MITRE ATT&CK® Technique

T1218.001: Compiled HTML File

Adversaries may abuse Compiled HTML files (.chm) to conceal malicious code. CHM files are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations of various content such as HTML documents, images, and scripting/web related programming languages such as VBA, JScript, Java, and ActiveX. [1] CHM content is displayed using underlying components of the Internet Explorer browser [2] loaded by the HTML Help executable program (hh.exe). [3]

A custom CHM file containing embedded payloads could be delivered to a victim and then triggered by User Execution. CHM execution may also bypass application control on older and/or unpatched systems that do not account for execution of binaries through hh.exe. [4] [5]

Enterprise | T1218.001 | Sub-technique | Object v3.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

Compiled HTML Help files (.chm) matter because they can turn a normal Windows help-file format and the trusted hh.exe program into a way to conceal and launch malicious content. For leaders, the key issue is not the file type alone; it is whether Windows endpoints, download controls, and application control policies treat hh.exe and CHM content as executable risk rather than harmless documentation.

Executive priority

Prioritize this where Windows endpoints handle downloaded files, email attachments, or legacy help content. The business decision is whether current execution prevention, web-content restrictions, and patch posture can prevent or surface abuse of trusted system binaries used for proxy execution. This also provides useful audit evidence for application control maturity and incident readiness around living-off-the-land behavior.

Technical view

This is a Windows sub-technique of System Binary Proxy Execution focused on .chm content rendered through Internet Explorer components and launched by hh.exe. SOC and IR teams should validate DET0342-style coverage for suspicious CHM execution via hh.exe, especially where hh.exe launches from user-writable or recently downloaded locations, opens CHM files from email/web delivery paths, or spawns unexpected child activity. Because ATT&CK provides no official detection text for this object, local tuning must distinguish legitimate help-file use from unusual execution chains.

Likely telemetry

  • Windows process creation telemetry for hh.exe, including command line, parent process, child processes, user, and working directory
  • File telemetry for creation, download, rename, or execution of .chm files, especially in user profile, browser download, temporary, or email attachment locations
  • Web proxy, secure web gateway, or browser download logs for CHM delivery and unsafe download attempts
  • Endpoint security or EDR events showing script, ActiveX, Java, JScript, VBA, or web-related content activity associated with CHM execution
  • Application control, script blocking, or execution prevention logs showing allowed or blocked hh.exe and CHM-related activity

Detection direction

  • Validate whether DET0342 or equivalent analytics are implemented for suspicious Compiled HTML File execution via hh.exe.
  • Tune on context: legitimate hh.exe use may occur for installed help documentation, while higher-risk cases include CHM files opened from download, email, temporary, or other user-writable paths.
  • Correlate hh.exe activity with parent processes, recent file acquisition, and unexpected child processes instead of alerting only on the presence of hh.exe.
  • Review application control telemetry for gaps where signed or trusted binaries can execute embedded or proxied content.
  • Account for blind spots where endpoint tools collect process names but not command line, file origin, or child-process relationships.
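As an added example that is not Glexia's or MITRE's code, the script below applies the "Likely telemetry" and "Detection direction" points above to process-creation records: it ignores the mere presence of hh.exe and instead scores the CHM's path (download, temp, attachment-cache or other user-writable locations), the parent process (email client or browser) and any child processes hh.exe spawns. The event schema (image, command_line, parent_image, user, children), the path hints, the parent and child lists, and all sample events are constructed assumptions for this example; map them onto your own Sysmon or EDR fields and tune the lists to documented local CHM use.

```python
"""
Added example (not Glexia's or MITRE's code): triage of Windows process-creation
events for suspicious hh.exe / .chm execution chains. Field names, path hints,
process lists and every sample event are assumptions constructed for this
example; adapt them to your Sysmon/EDR schema and local baseline.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Lower-cased substrings of .chm paths that indicate user-writable or delivery
# locations (browser downloads, temp folders, Outlook's attachment cache).
RISKY_PATH_HINTS = (
    "\\downloads\\", "\\appdata\\local\\temp\\", "\\windows\\temp\\",
    "\\inetcache\\", "\\content.outlook\\", "\\users\\public\\", "\\desktop\\",
)
# Parents that point to email/web delivery rather than installed help content.
DELIVERY_PARENTS = {"outlook.exe", "thunderbird.exe", "chrome.exe",
                    "msedge.exe", "firefox.exe", "iexplore.exe"}
# Children hh.exe has no reason to spawn when it only renders help content.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
# A .chm argument, either quoted (may contain spaces) or a bare token.
CHM_ARG = re.compile(r'"([^"]+\.chm)"|(\S+\.chm)', re.IGNORECASE)


@dataclass
class ProcessEvent:
    """Minimal process-creation record (assumed schema, Sysmon Event ID 1-like)."""
    image: str
    command_line: str
    parent_image: str
    user: str
    children: List[str] = field(default_factory=list)  # images spawned by this process


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def extract_chm_path(command_line: str):
    m = CHM_ARG.search(command_line)
    return (m.group(1) or m.group(2)) if m else None


def score_event(ev: ProcessEvent) -> Tuple[int, List[str]]:
    """Score one event; non-hh.exe events score 0, and hh.exe alone scores 0 too."""
    if basename(ev.image) != "hh.exe":
        return 0, []
    score, reasons = 0, []
    chm = extract_chm_path(ev.command_line)
    if chm and any(h in chm.lower() for h in RISKY_PATH_HINTS):
        score += 3
        reasons.append(f"CHM opened from user-writable/delivery path: {chm}")
    if basename(ev.parent_image) in DELIVERY_PARENTS:
        score += 2
        reasons.append(f"launched by delivery application: {basename(ev.parent_image)}")
    bad_children = sorted({basename(c) for c in ev.children} & SUSPICIOUS_CHILDREN)
    if bad_children:
        score += 4
        reasons.append("hh.exe spawned " + ", ".join(bad_children))
    return score, reasons


def severity(score: int) -> str:
    return "high" if score >= 6 else "medium" if score >= 3 else "none"


def triage(events, threshold: int = 3):
    """(event, score, reasons) for events at or above threshold, highest score first."""
    hits = [(ev, *score_event(ev)) for ev in events]
    hits = [h for h in hits if h[1] >= threshold]
    return sorted(hits, key=lambda h: h[1], reverse=True)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Installed help opened by the vendor application: benign baseline.
    ProcessEvent(r"C:\Windows\hh.exe",
                 r'"C:\Windows\hh.exe" "C:\Program Files\ExampleVendor\Help\product.chm"',
                 r"C:\Program Files\ExampleVendor\product.exe", r"CORP\dave"),
    # CHM in the browser download folder, launched by the browser, then PowerShell.
    ProcessEvent(r"C:\Windows\hh.exe",
                 r'"C:\Windows\hh.exe" "C:\Users\alice\Downloads\invoice.chm"',
                 r"C:\Program Files\Google\Chrome\Application\chrome.exe", r"CORP\alice",
                 [r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"]),
    # CHM in a temp folder, double-clicked via Explorer, no children yet.
    ProcessEvent(r"C:\Windows\hh.exe",
                 r'"C:\Windows\hh.exe" C:\Users\bob\AppData\Local\Temp\readme.chm',
                 r"C:\Windows\explorer.exe", r"CORP\bob"),
    # Trusted path and parent, but hh.exe spawns a shell: child correlation catches it.
    ProcessEvent(r"C:\Windows\hh.exe",
                 r'"C:\Windows\hh.exe" "C:\Program Files\ExampleVendor\Help\product.chm"',
                 r"C:\Program Files\ExampleVendor\product.exe", r"CORP\carol",
                 [r"C:\Windows\System32\cmd.exe"]),
    # Unrelated process: ignored.
    ProcessEvent(r"C:\Windows\System32\notepad.exe", "notepad.exe notes.txt",
                 r"C:\Windows\explorer.exe", r"CORP\dave"),
]

if __name__ == "__main__":
    for ev, score, reasons in triage(SAMPLE_EVENTS):
        print(f"[{severity(score):6}] score={score} user={ev.user}")
        for r in reasons:
            print("    -", r)
```

Run as-is it prints the three flagged events (alice high, carol and bob medium) and leaves the vendor-help baseline and the unrelated process untouched. The weights deliberately make a child process from hh.exe outweigh path or parent alone, which matches the advice above to correlate rather than alert on hh.exe presence; the blind spot the last bullet warns about shows up directly here, since without command line and child-process fields the only remaining signal is the parent.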

Mitigation priorities

  • Apply Restrict Web-Based Content controls to reduce delivery of unsafe CHM files through web access, downloads, and browser-based content paths.
  • Use Execution Prevention controls such as application control and script blocking to limit unauthorized code execution and constrain risky use of hh.exe and CHM content.
  • Keep relevant Windows and Internet Explorer/HTML Help components patched, especially on older systems referenced by the technique description as potential bypass candidates.
  • Review allowlists so trusted Microsoft-signed binaries are not implicitly allowed to proxy arbitrary or untrusted content without policy constraints.
  • Document legitimate business use of CHM files before enforcing restrictions to reduce operational disruption.

Analyst notes and limits

ATT&CK relationships show this behavior is used by several named groups and by Astaroth software, and it is covered by a related detection strategy, DET0342. Those relationships support prioritizing validation, but they do not prove current activity against any specific organization. Treat this as a control-validation and telemetry-coverage item for Windows environments.

The supplied ATT&CK object has no official detection text, so detection logic must be derived from the technique description, the hh.exe/CHM execution model, and the DET0342 relationship. Local evidence is required to determine normal CHM usage, whether CHM files are allowed in business workflows, and whether application control or web filtering actually covers this behavior.

Official MITRE ATT&CK definition

Compiled HTML File

Adversaries may abuse Compiled HTML files (.chm) to conceal malicious code. CHM files are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations of various content such as HTML documents, images, and scripting/web related programming languages such as VBA, JScript, Java, and ActiveX. [1] CHM content is displayed using underlying components of the Internet Explorer browser [2] loaded by the HTML Help executable program (hh.exe). [3]

A custom CHM file containing embedded payloads could be delivered to a victim and then triggered by User Execution. CHM execution may also bypass application control on older and/or unpatched systems that do not account for execution of binaries through hh.exe. [4] [5]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain     | ID    | Name                          | Relationship / procedure
Enterprise | T1218 | System Binary Proxy Execution | This object is a sub-technique of System Binary Proxy Execution.
Enterprise | T1223 | Compiled HTML File            | T1223 (Compiled HTML File) was revoked by this object.
Associated objects

Groups, software, and campaigns

Group Enterprise

G0049: OilRig

OilRig is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. The group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.[1][2][3][4][5][6][7]

Group Enterprise

G0091: Silence

Silence is a financially motivated threat actor targeting financial institutions in different countries. The group was first seen in June 2016. Their main targets reside in Russia, Ukraine, Belarus, Azerbaijan, Poland and Kazakhstan. They compromised various banking systems, including the Russian Central Bank's Automated Workstation Client, ATMs, and card processing.[1][2]

Group Enterprise

G0096: APT41

APT41 is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially motivated operations. Active since at least 2012, APT41 has been observed targeting various industries, including but not limited to healthcare, telecom, technology, finance, education, retail and video game industries in 14 countries.[1] Notable behaviors include using a wide range of malware and tools to complete mission objectives. APT41 overlaps at least partially with public reporting on groups including BARIUM and Winnti Group.[2][3]

Group Enterprise

G0082: APT38

APT38 is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau.[1] Active since at least 2014, APT38 has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide. Significant operations include the 2016 Bank of Bangladesh heist, during which APT38 stole $81 million, as well as attacks against Bancomext [2] and Banco de Chile [2]; some of their attacks have been destructive.[1][2][3][4]

North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.

Malware Enterprise

S0373: Astaroth

Astaroth is a Trojan and information stealer known to affect companies in Europe, Brazil, and throughout Latin America. It has been known publicly since at least late 2017. [1][2][3]

Platforms: Windows

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release
19.1
Object version
3.0
Created
Modified
Raw hash
86cab2bf581b9228...
Imported snapshots across ATT&CK releases (1)
Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 3.0            |          | Current bundle | 86cab2bf581b…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Microsoft HTML Help May 2018: Microsoft. (2018, May 30). Microsoft HTML Help 1.4. Retrieved October 3, 2018.
  2. [2] Microsoft HTML Help ActiveX: Microsoft. (n.d.). HTML Help ActiveX Control Overview. Retrieved October 3, 2018.
  3. [3] Microsoft HTML Help Executable Program: Microsoft. (n.d.). About the HTML Help Executable Program. Retrieved October 3, 2018.
  4. [4] MsitPros CHM Aug 2017: Moe, O. (2017, August 13). Bypassing Device guard UMCI using CHM - CVE-2017-8625. Retrieved October 3, 2018.
  5. [5] Microsoft CVE-2017-8625 Aug 2017: Microsoft. (2017, August 8). CVE-2017-8625 - Internet Explorer Security Feature Bypass Vulnerability. Retrieved October 3, 2018.
  6. [6] mitre-attack T1218.001: MITRE ATT&CK source object for T1218.001.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.