S0499: Hancitor
Analyst context for executives and security teams
Hancitor is a Windows downloader associated in ATT&CK with delivering Pony and other information-stealing malware. The business issue is not just the downloader itself; it represents an entry and staging pattern where phishing, user execution, obfuscated content, PowerShell, native Windows execution paths, persistence, and follow-on tool transfer can combine into a broader intrusion. Leaders should treat this as a test of email security, endpoint visibility, user-execution controls, and incident response readiness for downloader-led compromises.
Executive priority
Prioritize Hancitor-like behavior where a Windows phishing event can become a malware delivery chain. Key executive questions: can the organization prove it captures the email, endpoint, PowerShell, registry, and network evidence needed to reconstruct a downloader incident; can SOC teams distinguish suspicious user-driven execution from routine business activity; and are response teams prepared to scope secondary payload delivery such as information stealers. This also supports audit and compliance evidence around phishing defense, endpoint monitoring, logging, and malware response procedures.
Technical view
ATT&CK provides no official detection text for Hancitor, so defenders should validate coverage through the related behaviors: spearphishing attachments and links, malicious file or link execution, PowerShell execution, verclsid.exe proxy execution, Native API-based execution, obfuscated or compressed payloads, deobfuscation/decoding, file deletion, registry Run Key or Startup Folder persistence, ingress tool transfer, and virtualization or sandbox evasion. Because the software platform is Windows, validation should focus on Windows endpoint, email, web/proxy, DNS, and network telemetry correlated by user, host, process tree, and time.
Likely telemetry
- Email security logs for attachments, links, sender metadata, delivery, quarantine, and user click/open events
- Endpoint process creation telemetry, including parent-child relationships for Office applications, browsers, PowerShell, verclsid.exe, archive utilities, and downloaded executables
- PowerShell logging where enabled, including command line, script block, and module/activity records
- Windows registry monitoring for Run Keys and Startup Folder persistence locations
- File system telemetry for compressed archives, decoded or dropped payloads, temporary files, and suspicious file deletion
Detection direction
- Build detections around chains, not single events: phishing delivery followed by user execution, PowerShell or verclsid.exe activity, payload retrieval, file cleanup, and Run Key or Startup Folder changes.
- Tune PowerShell and verclsid.exe alerts against normal administrative and application behavior to reduce false positives while preserving suspicious parent processes, unusual command lines, and external download context.
- Correlate compressed or obfuscated files with subsequent decode, execution, and network retrieval activity; compressed files alone are common and require context.
- Validate visibility for file deletion after execution, since cleanup can remove the obvious artifact before triage begins.
- Use email-to-endpoint correlation to determine whether a delivered attachment or link resulted in execution on a Windows host.
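The chain-oriented logic described in the bullets above, as an added example (not code from the ATT&CK object, MITRE, or the original text of this page). It assumes a normalized event schema with fields such as `type`, `host`, `user`, `parent`, `image`, `cmdline`, `key` and `path`; the binary lists, keyword regexes, 30-minute window and scores are illustrative assumptions to tune against a local baseline, and every sample event is constructed. The point it demonstrates is that the same PowerShell-plus-network activity does or does not alert depending on whether it sits inside a delivery chain.

```python
"""Chain-based detection for a Hancitor-style downloader (added example).
Events are dicts in an assumed normalized schema; binary lists, regexes, scores
and all sample events are constructed and need tuning against a local baseline."""
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath
import re

WINDOW = timedelta(minutes=30)  # assumed maximum span of one delivery chain
USER_APPS = {"winword.exe", "excel.exe", "outlook.exe", "chrome.exe", "msedge.exe"}
# powershell.exe and verclsid.exe are from the page; the other hosts are assumed
RISKY_CHILDREN = {"powershell.exe", "verclsid.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
DOWNLOAD_CMD = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|"
                          r"-enc(odedcommand)?\b|bitsadmin|certutil", re.I)
USER_WRITABLE = re.compile(r"\\(appdata|temp|downloads|public)\\", re.I)
FOLLOW_ON = {"download_cmd", "ingress", "payload_exec", "persistence", "cleanup"}

def _base(path):
    return ntpath.basename(path).lower()  # image name from a Windows path, any host OS

def stages_of(e):
    """Return the set of chain stages one normalized event contributes."""
    tags, kind = set(), e["type"]
    if kind == "email" and (e.get("attachment") or e.get("url")):
        tags.add("delivery")                           # T1566.001 / T1566.002
    elif kind == "process":
        parent, image = _base(e["parent"]), _base(e["image"])
        if parent in USER_APPS and image in RISKY_CHILDREN:
            tags.add("user_execution")                 # T1204 -> T1059.001 / T1218.012
        if image == "powershell.exe" and DOWNLOAD_CMD.search(e.get("cmdline", "")):
            tags.add("download_cmd")                   # PowerShell with retrieval context
        if USER_WRITABLE.search(e["image"]) and parent in RISKY_CHILDREN | USER_APPS:
            tags.add("payload_exec")                   # dropped binary run from a user dir
    elif kind == "network" and _base(e["image"]) in RISKY_CHILDREN:
        tags.add("ingress")                            # T1105 by a script host
    elif kind == "registry" and RUN_KEY.search(e["key"]):
        tags.add("persistence")                        # T1547.001
    elif kind == "file_delete" and USER_WRITABLE.search(e["path"]):
        tags.add("cleanup")                            # T1070.004
    return tags

def score(stages):
    """Alert only when user execution has a later stage; email delivery adds confidence."""
    seen = set(stages)
    s = (3 if "user_execution" in seen else 0) + 2 * len(FOLLOW_ON & seen)
    s += 2 if {"delivery", "user_execution"} <= seen else 0
    return {"alert": "user_execution" in seen and bool(FOLLOW_ON & seen), "score": s}

def find_chains(events, window=WINDOW):
    """Group tagged events by (host, user), split on gaps longer than window, score each chain."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["host"], e["user"])].append(e)
    chains = []
    for (host, user), evs in by_key.items():
        start, stages = None, {}
        for e in sorted(evs, key=lambda x: x["ts"]):
            tags = stages_of(e)
            if not tags:
                continue
            if start is not None and e["ts"] - start > window:
                chains.append((host, user, start, stages))
                start, stages = None, {}
            start = start or e["ts"]
            for tag in tags:
                stages.setdefault(tag, e["ts"])      # first sighting of each stage
        if stages:
            chains.append((host, user, start, stages))
    return [{"host": h, "user": u, "start": st, "stages": sg, **score(sg)}
            for h, u, st, sg in chains]

# Constructed sample telemetry: no real hosts, users, hashes or indicators.
T0 = datetime(2024, 1, 15, 9, 0)
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
VERCLSID = r"C:\Windows\System32\verclsid.exe"

def ev(minutes, host, user, kind, **fields):
    return {"ts": T0 + timedelta(minutes=minutes), "host": host, "user": user,
            "type": kind, **fields}

SAMPLE_EVENTS = [
    # WS01/alice: full chain from phishing attachment to persistence and cleanup
    ev(0, "WS01", "alice", "email", attachment="invoice_8841.doc"),
    ev(5, "WS01", "alice", "process", parent=WORD, image=PS,
       cmdline="powershell.exe -nop -w hidden -enc SQBFAFgAIAAo..."),
    ev(5, "WS01", "alice", "network", image=PS, dest="203.0.113.10:80"),
    ev(6, "WS01", "alice", "process", parent=PS,
       image=r"C:\Users\alice\AppData\Local\Temp\svchst.exe"),
    ev(7, "WS01", "alice", "registry",
       key=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
    ev(7, "WS01", "alice", "file_delete",
       path=r"C:\Users\alice\AppData\Local\Temp\invoice_8841.doc"),
    # WS02/bob: admin PowerShell from Explorer with network activity; no chain, no alert
    ev(60, "WS02", "bob", "process", parent=r"C:\Windows\explorer.exe", image=PS,
       cmdline=r"powershell.exe Get-ChildItem \\fileserver\share"),
    ev(61, "WS02", "bob", "network", image=PS, dest="10.0.0.5:445"),
    # WS03/carol: Word -> verclsid.exe -> outbound, with no email log (webmail)
    ev(120, "WS03", "carol", "process", parent=WORD, image=VERCLSID),
    ev(121, "WS03", "carol", "network", image=VERCLSID, dest="198.51.100.7:80"),
]
```

Calling `find_chains(SAMPLE_EVENTS)` yields one chain per host: WS01 alerts with all seven stages (score 15), WS03 alerts on Word spawning verclsid.exe followed by an outbound connection even without an email record (score 5), and WS02, whose PowerShell and network events look identical to WS01's in isolation, does not alert because nothing upstream ties them to user execution. Stage timestamps are kept so the analyst can reconstruct order during triage.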
Mitigation priorities
- First, strengthen phishing resilience: attachment and link inspection, user reporting workflows, and rapid removal or containment of delivered messages.
- Second, harden Windows execution paths by controlling risky script execution, monitoring PowerShell, and scrutinizing proxy execution through trusted binaries such as verclsid.exe.
- Third, ensure endpoint controls and logging cover registry Run Keys, Startup Folder changes, file creation/deletion, and suspicious process trees.
- Fourth, restrict and monitor outbound connections needed for ingress tool transfer, especially from user workstations after email or browser execution events.
- Fifth, rehearse incident response playbooks for downloader cases, including scoping secondary payloads, credential or information theft risk, and host isolation decisions.
Analyst notes and limits
The most useful defensive framing is the downloader chain: initial access through spearphishing, execution through user action and Windows execution mechanisms, evasion through obfuscation/compression/decoding and sandbox checks, persistence through Run Keys or Startup Folder entries, and follow-on payload transfer. Local baselining is essential because many related behaviors, especially PowerShell, compressed files, browser downloads, and registry changes, can be legitimate in enterprise environments.
The supplied ATT&CK object does not include official detection guidance, aliases beyond the external reference name Chanitor, or detailed procedure examples. Tactics are not specified on the malware object itself, so tactic framing is derived only from the supplied technique relationships. This analysis does not assert active exploitation, specific targeting, guaranteed detection, or impact beyond the official description and relationships.
Hancitor
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1204.002 | User Execution: Malicious File | Hancitor has used malicious Microsoft Word documents, sent via email, which prompted the victim to enable macros. (Citation: FireEye Hancitor) |
| Enterprise | T1218.012 | System Binary Proxy Execution: Verclsid | Hancitor has used verclsid.exe to download and execute a malicious script. (Citation: Red Canary Verclsid.exe) |
| Enterprise | T1027.015 | Obfuscated Files or Information: Compression | Hancitor has delivered compressed payloads in ZIP files to victims. (Citation: FireEye Hancitor) |
| Enterprise | T1105 | Ingress Tool Transfer | Hancitor has the ability to download additional files from C2. (Citation: Threatpost Hancitor) |
| Enterprise | T1204.001 | User Execution: Malicious Link | Hancitor has relied upon users clicking on a malicious link delivered through phishing. (Citation: Threatpost Hancitor) |
| Enterprise | T1106 | Native API | Hancitor has used |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | Hancitor has been delivered via phishing emails with malicious attachments. (Citation: FireEye Hancitor) |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Hancitor has added Registry Run keys to establish persistence. (Citation: FireEye Hancitor) |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | Hancitor has used PowerShell to execute commands. (Citation: FireEye Hancitor) |
| Enterprise | T1566.002 | Phishing: Spearphishing Link | Hancitor has been delivered via phishing emails which contained malicious links. (Citation: Threatpost Hancitor) |
| Enterprise | T1027 | Obfuscated Files or Information | Hancitor has used Base64 to encode malicious links. (Citation: Threatpost Hancitor) |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | Hancitor has deleted files using the VBA |
| Enterprise | T1497 | Virtualization/Sandbox Evasion | Hancitor has used a macro to check that an ActiveDocument shape object in the lure message is present. If this object is not found, the macro will exit without downloading additional payloads. (Citation: FireEye Hancitor) |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 94bbce7e57c3… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Threatpost Hancitor: Tom Spring. (2017, January 11). Spammers Revive Hancitor Downloader Campaigns. Retrieved August 13, 2020.
- [2] FireEye Hancitor: Anubhav, A., Jallepalli, D. (2016, September 23). Hancitor (AKA Chanitor) observed using multiple attack approaches. Retrieved August 13, 2020.
- [3] Chanitor: alias recorded on the ATT&CK object. (Citation: FireEye Hancitor)
- [4] mitre-attack S0499: MITRE ATT&CK software entry for Hancitor.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.