{
	"id": "a3d3b385-6325-4d1d-8ebc-f391683782a8",
	"created_at": "2026-04-06T01:29:23.003962Z",
	"updated_at": "2026-04-10T03:21:40.868579Z",
	"deleted_at": null,
	"sha1_hash": "a4f5c9ac7a9288c3014f4fe05766dc435e334593",
	"title": "Hancitor and Ruckguv Reappear, Updated and With Vawtrak On Deck | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 240489,
	"plain_text": "Hancitor and Ruckguv Reappear, Updated and With Vawtrak On\r\nDeck | Proofpoint US\r\nBy May 12, 2016 Axel F, Matthew Mesa\r\nPublished: 2016-05-12 · Archived: 2026-04-06 01:18:52 UTC\r\nOverview\r\nProofpoint researchers have recently observed the re-emergence of two malware downloaders that had largely\r\ndisappeared for several months. Hancitor (also known as Tordal and Chanitor) and Ruckguv have reappeared in\r\ncampaigns distributing Pony and Vawtrak with significant updates and increased functionality. We have also been\r\ntracking an actor experimenting with various loaders, providing insights into these evolving components of\r\nmalware ecosystems.\r\nHancitor Analysis\r\nStarting on April 28, we observed one of the Vawtrak actors (using ID 80, 81, 82) utilizing an updated version of\r\nthe Hancitor downloader. The last time that we saw this downloader used by one of the Vawtrak affiliates was\r\nApril 2015, when it was downloading an older version of Vawtrak. We believe this is the same actor now using the\r\nupdated downloader.\r\nIn this case, the Hancitor loader is dropped by a macro in the Microsoft Word email attachment. 
Hancitor, in turn, downloads a Pony module and Vawtrak.\r\nhttps://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear\r\nPage 1 of 10\r\nFigure 1: Example email spreading Vawtrak on April 28 via the new loader; the subject is “FW: debt fax from [company name]” and the attachment is 175415626.doc (random numbers)\r\nIn the year since we last observed the downloader in Proofpoint data, Hancitor has been overhauled and updated. Notable changes and functionality include:\r\nA rewrite of the network communication protocol\r\nThe ability to download and execute a Pony DLL module (and perhaps any DLL) from within the Hancitor process\r\nBefore this update, the Hancitor command-and-control (C\u0026C) check-in (such as with sample MD5: f472c00abef3324460989972362458e1) used a pipe-separated POST data format such as “\u003cGUID\u003e|\u003cBUILD\u003e|\u003cPCINFO\u003e|\u003cIP\u003e”. The updated Hancitor submits similar information to the C\u0026C, but in a different format. Specifically, the new POST data format is “GUID=\u0026BUILD=\u0026INFO=\u0026IP=\u0026TYPE=1\u0026WIN=”.\r\nFigure 2: Example Hancitor C\u0026C check-in\r\nParameter | Description\r\nGUID | A 19-digit identifier generated with the UuidCreate Windows API (in early versions of the updated Hancitor) or derived from the output of the GetAdaptersAddresses Windows API (latest version seen on May 10).\r\nBUILD | A hardcoded 4-digit number that appears to represent the software version. These are not updated in sequential order. Observed build numbers include 2804 and 0905.\r\nINFO | The computer name, account name, and domain in the “[computer name] @ [domain]\\[account]” format.\r\nIP | External IP address of the infected machine, determined from api.ipify[.]org.\r\nTYPE | Hardcoded value set to “1”.\r\nWIN | Windows major and minor versions, followed by the system architecture in the “[major].[minor] ([architecture])” format, where architecture is x32 or x64.\r\nTable 1: Explanation of the parameters submitted to the C\u0026C server by the updated Hancitor\r\nIn response to the infected client check-in, the C\u0026C server can respond with a series of JSON-formatted commands for the client to perform, formatted as shown in Figure 2. The meaning of each command is explained in Table 2.\r\nCommand | Description\r\n{r:[URL]} | Download and run an executable from URL\r\n{u:} | Unimplemented\r\n{d:} | Terminate malware process and delete backing file\r\n{l:[URL]} | Download module (DLL) from a URL, write it to current process memory, and execute it\r\n{n:} | Nothing to do\r\nTable 2: Commands sent by the C\u0026C server\r\nThe ability to download and execute a DLL module from within the Hancitor process is a new function of the updated malware. The DLL is downloaded to heap memory, written directly into the Hancitor process (using VirtualAllocEx and WriteProcessMemory) and executed from there using the CreateThread Windows API. Thus, the module is not written to the disk, and no files or persistence mechanisms are created for it. So far, we have observed only Pony downloaded as a module, but other DLLs could be loaded similarly. 
