1. Home
  2. Software
  3. HUI Loader

HUI Loader

HUI Loader is a custom DLL loader that has been used since at least 2015 by China-based threat groups including Cinnamon Tempest and menuPass to deploy malware on compromised hosts. HUI Loader has been observed in campaigns loading SodaMaster, PlugX, Cobalt Strike, Komplex, and several strains of ransomware.[1]

ID: S1097
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 22 December 2023
Last Modified: 02 January 2024
Version Permalink
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1140 Deobfuscate/Decode Files or Information

HUI Loader can decrypt and load files containing malicious payloads.[1]
Enterprise T1574 .001 Hijack Execution Flow: DLL Search Order Hijacking

HUI Loader can be deployed to targeted systems via legitimate programs that are vulnerable to DLL search order hijacking.[1]
Enterprise T1562 .006 Impair Defenses: Indicator Blocking

HUI Loader has the ability to disable Windows Event Tracing for Windows (ETW) and Antimalware Scan Interface (AMSI) functions.[1]

Groups That Use This Software

ID Name References
G1021 Cinnamon Tempest

[1][2]
G0045 menuPass

[1]

References

  1. Counter Threat Unit Research Team . (2022, June 23). BRONZE STARLIGHT RANSOMWARE OPERATIONS USE HUI LOADER. Retrieved December 7, 2023.
  1. SecureWorks. (n.d.). BRONZE STARLIGHT. Retrieved December 6, 2023.