HTTPBrowser
HTTPBrowser is a remote access trojan (RAT) believed to have Chinese origins and reported to be used by certain Chinese intrusion groups. Public reporting associates it with BRONZE UNION / Emissary Panda / APT27 and with Wekby / APT18 / Dynamite Panda. Reported capabilities include keystroke capture and spawning a reverse shell on victim systems. HTTPBrowser has used HTTP and HTTPS for command-and-control, and at least one Wekby campaign used an obfuscated variant that communicated over DNS TXT records as a covert control channel; in that campaign the actors referred to the malware as "Token Control."

Documented infection and execution methods include strategic web compromises, phishing lures themed as IT helpdesk VPN/Citrix upgrades, and DLL side-loading / DLL search-order hijacking. One documented installer dropped a malicious DLL named navlu.dll, masquerading as a legitimate Symantec DLL, to decrypt and run the RAT; the malware also deleted its original installer after installation. In the Wekby campaign, installers downloaded from phishing URLs installed the malware as %APPDATA%\wdm.exe and established persistence through HKCU\Software\Microsoft\Windows\CurrentVersion\Run with a value named wdm; earlier samples reportedly used a Run value named 360v.

Typical HTTPBrowser traffic is described as HTTP with the user-agent string HTTPBrowser/1.0. DNS-based C2 domains observed in the cited campaign included glb.it-desktop.com, local.it-desktop.com, and hi.getgo2.com. Related phishing URLs included hXXp://it-desktop[.]com/vpn/cisco/vpnclient.exe and hXXp://wangke99[.]tgk[.]delldns[.]com/tools.exe. Referenced sample hashes included d0f79de7bd194c1843e7411c473e4288, e5414c5215c9305feeebbe0dbee43567, and 985eba97e12c3e5bce9221631fb66d68.
Groups observed using it
2 distinct threat actors attributed by public researchers.
BRONZE UNION previously used this technique to enable execution of PlugX and HttpBrowser tools in a way that is challenging for network defenders to detect.
"...either the well-known ‘PlugX’ or ‘HttpBrowser’ RAT, a tool which is believed to have Chinese origins and to be used only by certain Chinese hacking groups."
Techniques & procedures
14 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution
3 techniques
Use of cmd.exe, cmd /c, the Windows command shell, and xp_cmdshell to execute commands, run payloads, launch binaries, and perform reconnaissance, persistence, cleanup, and ransomware actions is repeatedly documented. Examples include: 'Sandworm Team used the xp_cmdshell command in MS-SQL', 'APT41 used cmd.exe /c to execute commands on remote machines', and many malware families 'can use cmd.exe to execute commands on a compromised host.'

Many entries also explicitly state that malware 'can create a reverse shell' or 'launch a remote shell,' including 4H RAT, AuditCred, BLACKCOFFEE, Carbanak, DarkComet, Exaramel for Windows, PlugX, QuasarRAT, and ZxShell.
Persistence
1 technique
The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or .bat files in the Windows Startup folder.
Privilege Escalation
1 technique
The same autostart technique listed under Persistence (adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, or placing executables, scripts, .lnk files, or .bat files in the Windows Startup folder) is also categorized under Privilege Escalation.
Stealth
5 techniques
The content repeatedly describes malware and threat actors using obfuscated code, encrypted strings, Base64/XOR/RC4/AES encoding, VMProtect/ConfuserEx/SmartAssembly, stack strings, control-flow flattening, opaque predicates, and hidden payloads to evade analysis and detection.
During the 2016 Ukraine Electric Power Attack, DLLs and EXEs with filenames associated with common electric power sector protocols were used to masquerade files.
Akira has used legitimate names and locations for files to evade defenses.
Discovery
1 technique
The content repeatedly describes malware and threat actors listing files and directories, enumerating drives, searching for files by extension/name/path, retrieving file metadata, and browsing file systems (for example: "APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection" and "cmd can be used to find files and directories with native functionality such as dir commands").
Command and Control
4 techniques
IOCs tracked for this family
1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
Recent activity
11 sources tracked across advisories, community write-ups, and news.
Chinese-origin remote access trojan referenced as a common payload for Emissary Panda; the newly described in-development tool is assessed to share code/ties with HttpBrowser developers.
A malware tool used by BRONZE UNION and executed via DLL side-loading to evade detection.
A tool used by BRONZE UNION to maintain access and facilitate operations within victim environments; this source provides no deeper technical detail.
Backdoor/RAT used by Wekby that is delivered via phishing lures (e.g., fake VPN/Citrix upgrades). It installs to %APPDATA%\wdm.exe, establishes persistence via HKCU\Software\Microsoft\Windows\CurrentVersion\Run, and in this campaign uses DNS TXT records as a covert C2 channel (instead of its more typical HTTP communications with user-agent HTTPBrowser/1.0). The sample also uses heavy obfuscation including ROP-based control-flow manipulation and many NOP-like functions to hinder analysis.
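As an added defensive example (not code from the original write-up, Mallory, or any vendor tool), the following Python matches constructed proxy, DNS and Run-key telemetry against the indicators quoted above: the HTTPBrowser/1.0 user-agent, TXT queries to the listed DNS C2 domains, and the wdm / 360v Run values pointing at %APPDATA%\wdm.exe. The tab-separated log formats and the sample entries are assumptions constructed for illustration.

```python
import re

# Indicators quoted in the write-up above: C2 domains, user-agent, Run value names.
C2_DOMAINS = {"glb.it-desktop.com", "local.it-desktop.com", "hi.getgo2.com"}
C2_USER_AGENT = "HTTPBrowser/1.0"
RUN_VALUE_NAMES = {"wdm", "360v"}
# %APPDATA% expands to ...\AppData\Roaming, so the dropped file path ends like this.
DROP_PATH_RE = re.compile(r"\\appdata\\roaming\\wdm\.exe$", re.IGNORECASE)

def domain_matches(qname):
    """True for a listed C2 domain or any subdomain of one (case-insensitive)."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in C2_DOMAINS)

def check_proxy(lines):
    """Constructed format: client<TAB>method<TAB>url<TAB>user-agent."""
    hits = []
    for line in lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) == 4 and parts[3] == C2_USER_AGENT:
            hits.append(("proxy-user-agent", parts[0], line))
    return hits

def check_dns(lines):
    """Constructed format: client<TAB>qtype<TAB>qname. TXT = covert channel pattern."""
    hits = []
    for line in lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) == 3 and domain_matches(parts[2]):
            kind = "dns-txt-c2" if parts[1].upper() == "TXT" else "dns-c2-domain"
            hits.append((kind, parts[0], line))
    return hits

def check_run_values(values):
    """values: Run value name -> command, as exported from HKCU\\...\\CurrentVersion\\Run."""
    return [("registry-run", name, data) for name, data in values.items()
            if name.lower() in RUN_VALUE_NAMES or DROP_PATH_RE.search(data)]

def hunt(proxy_lines, dns_lines, run_values):
    return check_proxy(proxy_lines) + check_dns(dns_lines) + check_run_values(run_values)

# Constructed sample telemetry (not real captures); only HTTPBrowser-shaped entries match.
PROXY_LOG = ["10.0.0.5\tGET\thttp://198.51.100.20/index.php\tHTTPBrowser/1.0",
             "10.0.0.6\tGET\thttp://example.net/\tMozilla/5.0"]
DNS_LOG = ["10.0.0.5\tTXT\tglb.it-desktop.com",
           "10.0.0.6\tA\twww.example.net",
           "10.0.0.7\tTXT\tupd.hi.getgo2.com"]
RUN_VALUES = {"wdm": r"C:\Users\alice\AppData\Roaming\wdm.exe",
              "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"}
FINDINGS = hunt(PROXY_LOG, DNS_LOG, RUN_VALUES)  # four hits on the sample data above
```

Point the three checks at real proxy, DNS resolver and registry-export data in your own formats; the user-agent string is a weak signal on its own and is best corroborated by the DNS or Run-key hits.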