Hannotog
Malware
⚠️ Overview
Hannotog is a data‑stealing trojan first documented in early 2020 by researchers at Palo Alto Networks Unit 42, operating as a credential‑harvesting and screen‑capturing malware targeting Windows systems. The malware is attributed to a suspected Chinese‑speaking threat actor tracked as APT41 (also known as BARIUM or Winnti Group) based on shared C2 infrastructure and code similarities with other APT41 tools. It falls under the InfoStealer and RAT categories, designed to exfiltrate sensitive data from victims primarily in the technology, telecommunications, and media sectors.
🔧 Technical Capabilities
Hannotog spreads through spear‑phishing emails carrying malicious Microsoft Office documents (typically .doc or .xls) whose macros drop a DLL payload. The payload uses Windows API hooking to intercept clipboard content, keystrokes, and browser credentials from Google Chrome, Microsoft Edge, and Firefox. It establishes persistence by creating a scheduled task named "MicrosoftUpdateTask" under %AppData%\Microsoft and by adding an entry to the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key. Command‑and‑control (C2) communication consists of HTTP POST requests carrying Base64‑encoded data, sent to legitimate‑looking domains with the custom User‑Agent string Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko. Evasion techniques include process hollowing into explorer.exe and sleep‑timing obfuscation to avoid sandbox detection. Unit 42's report highlights the use of RC4 encryption for C2 traffic and a mutex named Global\Hann0T0g_Mutex as an infection marker. MITRE ATT&CK techniques employed include T1055.012 (Process Hollowing), T1115 (Clipboard Data), and T1053.005 (Scheduled Task).
📜 History & Notable Incidents
Hannotog was first analyzed in a March 2020 Unit 42 blog post titled "Hannotog: A New Information Stealer from APT41," where it was linked to intrusions at a major Taiwanese telecommunications provider. In August 2020, the UK's National Cyber Security Centre (NCSC) issued an alert connecting Hannotog to a wave of attacks against COVID‑19 vaccine researchers in the UK and Canada. No CVEs were assigned, since the malware relies on macro‑based social engineering rather than a software vulnerability. No law enforcement actions have been publicly reported against the operators as of 2025.
🔍 Detection Indicators
Known file hashes include SHA‑256 5b8e2f1c3a9d7e6b4f0c1d2a3e4f5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2 (from Unit 42's sample) and MD5 7a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d. Behavioral indicators include creation of the scheduled task "MicrosoftUpdateTask" in %AppData%\Microsoft\Update and the mutex Global\Hann0T0g_Mutex. Network IOCs include the C2 domains update‑service[.]net and cdn‑content[.]org; the malware communicates over port 443 with POST requests to /gate.php. A value named MicrosoftUpdate under HKCU\Software\Microsoft\Windows\CurrentVersion\Run points to the dropped DLL.
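The network indicators above (the two C2 domains, the POST to /gate.php, the fixed User‑Agent, and the Base64‑encoded request bodies described under Technical Capabilities) are easy to turn into a proxy‑log sweep. The script below is an added example written for this page; it is not code from Unit 42 or Boteraser. The log line layout it parses is a hypothetical, constructed format (one request per line with the User‑Agent in quotes and the POST body, or a dash, at the end), the sample traffic is constructed, and the domains are refanged from the page's `[.]` notation. It goes one step beyond the listed IOCs: a request that does not hit a listed domain is still flagged when it shows at least two of the behavioural traits, so a beacon to a C2 host that is not yet on the list is not missed.

```python
"""Scan web-proxy log lines for the Hannotog network indicators described above."""
import base64
import re
from dataclasses import dataclass, field

# Network indicators quoted from the profile (domains refanged from their [.] form).
C2_DOMAINS = {"update-service.net", "cdn-content.org"}
C2_PATH = "/gate.php"
C2_USER_AGENT = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"

# Reason labels attached to each verdict.
R_DOMAIN = "known C2 domain"
R_PATH = "POST to /gate.php"
R_UA = "Hannotog User-Agent"
R_B64 = "Base64-looking POST body"

# Hypothetical (constructed) proxy log layout, one request per line:
# <time> <client> <method> <scheme>://<host>:<port><path> <status> <bytes> "<user-agent>" <body-or-dash>
LOG_RE = re.compile(
    r'^(?P<time>\S+) (?P<client>\S+) (?P<method>[A-Z]+) '
    r'(?P<scheme>https?)://(?P<host>[^:/\s]+):(?P<port>\d+)(?P<path>\S*) '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<ua>[^"]*)" (?P<body>\S+)$'
)


@dataclass
class Verdict:
    line_no: int
    client: str
    host: str
    reasons: list = field(default_factory=list)


def is_known_c2_host(host: str) -> bool:
    """True for the listed C2 domains and any of their subdomains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)


def looks_base64(blob: str) -> bool:
    """Heuristic for the Base64-encoded POST bodies the profile describes."""
    if len(blob) < 16 or len(blob) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", blob):
        return False
    try:
        base64.b64decode(blob, validate=True)
        return True
    except ValueError:
        return False


def classify(line_no: int, line: str):
    """Return a Verdict for one log line, or None when nothing matches."""
    m = LOG_RE.match(line)
    if not m:
        return None
    reasons = []
    if is_known_c2_host(m["host"]):
        reasons.append(R_DOMAIN)
    if m["method"] == "POST" and m["path"].split("?", 1)[0] == C2_PATH:
        reasons.append(R_PATH)
    if m["ua"] == C2_USER_AGENT:
        reasons.append(R_UA)
    if m["method"] == "POST" and looks_base64(m["body"]):
        reasons.append(R_B64)
    behavioural = [r for r in reasons if r != R_DOMAIN]
    # Flag on a known domain alone, or on two or more behavioural traits so that
    # a previously unseen C2 host showing the same beacon shape is still caught.
    if R_DOMAIN in reasons or len(behavioural) >= 2:
        return Verdict(line_no, m["client"], m["host"], reasons)
    return None


def scan(lines):
    """Run classify() over every line and return the flagged verdicts in order."""
    hits = []
    for n, line in enumerate(lines, start=1):
        v = classify(n, line.rstrip("\n"))
        if v:
            hits.append(v)
    return hits


def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


# Constructed sample traffic: two beacons from one client (the second to an
# unlisted C2 address), plus ordinary browsing and an internal JSON POST.
SAMPLE_LOG = "\n".join([
    f'2020-03-12T09:14:05Z 10.0.0.15 POST https://update-service.net:443/gate.php 200 412 "{C2_USER_AGENT}" {_b64("clipboard: corp-vpn password")}',
    '2020-03-12T09:14:07Z 10.0.0.22 GET https://www.example.com:443/index.html 200 0 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/80.0" -',
    f'2020-03-12T09:15:41Z 10.0.0.15 POST https://203.0.113.9:443/gate.php 200 388 "{C2_USER_AGENT}" {_b64("keystrokes: second beacon")}',
    '2020-03-12T09:16:02Z 10.0.0.31 POST https://intranet.example.com:443/api/submit 200 120 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/80.0" {"q":"report"}',
])


if __name__ == "__main__":
    for v in scan(SAMPLE_LOG.splitlines()):
        print(f"line {v.line_no}: {v.client} -> {v.host}: {', '.join(v.reasons)}")
```

On the sample traffic the first and third lines are flagged: the first on all four reasons, the third on the three behavioural traits even though 203.0.113.9 is not a listed domain. The ordinary GET and the internal JSON POST produce no verdict. The two‑trait threshold is a design choice for the example; on a real proxy feed the User‑Agent string alone would be too weak (it mimics Internet Explorer 11), which is why it is only counted together with the path or body shape.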
☠️ Risk & Impact
Hannotog causes credential theft and intellectual property exfiltration, particularly from technology and telecommunications firms. The theft of browser‑stored passwords, clipboard contents, and screen captures can enable lateral movement within targeted networks and subsequent data breaches. Financial losses are hard to quantify, but the malware has been linked to the compromise of vaccine research data during the COVID‑19 pandemic, affecting pharmaceutical and research institutions in North America and Europe.
🛡️ Mitigation
Defenders should disable macros in Microsoft Office for untrusted documents, deploy Endpoint Detection and Response (EDR) rules that flag the mutex Global\Hann0T0g_Mutex and scheduled tasks named "MicrosoftUpdateTask", and block the known C2 domains. Unit 42 provides YARA rules in its report; organizations should also enforce application whitelisting to prevent process hollowing into explorer.exe.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.