Analysis of HUI Loader

To conceal malware’s features, attackers sometimes encode the malware and decode it only when they execute it. In such cases, the encoded malware is loaded and executed by a program called loader. In this way, an attacker can split the malware into a loader and encoded malware. Minimizing the loader’s features and hiding important features of the malware make detection on infected hosts more difficult. Among such loaders, this article discusses HUI Loader, which has been used since around 2015.

Overview of HUI Loader

At JSAC2022, it was pointed out that several attack groups use HUI Loader [1], and JPCERT/CC has also confirmed attacks using this loader since around 2015. Figure 1 shows the changes in HUI Loader as well as the attack groups using it.

Changes in HUI Loader
Figure 1. Changes in HUI Loader

HUI Loader was first identified around January 2015. It was confirmed that APT10 attack group had been using it. Around April 2015, Blue Termite also started using it. These attack groups used the following 3 types of encoded malware loaded into the HUI Loader. Note that Poison Ivy and Quasar were customized by the attackers from the original.

  • PlugX
  • Poison Ivy [2]
  • Quasar [3]

Since 2016, we have seen continuous use by the APT10 attack group; since June 2020, attack group A41APT has also started using it [1]. Additionally, since August 2021, the DEV-0401 attack group has also started using it [4]. The method of encoding the malware body has not changed since the beginning and can be decoded as follows.

for i in range(len(enc_data)):
    data = ord(enc_data[i]) ^ 0x20 ^ ord(key[i % len(key)])

In the following sections, we will describe the following HUI Loader feature changes that have been made so far.

  • Persistence
  • Password randomization
  • Disabling security features
  • Removal of characteristic strings


There are two types of HUI Loader: those with persistence functionality and those without it. 3 patterns of persistence functionality have been identified:

  • Service
  • Registry (Run key)
  • Startup folder

Many HUI Loader samples register a service and start it upon restart. The service name and other details vary from sample to sample. The type that starts from the registry was identified around 2015, but it has not been seen in recent samples. The type that starts from the startup folder creates an LNK file in the startup folder and starts via a shortcut file, as shown in Figure 2.

Code to create LNK file in the startup folder
Figure 2. Code to create LNK file in the startup folder

Password randomization

HUI Loader which was identified around 2015 decoded the malware body using a regular string of characters as a password. As a result, the same password was often used in multiple samples. Since 2016, passwords have been randomized to use different values for each sample.

Table 1. Examples of passwords used by HUI Loader
sha256 creation time password
8efcecc00763ce9269a01d2b5918873144746c4b203be28c92459f5301927961 2015-05-21 08:54:24 qwe123#@!4567890
421e11a96e810c834dd6b14b515ad7a5401813caa0555ddfb3490c3d82336e3d 2015-07-14 02:07:10 qwe123#@!4567890
beb77e277510c4ff2797a314494606335f158a722cf6533fad62ba5d5789e2d3 2015-07-16 11:17:04 qwe123#@!4567890
074075eda7dde4396fb8aa441031cf88873b969273a9541f25b15fc35ec5ee49 2017-05-24 11:50:56 etweq0sH8zV6ggqRaBe
af223370ff0da3c9a9314dc6bf9cb9d9c3a12e2e3c835643edeedad4b4f908fa 2017-09-07 09:51:04 sdh7h327ogd28632fgd3f7fhn
c3cb9d0650fcca22a61760fa072336a036a8a5e8eaa61cb72bc4b553a84aedd1 2017-09-19 05:03:45 gef798w6g6f523fif5d3sdad

Disabling security features

Some HUI Loader samples have code that aims to bypass the Windows OS security features, Event Tracing for Windows (ETW) and Antimalware Scan Interface (AMSI). Figures 3 and 4 show a part of the code that bypasses those features.

Example of code to bypass ETW
Figure 3: Example of code to bypass ETW

Example of code to bypass AMSI
Figure 4. Example of code to bypass AMSI

The beginning of AmsiScanBuffer function and ETWEventWrite function are changed to RETN command.

Delete characteristic strings

HUI Loader samples used to contain a characteristic string (HUIHWASDIHWEIUDHDSFSFFEFWEFEWFDSGEFERWGWEEFWFWEWD). However, since December 2021, samples without this string have also been identified. Figure 5 compares samples with and without the characteristic string.

left: Sample without characteristic string, right: Sample with characteristic string
Figure 5. left: Sample without characteristic string, right: Sample with characteristic string

In closing

HUI Loader has been used for a long time being updated little by little since about 2015. It is expected that attack groups continue to use it in the future. The IoC of HUI Loader introduced in this article is available on Github. Please use it as needed.

Shusei Tomonaga
(Translated by Takumi Nakano)


[1] JSAC2022: What we can do to the chaotic A41APT campaign

[2] JPCERT/CC Eyes: PoisonIvy adapts to communicate through Authentication Proxies

[3] JPCERT/CC Eyes: Attack Activities by Quasar Family

[4] Symantec Enterprise Blogs: LockFile: Ransomware Uses PetitPotam Exploit to Compromise Windows Domain Controllers