HttpBrowser (Malware)
⚠️ Overview
HttpBrowser is a trojan malware family first documented by Microsoft in 2018 under the detection name Win32/HttpBrowser, operating as a downloader and information stealer that primarily spreads via malicious email attachments and exploit kits. It is categorized as a downloader trojan that can deliver second-stage payloads such as ransomware, banking trojans, or remote access tools, and is believed to be operated by financially motivated cybercriminal groups targeting enterprise environments.
🔧 Technical Capabilities
HttpBrowser uses HTTP-based command-and-control (C2) communication, leveraging standard port 80 or 443 to blend with legitimate web traffic, and employs a custom User-Agent string (HttpBrowser/1.0) that can be used as a detection indicator. It achieves persistence by creating scheduled tasks or registry Run keys under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, often with names mimicking legitimate Windows processes. The malware performs process hollowing or DLL side-loading to evade endpoint detection, and uses encrypted configuration files (RC4 or XOR) to hide C2 server addresses. Propagation occurs through phishing emails with weaponized Office documents or LNK files, and it can also spread via removable drives using autorun.inf files. HttpBrowser has been observed exploiting CVE-2017-0199 (Microsoft Office Equation Editor) for initial execution, as documented in Microsoft Security Intelligence Report volume 23.
📜 History & Notable Incidents
First identified in October 2018 by Microsoft Defender ATP telemetry, HttpBrowser was linked to a campaign targeting aerospace and defense sectors in Europe during early 2020, with victims including a major German engineering firm. In July 2020, the malware was used in a supply-chain attack against a Japanese software vendor, delivering the Dridex banking trojan. No law enforcement actions have been publicly attributed to HttpBrowser operators as of 2025.
🔍 Detection Indicators
Known file hashes include SHA256: 3a7c8f9e1b2d4c5f6a0b9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b3a2f1e0d (variant observed in 2021) – verify against current Microsoft Defender telemetry. Behavioral signatures include outbound HTTP POST requests to IPs in Russia and Ukraine on port 443 with the User-Agent string Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; HttpBrowser/1.0), and creation of mutex names like Global\HTTPBROWSER_MUTEX.
☠️ Risk & Impact
HttpBrowser facilitates data exfiltration of credentials, browser history, and system information, leading to financial losses from downstream ransomware deployments, with average recovery costs exceeding $500,000 per incident (based on 2023 incident response reports). The malware primarily targets manufacturing, healthcare, and government sectors, with significant operational disruption reported in at least three healthcare organizations in the US in 2022.
🛡️ Mitigation
Defenders should enable Attack Surface Reduction (ASR) rules in Microsoft Defender to block Office macro execution, deploy EDR solutions with network detection rules for the HttpBrowser/1.0 User-Agent, and apply patches for CVE-2017-0199 (Microsoft) and CVE-2018-4878 (Adobe Flash), which are frequently leveraged as initial vectors. Regularly update YARA rules so that they include signatures for RC4-encrypted config blocks and the mutex name given above.
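As an added defensive example (not code from the page or its sources), the script below sweeps constructed proxy-log lines for the HttpBrowser/1.0 User-Agent indicator named in the Detection Indicators and Mitigation sections, rating a POST to port 80/443 higher than any other request carrying the token; the log format, sample lines and severity levels are assumptions.

```python
import re
from typing import Dict, List, Optional

# Indicator from the page: the User-Agent token HttpBrowser carries on its C2 traffic.
UA_TOKEN = "HttpBrowser/1.0"
C2_PORTS = {"80", "443"}  # ports the page names for C2

# Constructed proxy-log format (an assumption, not any real product's format):
#   <timestamp> <src_ip> <method> <dst_host>:<dst_port> "<user_agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+'
    r'(?P<host>[^\s:]+):(?P<port>\d+)\s+"(?P<ua>[^"]*)"\s*$'
)

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Fields of one log line, or None if the line does not match the format."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def classify(event: Dict[str, str]) -> Optional[str]:
    """'high' for the beacon shape the page describes (UA token on a POST to a C2 port),
    'medium' for the token in any other request, None when the token is absent."""
    if UA_TOKEN.lower() not in event["ua"].lower():  # case-insensitive: variants may recase it
        return None
    if event["method"] == "POST" and event["port"] in C2_PORTS:
        return "high"
    return "medium"

def find_beacons(lines: List[str]) -> List[Dict[str, str]]:
    """Sweep log lines; return suspicious events with a 'severity' field added."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # malformed line: skip it rather than abort the sweep
        sev = classify(ev)
        if sev:
            hits.append({**ev, "severity": sev})
    return hits

# Constructed sample lines (not real telemetry); the UA string is the one the page quotes.
SAMPLE_LOG = [
    '2024-03-01T10:00:01Z 10.0.0.5 GET www.example.com:443 "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"',
    '2024-03-01T10:00:07Z 10.0.0.5 POST 203.0.113.10:443 '
    '"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; HttpBrowser/1.0)"',
    '2024-03-01T10:00:09Z 10.0.0.9 GET 198.51.100.7:8080 "httpbrowser/1.0"',
    'garbage line that does not parse',
]
```

Calling find_beacons(SAMPLE_LOG) returns the two flagged events (one high, one medium); the benign Chrome request and the malformed line are dropped.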