\r\nFigure 3: Module DLL written to the current process and executed from there\r\nFigure 4: Pseudocode showing Hancitor downloading a DLL module, writing it to current process memory, and executing it\r\nRuckguv Analysis\r\nOn May 4, shortly after the updated Hancitor was first seen downloading Vawtrak, the same actor was observed using a new version of the Ruckguv downloader. Before this, the last time that we saw this downloader was in December 2015, loading a Cryptowall payload. Similar to the updated Hancitor, the updated Ruckguv was dropped by a macro in the Word document. Ruckguv, in turn, downloaded a Pony module and Vawtrak.\r\nFigure 5: Example email spreading Vawtrak on May 4 via the new loader; the subject is “FW: [company website] irs notification” and the attachment is irs_468718228.doc (random numbers)\r\nSince we last saw the downloader in Proofpoint data, Ruckguv has also been overhauled and updated. Notable changes and new malware features include:\r\nPayload URLs are no longer encoded with ROT13\r\nThe downloaded payload is written to the system under one possible file name instead of three\r\nMore robust download code, instead of simply calling the URLDownloadToFileA API\r\nThe ability to download and run a Pony DLL as a module\r\nThe old version of Ruckguv (for example, MD5: 1c319670a717305f7373c8529092f8c3) encoded the payload URLs stored in the malware binary with ROT13 and decoded them at run-time. This is no longer the case, but other strings, such as the DLL names used by the malware, are now ROT13-encoded instead.\r\nThe downloaded payload is now written to the %APPDATA%\\csrss_[volume_serial].exe file, where volume_serial is an eight-character string generated with GetVolumeInformationA. 
Previously, the payload was also written to the %APPDATA% folder, but with one of three possible filenames: csrss_nn.exe, WindowsDriver_nn.exe, or Frifox_nn.exe, where nn was a random two-digit number.\r\nFigure 6: Code snippet showing filename generation for the downloaded payload\r\nThe old version of the malware simply downloaded the payload with the URLDownloadToFileA Windows API, which “downloads bits from the Internet and saves them to a file.” The new version reworked that functionality to instead use the InternetOpen, InternetOpenUrl, CreateFile, and WriteFile functions. The use of these functions allows for further customization, such as setting the User-Agent to “Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)”. Additionally, the downloaded file size is now checked; if it is less than 2,000 bytes, it is considered a failed download and the loader attempts an alternative download location. This check may incidentally or intentionally help against white hat hackers who alter or neuter the malware payload sites, such as those described in the “STUPID LOCKY” incident [2].\r\nFigure 7: Code snippet showing the attempt to download the payload from an initial location, followed by a download file size check\r\nFinally, the updated Ruckguv added the ability to download and run a DLL (we have only observed a Pony DLL being downloaded so far). The DLL is downloaded to the %APPDATA%\\wsrv_[volume_serial].dll location. The DLL is encrypted with a 10-byte RC4 key (“NJB#6452^\u0026” in our sample). 
The DLL file is then read with ReadFile and executed from within the parent Ruckguv process by allocating memory, writing it to the parent process and jumping to its entry point.\r\nFigure 8: Code snippet showing the DLL file name generation and DLL download\r\nOther Loaders and Actor Details\r\nThis Vawtrak actor has also been experimenting with H1N1 Loader as the initial payload dropped by macro documents. Like the other loaders discussed, it is used to download a Pony DLL and a Vawtrak executable. However, H1N1 can also steal credentials. H1N1 also received updates recently, which are discussed on the KernelMode forums [1].\r\nThe Vawtrak botnet IDs described here (80, 81, and 82) target primarily U.S. financial organizations with their injects, although a few Canadian and UK organizations have also been targeted. Previously, a typical campaign would consist of only a handful of unique documents and several hundred thousand email messages. Starting in April, the actor began using many unique documents for their campaigns, some days using as many as tens of thousands of documents, likely as an attempt to evade detection. We first observed this Vawtrak variant last September. It’s notable for its modularity (it included a Pony stealer, a debug module, an inject module, and a back connect module).\r\nVawtrak may also download TinyLoader, which we have previously observed installing AbaddonPOS malware. We have also recently observed Vawtrak downloading the spambot used to send these campaigns (Send-Safe Enterprise Mailer).\r\nConclusion\r\nMalware loaders often don't receive the same attention as their payload malware. Yet loaders like Hancitor, Ruckguv, Pony, and others are critical parts of the malware ecosystem. 
Not only are they incorporating increasing functionality on their own, but they also help threat actors evade detection because of their small download size. They also increase actors' flexibility, allowing them to rapidly swap out payloads as campaigns evolve or differentiate payloads by geolocation, IP, or other instructions provided by C\u0026C infrastructure. To that end, updates to loaders bear watching for anyone looking to stay ahead of savvy actors.\r\nReferences\r\n1. http://www.kernelmode.info/forum/viewtopic.php?f=16\u0026t=3851\r\n2. https://blog.avira.com/im-with-stupid-locky/\r\nIndicators of Compromise (IOC)\r\nSelect ET Signatures that would fire on such traffic:\r\n2819959 || ETPRO TROJAN Hancitor Dropper Checkin\r\n2819978 || ETPRO TROJAN Tordal/Hancitor/Chanitor\r\n2021997 || ET POLICY External IP Lookup api.ipify.org\r\n2014411 || ET TROJAN Fareit/Pony Downloader Checkin 2\r\n2022225 || ET TROJAN Vawtrak HTTP CnC Beacon\r\n2813060 || ETPRO TROJAN Vawtrak Retrieving Module\r\nSource: https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear"
	],
	"report_names": [
		"hancitor-ruckguv-reappear"
	],
	"threat_actors": [],
	"ts_created_at": 1775438963,
	"ts_updated_at": 1775791300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a4f5c9ac7a9288c3014f4fe05766dc435e334593.pdf",
		"text": "https://archive.orkl.eu/a4f5c9ac7a9288c3014f4fe05766dc435e334593.txt",
		"img": "https://archive.orkl.eu/a4f5c9ac7a9288c3014f4fe05766dc435e334593.jpg"
	}
}