Threat actors have exploited Microsoft Compiled HTML Help (CHM) files to distribute malware, with a notable sample named deklaracja.chm uploaded to VirusTotal from Poland.
This CHM file, a binary container for compressed HTML and related objects, serves as the delivery vehicle for a multi-stage infection chain.
When executed through the default hh.exe handler, the file displays a decoy image, deklaracja.png, mimicking a bank transfer receipt from the Polish bank PKO to lull the victim while malicious processes are launched in the background.
Technical Breakdown
Decompression reveals the core components: standard CHM system files prefixed with '#', an obfuscated index.htm HTML file embedding JavaScript written with obfuscator.io patterns such as _0x variables and array-indexed string retrieval, a cabinet file disguised as desktop.mp3 containing the unt32.dll payload, and the aforementioned decoy PNG.
The obfuscated JavaScript in index.htm decodes a large hexadecimal string into executable HTML, which orchestrates the attack by creating an iframe for the decoy display, leveraging the deprecated
According to the report, this ActiveX control simulates a button click to execute a command chain: a minimized cmd.exe changes to %temp%, uses the LOLBin forfiles.exe with /M to enumerate .tmp files, verifies a file size of 180738 bytes (matching desktop.mp3), extracts the embedded DLL using expand, and loads it via rundll32.exe invoking ordinal #1.
unt32.dll is a C++ downloader whose strings are XOR-encrypted with a 128-byte rotating key and decrypted in chunks (for example, 5-byte segments for the User-Agent). It uses the WinHTTP APIs to fetch a payload from hxxps://rustyquill[.]top/shw/the-magnus-protoco1.jpg, a domain and filename referencing the Rusty Quill podcast.

The downloader checks that the response size exceeds 289109 bytes, strips the initial segment (probably a benign JPEG header), decrypts the appended data with the same XOR key, saves the resulting DLL as C:\Users\%user%\AppData\Local\TaskSync\net32.dll, executes it via rundll32.exe on ordinal #1, and establishes persistence through a COM-created Scheduled Task.
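The staging logic described above, written as a defender-side carving routine for checking whether a captured response actually carries an appended DLL. This is an added example, not code from the report or the malware; it assumes the JPEG segment ends at its EOI marker and that the 128-byte key is applied as a plain repeating-key XOR, and the key and sample data are constructed.

```python
"""Carve and decrypt a blob appended to a JPEG, mirroring the downloader's
size check, header strip and XOR decryption. Assumptions (not from the
report): the JPEG ends at its EOI marker, and the 128-byte key is used as a
plain repeating-key XOR. Key and data below are constructed."""
from typing import Optional

MIN_RESPONSE_SIZE = 289109  # threshold the downloader checks (from the report)
KEY_LEN = 128
JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"


def xor_rotating(data: bytes, key: bytes) -> bytes:
    """XOR every byte with the key, cycling through it (assumed schedule)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def carve_appended_dll(response: bytes, key: bytes) -> Optional[bytes]:
    """Return the decrypted appended data if it looks like a PE, else None.

    Steps mirror the downloader: size check, strip the leading JPEG, decrypt
    the remainder. The MZ check at the end is our own sanity test.
    """
    if len(response) <= MIN_RESPONSE_SIZE or len(key) != KEY_LEN:
        return None
    if not response.startswith(JPEG_SOI):
        return None
    eoi = response.find(JPEG_EOI, len(JPEG_SOI))
    if eoi == -1:
        return None
    appended = response[eoi + len(JPEG_EOI):]
    if not appended:
        return None
    decrypted = xor_rotating(appended, key)
    return decrypted if decrypted.startswith(b"MZ") else None


def build_sample(key: bytes, payload: bytes) -> bytes:
    """Constructed input: a zero-padded stub JPEG with the XOR'd payload appended."""
    jpeg_stub = JPEG_SOI + b"\x00" * (MIN_RESPONSE_SIZE + 100) + JPEG_EOI
    return jpeg_stub + xor_rotating(payload, key)


if __name__ == "__main__":
    demo_key = bytes(range(KEY_LEN))                  # constructed key
    fake_dll = b"MZ" + b"\x90" * 62 + b"PE\x00\x00"   # constructed stand-in, not a real PE
    blob = build_sample(demo_key, fake_dll)
    print("carved" if carve_appended_dll(blob, demo_key) == fake_dll else "no payload")
```

Against a real capture, the key would come from the analysed unt32.dll and the true EOI offset should be confirmed with a JPEG parser, since an FF D9 byte pair can also occur inside entropy-coded data.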
Broader Implications
This tactic aligns with earlier campaigns, including a CHM file in dowód_wpłaty.zip shared on April 7, 2025, also tied to rustyquill[.]top, suggesting a persistent threat actor.
Attribution points to FrostyNeighbor, also tracked as UNC1151, a Belarus-linked group with a history of targeting Ukraine, Lithuania, Latvia, Poland, and Germany, consistent with the Polish upload origin.
The use of themed lures such as banking documents and podcast references indicates social engineering tailored to regional victims, likely evading detection through the benign-image masquerade and indirect command execution via LOLBins.
Attempts to locate appended-payload versions of the-magnus-protoco1.jpg with YARA rules matching JPEG headers and byte patterns yielded no matches, hinting at transient or geofenced delivery.
This underscores the evolving abuse of legacy formats like CHM for malware deployment, combining obfuscation, ActiveX abuse, and payloads hidden in images to bypass endpoint defenses.
Indicators of Compromise (IOCs)
| Indicator Type | Value | Description |
|---|---|---|
| File SHA256 | 0d3dbaa764acb2b87ae075aa2f5f924378991b39587b0c5e67a93b10db39ddd9 | deklaracja.chm |
| File SHA256 | 156ad4975e834355b2140d3c8fe62798fe6883364b8af1a1713f8b76c7b33947 | index.htm |
| File SHA256 | be5a40b5622d21b46cbc87fd6c3f8ebcb536ec8480491a651c1625ee03ae2c6f | desktop.mp3 (CAB file) |
| File SHA256 | f55e06a87e2a20989ddb76d9f2e3ebb303659ad306ba54e3ed7f8dcc4456d71b | deklaracja.png (decoy) |
| URL | hxxps://rustyquill[.]top/shw/the-magnus-protoco1.jpg | Payload download endpoint |
| File SHA256 | 0631696f484633f4aeb8f817af2a668806ab4dca70f006dc56fc9cd9dcda4dbe | Earlier sample: dowod.chm |
| File SHA256 | 4d09fad2630ec33ab6bb45b85455c6a6ac7b52f8dae9b90736db4a5f00f72ea9 | Earlier sample: dowód_wpłaty.zip |