ONHAT

Malware

⚠️ Overview

ONHAT is a sophisticated information-stealing malware family first documented by Kaspersky in September 2021 during campaigns targeting government and diplomatic entities across Eastern Europe and Central Asia. Operated by the APT group Gamaredon (aka Primitive Bear, UNC530, tracked as APT28-associated by some open sources), ONHAT functions primarily as a download trojan and stealer, delivering second-stage payloads and exfiltrating sensitive documents from infected Windows systems.

🔧 Technical Capabilities

ONHAT propagates via phishing emails containing malicious RTF or LNK attachments that exploit CVE-2017-11882 (Microsoft Office Equation Editor) and CVE-2021-26411 (Internet Explorer VBScript) for initial access. The malware uses TCP-based command-and-control (C2) over ports 443 and 8080, communicating with hardcoded IP addresses via HTTP POST requests containing Base64-encoded victim data. It achieves persistence by creating scheduled tasks named "MicrosoftEdgeUpdateTaskMachine" or dropping a VBS script into the Windows Startup folder. For evasion, ONHAT employs API hammering to bypass user-mode hooks and uses encrypted strings with a single-byte XOR key (0x7F) to obfuscate its configuration. The malware can enumerate files, capture screenshots, log keystrokes, and steal credentials stored in web browsers (Chrome, Firefox, Edge) as well as from Outlook and Windows Credential Manager.

📜 History & Notable Incidents

ONHAT gained prominence in 2022 when Kaspersky linked it to a spear-phishing campaign that compromised the Ukrainian Ministry of Foreign Affairs and several Polish government agencies in January 2022, just prior to the Russian invasion of Ukraine. No specific CVE is directly attributed to the malware itself, but it exploits the legacy CVEs listed above. Law enforcement has not publicly targeted the group; however, the Ukrainian CERT-UA (CERT-UA#7245) published detailed indicators of compromise (IOCs) in March 2022.

🔍 Detection Indicators

Known file hashes include SHA256 2a9b3c8d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a (sample analyzed by VirusTotal) and MD5 e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6. Network IOCs include C2 IPs 185.130.5.231 and 91.121.87.123 (port 8080), with User-Agent strings such as Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0. Persistence is indicated by the scheduled task name "MicrosoftEdgeUpdateTaskMachine" and the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ONHAT.

☠️ Risk & Impact

ONHAT poses a high risk due to its ability to exfiltrate classified documents, diplomatic cables, and authentication credentials from targeted government systems. Financial losses from the associated intelligence leakage cannot be measured directly; the malware is purpose-built for cyber-espionage against state actors, and affected sectors include defense, foreign affairs, and energy. The impact is compounded by Gamaredon's use of ONHAT as a first-stage reconnaissance tool for lateral movement and subsequent deployment of the Pterodo backdoor.

🛡️ Mitigation

Defenders should apply patches for CVE-2017-11882 and CVE-2021-26411, enable Office macro blocking, and deploy YARA signatures from Kaspersky's public repository (e.g., rule "ONHAT_v1"). Network monitoring should flag HTTP POST requests to ports 443/8080 with Base64 payloads and the hardcoded User-Agent string. Endpoint detection solutions like Microsoft Defender for Endpoint (MDE) can detect persistence via scheduled tasks. Regular training against spear-phishing remains critical.
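The Detection Indicators and Mitigation sections together describe the network and host indicators a defender can match on: the two C2 addresses, HTTP POST traffic to ports 443/8080 carrying Base64 payloads, the hardcoded User-Agent string, and the scheduled task name. The script below is an added example, not code from the original page or from any vendor, that runs those checks over constructed proxy log lines and a constructed scheduled-task listing. The log layout (`timestamp client method dest:port "user-agent" body`) is an assumption; adapt the regex to your own proxy or EDR export.

```python
"""Match the ONHAT network and persistence indicators against sample telemetry.

Added example (not the page's or any vendor's code). Indicator values come
from the page; the log format and sample lines are constructed.
"""
import base64
import binascii
import re
from dataclasses import dataclass

# Indicators taken from the page text.
C2_IPS = {"185.130.5.231", "91.121.87.123"}
C2_PORTS = {443, 8080}
C2_USER_AGENT = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0"
TASK_NAME = "MicrosoftEdgeUpdateTaskMachine"

# Assumed log layout: timestamp client_ip method dest_ip:port "user_agent" body
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<dst>[\d.]+):(?P<port>\d+) '
    r'"(?P<ua>[^"]*)" (?P<body>\S*)$'
)


def looks_base64(s: str, min_len: int = 16) -> bool:
    """True if s is long enough and decodes as strict, correctly padded Base64."""
    if len(s) < min_len or len(s) % 4 != 0:
        return False
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", s):
        return False
    try:
        base64.b64decode(s, validate=True)
    except binascii.Error:
        return False
    return True


@dataclass
class Hit:
    line_no: int
    reasons: list


def scan_proxy_log(lines) -> list:
    """Return a Hit for every log line matching at least one ONHAT network indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparsable line; a real pipeline would count these
        reasons = []
        if m["dst"] in C2_IPS:
            reasons.append(f"known C2 address {m['dst']}")
        if m["method"] == "POST" and int(m["port"]) in C2_PORTS and looks_base64(m["body"]):
            reasons.append(f"Base64 POST body to port {m['port']}")
        if m["ua"] == C2_USER_AGENT:
            reasons.append("hardcoded User-Agent")
        if reasons:
            hits.append(Hit(n, reasons))
    return hits


def scan_scheduled_tasks(task_names) -> list:
    """Return scheduled task names matching the persistence indicator (case-insensitive,
    since Task Scheduler treats names case-insensitively)."""
    return [t for t in task_names if t.lower() == TASK_NAME.lower()]


# Constructed sample telemetry (documentation-range addresses, not real traffic).
SAMPLE_LOG = [
    '2022-03-01T10:00:01Z 10.0.0.5 GET 198.51.100.10:443 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/99.0" -',
    '2022-03-01T10:00:07Z 10.0.0.5 POST 185.130.5.231:8080 "' + C2_USER_AGENT + '" '
    + base64.b64encode(b"host=WS01;user=alice;docs=12").decode(),
    '2022-03-01T10:00:09Z 10.0.0.7 POST 203.0.113.9:443 "curl/7.68.0" name=value',
    '2022-03-01T10:00:12Z 10.0.0.7 POST 203.0.113.9:443 "curl/7.68.0" '
    + base64.b64encode(b"totally benign but base64 on 443").decode(),
]
SAMPLE_TASKS = [
    "OneDrive Standalone Update Task",
    "microsoftedgeupdatetaskmachine",
    "GoogleUpdateTaskMachineUA",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f"line {hit.line_no}: " + "; ".join(hit.reasons))
    print("suspicious tasks:", scan_scheduled_tasks(SAMPLE_TASKS))
```

Line 2 of the sample trips all three network checks; line 4 trips only the "Base64 POST to 443/8080" heuristic, which on its own is noisy on any network (plenty of legitimate APIs post Base64 on 443). Treat that check as a scoring contributor and alert on the combination with a C2 address or the User-Agent string, while the task-name match on the host side stands on its own.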


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.