses, as winword.exe should not normally start rundll32.exe:\r\nFigure 3. Group-IB Managed XDR Huntpoint detecting abnormal activity caused by Hancitor\r\nData received from the C2 server is base64-encoded and XORed with 0x7A. After decoding and decrypting, the\r\nreceived command is checked. The command must be one of the following characters: «b», «e», «l»,\r\n«n», «r». If it is supported, Hancitor performs the corresponding action:\r\n\r\nCommand code | Description\r\nb | Downloads a PE from a server whose address was received from the C2. The downloaded data is decrypted, decompressed and injected into a newly started svchost.exe process.\r\ne | Downloads a PE from a server whose address was received from the C2. The downloaded data is decrypted, decompressed and executed in a separate thread of the Hancitor process.\r\nl | Downloads a PE from a server whose address was received from the C2. The downloaded data is decrypted, decompressed and injected into a newly started svchost.exe process by creating a remote thread.\r\nn | Appears to be an equivalent of the ping command.\r\nr | Downloads a PE from a server whose address was received from the C2. The downloaded data is decrypted, decompressed and saved to a temporary file. 
If the downloaded file is an EXE, it\r\nis executed via CreateProcess; if it is a DLL, it is executed via\r\nrundll32.exe.\r\nOne of the most common payloads delivered by Hancitor these days is Ficker stealer, which is actively advertised\r\non various underground forums and is capable of extracting data from web browsers, mail clients,\r\ncryptocurrency wallets, etc. However, the Cobalt Strike usage deserves more attention.\r\nDuring the post-exploitation phase, the threat actors rely mostly on Cobalt Strike, leveraging its capabilities at\r\nvarious stages of the attack lifecycle.\r\nFrom an execution perspective, just like many other ransomware operators, they used jump psexec and jump\r\npsexec_psh, and relied heavily on SMB Beacons, commonly using generic pipe names. In some cases, they also\r\nused less common techniques, such as WMI and WinRM, to execute the Beacon stagers on remote hosts.\r\nAs Cobalt Strike has credential dumping capabilities, the threat actors leverage mimikatz’s\r\nsekurlsa::logonpasswords. In some cases they also use a separate binary to run mimikatz on some\r\nhosts. That tool is also used to enable lateral movement with the obtained hashes via mimikatz’s\r\nsekurlsa::pth (pass-the-hash).\r\nBeacon’s capabilities were also used to scan the compromised network. In addition, the group leveraged some\r\ncustom tools for network reconnaissance. The first, called Netping, is a simple scanner that\r\ncollects information about live hosts in the network and saves it to a text file; the other, Protoping,\r\ncollects information about available network shares. Built-in tools were also abused. 
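The detection point and the C2 decoding described above can be turned into working code: the host rule that flags winword.exe starting rundll32.exe (plus rundll32.exe loading a DLL from the AppData\\Roaming\\Microsoft\\Word directory), and the decoding of a Hancitor C2 response (base64-decode, XOR every byte with 0x7A, then check the single-character command code). The Python below is an added example written for this page; it is neither Group-IB tooling nor Hancitor code. The Sysmon-style events and the C2 body are constructed, the extension of the parent-process rule to excel.exe and powerpnt.exe is a generalisation made here, and the {code:url} framing of commands inside the decoded response is an assumption for the example (the page only says that each command is one of b, e, l, n, r and that a download address is received from the C2).

```python
import base64
import re
from typing import Iterable

BS = chr(92)   # a backslash; kept out of the literals so the sample has no escape sequences
XOR_KEY = 0x7A
SUPPORTED = {'b', 'e', 'l', 'n', 'r'}   # command codes listed on the page
# winword.exe is what the page names; excel.exe/powerpnt.exe are a generalisation for this example
OFFICE = {'winword.exe', 'excel.exe', 'powerpnt.exe'}
WORD_APPDATA = '/appdata/roaming/microsoft/word/'


def norm(path: str) -> str:
    # lower-case, forward-slash form of a Windows path so the rules stay readable
    return path.replace(BS, '/').lower()


def basename(path: str) -> str:
    return norm(path).rsplit('/', 1)[-1]


def host_rules(events: Iterable[dict]) -> list:
    # process-creation rules over Sysmon-style events with Image, ParentImage, CommandLine
    hits = []
    for ev in events:
        image, parent, cmd = basename(ev['Image']), basename(ev['ParentImage']), norm(ev['CommandLine'])
        if image == 'rundll32.exe' and parent in OFFICE:
            hits.append(('office_spawns_rundll32', ev['CommandLine']))
        if image == 'rundll32.exe' and WORD_APPDATA in cmd:
            hits.append(('rundll32_dll_from_word_appdata', ev['CommandLine']))
    return hits


def decode_c2(body: bytes) -> str:
    # base64-decode the response body, then XOR every byte with 0x7A
    return bytes(b ^ XOR_KEY for b in base64.b64decode(body)).decode('latin-1')


def encode_c2(plain: str) -> bytes:
    # inverse of decode_c2; used only to construct sample traffic (XOR is its own inverse)
    return base64.b64encode(bytes(b ^ XOR_KEY for b in plain.encode('latin-1')))


def parse_commands(decoded: str) -> list:
    # {code:url} framing is an assumption for this example; unsupported codes are dropped,
    # mirroring the page: Hancitor acts only if the command code is one it supports
    pairs = re.findall('[{](.):([^}]*)[}]', decoded)
    return [(code, url) for code, url in pairs if code in SUPPORTED]


# --- constructed sample data (not real telemetry) ---
SAMPLE_EVENTS = [
    {'Image': BS.join(['C:', 'Windows', 'System32', 'rundll32.exe']),
     'ParentImage': BS.join(['C:', 'Program Files', 'Microsoft Office', 'root', 'Office16', 'WINWORD.EXE']),
     'CommandLine': 'rundll32.exe ' + BS.join(['C:', 'Users', 'victim', 'AppData', 'Roaming',
                                               'Microsoft', 'Word', 'payload.dll']) + ',EntryPoint'},
    {'Image': BS.join(['C:', 'Windows', 'System32', 'rundll32.exe']),   # benign control-panel launch
     'ParentImage': BS.join(['C:', 'Windows', 'System32', 'svchost.exe']),
     'CommandLine': 'rundll32.exe ' + BS.join(['C:', 'Windows', 'System32', 'shell32.dll']) + ',Control_RunDLL'},
]
SAMPLE_C2 = encode_c2('{r:http://payload.example/a.bin}{n:}{x:http://payload.example/ignored}')

if __name__ == '__main__':
    for rule, cmdline in host_rules(SAMPLE_EVENTS):
        print(rule, '<-', cmdline)
    print(parse_commands(decode_c2(SAMPLE_C2)))
```

Only the first sample event fires (both rules); the benign rundll32.exe launched by svchost.exe does not. On the network side, a response body that base64-decodes and XORs cleanly into {code:url} pairs with supported codes is a far stronger signal than base64 alone, and the unsupported x command in the sample is silently dropped, as the page says Hancitor itself does.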
For example, the adversary used the\r\nnet view command to collect information about hosts in the network and the nltest utility to collect information\r\nabout the compromised domain.\r\nBesides Cobalt Strike’s ability to run Beacon stagers on remote hosts, the attackers used Remote Desktop\r\nProtocol to move laterally. They have a batch script called rdp.bat in their arsenal, which is used to enable RDP\r\nconnections and add the corresponding firewall rule on the target host. Similar scripts have been observed in use by\r\nProLock and Egregor operators.\r\nFicker stealer wasn’t the only publicly advertised tool in the threat actors’ arsenal. Another tool, SystemBC, is\r\nbecoming more and more popular among various ransomware operators. Such additional backdoors\r\nallowed the attackers to download and execute additional payloads even if Cobalt Strike activity was detected and\r\nblocked.\r\nThe approach to ransomware deployment is quite trivial, but still effective. Like many others, the threat actors\r\nusually leveraged PsExec for deployment.\r\nThe exfiltrated data is published on the dedicated Cuba DLS (Data Leak Site).\r\nAs of April 28, the website offered to download data for free from 9 mainly US companies from the aviation,\r\nfinancial, education, manufacturing, and logistics sectors which refused to pay the ransom. The actual number\r\nof victims is expected to be higher.\r\nAn interesting feature of the site is that it also includes a paid content section:\r\nFigure 4. Paid content featured on Cuba’s DLS\r\nThe Cuba ransomware samples that the Group-IB DFIR team observed weren’t very sophisticated, and didn’t even have\r\nfunctionality to remove Windows Shadow Copies, so the threat actors had to rely on additional scripting.\r\nFiles are encrypted using ChaCha20 with a 12-byte IV (nonce). 
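The file-encryption primitive named here, ChaCha20 with a 12-byte IV, is the IETF variant of RFC 8439: the nonce fills the last three words of the cipher state and a 32-bit block counter fills the word before it (the original Bernstein variant uses an 8-byte nonce with a 64-bit counter). The Python below is an added example, not Cuba’s code and not the repository the page refers to; it implements RFC 8439 ChaCha20 from scratch and shows the per-file key and nonce that a ransomware of this design generates before wrapping the key with RSA-4096 (the RSA wrapping is mentioned in the text but not implemented here). The plaintext used is constructed.

```python
import os
import struct

MASK = 0xFFFFFFFF


def _rotl32(v: int, n: int) -> int:
    return ((v << n) | (v >> (32 - n))) & MASK


def quarter_round(s: list, a: int, b: int, c: int, d: int) -> None:
    # RFC 8439 section 2.1, applied in place to state words a, b, c, d
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl32(s[b] ^ s[c], 7)


def rfc8439_quarter_round_vector() -> list:
    # the known-answer test from RFC 8439 section 2.1.1
    s = [0x11111111, 0x01020304, 0x9b8d6f43, 0x01234567]
    quarter_round(s, 0, 1, 2, 3)
    return s


def chacha20_block(key: bytes, counter: int, nonce: bytes) -> bytes:
    # one 64-byte keystream block; state = 4 constants, 8 key words, 32-bit counter, 3 nonce words.
    # a 12-byte nonce with a 32-bit counter is the IETF layout that a 12-byte IV implies
    if len(key) != 32 or len(nonce) != 12:
        raise ValueError('ChaCha20 (IETF) needs a 32-byte key and a 12-byte nonce')
    state = list(struct.unpack('<16I', b'expand 32-byte k' + key + struct.pack('<I', counter) + nonce))
    work = state[:]
    for _ in range(10):   # 20 rounds as 10 double rounds: column round, then diagonal round
        quarter_round(work, 0, 4, 8, 12); quarter_round(work, 1, 5, 9, 13)
        quarter_round(work, 2, 6, 10, 14); quarter_round(work, 3, 7, 11, 15)
        quarter_round(work, 0, 5, 10, 15); quarter_round(work, 1, 6, 11, 12)
        quarter_round(work, 2, 7, 8, 13); quarter_round(work, 3, 4, 9, 14)
    return struct.pack('<16I', *[(w + s) & MASK for w, s in zip(work, state)])


def chacha20_xor(key: bytes, nonce: bytes, data: bytes, counter: int = 0) -> bytes:
    # encryption and decryption are the same operation: XOR with the keystream
    out = bytearray()
    for i in range(0, len(data), 64):
        block = chacha20_block(key, (counter + i // 64) & MASK, nonce)
        out += bytes(x ^ y for x, y in zip(data[i:i + 64], block))
    return bytes(out)


def encrypt_file_bytes(plaintext: bytes) -> tuple:
    # fresh random key and 12-byte nonce per file; a ransomware of the design described would
    # then wrap this key with RSA-4096 and store it beside the ciphertext (not implemented here)
    key, nonce = os.urandom(32), os.urandom(12)
    return key, nonce, chacha20_xor(key, nonce, plaintext)


def roundtrip(plaintext: bytes) -> bool:
    # decrypting with the same key and nonce must restore the plaintext
    key, nonce, ct = encrypt_file_bytes(plaintext)
    return ct != plaintext and chacha20_xor(key, nonce, ct) == plaintext


if __name__ == '__main__':
    print([hex(w) for w in rfc8439_quarter_round_vector()])
    print(roundtrip(b'constructed sample plaintext ' * 5))
```

Two practical consequences follow from the layout. The counter is 32 bits, so one key/nonce pair covers at most 2^32 blocks of 64 bytes (256 GiB) before the keystream wraps. More importantly, because the cipher is a plain XOR with a keystream, reusing a key/nonce pair for two files leaks the XOR of their plaintexts; generating a fresh key and nonce per file, as the example does, is exactly what makes the RSA-4096 wrapping of each file key necessary for recovery.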
The keys are encrypted with the RSA-4096 algorithm.\r\nThe RSA implementation is likely copied from the following repository.\r\nAccording to Group-IB TI\u0026A, the group behind the ransomware deployments is Balbesi. Despite the fact that the group\r\nleverages quite common techniques in its operations, its attacks are still quite effective and affect\r\norganizations from various sectors, including financial, pharmaceutical, educational, industrial, professional\r\nservices and software development, focusing mainly on Europe and the USA.\r\nBelow you can find both the MITRE ATT\u0026CK mapping and the corresponding list of mitigations.\r\nSource: https://blog.group-ib.com/hancitor-cuba-ransomware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.group-ib.com/hancitor-cuba-ransomware"
	],
	"report_names": [
		"hancitor-cuba-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1777949142,
	"ts_updated_at": 1777949196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/919b4f4abba6e7b52ed35f7d8d2e1e67e1aa0ac6.pdf",
		"text": "https://archive.orkl.eu/919b4f4abba6e7b52ed35f7d8d2e1e67e1aa0ac6.txt",
		"img": "https://archive.orkl.eu/919b4f4abba6e7b52ed35f7d8d2e1e67e1aa0ac6.jpg"
	}
}