hcdLoader (Loader)
⚠️ Overview
hcdLoader is a malware loader first documented in March 2023 by Mandiant, attributed to the financially motivated threat group TA592, and is used primarily to deliver secondary payloads such as Cobalt Strike and Bumblebee. It falls under the category of a downloader and dropper, often distributed via spear-phishing campaigns targeting healthcare and finance sectors.
🔧 Technical Capabilities
Attack vectors include spear-phishing emails with malicious Excel attachments that use VBA macros to execute PowerShell scripts, which download and execute the loader. The loader employs process injection into legitimate processes like svchost.exe using Windows API calls such as CreateRemoteThread and WriteProcessMemory (MITRE ATT&CK T1055). C2 infrastructure relies on HTTPS over Cloudflare CDN to obscure command servers, with a custom domain generation algorithm (DGA) and encrypted payloads using AES-256. Persistence is achieved via scheduled tasks named “AdobeUpdateTask” or registry run keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Evasion techniques include AMSI patching via buffer overwrite, sandbox detection by checking CPU core count (< 2) and disk size (< 60 GB), and string obfuscation using XOR with rotating keys.
📜 History & Notable Incidents
First reported in May 2023 by Proofpoint in a campaign targeting U.S. healthcare organizations. In July 2023, a variant of hcdLoader exploited CVE-2023-38831 (WinRAR vulnerability) to deliver the loader via crafted .RAR archives. No law enforcement actions have been publicly recorded as of early 2025.
🔍 Detection Indicators
Known SHA256 hashes include 3a7bc98a1e2f4d5c6b8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9. Behavioral signatures include creation of a scheduled task named “AdobeUpdateTask” and network connections to domains ending in .xyz. The User-Agent string “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36” and the mutex object “Global\hcd_loader_mutex” are common IOCs.
☠️ Risk & Impact
The loader facilitates data exfiltration of credentials and sensitive documents from compromised hosts, leading to financial losses through subsequent ransomware deployment. The healthcare and finance sectors have been primary targets, with incident response reports indicating average recovery costs exceeding $500,000 per breach.
🛡️ Mitigation
Defensive measures include blocking malicious email attachments and enabling AMSI via Group Policy. Apply patches for CVE-2023-38831 and use EDR solutions with behavioral detection rules for process injection and scheduled task creation. Network segmentation and DNS filtering for .xyz domains are recommended.
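The indicators and the EDR rules recommended above can be turned into a small host-scoring triage routine. The following is an added example written for this page; it is not code from Boteraser or from any hcdLoader analysis. It assumes a constructed event schema (dicts with host, type and a few type-specific fields) standing in for EDR/SIEM telemetry, and the weights and threshold are this example's own assumption: noisy indicators such as a .xyz lookup or the Chrome 103 User-Agent only count when corroborated, while the task name, the mutex and injection into svchost.exe flag a host on their own.

```python
"""Triage constructed endpoint/network events against the hcdLoader indicators
listed on the page (scheduled task, run key, mutex, .xyz domains, User-Agent,
process injection into svchost.exe). Example code, not the page's own tooling."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass

# Indicator values quoted from the page's Technical Capabilities and
# Detection Indicators sections.
TASK_NAME = "AdobeUpdateTask"
MUTEX_NAME = r"Global\hcd_loader_mutex"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
USER_AGENT = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36")
INJECTION_APIS = {"WriteProcessMemory", "CreateRemoteThread"}

# Assumed weights: weak indicators need corroboration, strong ones flag alone.
WEIGHTS = {
    "persistence.task": 3, "mutex": 3, "injection.svchost": 3,
    "persistence.runkey": 2, "c2.dns_xyz": 1, "c2.user_agent": 1,
}
THRESHOLD = 3


@dataclass
class Finding:
    host: str
    rule: str
    detail: str


def match_event(ev: dict) -> Finding | None:
    """Map one event (constructed schema) to a finding, or None if benign."""
    host = ev.get("host", "?")
    kind = ev.get("type")
    if kind == "scheduled_task" and ev.get("name", "").lower() == TASK_NAME.lower():
        return Finding(host, "persistence.task", ev["name"])
    if kind == "registry_set" and ev.get("key", "").lower().startswith(RUN_KEY.lower()):
        return Finding(host, "persistence.runkey", ev["key"] + "\\" + ev.get("value", ""))
    if kind == "mutex" and ev.get("name") == MUTEX_NAME:
        return Finding(host, "mutex", MUTEX_NAME)
    if kind == "dns" and ev.get("query", "").lower().endswith(".xyz"):
        return Finding(host, "c2.dns_xyz", ev["query"])
    if kind == "http" and ev.get("user_agent") == USER_AGENT:
        return Finding(host, "c2.user_agent", ev.get("dest", ""))
    if (kind == "api_call" and ev.get("api") in INJECTION_APIS
            and ev.get("target_image", "").lower().endswith("svchost.exe")):
        return Finding(host, "injection.svchost", f"{ev['api']} -> {ev['target_image']}")
    return None


def triage(events: list[dict]) -> dict[str, tuple[int, list[Finding]]]:
    """Group findings per host and sum their weights."""
    per_host: dict[str, list[Finding]] = defaultdict(list)
    for ev in events:
        f = match_event(ev)
        if f is not None:
            per_host[f.host].append(f)
    return {h: (sum(WEIGHTS[f.rule] for f in fs), fs) for h, fs in per_host.items()}


def flagged_hosts(events: list[dict]) -> list[str]:
    """Hosts whose summed indicator weight reaches the threshold."""
    return sorted(h for h, (score, _) in triage(events).items() if score >= THRESHOLD)


# Constructed sample telemetry (not real incident data).
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "scheduled_task", "name": "AdobeUpdateTask"},
    {"host": "ws02", "type": "http", "dest": "203.0.113.10", "user_agent": USER_AGENT},
    {"host": "ws02", "type": "dns", "query": "cdn-assets.xyz"},
    {"host": "ws03", "type": "registry_set", "key": RUN_KEY, "value": "AdobeUpdate"},
    {"host": "ws03", "type": "dns", "query": "update-mirror.xyz"},
    {"host": "ws04", "type": "api_call", "api": "WriteProcessMemory",
     "target_image": r"C:\Windows\System32\svchost.exe"},
    {"host": "ws04", "type": "mutex", "name": MUTEX_NAME},
    {"host": "ws05", "type": "dns", "query": "example.com"},
]

if __name__ == "__main__":
    for host, (score, findings) in triage(SAMPLE_EVENTS).items():
        status = "FLAG" if score >= THRESHOLD else "info"
        print(f"{host}: score={score} [{status}] " + "; ".join(f.rule + "=" + f.detail for f in findings))
```

In the sample data ws02 sees only the User-Agent and a .xyz lookup (score 2) and stays unflagged, which is the intended behaviour: that User-Agent is a stock Chrome string and .xyz is a legitimate TLD, so either alone would drown an analyst in false positives. The run-key write on ws03 corroborated by a .xyz lookup reaches the threshold, as do the task creation on ws01 and the svchost.exe injection plus mutex on ws04.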
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.