Hikit
Hikit is a Windows rootkit/backdoor with covert command-and-control and counter-forensic capabilities. It uses XOR encryption, HTTP for C2, and peer connections; it can upload files from compromised machines and open a remote shell to run commands.

Persistence has been observed through a DLL named oci.dll. During installation, oci.dll extracts files from its resources and drops the W7fw.sys rootkit driver, the matching .INF and .CAT driver-installation files, a self-generated certificate named GlobalSign.cer, and certmgr.exe. It then uses certmgr.exe to add the fake GlobalSign certificate to the local machine Root and Trusted Publisher stores, attempts to tamper with registry keys to weaken driver-signing enforcement, and verifies that the driver is loaded.

Operationally, Hikit installs itself as a virtual network adapter layered between the NIC and the upper protocol drivers. From that position it monitors inbound packets, intercepts its C2 traffic inside the network stack, and spawns user-mode threads to parse commands. This design allows inbound-only C2 over ports 80/443, so the traffic blends with normal inbound HTTP on infected Windows servers; the family has been observed particularly on DMZ web servers. Hikit can also turn an infected system into an open proxy, which has been used to tunnel Remote Desktop and to create internal/external hop points on multi-homed hosts.

The high-confidence host indicators described in the source are the files oci.dll, W7fw.sys, GlobalSign.cer, and certmgr.exe; the associated service configuration; invalid digital-signature characteristics; and suspicious oci.dll imports, resources, metadata, and compile time. The source also references a fileless variant of Hikit dubbed Hias.
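The host artifacts above (oci.dll, W7fw.sys, the planted GlobalSign certificate, certmgr.exe, the loaded driver, and the driver-signing tampering) can be triaged on a single Windows host with the script below. It is an added example for this page, not code from the Hikit write-up or from any vendor. The file locations, the legacy Driver Signing registry value, the BCD flags, and the empty thumbprint allowlist are assumptions: the write-up names the files but not where they land or which registry keys are modified, so hits are leads to verify against a known-good host, not verdicts.

```powershell
# Added host-triage script for the Hikit artifacts described above. Not code from
# the write-up or any vendor; run elevated on one host. File locations, the
# registry value and the BCD flags are assumptions, so treat hits as leads.
$findings = New-Object 'System.Collections.Generic.List[string]'

# 1. Dropped files named in the write-up. Assumed locations: oci.dll beside the
#    system DLLs, W7fw.sys under drivers. certmgr.exe is a legitimate SDK tool,
#    so its presence on a server that never had the SDK is itself odd.
$candidates = @(
    "$env:SystemRoot\System32\oci.dll",
    "$env:SystemRoot\SysWOW64\oci.dll",
    "$env:SystemRoot\System32\drivers\W7fw.sys",
    "$env:SystemRoot\System32\GlobalSign.cer",
    "$env:SystemRoot\System32\certmgr.exe"
)
foreach ($path in $candidates) {
    if (Test-Path -LiteralPath $path) {
        $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
        $findings.Add("file present: $path (Authenticode: $($sig.Status))")
    }
}

# 2. oci.dll loaded into a running process. A genuine Oracle client also ships
#    an oci.dll, so the reported FileName tells the analyst which one it is.
foreach ($proc in Get-Process) {
    try {
        foreach ($m in $proc.Modules) {
            if ($m.ModuleName -ieq 'oci.dll') {
                $findings.Add("oci.dll loaded in PID $($proc.Id) ($($proc.ProcessName)) from $($m.FileName)")
            }
        }
    } catch { }   # protected processes and bitness mismatches refuse module enumeration
}

# 3. The rootkit driver as a loaded kernel service. The installer checks that the
#    driver is loaded, so a service whose image is W7fw.sys is the strongest signal.
Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -match 'W7fw\.sys' } |
    ForEach-Object { $findings.Add("driver service: $($_.Name) state=$($_.State) image=$($_.PathName)") }

# 4. Certificate stores. certmgr.exe plants a self-generated 'GlobalSign' cert in
#    LocalMachine\Root and LocalMachine\TrustedPublisher. Genuine GlobalSign roots
#    are self-signed too, so the Root check needs an allowlist of thumbprints you
#    have verified (assumption: empty here, fill it in). A CA cert named GlobalSign
#    has no business in TrustedPublisher, which holds code-signing certificates.
$knownGoodGlobalSign = @()   # assumption: SHA-1 thumbprints of the GlobalSign roots you trust
foreach ($store in 'Root', 'TrustedPublisher') {
    foreach ($cert in Get-ChildItem -Path "Cert:\LocalMachine\$store") {
        if ($cert.Subject -notmatch 'GlobalSign') { continue }
        $selfSigned = ($cert.Subject -eq $cert.Issuer)
        if ($store -eq 'TrustedPublisher') {
            $findings.Add("TrustedPublisher holds GlobalSign-named cert thumbprint=$($cert.Thumbprint)")
        } elseif ($selfSigned -and ($knownGoodGlobalSign -notcontains $cert.Thumbprint)) {
            $findings.Add("Root holds self-signed GlobalSign-named cert not in allowlist thumbprint=$($cert.Thumbprint) notBefore=$($cert.NotBefore)")
        }
    }
}

# 5. Driver-signing enforcement. The write-up says the installer tampers with
#    registry keys without naming them; this snapshots the legacy Driver Signing
#    policy value and the BCD test-signing flags (assumptions) for comparison.
$policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Driver Signing' -Name Policy -ErrorAction SilentlyContinue
if ($policy) {
    $hex = ($policy.Policy | ForEach-Object { $_.ToString('X2') }) -join ' '
    $findings.Add("HKLM\SOFTWARE\Microsoft\Driver Signing\Policy = $hex")
}
$bcd = & bcdedit.exe /enum '{current}' 2>$null | Select-String -Pattern 'testsigning|nointegritychecks'
foreach ($line in $bcd) { $findings.Add("BCD: $($line.Line.Trim())") }

if ($findings.Count -eq 0) { 'No Hikit-style artifacts found on this host.' } else { $findings }
```

The certificate check is deliberately split: anything GlobalSign-named in TrustedPublisher is reported outright, while Root entries are only reported when self-signed and absent from the allowlist, because legitimate GlobalSign roots are also self-signed and commonly present. Compare the Driver Signing and BCD lines against a clean host of the same build rather than reading them in isolation.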
Groups observed using it
1 distinct threat actor attributed by public researchers.
"...a fileless version of the well-known ‘HiKit’ malware dubbed ‘Hias’."
Techniques & procedures
13 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (1 technique)

Execution (2 techniques)
- Command shell evidence: The content repeatedly describes use of cmd.exe, cmd /c, the Windows command shell, and xp_cmdshell to execute commands, run payloads, launch binaries, and carry out reconnaissance, persistence, cleanup, and ransomware actions. Examples include: 'Sandworm Team used the xp_cmdshell command in MS-SQL', 'APT41 used cmd.exe /c to execute commands on remote machines', and many malware families 'can use cmd.exe to execute commands on a compromised host.'
- Reverse/remote shell evidence: Many entries explicitly state that malware 'can create a reverse shell' or 'launch a remote shell', including 4H RAT, AuditCred, BLACKCOFFEE, Carbanak, DarkComet, Exaramel for Windows, PlugX, QuasarRAT, and ZxShell.

Stealth (2 techniques)

Defense Impairment (2 techniques)

Collection (1 technique)

Command and Control (5 techniques)
- HTTP/S C2 evidence: The content repeatedly describes threat actors, malware, and campaigns using HTTP and/or HTTPS for command and control, including BlackEnergy communicating with C2 over HTTP POST requests and many other families using HTTP/S for C2.
- Remote shell evidence: 4H RAT has the capability to create a remote shell. AuditCred can open a reverse shell on the system to execute commands. PlugX allows actors to spawn a reverse shell on a victim. QuasarRAT can launch a remote shell to execute commands on the victim's machine.
- Encrypted C2 evidence: "3PARA RAT command and control commands are encrypted within the HTTP C2 channel using the DES algorithm in CBC mode..."; "APT33 has used AES for encryption of command and control traffic."; "Carbanak encrypts the message body of HTTP traffic with RC2 (in CBC mode)."; "Duqu ... data stream can be encrypted with AES-CBC."; "PoisonIvy uses the Camellia cipher to encrypt communications."

Exfiltration (1 technique)
- File upload/exfiltration evidence: Many entries state that malware or actors can upload, transfer, send, or exfiltrate files from compromised hosts to command-and-control servers or attacker infrastructure.
Recent activity
10 sources tracked across advisories, community write-ups, and news.
Minor Software changes: ... Hikit
Well-known RAT family; content discusses a fileless variant (Hias) and newly discovered persistence mechanism.
Kernel-mode rootkit/backdoor that installs a driver (e.g., W7fw.sys) and uses a covert inbound C2 mechanism by inserting itself as a virtual network adapter in the Windows network stack to monitor/intercept packets. It can spawn user-mode threads to parse C2, provide typical backdoor capabilities (shell/command execution/file transfer), and can force the host to act as an open proxy to enable tunneling (e.g., Remote Desktop) into internal networks. Uses counter-forensics including installing a self-generated fake 'GlobalSign' root CA/trusted publisher certificate and attempting to disable driver signing verification via registry tampering.
Malware that uses HTTP for command-and-control (C2).
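The inbound-only C2 and open-proxy design described above leaves a network-level trace that host indicators miss: a DMZ web server that is answering ordinary inbound requests on 80/443 should not, seconds later, open RDP or SMB sessions into the internal network. The script below is an added example for this page, not code from the Hikit write-up or any vendor. It correlates connection records (a constructed sample, not real telemetry) and reports each connection a web server initiates inward shortly after an external client reaches it. The web-server list, the five-second window, and the RFC 1918 test for "internal" are assumptions to tune for your environment.

```powershell
# Added detection sketch for the inbound-only C2 / open-proxy behaviour described
# above. Not code from the write-up or any vendor. Reads connection records and
# reports web-server -> internal connections that follow an external hit on 80/443.
$webServers = @('192.0.2.10')   # assumption: your DMZ web servers
$windowSecs = 5                 # assumption: a proxied session opens within seconds
$rfc1918    = '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)'

# Constructed sample (not real traffic): two proxied sessions, one to RDP and one
# to SMB, plus a benign DNS lookup with no inbound trigger nearby.
# Columns: epoch seconds, source, destination, destination port.
$flows = @'
ts,src,dst,dport
1700000000,203.0.113.7,192.0.2.10,443
1700000002,192.0.2.10,10.0.0.25,3389
1700000050,198.51.100.4,192.0.2.10,80
1700000051,192.0.2.10,10.0.0.40,445
1700000300,192.0.2.10,10.0.0.5,53
'@ | ConvertFrom-Csv

function Test-Internal([string]$ip) { return ($ip -match $rfc1918) }

# Inbound triggers: external client -> web server on an HTTP port.
$inbound = $flows | Where-Object {
    ($webServers -contains $_.dst) -and ($_.dport -in '80', '443') -and -not (Test-Internal $_.src)
}
# Candidate pivots: web server -> internal host, on any port.
$outbound = $flows | Where-Object {
    ($webServers -contains $_.src) -and (Test-Internal $_.dst)
}

# For each inward connection, find the most recent inbound hit on the same web
# server inside the window; that pairing is the suspected proxied session.
$alerts = foreach ($o in $outbound) {
    $trigger = $inbound |
        Where-Object {
            ($_.dst -eq $o.src) -and
            ([long]$_.ts -le [long]$o.ts) -and
            (([long]$o.ts - [long]$_.ts) -le $windowSecs)
        } |
        Sort-Object { [long]$_.ts } -Descending |
        Select-Object -First 1
    if ($trigger) {
        [pscustomobject]@{
            External   = $trigger.src
            WebServer  = $o.src
            InPort     = $trigger.dport
            Internal   = $o.dst
            OutPort    = $o.dport
            LagSeconds = [long]$o.ts - [long]$trigger.ts
        }
    }
}

$alerts | Format-Table -AutoSize
```

Replace the here-string with `Import-Csv` over an export from your flow collector or firewall and the logic is unchanged. On the constructed sample, the final DNS lookup has no inbound connection within the window and is therefore not paired. On a multi-homed host the same check can be applied per interface, since the write-up notes Hikit uses such hosts as hop points between external and internal segments.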