{
	"id": "a1d35830-81a0-48fd-aded-b7d4303d2bb2",
	"created_at": "2026-04-06T00:21:46.296994Z",
	"updated_at": "2026-04-10T13:13:00.815533Z",
	"deleted_at": null,
	"sha1_hash": "98a80839238517252242709c08b95bc1fb73e139",
	"title": "Backdoor:W32/Hupigon.EMV | F-Secure",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 87008,
	"plain_text": "Backdoor:W32/Hupigon.EMV | F-Secure\r\nArchived: 2026-04-05 12:37:19 UTC\r\nClassification\r\nAliases:\r\nBackdoor.Win32.Hupigon.emv\r\nSummary\r\nA backdoor is a Remote Administration Tool (RAT) that exposes infected machines to external control via the Internet by remote attackers.\r\nRemoval\r\nBased on the settings of your F-Secure security product, it will either move the file to the quarantine, where it cannot spread or cause harm, or remove it.\r\nA False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:\r\nCheck for the latest database updates\r\nFirst, check if your F-Secure security program is using the latest updates, then try scanning the file again.\r\nSubmit a sample\r\nAfter checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.\r\nNote: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.\r\nExclude a file from further scanning\r\nIf you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.\r\nNote: You need administrative rights to change the settings.\r\nTechnical Details\r\nhttps://www.f-secure.com/v-descs/backdoor_w32_hupigon_emv.shtml\r\nPage 1 of 5\r\nThis backdoor is detected as a member of the Hupigon family. The Backdoor:W32/Hupigon description provides additional details.\r\nCopies itself to:\r\n%Windows%\\dllhost.exe\r\n%Windows%\\setuprs1.PIF\r\nReplicates these original Windows applications with an additional \"EXE\" extension:\r\n%Windows%\\system32\\cmd.exe to %Windows%\\system32\\cmd.exe.exe\r\n%Windows%\\regedit.exe to %Windows%\\regedit.exe.exe\r\nHupigon.EMV attempts to disable/redirect Windows applications using the following registry entries:\r\nHKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\cmd.exe\r\nDebugger = setuprs1.PIF\r\nHKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\regedit.exe\r\nDebugger = setuprs1.PIF\r\nHKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\regedt32.exe\r\nDebugger = setuprs1.PIF\r\nHKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\msconfig.exe\r\nDebugger = 7303.PIF\r\nRegisters itself as a Windows COM+ System Application service using these registry entries:\r\nHKLM\\System\\CurrentControlSet\\Services\\COMSystemApp Type = 00000110\r\nHKLM\\System\\CurrentControlSet\\Services\\COMSystemApp ErrorControl = 00000000\r\nHKLM\\System\\CurrentControlSet\\Services\\COMSystemApp ImagePath = C:\\WINDOWS\\dllhost.exe -netsvcs\r\nHKLM\\System\\CurrentControlSet\\Services\\COMSystemApp DisplayName = COM+ System Applications\r\nAttempts to locate and terminate the following processes:\r\n360tray.exe\r\nautoruns.exe\r\navp.exe\r\navpcc.exe\r\ncpf.exe\r\newido.exe\r\nFireTray.exe\r\nFireWall.exe\r\nFYFireWall.exe\r\njpf.exe\r\nkav.exe\r\nKAVPF.exe\r\nKavPFW.EXE\r\nkpf4gui.exe\r\nKPFW32.EXE\r\nKVCenter.kxp\r\nKvMonXP.kxp\r\nKVXP.kxp\r\nMcAfeeFire.exe\r\nmmc.exe\r\noutpost.exe\r\nPFW.exe\r\nprocexp.exe\r\nRas.exe\r\nRfwMain.EXE\r\nRRfwMain.EXE\r\nruniep.exe\r\nssgui.exe\r\nSysSafe.exe\r\nTrojDie.kxp\r\nWoptiProcess.exe\r\nAttempts to close windows containing these strings:\r\nZoneAlarm\r\nZoneAlarm Pro\r\nAttempts to connect to 218.16.138.64 on TCP port 81.\r\nPropagation\r\nIt attempts to propagate by creating \"\\runauto..\\autorun.pif\" and \"\\autorun.inf\" on all available drives, including removable drives. The autorun.inf file is detected as Worm.Win32.AutoRun.dms. The autorun.inf appears as (the menu labels are GBK-encoded Chinese, shown here decoded):\r\n[AutoRun]\r\nopen=RUNAUT~1\\autorun.pif\r\nshell\\1=打开(\u0026O)\r\nshell\\1\\Command=RUNAUT~1\\autorun.pif\r\nshell\\2\\=浏览(\u0026B)\r\nshell\\2\\Command=RUNAUT~1\\autorun.pif\r\nshellexecute=RUNAUT~1\\autorun.pif\r\nTo make sure it will only run once, the mutex \"Red_Server_2007\" is created.\r\nFile System Changes\r\nCreates these directories:\r\n%drive%\\runauto..\\",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.f-secure.com/v-descs/backdoor_w32_hupigon_emv.shtml"
	],
	"report_names": [
		"backdoor_w32_hupigon_emv.shtml"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434906,
	"ts_updated_at": 1775826780,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/98a80839238517252242709c08b95bc1fb73e139.pdf",
		"text": "https://archive.orkl.eu/98a80839238517252242709c08b95bc1fb73e139.txt",
		"img": "https://archive.orkl.eu/98a80839238517252242709c08b95bc1fb73e139.jpg"
	}
}