Hancitor Downloader has seen many campaigns this year. Malware-Traffic-Analysis, a security research blog operated by Brad Duncan, has published over 40 related articles since the beginning of 2017. Each article covers malspam delivering the downloader, with no sign of the campaigns' wavering.

In May 2017, DocuSign reported another campaign targeting its customers. These phishing attempts spoofed DocuSign e-mails, with a hyperlink to a Microsoft Word document containing a malicious macro. The subject line of these emails followed this pattern:

  • "Please review your document Invoice <1234567> for <recipientdomain.com>”
  • “Completed <company name> – Accounting Invoice <number> Document Ready for Signature”

Once downloaded with the macro is enabled, the Hancitor downloader is delivered. Hancitor then downloads either Pony or Zloader malware. The malware operators falsify the emails’ source and imitate Google Docs and Dropbox themes, as shown:


Hancitor phishing email


To add protection against Hancitorwe recommend enabling the following targets:

  • Standard Mode
    • TS Curated - Core Tier 1 - IPs
    • TS Curated - Botnets Tier 1 - Domains
    • TS Curated - Botnets Tier 1 - IPs
  • Expert Mode (included in the curated targets for standard mode)
    • TS Originated - Core Threats - IPs 
    • TS Originated - Core Threats - Domains 

If you do not have a ThreatSTOP account, Sign up to try a demo.

If you do have a ThreatSTOP account, instructions to add targets to DNS or IP Defense policies are available on the ThreatSTOP Documentation Hub. Or, contact our Support team.