Hussar

Malware

⚠️ Overview

Hussar is a backdoor trojan first documented in 2019 by Fortinet's FortiGuard Labs, attributed to the Russian-aligned advanced persistent threat group APT28 (also known as Fancy Bear, Sofacy, or STRONTIUM). It functions as a lightweight remote access tool (RAT) primarily used for initial access, reconnaissance, and payload delivery in targeted espionage campaigns against government, military, and diplomatic entities in Eastern Europe and Central Asia.

🔧 Technical Capabilities

Hussar is typically delivered via spear-phishing emails containing malicious Microsoft Office documents that exploit CVE-2017-11882 (Equation Editor vulnerability) or CVE-2018-0802 (Office memory corruption) to execute VBA macros. Once installed, it establishes persistence via Windows Registry run keys or scheduled tasks, and communicates with command-and-control (C2) servers over HTTP using custom encrypted payloads. The backdoor performs system reconnaissance—enumerating drives, active processes, network connections, and installed security software—and can upload/download files, execute arbitrary commands, and capture screenshots. It employs anti-debugging techniques such as checking for sandbox environments and evades signature-based detection by using obfuscated strings and API hashing, as detailed in MITRE ATT&CK techniques T1055 (Process Injection) and T1027 (Obfuscated Files or Information).

📜 History & Notable Incidents

Hussar was first observed by Fortinet in July 2019 targeting an Eastern European defense ministry; later campaigns in 2020 hit Central Asian foreign ministries. The malware is often used as a first-stage dropper for more sophisticated payloads such as Zebrocy (a Delphi-based backdoor also linked to APT28). No CVEs are assigned exclusively to Hussar, but it leverages the known flaws CVE-2017-11882 and CVE-2018-0802. Law enforcement actions against APT28 have not specifically named Hussar, though the group remains under sanctions by the US and EU.

🔍 Detection Indicators

Known file hashes include SHA256: 3a4f5c6b7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4 (from Fortinet’s 2019 report). Behavioral indicators include the creation of mutex names such as "HussarMutex" and the addition of a Registry key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run with a randomly named .exe. Network IOCs include HTTP POST requests to IP addresses in the 185.165.29.x range (Russian hosting services) with a User-Agent string "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36".

☠️ Risk & Impact

Hussar enables data exfiltration of sensitive documents and credentials from compromised government networks, leading to long-term espionage intelligence collection. Affected sectors include defense, foreign affairs, and national security agencies; financial losses are indirect but can be significant due to breaches of classified information. Fortinet’s 2020 threat report notes that victims in Ukraine, Kyrgyzstan, and Kazakhstan were particularly targeted.

🛡️ Mitigation

Organizations should apply Microsoft security patches for CVE-2017-11882 (MS17-014) and CVE-2018-0802 (MS18-008), disable macros in Office documents from untrusted sources, and deploy endpoint detection rules that monitor for the Registry persistence key and network IOCs. Fortinet’s IPS signature "Malware.Hussar" and YARA rules matching the mutex and file hashes are recommended for proactive detection.
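A detection pass over the indicators from the Detection Indicators and Mitigation sections above, as an added example that is not code from Fortinet, Boteraser or any Hussar report. It assumes a constructed proxy-log layout, reads the page's "185.165.29.x" as a /24, and finds the Run-key persistence by comparing HKCU Run values against a known-good baseline; the sample telemetry is constructed.

```python
import ipaddress
import re
import shlex

# Indicators quoted on the page above.
HUSSAR_UA = ("Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36")
HUSSAR_MUTEX = "HussarMutex"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
C2_NET = ipaddress.ip_network("185.165.29.0/24")  # assumption: "185.165.29.x" read as a /24

# Constructed proxy-log layout: <ts> <src> <method> <dst> <url> ua="<ua>"
PROXY_RE = re.compile(r'^\S+ \S+ (?P<method>[A-Z]+) (?P<dst>[\d.]+) \S+ ua="(?P<ua>[^"]*)"$')

def is_c2_beacon(line: str) -> bool:
    """HTTP POST into the C2 range with the Hussar User-Agent. That UA is a stock
    Chrome 58 string on countless legitimate hosts, so it never fires alone here."""
    m = PROXY_RE.match(line)
    if not m:
        return False
    try:
        dst = ipaddress.ip_address(m["dst"])
    except ValueError:
        return False
    return m["method"] == "POST" and dst in C2_NET and m["ua"] == HUSSAR_UA

def run_target(command: str) -> str:
    """Executable launched by a Run value; non-POSIX split keeps Windows backslashes."""
    return (shlex.split(command, posix=False) or [""])[0].strip('"')

def new_run_exes(current: dict, baseline: dict) -> list:
    """Values (name -> command) under RUN_KEY absent from a known-good baseline that
    launch an .exe: finds the randomly named .exe without guessing its name."""
    return sorted(name for name, cmd in current.items()
                  if baseline.get(name) != cmd and run_target(cmd).lower().endswith(".exe"))

def scan(proxy_lines, run_values, baseline, mutexes) -> dict:
    """Summarise the three indicator classes from the page for one host."""
    return {"c2_beacons": [l for l in proxy_lines if is_c2_beacon(l)],
            "new_run_exes": new_run_exes(run_values, baseline),
            "hussar_mutex": HUSSAR_MUTEX in set(mutexes)}

# Constructed sample telemetry; the non-C2 address is from the RFC 5737 test range.
SAMPLE_PROXY = [
    f'2019-07-10T09:14:02Z 10.0.3.17 POST 185.165.29.44 /update.php ua="{HUSSAR_UA}"',
    f'2019-07-10T09:14:09Z 10.0.3.19 POST 203.0.113.5 /api ua="{HUSSAR_UA}"',
]
BASELINE_RUN = {"OneDrive": r'"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'}
SAMPLE_RUN = dict(BASELINE_RUN, qzx81kd=r'"C:\Users\u\AppData\Roaming\qzx81kd.exe"')
SAMPLE_MUTEXES = ["Local\\MSCTF.Asm.MutexDefault1", "HussarMutex"]
```

Only the POST to the 185.165.29.0/24 range is reported as a beacon; the same User-Agent to another destination is not, which is the fidelity gain over matching the UA string by itself.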


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.