HTTPBrowser
HTTPBrowser is a remote access trojan (RAT) believed to have Chinese origins and reported as used by certain Chinese intrusion groups. It has been associated with BRONZE UNION / Emissary Panda / APT27 and with Wekby / APT18 / Dynamite Panda. Reported capabilities include keystroke capture and spawning a reverse shell on victim systems.

HTTPBrowser has used HTTP and HTTPS for command and control, and at least one Wekby campaign used an obfuscated variant that communicated via DNS TXT records as a covert control channel; in that campaign the actors referred to the malware as "Token Control." Typical HTTPBrowser traffic was described as HTTP with the user-agent string HTTPBrowser/1.0.

Documented infection and execution methods include strategic web compromises, phishing lures themed as IT helpdesk VPN/Citrix upgrades, and DLL side-loading / DLL search-order hijacking. One documented installer dropped a malicious DLL named navlu.dll, masquerading as a legitimate Symantec DLL, to decrypt and run the RAT; the malware also deleted its original installer after installation. In the Wekby campaign, installers downloaded from phishing URLs installed the malware as %APPDATA%\wdm.exe and established persistence via HKCU\Software\Microsoft\Windows\CurrentVersion\Run using a value such as wdm; earlier samples reportedly used a Run value for 360v.

Observed DNS-based C2 domains in the cited campaign included glb.it-desktop.com, local.it-desktop.com, and hi.getgo2.com. Related phishing URLs included hXXp://it-desktop[.]com/vpn/cisco/vpnclient.exe and hXXp://wangke99[.]tgk[.]delldns[.]com/tools.exe. Referenced sample hashes included d0f79de7bd194c1843e7411c473e4288, e5414c5215c9305feeebbe0dbee43567, and 985eba97e12c3e5bce9221631fb66d68.
Groups observed using it
2 distinct threat actors attributed by public researchers.
BRONZE UNION previously used this technique to enable execution of PlugX and HttpBrowser tools in a way that is challenging for network defenders to detect.
"...either the well-known ‘PlugX’ or ‘HttpBrowser’ RAT, a tool which is believed to have Chinese origins and to be used only by certain Chinese hacking groups."
Techniques & procedures
14 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution
3 techniques
The content repeatedly describes use of cmd.exe, cmd /c, Windows command shell, and xp_cmdshell to execute commands, run payloads, launch binaries, perform reconnaissance, persistence, cleanup, and ransomware actions. Examples include: 'Sandworm Team used the xp_cmdshell command in MS-SQL', 'APT41 used cmd.exe /c to execute commands on remote machines', and many malware families 'can use cmd.exe to execute commands on a compromised host.'
Many entries explicitly state malware 'can create a reverse shell' or 'launch a remote shell,' including 4H RAT, AuditCred, BLACKCOFFEE, Carbanak, DarkComet, Exaramel for Windows, PlugX, QuasarRAT, and ZxShell.
“find the addresses of LoadLibrary and GetProcAddress to load all the necessary functions dynamically.”
Persistence
1 technique
The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or .bat files in the Windows Startup folder.
Privilege Escalation
1 technique
The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or .bat files in the Windows Startup folder.
Stealth
5 techniques
The content repeatedly describes malware and threat actors using obfuscated code, encrypted strings, Base64/XOR/RC4/AES encoding, VMProtect/ConfuserEx/SmartAssembly, stack strings, control-flow flattening, opaque predicates, and hidden payloads to evade analysis and detection.
During the 2016 Ukraine Electric Power Attack, DLLs and EXEs with filenames associated with common electric power sector protocols were used to masquerade files.
Akira has used legitimate names and locations for files to evade defenses.
The content repeatedly describes threat actors and malware deleting files, tools, scripts, logs, droppers, staged data, and artifacts from compromised systems to cover tracks, remove evidence, or self-delete.
Credential Access
1 technique
Discovery
1 technique
“3PARA RAT has a command to retrieve metadata for files on disk as well as a command to list the current working directory… admin@338 actors used… dir c:\ >> %temp%\download … APT28 has used Forfiles to locate PDF, Excel, and Word documents…”
Collection
1 technique
Command and Control
4 techniques
The content repeatedly describes threat actors, malware, and campaigns using HTTP and/or HTTPS for command and control, including examples such as BlackEnergy communicating with C2 over HTTP POST requests and many other families using HTTP/S for C2.
4H RAT has the capability to create a remote shell. AuditCred can open a reverse shell on the system to execute commands. PlugX allows actors to spawn a reverse shell on a victim. QuasarRAT can launch a remote shell to execute commands on the victim’s machine.
IOCs tracked for this family
1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
11 sources tracked across advisories, community write-ups, and news.
Chinese-origin remote access trojan referenced as a common payload for Emissary Panda; the newly described in-development tool is assessed to share code/ties with HttpBrowser developers.
A malware tool used by BRONZE UNION and executed via DLL side-loading to evade detection.
A tool used by BRONZE UNION to maintain access and facilitate operations within victim environments; the source does not provide deeper technical detail.
Backdoor/RAT used by Wekby that is delivered via phishing lures (e.g., fake VPN/Citrix upgrades). It installs to %APPDATA%\wdm.exe, establishes persistence via HKCU\Software\Microsoft\Windows\CurrentVersion\Run, and in this campaign uses DNS TXT records as a covert C2 channel (instead of its more typical HTTP communications with user-agent HTTPBrowser/1.0). The sample also uses heavy obfuscation including ROP-based control-flow manipulation and many NOP-like functions to hinder analysis.
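The indicators in this profile (the HTTPBrowser/1.0 user-agent, the DNS TXT C2 domains, the %APPDATA%\wdm.exe install path and the wdm / 360v Run-key values, and the phishing hosts) can be turned into a small hunting script. The following Python is an added example, not code from Mallory or from any of the cited reports; the three log line formats it parses (proxy, dns, reg) are constructed for the example and are not any vendor's real schema, and the sample log lines are likewise constructed. Phishing hosts are written undefanged so they match what a proxy log would actually contain.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List
from urllib.parse import urlsplit

# Indicators taken from the profile above. The sample hashes are left out:
# file-hash matching belongs to a different pipeline than log hunting.
HTTPBROWSER_UA = "HTTPBrowser/1.0"
DNS_C2_DOMAINS = {"glb.it-desktop.com", "local.it-desktop.com", "hi.getgo2.com"}
PHISHING_HOSTS = {"it-desktop.com", "wangke99.tgk.delldns.com"}
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAMES = {"wdm", "360v"}
# %APPDATA%\wdm.exe, either unexpanded or expanded to ...\AppData\Roaming\wdm.exe
INSTALL_PATH_RE = re.compile(r"(?:%APPDATA%|\\AppData\\Roaming)\\wdm\.exe$", re.IGNORECASE)

# Constructed log formats (assumption for this example, not a real schema):
#   <ts> <src_ip> proxy <method> <url> ua="<user-agent>"
#   <ts> <src_ip> dns <qtype> <qname>
#   <ts> <src_ip> reg key="<key>" value="<name>" data="<data>"
KV_RE = re.compile(r'(\w+)="([^"]*)"')


@dataclass
class Finding:
    host: str    # source IP the event came from
    rule: str    # which indicator matched
    detail: str  # the matched URL, domain or registry value


def _domain_matches(qname: str, domains: set) -> bool:
    """True if qname equals one of the domains or is a subdomain of one."""
    q = qname.rstrip(".").lower()
    return any(q == d or q.endswith("." + d) for d in domains)


def check_line(line: str) -> List[Finding]:
    parts = line.split(maxsplit=3)
    if len(parts) < 4:
        return []
    _ts, src, kind, rest = parts
    out: List[Finding] = []
    if kind == "proxy":
        kv = dict(KV_RE.findall(rest))
        fields = rest.split()
        url = fields[1] if len(fields) > 1 else ""
        if kv.get("ua") == HTTPBROWSER_UA:
            out.append(Finding(src, "httpbrowser_user_agent", url))
        if _domain_matches(urlsplit(url).hostname or "", PHISHING_HOSTS):
            out.append(Finding(src, "httpbrowser_phishing_host", url))
    elif kind == "dns":
        fields = rest.split()
        if len(fields) >= 2:
            qtype, qname = fields[0], fields[1]
            # The Wekby variant used TXT records as its covert channel, so
            # only TXT lookups of the listed domains are flagged here.
            if qtype.upper() == "TXT" and _domain_matches(qname, DNS_C2_DOMAINS):
                out.append(Finding(src, "httpbrowser_dns_txt_c2", qname))
    elif kind == "reg":
        kv = dict(KV_RE.findall(rest))
        if kv.get("key", "").lower() == RUN_KEY.lower():
            name_hit = kv.get("value", "").lower() in RUN_VALUE_NAMES
            path_hit = bool(INSTALL_PATH_RE.search(kv.get("data", "")))
            if name_hit or path_hit:
                out.append(Finding(src, "httpbrowser_run_key",
                                   f'{kv.get("value")} -> {kv.get("data")}'))
    return out


def scan(lines: Iterable[str]) -> List[Finding]:
    findings: List[Finding] = []
    for line in lines:
        findings.extend(check_line(line))
    return findings


# Constructed sample log; 203.0.113.10 is a documentation address, not an IOC.
SAMPLE_LOG = [
    '2015-06-30T09:12:44Z 10.0.0.5 proxy GET http://203.0.113.10/index.php ua="HTTPBrowser/1.0"',
    '2015-06-30T09:13:02Z 10.0.0.7 proxy GET http://it-desktop.com/vpn/cisco/vpnclient.exe ua="Mozilla/5.0"',
    '2015-06-30T09:13:30Z 10.0.0.7 dns TXT glb.it-desktop.com',
    '2015-06-30T09:13:31Z 10.0.0.7 dns A www.example.com',
    r'2015-06-30T09:14:00Z 10.0.0.7 reg key="HKCU\Software\Microsoft\Windows\CurrentVersion\Run" value="wdm" data="C:\Users\alice\AppData\Roaming\wdm.exe"',
    r'2015-06-30T09:14:05Z 10.0.0.9 reg key="HKCU\Software\Microsoft\Windows\CurrentVersion\Run" value="OneDrive" data="C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe"',
    '2015-06-30T09:15:00Z 10.0.0.9 proxy GET https://www.example.com/ ua="Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.host}\t{f.rule}\t{f.detail}")
```

Run against the constructed sample, the script reports four findings (user-agent, phishing host, DNS TXT C2, and Run key) from two hosts and nothing for the benign lines. The Run-key check matches on either the value name or the install path, so a sample that renames its value but keeps the %APPDATA%\wdm.exe location is still caught.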