ChChes
ChChes is a malware family, also referred to as Haymaker and Scorpion, that surfaced in late 2016. It is described as having relatively limited functionality and appears designed to establish an initial foothold and fingerprint the compromised system. The malware communicates with command-and-control servers over HTTP and embeds its data in the Cookie header. C2 data can be encoded with a custom Base64-based technique, and traffic can be encrypted with AES or RC4. Reported capabilities include altering the victim's proxy configuration, stealing credentials stored in Internet Explorer, and downloading and executing additional payloads as modules. ChChes also copies itself to an executable filename intended to imitate Norton Antivirus, such as "notron.exe". ChChes has been associated with APT10/MenuPass/Red Apollo activity, including MSP-focused intrusions and spear-phishing delivery, and some reporting described it as unique to that group. Samples were digitally signed with a certificate originally used by Hacking Team that was later leaked and revoked.
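As an added defender-side example (written for this page, not code from the page or from any vendor tooling), the following Python applies two triage heuristics drawn from the description above to constructed sample data: it flags Cookie headers that carry an opaque Base64-looking blob instead of ordinary name=value session cookies, and it flags executable names that sit within a small edit distance of norton.exe, such as notron.exe. The request lines, hostnames and cookie contents are constructed; the exact custom Base64 variant ChChes uses is not given on the page, so the check accepts standard and URL-safe Base64 only.

```python
import base64
import binascii
import re

# Constructed sample HTTP requests for illustration; not captured ChChes traffic.
BLOB = base64.b64encode(b"WS01|4120|6.1.7601|x64|user01").decode()
CONSTRUCTED_REQUESTS = [
    "GET /news HTTP/1.1\r\nHost: example.test\r\nCookie: sid=a1b2c3; lang=en\r\n\r\n",
    "GET /news HTTP/1.1\r\nHost: example.test\r\nCookie: " + BLOB + "\r\n\r\n",
    "GET /a.php HTTP/1.1\r\nHost: example.test\r\nCookie: uid=" + BLOB + "; lang=en\r\n\r\n",
]
B64_RE = re.compile(r"^[A-Za-z0-9+/_-]{24,}$")  # standard or URL-safe alphabet, padding stripped

def decodes_as_base64(token):
    """True if token is valid Base64 (standard or URL-safe) once re-padded."""
    std = token.replace("-", "+").replace("_", "/")
    try:
        base64.b64decode(std + "=" * (-len(std) % 4), validate=True)
        return True
    except binascii.Error:
        return False

def suspicious_cookie_values(raw_request):
    """Cookie values that look like an opaque Base64 blob rather than a session id."""
    header = next((ln.split(":", 1)[1] for ln in raw_request.split("\r\n")
                   if ln.lower().startswith("cookie:")), "")
    hits = []
    for part in header.split(";"):
        core = part.strip().rstrip("=")          # drop Base64 padding before splitting
        name, sep, value = core.partition("=")
        token = value if sep else name           # bare token: the whole cookie is the blob
        if B64_RE.match(token) and decodes_as_base64(token):
            hits.append(token)
    return hits

def edit_distance(a, b):
    """Plain Levenshtein distance."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_norton_lookalike(filename):
    """Coarse triage check: near 'norton.exe' but not equal, e.g. 'notron.exe'."""
    stem = filename.lower().rsplit(".", 1)[0]
    return stem != "norton" and edit_distance(stem, "norton") <= 2
```

Both checks are triage heuristics meant to surface candidates for review, not standalone verdicts; a long Base64 cookie or a near-miss filename still needs corroboration from the process tree or network context.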
Groups observed using it
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
HAYMAKER and SNUGRIDE have been used as first stage backdoors... HAYMAKER is a backdoor that can download and execute additional payloads in the form of modules.
Tools: QuasarRAT, RedLeaves, PoisonIvy, ChChes, QuasarRAT Loader, PlugX, ANEL, Cobalt Strike
Techniques & procedures
24 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique
Often deployed via spear phishing, they are lightweight, have particular capabilities and are designed to facilitate system identification and lateral movement.
Execution
2 techniques
Persistence
1 technique
Cited reporting repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or .bat files in the Windows Startup folder.
Privilege Escalation
2 techniques
It attempts to inject into running processes, focussing on security products and native Windows processes.
Cited reporting repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or .bat files in the Windows Startup folder.
Stealth
5 techniques
The code is heavily obfuscated, via the use of position-independence alongside other techniques.
During the 2016 Ukraine Electric Power Attack, DLLs and EXEs with filenames associated with common electric power sector protocols were used to masquerade files.
It attempts to inject into running processes, focussing on security products and native Windows processes.
If executed, the malware begins by removing itself from the current directory and copying itself to the user’s roaming profile under a different name.
"receiving modules from C&C servers and loading them on the memory." | "modules with the following functions... Load and run DLLs"
Defense Impairment
1 technique
Cited reporting repeatedly describes threat actors and malware using valid, stolen, forged, self-signed, or abused code-signing certificates to sign malware and appear legitimate, including examples such as AppleJeus using a valid digital signature from Sectigo, APT41 leveraging code-signing certificates, FIN7 signing Carbanak payloads, and SUNBURST being digitally signed by SolarWinds.
Credential Access
2 techniques
ChChes targets the credentials stored inside Internet Explorer.
Cited reporting repeatedly describes threat actors and malware stealing usernames, passwords, cookies, session tokens, and other saved credentials from web browsers such as Chrome, Firefox, Internet Explorer, Edge, Opera, Safari, and Yandex.
Discovery
3 techniques
It also conducts basic victim profiling activity, collecting the computer name, running process IDs...
Cited reporting repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
“3PARA RAT has a command to retrieve metadata for files on disk as well as a command to list the current working directory… admin@338 actors used… dir c:\ >> %temp%\download … APT28 has used Forfiles to locate PDF, Excel, and Word documents…”
Command and Control
7 techniques
Examples include 'AppleJeus's COLDCAT C2 leverages cookie headers to contain data over HTTPS,' 'ChChes ... embeds data within the Cookie HTTP header,' 'GoldMax ... used custom HTTP cookies for C2,' and 'UPPERCUT ... sending error codes in Cookie headers.'
Cited reporting repeatedly describes threat actors, malware, and campaigns using HTTP and/or HTTPS for command and control, including examples such as BlackEnergy communicating with C2 over HTTP POST requests and many other families using HTTP/S for C2.
ChChes can alter the victim's proxy configuration... MuddyWater can disable the system's local proxy settings... During Night Dragon, the actors also disabled proxy settings to allow direct communication from victims to the Internet.
"modules with the following functions... Download files"
C2 traffic from ADVSTORESHELL is encrypted, then encoded with Base64 encoding... APT19 HTTP malware variant used Base64 to encode communications to the C2 server... APT33 has used base64 to encode command and control traffic.
"Encrypt communication using AES"; "communication with C&C servers after this point will be encrypted in AES on top of the existing encryption method."
"3PARA RAT command and control commands are encrypted within the HTTP C2 channel using the DES algorithm in CBC mode..."; "APT33 has used AES for encryption of command and control traffic."; "Carbanak encrypts the message body of HTTP traffic with RC2 (in CBC mode)."; "Duqu ... data stream can be encrypted with AES-CBC."; "PoisonIvy uses the Camellia cipher to encrypt communications."
Exfiltration
1 technique
"modules with the following functions... Upload files"; "execution results of the received command are sent to C&C servers"
Other
1 technique
Cited reporting repeatedly describes threat actors and malware disabling or modifying security tools, EDR/AV, logging, firewall rules, integrity checkers, and security settings; e.g., 'Agrius used several mechanisms to try to disable security tools' and 'BlackByte disabled security tools such as Windows Defender and the Raccine anti-ransomware tool during operations.'
IOCs tracked for this family
58 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
32 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Backdoor malware that can modify proxy settings on compromised hosts.
Malware/backdoor referenced as used in spear-phishing compromises of MSPs to enable access for espionage operations.
ChChes used a leaked and later revoked certificate for code signing.
Malware that uses a custom Base64-based technique to encode command-and-control data.