Security analysts identified a new wave of malware targeting users in Poland, leveraging an old but effective technique: Microsoft Compiled HTML Help (CHM) files.
The sample in question, “deklaracja.chm,” was uploaded to VirusTotal and quickly linked to an advanced multi-stage attack chain that ultimately drops a stealthy C++ downloader.
The campaign demonstrates how attackers are blending legacy file formats, native Windows tools, and clever obfuscation to evade detection and persist on targeted systems.
Initial analysis revealed “deklaracja.chm” masquerading as a bank receipt, displaying a decoy image associated with PKO Bank, a well-known Polish financial institution.
Underneath this benign facade, the attackers packed the file with standard CHM system files, an obfuscated JavaScript dropper, and a cabinet archive named “desktop.mp3,” which covertly contains the downloader DLL.

When launched, Windows’ default CHM handler (hh.exe) executes the file, rendering the decoy image while kicking off a complex infection sequence invisible to the user.
Obfuscated JavaScript Triggers Native LOLBins
Central to the infection chain is “index.htm,” carrying a heavily obfuscated script, typically using the “obfuscator.io” pattern.
Once decoded, the script dynamically loads HTML components that display the decoy, while leveraging deprecated tags such as <bgsound> to ensure the CAB file containing the payload is downloaded and staged for execution as a temporary file.

This phase exploits Internet Explorer’s idiosyncratic behavior and legacy support for ActiveX controls.
By instantiating the HTML Help ActiveX Control (CLSID: adb880a6-d8ff-11cf-9377-00aa003b7a11), the script auto-generates a command button, programmatically clicks it, and initiates a chain of command-line actions.
The malware adopts a “Living off the Land” approach by using “forfiles.exe,” a legitimate Windows binary, to hunt for .tmp files matching the CAB’s known size.
Upon finding a match, it uses “expand.exe” to extract “uNT32.dll,” the malicious DLL, and executes it through “rundll32.exe,” specifically calling the exported function at ordinal #1.
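As an added defender-side example (not code from the report or from the analysts it cites), the following Python flags the forfiles.exe / expand.exe / rundll32.exe chain in process-creation telemetry. It assumes Sysmon-style field names, that hh.exe is the parent of the first LOLBin, and constructed command lines and paths; only the binary names and the ordinal-#1 export come from the report.

```python
"""Added detection example, not code from the report: flag the hh.exe ->
forfiles.exe -> expand.exe -> rundll32.exe chain in process-creation
telemetry. Sysmon Event ID 1 field names; sample records are constructed."""
import re

# Binaries are those named in the report; the command-line patterns are
# assumptions about how the chain shows up in logs, not captured samples.
LOLBIN_CHILDREN = {"cmd.exe", "forfiles.exe", "expand.exe", "rundll32.exe"}
TEMP_DLL = re.compile(r"\\(?:temp|appdata)\\.*\.dll", re.IGNORECASE)
ORDINAL_CALL = re.compile(r"\.dll\s*,\s*#\d+", re.IGNORECASE)
EXPAND_TMP = re.compile(r"\.tmp\b.*\.dll\b", re.IGNORECASE)

def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]

def classify(event: dict) -> list[str]:
    """Return the rule names an event matches; an empty list means no finding."""
    parent, image = basename(event["ParentImage"]), basename(event["Image"])
    cmd = event["CommandLine"]
    hits = []
    if parent == "hh.exe" and image in LOLBIN_CHILDREN:
        hits.append("chm_spawns_lolbin")           # a help viewer spawning tools
    if image == "forfiles.exe" and ".tmp" in cmd.lower():
        hits.append("forfiles_hunts_tmp")          # searching for the staged CAB
    if image == "expand.exe" and EXPAND_TMP.search(cmd):
        hits.append("expand_tmp_to_dll")           # CAB extracted into a DLL
    if image == "rundll32.exe" and TEMP_DLL.search(cmd) and ORDINAL_CALL.search(cmd):
        hits.append("rundll32_ordinal_from_temp")  # DLL run by export ordinal
    return hits

def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map ProcessId -> matched rules for every event with at least one hit."""
    return {e["ProcessId"]: h for e in events if (h := classify(e))}

def ev(pid, parent, image, cmd):  # helper for the constructed sample below
    return {"ProcessId": pid, "ParentImage": parent, "Image": image, "CommandLine": cmd}

TMP = r"C:\Users\victim\AppData\Local\Temp"  # constructed path, not from the report
SAMPLE_EVENTS = [  # constructed telemetry: benign launch, the chain, a benign expand
    ev(100, r"C:\Windows\explorer.exe", r"C:\Windows\hh.exe", "hh.exe deklaracja.chm"),
    ev(101, r"C:\Windows\hh.exe", r"C:\Windows\System32\forfiles.exe",
       f'forfiles /p {TMP} /m *.tmp /c "cmd /c expand @path {TMP}\\uNT32.dll"'),
    ev(102, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\expand.exe",
       f"expand {TMP}\\ABC1.tmp {TMP}\\uNT32.dll"),
    ev(103, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\rundll32.exe",
       f"rundll32 {TMP}\\uNT32.dll,#1"),
    ev(104, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\expand.exe",
       r"expand -r C:\drivers\netdrv.dl_ C:\drivers"),
]
```

Running `scan(SAMPLE_EVENTS)` reports only PIDs 101 to 103; the benign hh.exe launch and the driver expand produce no findings.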
Stealthy Downloader Connects to Themed C2 Infrastructure
Technical dissection of “uNT32.dll” reveals it is a C++ downloader laden with XOR-encrypted strings, employing a 128-byte rotating key buffer.
The core of the downloader utilizes Windows WinHTTP APIs to retrieve further malicious payloads from the command-and-control domain “rustyquill[.]top,” specifically targeting a seemingly innocuous JPEG file, “the-magnus-protoco1.jpg.”
Notably, the downloader checks whether the fetched “image” exceeds 289,109 bytes (the size of the copies found online without appended payloads); if so, it strips the legitimate header and decrypts any appended data.
If a new embedded payload is found, the DLL writes it to a secluded directory within the user profile and schedules its execution using Windows Task Scheduler via COM interfaces.
Investigators quickly linked this campaign to a series of attacks orchestrated by the threat actor known as FrostyNeighbor (UNC1151), a group previously attributed to Belarus and recognized for targeting Eastern European political, governmental, and financial entities.
Notably, earlier activity using similar CHM lure files and the same command-and-control domain was reported in April 2025, further cementing the attribution.
Despite attempts to retrieve active payloads appended to the themed image files via custom YARA rules, analysts were unable to identify live samples, suggesting the attacker may deliver payloads selectively, possibly based on geolocation or target profiling.
This tradecraft, alongside the reliance on native Windows binaries, legacy formats, and obfuscated delivery, underscores the persistent evolution of state-aligned threat actors, who continue to blend old techniques with new evasion methods to bypass enterprise defenses.
Indicators of Compromise (IOCs)
| Artifact | SHA256 / Details |
|---|---|
| deklaracja.chm | 0d3dbaa764acb2b87ae075aa2f5f924378991b39587b0c5e67a93b10db39ddd9 |
| index.htm | 156ad4975e834355b2140d3c8fe62798fe6883364b8af1a1713f8b76c7b33947 |
| desktop.mp3 (CAB) | be5a40b5622d21b46cbc87fd6c3f8ebcb536ec8480491a651c1625ee03ae2c6f |
| deklaracja.png | f55e06a87e2a20989ddb76d9f2e3ebb303659ad306ba54e3ed7f8dcc4456d71b |
| Payload URL | hxxps://rustyquill[.]top/shw/the-magnus-protoco1.jpg |
| Prior CHM sample | 0631696f484633f4aeb8f817af2a668806ab4dca70f006dc56fc9cd9dcda4dbe |
| Prior ZIP container | 4d09fad2630ec33ab6bb45b85455c6a6ac7b52f8dae9b90736db4a5f00f72ea9 |