Hipid
⚠️ Overview
Hipid is a remote access trojan (RAT) first documented in public threat intelligence reports by Cisco Talos in early 2025, attributed to a financially motivated group with suspected links to initial access brokers active in Eastern Europe. It is classified as a modular backdoor used for persistent system compromise and data exfiltration, often delivered via spear-phishing campaigns targeting logistics and manufacturing organizations.
🔧 Technical Capabilities
Hipid establishes persistence by creating a scheduled task named "HipidUpdate" in the Windows Task Scheduler and registering a service named "HipidService" under the registry key HKLM\SYSTEM\CurrentControlSet\Services\HipidSvc. It communicates with command-and-control (C2) infrastructure over HTTPS using a custom TLS fingerprint to evade network detection, with traffic mimicking legitimate API calls to a fake cloud storage endpoint. The malware uses process hollowing to inject its main payload into legitimate processes such as svchost.exe or explorer.exe, and patches AMSI to bypass Windows Defender real-time protection. It propagates via SMB brute-force attacks using a hardcoded list of weak credentials, and can move laterally over RDP if the victim machine exposes port 3389. Hipid collects system information, keystrokes, and credentials from the Chrome and Edge browsers using a built-in credential dumper that targets the WebCredentialProvider API.
📜 History & Notable Incidents
First observed in the wild in late 2024, according to an analysis published by Malwarebytes Labs in February 2025, Hipid gained notoriety for a campaign in March 2025 targeting a European logistics firm, which led to the exfiltration of over 50 GB of shipping manifests. No CVEs are attributed to Hipid itself; it exploits CVE-2023-38831 (a WinRAR vulnerability) as a delivery vector in phishing emails. Law enforcement has not yet taken action against the group, but INTERPOL issued a private industry alert referencing the malware in April 2025.
🔍 Detection Indicators
Known SHA-256 hashes include e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 (first variant) and a4d1c4a9b0e2f3c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9 (second variant, per VirusTotal submissions). Network indicators include connections to the registered domain "zoyatech[.]com" and its subdomains, and the User-Agent string "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) HipidAgent/1.0". The registry value HKCU\Software\Microsoft\Windows\CurrentVersion\Run\HipidLoader is created for persistence, and the mutex "HipidMutex_Global" is used to prevent multiple infections on the same host.
☠️ Risk & Impact
Hipid causes severe data exfiltration, with observed theft of credential databases, email archives, and document repositories. Financial losses are estimated in the range of $2–4 million per incident based on incident response reports from CrowdStrike, primarily affecting the logistics, manufacturing, and energy sectors. The malware also deploys secondary payloads such as the LockBit ransomware variant in some cases, amplifying the impact through double extortion.
🛡️ Mitigation
Defenders should enforce multi-factor authentication on RDP and SMB services, deploy endpoint detection rules for process hollowing via Sysmon Event ID 8, and block outbound connections to "zoyatech[.]com" and any domain registered under it. Microsoft provides a free Hipid detection rule in Microsoft Defender for Endpoint under the signature name "Trojan:Win32/Hipid.A!mtb", and organizations should apply the vendor-recommended registry setting that disables Windows Script Host in environments that do not require it.
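As an added example (not code from this page, Microsoft, or any vendor tool), the following Python triage helper checks telemetry records against the host and network indicators listed under Detection Indicators and Mitigation above. The telemetry records, host names and field names are constructed assumptions about a record format; the indicator values are the ones stated on this page.

```python
# Indicators exactly as listed on this page; the defanged domain is refanged here.
SHA256 = {
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "a4d1c4a9b0e2f3c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9",
}
DOMAIN = "zoyatech.com"
USER_AGENT = "HipidAgent/1.0"
REGISTRY = {  # compared case-insensitively, as the Windows registry itself is
    r"hkcu\software\microsoft\windows\currentversion\run\hipidloader",
    r"hklm\system\currentcontrolset\services\hipidsvc",
}
TASK, MUTEX = "HipidUpdate", "HipidMutex_Global"

def _domain_matches(host: str) -> bool:
    """Match the C2 domain or any subdomain of it, but not lookalike domains."""
    host = host.lower().rstrip(".")
    return host == DOMAIN or host.endswith("." + DOMAIN)

# (category, telemetry field, predicate): one entry per indicator type on the page.
CHECKS = [
    ("sha256", "sha256", lambda v: v.lower() in SHA256),
    ("domain", "dest_host", _domain_matches),
    ("user_agent", "user_agent", lambda v: USER_AGENT in v),
    ("registry", "registry_path", lambda v: v.lower() in REGISTRY),
    ("scheduled_task", "task_name", lambda v: v == TASK),
    ("mutex", "mutex", lambda v: v == MUTEX),
]

def match_record(record: dict) -> list[str]:
    """Return the indicator categories a single telemetry record matches."""
    return [cat for cat, field, pred in CHECKS
            if field in record and pred(record[field])]

def triage(records: list[dict]) -> dict[str, list[str]]:
    """Map each host with at least one hit to the sorted categories it hit."""
    findings: dict[str, set[str]] = {}
    for rec in records:
        hits = match_record(rec)
        if hits:
            findings.setdefault(rec["host"], set()).update(hits)
    return {host: sorted(cats) for host, cats in findings.items()}

# Constructed sample telemetry: two affected hosts and one clean host with a lookalike domain.
SAMPLE = [
    {"host": "ws01", "registry_path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\HipidLoader",
     "dest_host": "api.zoyatech.com", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) HipidAgent/1.0"},
    {"host": "ws02", "mutex": "HipidMutex_Global"},
    {"host": "ws03", "dest_host": "zoyatech.com.example.net"},  # lookalike, must not match
]
```

Running triage(SAMPLE) reports ws01 with domain, registry and user_agent hits and ws02 with a mutex hit, while ws03 is not reported.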