S1097: HUI Loader
HUI Loader is a custom DLL loader that has been used since at least 2015 by China-based threat groups including Cinnamon Tempest and menuPass to deploy malware on compromised hosts. HUI Loader has been observed in campaigns loading SodaMaster, PlugX, Cobalt Strike, Komplex, and several strains of ransomware.[1]
Analyst context for executives and security teams
HUI Loader matters because it is a Windows custom DLL loader associated in ATT&CK with post-compromise malware deployment, including PlugX, SodaMaster, Cobalt Strike, Komplex, and ransomware strains. For leaders, the key issue is not the loader name alone; it is whether the organization can see suspicious DLL loading, decoding/deobfuscation activity, and possible security-tool impairment before a compromised host becomes a broader incident.
Executive priority
Prioritize this as a resilience and incident-readiness concern for Windows environments. ATT&CK provides no official detection logic, so executives should ask whether SOC and IR teams can prove visibility into DLL abuse, endpoint security health, and follow-on payload execution. This is also useful for control validation, audit evidence, and prioritizing endpoint hardening where business-critical Windows systems depend on timely detection and containment.
Technical view
HUI Loader is documented as a Windows malware loader and is mapped to T1574.001 (DLL), T1140 (Deobfuscate/Decode Files or Information), and T1685 (Disable or Modify Tools). SOC teams should validate image/module-load telemetry, file creation and execution context for DLLs, suspicious parent-child process chains, decoding/deobfuscation indicators, and endpoint security service/logging health. Use the relationships to menuPass and Cinnamon Tempest, plus the observed payloads, as threat-intelligence context for triage, not as standalone attribution.
Likely telemetry
- Windows process creation and command-line events
- DLL/image load telemetry, especially unusual DLLs loaded by legitimate processes
- File creation/modification events in application, user-writable, temporary, and startup-adjacent paths
- Code-signing, file reputation, and hash metadata for loaded DLLs and related executables
- Endpoint security, logging agent, and service health events relevant to tool impairment
Detection direction
- Because ATT&CK provides no official detection, validate coverage through environment-specific analytics rather than assuming tool coverage.
- Hunt for DLL sideloading or hijacking patterns: legitimate signed executables loading unexpected, unsigned, newly written, or user-writable-path DLLs.
- Correlate DLL load events with recent file writes, archive extraction, decoding/deobfuscation behavior, and new network or process activity.
- Tune carefully for legitimate software updaters, installers, and enterprise applications that load DLLs from non-standard paths.
- Monitor for attempts to stop, degrade, or modify security tools, while noting that the supplied T1685 relationship has platform context broader than the Windows platform listed for HUI Loader.
Mitigation priorities
- Harden Windows application directories and DLL search behavior by limiting write access and enforcing least privilege.
- Use application control, allow-listing, and code-signing policy where operationally feasible to reduce unauthorized DLL execution.
- Maintain endpoint detection/logging resilience and alert on security-tool tampering or unexpected sensor health loss.
- Ensure IR playbooks cover rapid host isolation, payload identification, memory/file collection, and scoping for follow-on malware.
- Prioritize testing on high-value Windows servers and workstations where loader-driven payload deployment would create material business disruption.
Analyst notes and limits
The strongest defensive value is in validating DLL-load visibility and post-compromise containment readiness. HUI Loader is a loader, so investigations should focus on what it loaded, how it was invoked, whether defenses were impaired, and whether additional hosts share related artifacts.
The supplied ATT&CK object has no official detection text, no specified tactics, and limited relationship context. Claims about current exploitation, customer exposure, actor attribution, or guaranteed detection require local telemetry and additional intelligence beyond the provided fields.
HUI Loader
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | HUI Loader can decrypt and load files containing malicious payloads.[1] |
| Enterprise | T1685 | Disable or Modify Tools | HUI Loader has the ability to disable Windows Event Tracing for Windows (ETW) and Antimalware Scan Interface (AMSI) functions.[1] |
| Enterprise | T1574.001 | DLL (sub-technique) | HUI Loader can be deployed to targeted systems via legitimate programs that are vulnerable to DLL search order hijacking.[1] |
Groups, software, and campaigns
G1021: Cinnamon Tempest
Cinnamon Tempest is a China-based threat group that has been active since at least 2021 deploying multiple strains of ransomware based on the leaked Babuk source code. Cinnamon Tempest does not operate their ransomware on an affiliate model or purchase access but appears to act independently in all stages of the attack lifecycle. Based on victimology, the short lifespan of each ransomware variant, and use of malware attributed to government-sponsored threat groups, Cinnamon Tempest may be motivated by intellectual property theft or cyberespionage rather than financial gain.[1][2][3][4]
G0045: menuPass
menuPass is a threat group that has been active since at least 2006. Individual members of menuPass are known to have acted in association with the Chinese Ministry of State Security's (MSS) Tianjin State Security Bureau and worked for the Huaying Haitai Science and Technology Development Company.[1][2]
menuPass has targeted healthcare, defense, aerospace, finance, maritime, biotechnology, energy, and government sectors globally, with an emphasis on Japanese organizations. In 2016 and 2017, the group is known to have targeted managed IT service providers (MSPs), manufacturing and mining companies, and a university.[3][4][5][6][7][1][2]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 669de576c7d6… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] SecureWorks BRONZE STARLIGHT Ransomware Operations June 2022: Counter Threat Unit Research Team. (2022, June 23). BRONZE STARLIGHT RANSOMWARE OPERATIONS USE HUI LOADER. Retrieved December 7, 2023.
[2] mitre-attack S1097: the mirrored MITRE ATT&CK source object for this entry.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.