{
	"id": "ba6c424d-4efb-4a1a-b59a-fafdcf15e6c3",
	"created_at": "2026-04-06T00:19:17.662081Z",
	"updated_at": "2026-04-10T03:20:16.133845Z",
	"deleted_at": null,
	"sha1_hash": "f07651cf05cea1e183ed8950a5b2965a7f38fad2",
	"title": "Spammers Revive Hancitor Downloader Campaigns",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 114614,
	"plain_text": "Spammers Revive Hancitor Downloader Campaigns\r\nBy Tom Spring\r\nPublished: 2017-01-11 · Archived: 2026-04-05 18:26:45 UTC\r\nA recent lull in the distribution of spam linking to the malicious downloader Hancitor has been snapped as researchers warn of new campaigns.\r\nA recent lull in the distribution of spam spreading information-stealing malware via the Hancitor downloader has been snapped.\r\nResearchers at the SANS Internet Storm Center are currently tracking an increase in spam purporting to be a forwarded parking ticket notification. The message prompts the recipient to click a link to pay a parking ticket; the hyperlink leads to a Microsoft Word document.\r\n“The document contains a malicious VB macro described as Hancitor, Chanitor or Tordal,” wrote Brad Duncan, handler at the SANS Internet Storm Center, in a blog post warning of the spam campaign. “If you enable macros, the document retrieves a Pony downloader DLL. The Pony downloader then retrieves and installs Vawtrak malware.”\r\nThere doesn’t appear to be anything unique about the Word document and its standard ploy of pushing recipients to “enable content” and run a malicious macro. An analysis of the link in the phishing e-mail shows that it contains a base64-encoded string representing the recipient’s address. Using that string, the attackers insert the recipient’s name into the filename of the Word document.\r\n“I used a base64 string for bert@shotts123.com (a made-up name/address) and received a file named parking_bert.doc,” Duncan said.\r\nOther aspects of the spam campaign are similar to previous waves of Hancitor-related spam reported in 2016 by Palo Alto Networks and FireEye. “Pattern-wise, URLs from this infection are similar to previous cases of Hancitor/Pony/Vawtrak malspam reported during the past two or three months,” Duncan wrote.\r\nIn August, Palo Alto Networks identified a variant of the Hancitor downloader that shifted away from leveraging the latest incarnation of H1N1 and distributed the Pony and Vawtrak executables. In September, FireEye reported that the way Hancitor’s payload was delivered differed from previous iterations. Researchers said the downloader had shifted to depend on native Windows API callback functions to execute shellcode.\r\nWhile malicious Hancitor campaigns fluctuate in volume, researchers say overall spam-based macro attacks are on the rise. In a study released in October, Microsoft said incidents of macro-based malware hiding in Office documents have steadily been on the rise. In the enterprise, Microsoft reports, 98 percent of Office-targeted threats still use old-school macro-based attacks.\r\n“We often become jaded as yet another wave of malspam does the same thing it’s done before. Patterns behind such activity are often well-documented. So why bother with discussion, if there’s nothing new?” Duncan wrote. “That attitude only encourages the criminal groups behind malspam.”\r\nDuncan notes that there are a number of technical means to prevent these types of infections, such as the new protections for the Microsoft Office suite introduced in October.\r\nSource: https://threatpost.com/spammers-revive-hancitor-downloader-campaigns/123011/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://threatpost.com/spammers-revive-hancitor-downloader-campaigns/123011/"
	],
	"report_names": [
		"123011"
	],
	"threat_actors": [],
	"ts_created_at": 1775434757,
	"ts_updated_at": 1775791216,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f07651cf05cea1e183ed8950a5b2965a7f38fad2.pdf",
		"text": "https://archive.orkl.eu/f07651cf05cea1e183ed8950a5b2965a7f38fad2.txt",
		"img": "https://archive.orkl.eu/f07651cf05cea1e183ed8950a5b2965a7f38fad2.jpg"
	}
}