HUI Loader is a custom DLL loader that has been used since at least 2015 by China-based threat groups including Cinnamon Tempest and menuPass to deploy malware on compromised hosts. HUI Loader has been observed in campaigns loading SodaMaster, PlugX, Cobalt Strike, Komplex, and several strains of ransomware.[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | HUI Loader can decrypt and load files containing malicious payloads.[1] |
| Enterprise | T1574.001 | Hijack Execution Flow: DLL | HUI Loader can be deployed to targeted systems via legitimate programs that are vulnerable to DLL search order hijacking.[1] |
| Enterprise | T1562.006 | Impair Defenses: Indicator Blocking | HUI Loader has the ability to disable Event Tracing for Windows (ETW) and Antimalware Scan Interface (AMSI) functions.[1] |