HyperBro
HyperBro is a custom Windows backdoor/remote access trojan (RAT) and an evolved version of HttpBrowser. It has been used since at least 2013 and has remained in continuous development; Iron Tiger has used the HyperBro malware family since at least 2017, and the malware is also commonly attributed to LuckyMouse (also known as Emissary Panda/APT27). UNC215 has been reported to deploy HYPERBRO in later intrusion stages for information collection, and CISA reported HyperBro installed on a compromised Microsoft Exchange server and two additional systems during a Defense Industrial Base intrusion in 2021. HyperBro has also been associated with activity attributed to TAG-67.
Observed delivery and execution methods include trojanized installers and DLL side-loading. ESET reported that Able Desktop software was abused to deliver HyperBro in Mongolia, including trojanized 7-Zip SFX installers bundling legitimate software with the backdoor and a likely compromised update mechanism that caused the legitimate Able Desktop application to download and execute HyperBro. In those cases, legitimate executables such as Symantec IntgStat.exe and McAfee siteadv.exe were used as DLL side-loading hosts, with malicious DLLs decrypting, decompressing, and executing XOR-encoded payloads stored in thumb.db/thumbs.db. HyperBro has also been loaded through low-prevalence DLL search order hijacking using a benign vfhost.exe. Reporting also describes HyperBro operating in an in-memory state to leave minimal traces on disk.
Capabilities directly described in the source material include running shellcode injected into a newly created process; executing an application via CreateProcessW or a script/file via ShellExecuteW; listing all services and their configurations; starting and stopping a specified service; deleting a specified file; taking screenshots; keylogging; and packing its payload. It has been described as providing remote administration and persistence on infected systems.
Targeting described in the content includes Mongolian organizations, including government entities using Able Desktop, as well as broader espionage activity affecting Russian government, aerospace, IT, and energy organizations in reporting that overlaps with HyperBro-linked operations.
High-confidence indicators mentioned in the content include command-and-control URLs used by observed samples: https://developer.firefoxapi[.]com/ajax and https://139.180.208[.]225/ajax.
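As an added example (not Mallory's code and not taken from any of the vendor reports cited on this page), the Python script below turns the side-loading hosts, the thumb.db/thumbs.db payload container and the two C2 URLs described above into a small hunt over endpoint and proxy telemetry. The Sysmon-style key=value event lines and proxy log lines are constructed for the demo, the pipe-separated export format is an assumption, and the DLL and directory names in the sample events are invented placeholders; only the host executable names, container file names and C2 URLs come from the page.

```python
"""Hunt for the HyperBro DLL side-loading triad and known C2 contacts.

Added example, not code from Mallory or from the cited vendor reports.
Event lines mimic Sysmon Event ID 7 (ImageLoad) and Event ID 11 (FileCreate)
exported as 'Key=Value|Key=Value' text; that export format is an assumption.
"""
from pathlib import PureWindowsPath
from urllib.parse import urlsplit

# Benign executables the page reports being abused as side-loading hosts.
SIDELOAD_HOSTS = {"intgstat.exe", "siteadv.exe", "vfhost.exe"}
# File names under which the XOR-encoded payload was stored next to the DLL.
PAYLOAD_FILES = {"thumb.db", "thumbs.db"}
# C2 URLs from the page, kept defanged; refang() restores them for matching.
C2_URLS_DEFANGED = [
    "https://developer.firefoxapi[.]com/ajax",
    "https://139.180.208[.]225/ajax",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into a matchable URL."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


C2_HOSTS = {urlsplit(refang(u)).hostname for u in C2_URLS_DEFANGED}


def parse_kv(line: str) -> dict:
    """Parse 'Key=Value' pairs separated by '|' into a dict."""
    return dict(part.split("=", 1) for part in line.strip().split("|") if "=" in part)


def check_image_load(event: dict):
    """Flag an ImageLoad event where a watched host exe loads an unsigned DLL
    from its own directory (the search-order hijack half of the triad)."""
    host = PureWindowsPath(event.get("Image", ""))
    dll = PureWindowsPath(event.get("ImageLoaded", ""))
    if host.name.lower() not in SIDELOAD_HOSTS:
        return None
    same_dir = host.parent == dll.parent          # DLL sits beside the exe
    unsigned = event.get("Signed", "").lower() != "true"
    if same_dir and unsigned:
        return f"sideload-triad host={host} dll={dll}"
    return None


def hunt(event_lines, proxy_lines):
    """Return a list of finding strings for the given telemetry."""
    findings, suspect_dirs = [], set()
    events = [parse_kv(line) for line in event_lines]

    # Pass 1: side-loading hosts loading a co-located unsigned DLL.
    for ev in events:
        if ev.get("EventID") == "7":
            finding = check_image_load(ev)
            if finding:
                findings.append(finding)
                suspect_dirs.add(PureWindowsPath(ev["Image"]).parent)

    # Pass 2: the payload container written into a directory flagged above.
    # thumbs.db is normal in user folders, so only suspect directories count.
    for ev in events:
        if ev.get("EventID") == "11":
            target = PureWindowsPath(ev.get("TargetFilename", ""))
            if target.name.lower() in PAYLOAD_FILES and target.parent in suspect_dirs:
                findings.append(f"payload-container {target}")

    # Pass 3: outbound requests to the page's C2 hosts ('timestamp src url').
    for line in proxy_lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        src, url = parts[1], parts[-1]
        host = urlsplit(url).hostname
        if host in C2_HOSTS:
            findings.append(f"c2-contact src={src} host={host}")
    return findings


# Constructed sample telemetry (directory, DLL and user names are placeholders).
EVENTS = [
    r"EventID=7|Image=C:\ProgramData\SampleDir\IntgStat.exe|ImageLoaded=C:\ProgramData\SampleDir\loader.dll|Signed=false",
    r"EventID=7|Image=C:\Windows\System32\svchost.exe|ImageLoaded=C:\Windows\System32\kernel32.dll|Signed=true",
    r"EventID=7|Image=C:\Program Files\Vendor\IntgStat.exe|ImageLoaded=C:\Windows\System32\kernel32.dll|Signed=true",
    r"EventID=11|Image=C:\ProgramData\SampleDir\IntgStat.exe|TargetFilename=C:\ProgramData\SampleDir\thumbs.db",
    r"EventID=11|Image=C:\Windows\explorer.exe|TargetFilename=C:\Users\user1\Pictures\thumbs.db",
]
PROXY = [
    "2021-05-03T10:11:12Z 10.0.0.5 https://developer.firefoxapi.com/ajax",
    "2021-05-03T10:11:13Z 10.0.0.6 https://www.example.com/index.html",
]

if __name__ == "__main__":
    for finding in hunt(EVENTS, PROXY):
        print(finding)
```

Requiring the DLL to be both unsigned and co-located with the host binary keeps the first pass quiet on legitimate installs of these vendor tools, and gating the thumbs.db check on an already-flagged directory avoids alerting on the ordinary Explorer thumbnail cache; swap the constructed lists for your own Sysmon and proxy exports to run it against real data.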
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
Although LuckyMouse has been spotted using a widely used Microsoft Office vulnerability (CVE-2017-11882) to weaponize Office documents in the past, researchers have no proof of this technique being used in this particular attack against the data center.
Groups observed using it
5 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
As the payload embedded in the installers, the researchers name the HyperBro and Korplug (PlugX) backdoors.
ESET researchers discovered that chat software called Able Desktop ... was used to deliver the HyperBro backdoor (commonly used by LuckyMouse) ... In mid-2018, we observed a first occurrence of the legitimate Able Desktop application being used to download and execute HyperBro.
UNC215 often uses FOCUSFJORD for the initial stages of an intrusion, and then later deploys HYPERBRO, which has more information collection capabilities such as screen capture and keylogging.
The same benign vfhost.exe file has also been abused in activity we attribute to... TAG-67 ... to load HyperBro through a similar low-prevalence DLL search order hijacking triad.
"...tools would attempt to infect users with HyperBro, a remote access trojan that operated via an 'in-memory' state, leaving minimal traces on disk..."
Techniques & procedures
27 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
2 techniques
MITRE ATT&CK Techniques list includes "T1583.003 Acquire Infrastructure: Virtual Private Server"
"The main command and control (C&C) server ... belongs to a Ukrainian ISP, specifically to a MikroTik router ... Researchers believe the Mikrotik router was explicitly hacked for the campaign"
Initial Access
3 techniques
“...redirected users to malicious sites hosting exploitation tools such as ScanBox and BEeF...” | “...used access to the data center to add JavaScript code to government sites, which redirected users to malicious sites...”
One of the Able update servers was likely compromised in order to deploy HyperBro and Tmanger.
"The initial attack vector ... is unclear, but researchers believe LuckyMouse possibly had conducted watering hole or phishing attacks to compromise accounts belonging to employees"
Execution
4 techniques
"ADVSTORESHELL is capable of starting a process using CreateProcess"; "build_downer has the ability to use the WinExec API"; "Aria-body has the ability to launch files using ShellExecute"
Able Desktop trojanized installer is executed by the user.
"Anchor can create and execute services to load its payload"; "APT32's backdoor has used Windows services as a way to execute its malicious payload"; "Ragnar Locker has used sc.exe to execute a service that it creates"; "Shamoon creates a new service named 'ntssrv' to execute the payload"
In the past, SysUpdate was loaded in memory by a known method involving three files: One legitimate executable, sometimes signed, and vulnerable to dynamic-link library (DLL) sideloading; One malicious DLL loaded by the legitimate file; One binary file usually containing obfuscated code, unpacked in memory by the malicious DLL.
Privilege Escalation
3 techniques
The content repeatedly describes malware and threat actors injecting shellcode, DLLs, or payloads into legitimate processes such as svchost.exe, explorer.exe, iexplore.exe, cmd.exe, lsass.exe, and browser processes.
MITRE ATT&CK Techniques list includes "T1055.003 ... Thread Execution Hijacking"
GuLoader has the ability to inject shellcode into donor processes that is started in a suspended state. Cardinal RAT injects into a newly spawned process created from a native Windows executable. Pandora can start and inject code into a new svchost process. ShadowPad has injected an install module into a newly created process.
Stealth
11 techniques
The content repeatedly describes payloads, strings, configuration files, scripts, URLs, and binaries being obfuscated or encoded using Base64, XOR, RC4, AES, RSA, hex encoding, custom algorithms, and other methods across many malware families and threat actors.
"Sandworm Team used UPX to pack a copy of Mimikatz"; "APT38 has used several code packing methods such as Themida, Enigma, VMProtect, and Obsidium"; "Lazarus Group packed malicious .db files with Themida to evade detection."
Examples throughout the content include 'encrypted payloads decrypted and executed in memory,' 'encrypts its configuration file,' 'AES-encrypted resource,' 'RC4 encrypted embedded scripts,' and 'payload includes an encrypted main component.'
The launcher starts by instantiating the CLoadInfo object... Directory to copy all files %PROGRAMDATA%\Test\ ... Name of the legitimate executable dlpumgr32.exe ... Lastly, the launcher starts a suspended process with the command line “C:\Windows\system32\svchost.exe -k LocalServices”, and injects the appropriate shellcode into it.
The content repeatedly describes threat actors and malware deleting files, tools, scripts, logs, droppers, staged data, and artifacts from compromised systems to cover tracks, remove evidence, or self-delete.
The content repeatedly describes malware and threat actors decoding, decrypting, or deobfuscating payloads, strings, configuration data, commands, and C2 traffic prior to execution or use, e.g., 'APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload' and 'Action RAT can use Base64 to decode actor-controlled C2 server communications.'
“...HyperBro, a remote access trojan that operated via an ‘in-memory’ state, leaving minimal traces on disk...”
Credential Access
1 technique
Discovery
1 technique
MITRE ATT&CK Techniques list includes "T1010 Application Window Discovery"
Collection
3 techniques
"Agent Tesla can capture screenshots of the victim’s desktop"; "AppleSeed can take screenshots on a compromised host"; "APT28 has used tools to take screenshots from victims"; "Cobalt Strike's Beacon payload is capable of capturing screenshots"; "PowerSploit's Get-TimedScreenshot Exfiltration module can take screenshots at regular intervals"; "Hydraq includes a component based on the code of VNC that can stream a live feed of the desktop"
MITRE ATT&CK Techniques list includes "T1213 Data from Information Repositories"
Command and Control
4 techniques
The content repeatedly describes threat actors, malware, and campaigns using HTTP and/or HTTPS for command and control, including examples such as BlackEnergy communicating with C2 over HTTP POST requests and many other families using HTTP/S for C2.
“...hacked a MikroTik router to host the command and control server of the HyperBro RAT.”
MITRE ATT&CK Techniques list includes "T1095 Non-Application Layer Protocol"
MITRE ATT&CK Techniques list includes "T1105 Ingress Tool Transfer"; described delivery of tools and payloads post-access.
IOCs tracked for this family
12 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
33 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
HyperBro is a remote access trojan used in targeted attacks, often associated with espionage operations.
Remote access trojan that injects shellcode into newly created processes and executes it.
Backdoor referenced as co-occurring with Zupdax/Tmanger/ShadowPad in the Able Desktop supply-chain operation; code/infrastructure intersections discussed in relation to Bronze Union (APT27) attribution.
Implant used in APT27/LuckyMouse intrusion chains via DLL side-loading; observed in long-dwell intrusions with additional post-exploitation tooling.