S1097 HUI Loader
HUI Loader is a custom DLL loader that has been used since at least 2015 by China-based threat groups including Cinnamon Tempest and menuPass to deploy malware on compromised hosts. HUI Loader has been observed in campaigns loading SodaMaster, PlugX, Cobalt Strike, Komplex, and several strains of ransomware.[1]
| Item | Value |
|---|---|
| ID | S1097 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 22 December 2023 |
| Last Modified | 02 January 2024 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1140 | Deobfuscate/Decode Files or Information | HUI Loader can decrypt and load files containing malicious payloads.[1] |
| enterprise | T1574 | Hijack Execution Flow | - |
| enterprise | T1574.001 | DLL | HUI Loader can be deployed to targeted systems via legitimate programs that are vulnerable to DLL search order hijacking.[1] |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.006 | Indicator Blocking | HUI Loader has the ability to disable Event Tracing for Windows (ETW) and Antimalware Scan Interface (AMSI) functions.[1] |
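The T1574.001 entry above describes the loader arriving through a legitimate program that resolves a DLL from its own directory before the system directory. One defender-side check for that pattern, written as an added example that is not part of the ATT&CK entry, scans Sysmon Event ID 7 (ImageLoad) records for a DLL whose file name matches a well-known system DLL but which was loaded from outside the Windows system directories. The sample events, the list of DLL names and the CSV layout are constructed for illustration; the field names `Image`, `ImageLoaded` and `Signed` are the ones Sysmon emits for that event.

```python
"""Flag possible DLL search-order hijacking in Sysmon ImageLoad (Event ID 7) records.

Added example for illustration; the events below are constructed, not from any real incident.
"""
import csv
import io
from pathlib import PureWindowsPath

# Constructed sample of Sysmon Event ID 7 records flattened to CSV.
# Rows 2 and 4 show a system-DLL name resolved from the executable's own directory.
SAMPLE_EVENTS = """\
Image,ImageLoaded,Signed
C:\\Windows\\System32\\svchost.exe,C:\\Windows\\System32\\version.dll,true
C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe,C:\\Users\\alice\\AppData\\Local\\Temp\\version.dll,false
C:\\Program Files\\Vendor\\tool.exe,C:\\Program Files\\Vendor\\vendor.dll,true
C:\\Users\\bob\\Downloads\\legit.exe,C:\\Users\\bob\\Downloads\\dbghelp.dll,false
"""

# DLL names that the Windows loader is normally expected to resolve from the
# system directory. This is an illustrative subset, not an exhaustive list.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "cryptbase.dll", "wininet.dll"}

# Directories from which those DLLs are legitimately loaded.
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")


def is_system_dir(path: str) -> bool:
    """True if the given directory is one of the Windows system directories."""
    return path.lower().rstrip("\\") in SYSTEM_DIRS


def find_sideload_candidates(csv_text: str) -> list:
    """Return (Image, ImageLoaded, Signed) for loads that look like search-order hijacks.

    A record is flagged when the loaded file name is a known system DLL name,
    it was not loaded from a system directory, and it sits in the same directory
    as the executable that loaded it (the classic sideloading layout).
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        loaded = PureWindowsPath(row["ImageLoaded"])
        image = PureWindowsPath(row["Image"])
        if loaded.name.lower() not in SYSTEM_DLL_NAMES:
            continue
        loaded_dir = str(loaded.parent)
        if is_system_dir(loaded_dir):
            continue
        if loaded_dir.lower() == str(image.parent).lower():
            findings.append((row["Image"], row["ImageLoaded"], row["Signed"]))
    return findings


if __name__ == "__main__":
    for image, dll, signed in find_sideload_candidates(SAMPLE_EVENTS):
        print(f"possible DLL sideload: {image} loaded {dll} (signed={signed})")
```

The `Signed` field is carried through rather than used as a filter: an unsigned copy of a system DLL name next to a signed executable is the strongest signal, but a signed-but-stolen certificate would otherwise slip past, so it is better left to the analyst. On a real host this check should also be paired with ETW and AMSI health monitoring, since the T1562.006 entry notes the loader disables both once running.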
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G1021 | Cinnamon Tempest | [1][2] |
| G0045 | menuPass | [1] |