HyperBro
HyperBro is a remote access trojan/backdoor used in multiple Chinese-linked espionage campaigns and observed across numerous operations alongside malware families such as PlugX, ShadowPad, China Chopper, and Cobalt Strike. The content describes HyperBro as an evolved version of HttpBrowser and states that the Iron Tiger APT group has used it since at least 2017, while LuckyMouse/APT27 is also commonly associated with it and has reportedly used it since at least 2013. UNC215 is described as deploying HYPERBRO after initial intrusion stages, using it for richer information collection including screen capture and keylogging.
Documented capabilities include executing shellcode injected into a newly created process, taking screenshots, listing all services and their configurations, starting and stopping specified services, deleting specified files, packing its payload, and executing applications or scripts via CreateProcessW or ShellExecuteW. The malware has also been described as operating in an in-memory state to minimize disk artifacts, and as being used to maintain persistence and enable remote administration on compromised systems.
Observed delivery and execution methods include DLL side-loading and trojanized software installers. ESET reported that the Able Desktop chat application and likely its compromised update mechanism were used in Mongolia to deliver HyperBro, including via legitimate executables such as Symantec IntgStat.exe and McAfee siteadv.exe that side-loaded malicious DLLs to decrypt, decompress, and run the payload. Trojanized Able Desktop installers bundled HyperBro as a payload, and legitimate Able Desktop updates were observed downloading and executing HyperBro beginning in mid-2018. In another intrusion described by CISA, actors exploiting Microsoft Exchange vulnerabilities in 2021 later installed HyperBro on the Exchange server and two additional systems in a Defense Industrial Base environment.
Targeting mentioned in the content includes Mongolian government-related organizations through the Able Desktop supply-chain/update abuse, Russian, Georgian, and Mongolian organizations in broader Chinese-linked espionage contexts, and a Defense Industrial Base sector organization. Known command-and-control indicators directly cited in the content for HyperBro samples include https://developer.firefoxapi[.]com/ajax and https://139.180.208[.]225/ajax.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
Although LuckyMouse has been spotted using a widely used Microsoft Office vulnerability (CVE-2017-11882) to weaponize Office documents in the past, researchers have no proofs of this technique being used in this particular attack against the data center.
Groups observed using it
5 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
As the payload embedded in the installers, the researchers name the HyperBro and Korplug (PlugX) backdoors.
ESET researchers discovered that chat software called Able Desktop ... was used to deliver the HyperBro backdoor (commonly used by LuckyMouse) ... In mid-2018, we observed a first occurrence of the legitimate Able Desktop application being used to download and execute HyperBro.
UNC215 often uses FOCUSFJORD for the initial stages of an intrusion, and then later deploys HYPERBRO, which has more information collection capabilities such as screen capture and keylogging.
The same benign vfhost.exe file has also been abused in activity we attribute to... TAG-67 ... to load HyperBro through a similar low-prevalence DLL search order hijacking triad.
"...tools would attempt to infect users with HyperBro, a remote access trojan that operated via an 'in-memory' state, leaving minimal traces on disk..."
Techniques & procedures
27 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
2 techniques
Initial Access
3 techniques
“...redirected users to malicious sites hosting exploitation tools such as ScanBox and BEeF...” | “...used access to the data center to add JavaScript code to government sites, which redirected users to malicious sites...”
Execution
4 techniques
"ADVSTORESHELL is capable of starting a process using CreateProcess"; "build_downer has the ability to use the WinExec API"; "Aria-body has the ability to launch files using ShellExecute"
"Anchor can create and execute services to load its payload"; "APT32's backdoor has used Windows services as a way to execute its malicious payload"; "Ragnar Locker has used sc.exe to execute a service that it creates"; "Shamoon creates a new service named 'ntssrv' to execute the payload"
In the past, SysUpdate was loaded in memory by a known method involving three files: One legitimate executable, sometimes signed, and vulnerable to dynamic-link library (DLL) sideloading; One malicious DLL loaded by the legitimate file; One binary file usually containing obfuscated code, unpacked in memory by the malicious DLL.
Privilege Escalation
3 techniques
The content repeatedly describes malware and threat actors injecting shellcode, DLLs, or payloads into legitimate processes such as svchost.exe, explorer.exe, iexplore.exe, cmd.exe, lsass.exe, and browser processes.
MITRE ATT&CK Techniques list includes "T1055.003 ... Thread Execution Hijacking"
GuLoader has the ability to inject shellcode into donor processes that is started in a suspended state. Cardinal RAT injects into a newly spawned process created from a native Windows executable. Pandora can start and inject code into a new svchost process. ShadowPad has injected an install module into a newly created process.
Stealth
11 techniques
The content repeatedly describes payloads, strings, configuration files, scripts, URLs, and binaries being obfuscated or encoded using Base64, XOR, RC4, AES, RSA, hex encoding, custom algorithms, and other methods across many malware families and threat actors.
"Sandworm Team used UPX to pack a copy of Mimikatz"; "APT38 has used several code packing methods such as Themida, Enigma, VMProtect, and Obsidium"; "Lazarus Group packed malicious .db files with Themida to evade detection."
Examples throughout the content include 'encrypted payloads decrypted and executed in memory,' 'encrypts its configuration file,' 'AES-encrypted resource,' 'RC4 encrypted embedded scripts,' and 'payload includes an encrypted main component.'
The launcher starts by instantiating the CLoadInfo object... Directory to copy all files %PROGRAMDATA%\Test\ ... Name of the legitimate executable dlpumgr32.exe ... Lastly, the launcher starts a suspended process with the command line “C:\Windows\system32\svchost.exe -k LocalServices,” and injects the appropriate shellcode into it.
The content repeatedly describes malware and threat actors injecting shellcode, DLLs, or payloads into legitimate processes such as svchost.exe, explorer.exe, iexplore.exe, cmd.exe, lsass.exe, and browser processes.
MITRE ATT&CK Techniques list includes "T1055.003 ... Thread Execution Hijacking"
GuLoader has the ability to inject shellcode into donor processes that is started in a suspended state. Cardinal RAT injects into a newly spawned process created from a native Windows executable. Pandora can start and inject code into a new svchost process. ShadowPad has injected an install module into a newly created process.
The content repeatedly describes threat actors and malware deleting files, tools, scripts, logs, droppers, staged data, and artifacts from compromised systems to cover tracks, remove evidence, or self-delete.
The content repeatedly describes malware and threat actors decoding, decrypting, or deobfuscating payloads, strings, configuration data, commands, and C2 traffic prior to execution or use, e.g., 'APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload' and 'Action RAT can use Base64 to decode actor-controlled C2 server communications.'
In the past, SysUpdate was loaded in memory by a known method involving three files: One legitimate executable, sometimes signed, and vulnerable to dynamic-link library (DLL) sideloading; One malicious DLL loaded by the legitimate file; One binary file usually containing obfuscated code, unpacked in memory by the malicious DLL.
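A hunting check for the two delivery patterns quoted above (the three-file side-loading triad and the suspended svchost.exe used as an injection host), written here as an added example and not code from this page or any vendor report. It assumes Sysmon-style ImageLoad and ProcessCreate events exported as newline-delimited JSON with Image, ImageLoaded, Signed, ParentImage and CommandLine fields; the sample events and the DLL name helper.dll are constructed.

```python
import json
from pathlib import PureWindowsPath

# Legitimate executables this page names as DLL side-loading hosts for HyperBro
# (assumption: telemetry reports the plain file name in the Image field).
SIDELOAD_HOSTS = {"intgstat.exe", "siteadv.exe", "vfhost.exe", "dlpumgr32.exe"}
# Where a signed vendor binary normally lives; a copy anywhere else is worth a look.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def flag_sideload(ev):
    """ImageLoad event: a known host exe loads an unsigned DLL from its own directory."""
    host, dll = PureWindowsPath(ev["Image"]), PureWindowsPath(ev["ImageLoaded"])
    if host.name.lower() not in SIDELOAD_HOSTS or dll.suffix.lower() != ".dll":
        return None
    if ev.get("Signed", "false").lower() == "true":
        return None
    if str(host.parent).lower() != str(dll.parent).lower():
        return None
    if str(host).lower().startswith(TRUSTED_DIRS):
        return None
    return f"side-load: {host.name} loaded unsigned {dll.name} from {host.parent}"

def flag_svchost_parent(ev):
    """ProcessCreate event: svchost.exe whose parent is not services.exe."""
    image = PureWindowsPath(ev["Image"]).name.lower()
    parent = PureWindowsPath(ev["ParentImage"]).name.lower()
    if image == "svchost.exe" and parent != "services.exe":
        return f"injection host: svchost.exe spawned by {parent} ({ev['CommandLine']})"
    return None

def hunt(lines):
    """Run both checks over newline-delimited JSON events; return the alert strings."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        check = flag_sideload if ev["EventType"] == "ImageLoad" else flag_svchost_parent
        hit = check(ev)
        if hit:
            hits.append(hit)
    return hits

# Constructed sample events (not real telemetry); helper.dll is a placeholder name.
SAMPLE_EVENTS = [
    r'{"EventType":"ImageLoad","Image":"C:\\ProgramData\\Test\\dlpumgr32.exe","ImageLoaded":"C:\\ProgramData\\Test\\helper.dll","Signed":"false"}',
    r'{"EventType":"ImageLoad","Image":"C:\\Program Files\\Symantec\\IntgStat.exe","ImageLoaded":"C:\\Windows\\System32\\kernel32.dll","Signed":"true"}',
    r'{"EventType":"ProcessCreate","Image":"C:\\Windows\\system32\\svchost.exe","ParentImage":"C:\\ProgramData\\Test\\dlpumgr32.exe","CommandLine":"C:\\Windows\\system32\\svchost.exe -k LocalServices"}',
    r'{"EventType":"ProcessCreate","Image":"C:\\Windows\\System32\\svchost.exe","ParentImage":"C:\\Windows\\System32\\services.exe","CommandLine":"C:\\Windows\\System32\\svchost.exe -k LocalService"}',
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert)
```

The svchost parent heuristic is a hunting lead, not a verdict: baseline it against your own fleet before alerting on it, and extend SIDELOAD_HOSTS with whatever signed binaries your own reports show being abused.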
Credential Access
1 technique
Discovery
1 technique
Collection
3 techniques
"Agent Tesla can capture screenshots of the victim’s desktop"; "AppleSeed can take screenshots on a compromised host"; "APT28 has used tools to take screenshots from victims"; "Cobalt Strike's Beacon payload is capable of capturing screenshots"; "PowerSploit's Get-TimedScreenshot Exfiltration module can take screenshots at regular intervals"; "Hydraq includes a component based on the code of VNC that can stream a live feed of the desktop"
Command and Control
4 techniques
The content repeatedly describes threat actors, malware, and campaigns using HTTP and/or HTTPS for command and control, including examples such as BlackEnergy communicating with C2 over HTTP POST requests and many other families using HTTP/S for C2.
“...hacked a MikroTik router to host the command and control server of the HyperBro RAT.”
IOCs tracked for this family
12 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
34 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A malware family referenced as one of several shared tools appearing across multiple Chinese APT campaigns.
HyperBro is a remote access trojan used in targeted attacks, often associated with espionage operations.
Remote access trojan that injects shellcode into newly created processes and executes it.
Backdoor referenced as co-occurring with Zupdax/Tmanger/ShadowPad in the Able Desktop supply-chain operation; code/infrastructure intersections discussed in relation to Bronze Union (APT27) attribution.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.