S0071: hcdLoader
Analyst context for executives and security teams
hcdLoader is a Windows remote access tool associated in ATT&CK with APT18 and linked to command-shell execution and Windows service-based persistence. For leaders, the practical issue is not the malware name alone: it represents the need to prove that Windows fleets can surface suspicious service creation/modification and command-shell activity that may indicate unauthorized remote control or durable access.
Executive priority
Prioritize validation of Windows endpoint visibility and response playbooks around service persistence and command-shell execution. These behaviors matter to business continuity because they can support long-lived access on Windows systems, complicate incident scoping, and create audit questions about whether the organization can detect and investigate persistence mechanisms. Because ATT&CK provides no detection text for this malware, confidence should come from local telemetry tests, control validation, and incident response readiness rather than from the software entry itself.
Technical view
ATT&CK lists hcdLoader as Windows malware and a RAT used by APT18. Relationship context says it uses T1059.003 Windows Command Shell and T1543.003 Windows Service. SOC and IR teams should validate that they can investigate command interpreter activity, parent-child process relationships, service creation or modification, service executable paths, and relevant registry/service configuration changes on Windows endpoints. Detection engineering should map coverage to the related techniques rather than relying on malware-specific indicators, since the object provides no official detection guidance or aliases.
Likely telemetry
- Windows process creation events for cmd.exe and related command-shell activity
- Parent-child process relationships and command-line arguments where collected
- Windows service creation, modification, start, stop, and configuration events
- Registry data related to Windows service configuration and executable paths
- Endpoint detection and response alerts or triage records for remote access tool behavior
Detection direction
- Build and validate detections against the related ATT&CK techniques: T1059.003 Windows Command Shell and T1543.003 Windows Service.
- Tune for suspicious service creation or modification, especially unusual service names, unexpected executable paths, command interpreters launched by services, or service changes outside approved administration workflows.
- Correlate command-shell execution with initiating user, host role, remote administration context, and nearby service changes to reduce false positives from legitimate IT automation.
- Confirm telemetry coverage on Windows systems where service and process events are often incomplete, filtered, or retained for too short a period to support incident scoping.
- Use the APT18 relationship as threat-intelligence context, not as proof of attribution in any local alert.
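The detection direction above reduces to two event families plus a baseline. The following is an added example, not code from the ATT&CK entry or from the Glexia page: a small detection pass over constructed Windows event records (modelled loosely on System event 7045, service installed, and Security event 4688, process creation; the field names are assumptions) that flags service binaries in untrusted paths or command interpreters registered as services (T1543.003), command shells spawned directly by services.exe (T1059.003), suppresses events that match an approved-installer baseline, and escalates hosts where both behaviors co-occur.

```python
"""Added example (not from the ATT&CK S0071 entry): service-persistence and
command-shell detection over constructed Windows event records."""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Constructed sample events. Field names (id, host, user, service, image,
# parent, cmdline) are assumptions standing in for a real log schema.
SAMPLE_EVENTS = [
    {"id": 7045, "host": "SRV01", "user": "CORP\\svc_sccm", "service": "CcmExec",
     "image": "C:\\Windows\\CCM\\CcmExec.exe"},
    {"id": 7045, "host": "WS22", "user": "CORP\\jdoe", "service": "WinSysUpd",
     "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\upd.exe"},
    {"id": 7045, "host": "SRV01", "user": "CORP\\jdoe", "service": "hlp",
     "image": "cmd.exe /c C:\\ProgramData\\h.bat"},
    {"id": 4688, "host": "WS22", "user": "NT AUTHORITY\\SYSTEM",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "parent": "C:\\Windows\\System32\\services.exe", "cmdline": "cmd.exe /c whoami"},
    {"id": 4688, "host": "WS07", "user": "CORP\\helpdesk",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "parent": "C:\\Windows\\explorer.exe", "cmdline": "cmd.exe"},
]

# Baseline of approved service installers: (account, binary path prefix).
# Constructed for the example; a real baseline comes from local change records.
APPROVED_SERVICE_INSTALLERS = {("CORP\\svc_sccm", "c:\\windows\\ccm\\")}
TRUSTED_IMAGE_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\ccm\\",
                          "c:\\program files\\")
COMMAND_INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


@dataclass(frozen=True)
class Finding:
    host: str
    technique: str
    reason: str


def service_binary(image_path: str) -> str:
    """Extract the executable from a service ImagePath that may carry arguments."""
    s = image_path.strip()
    if s.startswith('"'):
        return s[1:].split('"', 1)[0].lower()
    return s.split()[0].lower()


def evaluate_event(ev: dict) -> list[Finding]:
    """Apply the T1543.003 / T1059.003 rules to a single event."""
    if ev["id"] == 7045:
        exe = service_binary(ev["image"])
        # Approved-workflow baseline: known installer account + expected path.
        if any(ev["user"] == user and exe.startswith(prefix)
               for user, prefix in APPROVED_SERVICE_INSTALLERS):
            return []
        if ntpath.basename(exe) in COMMAND_INTERPRETERS:
            return [Finding(ev["host"], "T1543.003",
                            f"service {ev['service']} runs a command interpreter")]
        if not exe.startswith(TRUSTED_IMAGE_PREFIXES):
            return [Finding(ev["host"], "T1543.003",
                            f"service {ev['service']} binary outside trusted paths: {exe}")]
        return []
    if ev["id"] == 4688:
        child = ntpath.basename(ev["image"]).lower()
        parent = ntpath.basename(ev["parent"]).lower()
        # A shell whose direct parent is the SCM is the classic service-launched shell.
        if child in COMMAND_INTERPRETERS and parent == "services.exe":
            return [Finding(ev["host"], "T1059.003",
                            f"{child} spawned by services.exe: {ev['cmdline']}")]
    return []


def run_detections(events: list[dict]) -> list[Finding]:
    """Evaluate every event and return all findings."""
    return [f for ev in events for f in evaluate_event(ev)]


def escalated_hosts(findings: list[Finding]) -> set[str]:
    """Hosts with both a service-persistence and a command-shell finding."""
    by_host: dict[str, set[str]] = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.technique)
    return {h for h, t in by_host.items() if {"T1543.003", "T1059.003"} <= t}


if __name__ == "__main__":
    found = run_detections(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.host:6} {f.technique} {f.reason}")
    print("escalate:", sorted(escalated_hosts(found)))
```

On the constructed input the approved SCCM installation produces nothing, the Temp-path service and the cmd.exe-backed service each produce a T1543.003 finding, the services.exe-spawned shell produces a T1059.003 finding, and WS22 is the only host escalated because both behaviors occur there. Tuning the baseline set and trusted prefixes to local administration patterns is where most of the false-positive reduction described above happens.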
Mitigation priorities
- Harden and monitor Windows service management permissions so only authorized administrators and tools can create or modify services.
- Restrict and review administrative command-shell use, especially on servers and high-value workstations.
- Maintain endpoint logging and retention sufficient to reconstruct process execution and service configuration changes during incident response.
- Establish baselines for legitimate service changes and administrative automation to support faster triage.
- Test incident response procedures for suspected RAT persistence using Windows service and command-shell evidence.
Analyst notes and limits
This take is based on the ATT&CK S0071 hcdLoader software object, its Dell Lateral Movement reference, and relationships to APT18, T1059.003, and T1543.003. The strongest defensive value comes from validating coverage of the related Windows behaviors rather than from malware-family-specific detection content.
ATT&CK provides no official detection text, no tactics directly on the malware object, no aliases, and only Windows as the supported platform. The relationship to APT18 should not be used to infer attribution for local incidents without additional evidence. Local environment telemetry, baselines, and approved administration patterns are required to determine risk and detection quality.
hcdLoader
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1059.003 | Windows Command Shell (sub-technique) | hcdLoader provides command-line access to the compromised system. (Dell Lateral Movement) |
| Enterprise | T1543.003 | Windows Service (sub-technique) | hcdLoader installs itself as a service for persistence. (Dell Lateral Movement; ThreatStream Evasion Analysis) |
Groups, software, and campaigns
G0026: APT18
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | e1eef858dc79… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Dell Lateral Movement. Carvey, H. (2014, September 2). Where you AT?: Indicators of lateral movement using at.exe on Windows 7 systems. Retrieved January 25, 2016. Open source URL.
[2] mitre-attack S0071. Open source URL.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.