
Cybercrime, new wave of the Hancitor campaign via DocuSign

Technical analysis by the Malware Hunter JAMESWT

The Hancitor campaign is back via DocuSign. The email's doc attachment is downloaded each time from a different URL and contains a DLL with the malware. However, the final payload is unknown.

A new wave of the Hancitor campaign is spreading via fake email notifications from DocuSign. The message contains a doc attachment, which can be downloaded by opening the link in the text (the yellow button).

The link contacts a different URL each time and downloads a document that varies with each operation. Inside there is a DLL with Hancitor (aka Chanitor). It is unknown, however, what the downloader downloads once installed on the victim's machine. In the latest cybercrime campaigns, the final payload was FickerStealer, an info-stealer which targets PCs with Windows operating systems, from XP to 10.

Malware samples

Malware C2s
