HUI Loader

HUI Loader is a custom DLL loader that has been used since at least 2015 by China-based threat groups including Cinnamon Tempest and menuPass to deploy malware on compromised hosts. HUI Loader has been observed in campaigns loading SodaMaster, PlugX, Cobalt Strike, Komplex, and several strains of ransomware.[1]

ID: S1097
Platforms: Windows
Version: 1.0
Created: 22 December 2023
Last Modified: 02 January 2024

Techniques Used

Domain | ID | Name | Use
Enterprise | T1140 | Deobfuscate/Decode Files or Information | HUI Loader can decrypt and load files containing malicious payloads.[1]
Enterprise | T1574.001 | Hijack Execution Flow: DLL Search Order Hijacking | HUI Loader can be deployed to targeted systems via legitimate programs that are vulnerable to DLL search order hijacking.[1]
Enterprise | T1562.006 | Impair Defenses: Indicator Blocking | HUI Loader has the ability to disable Event Tracing for Windows (ETW) and Antimalware Scan Interface (AMSI) functions.[1]

Groups That Use This Software