UAC-0184 Malware Chain Uses bitsadmin and HTA Files for Gated Payload Delivery
Cybersecurity NewsArchived May 20, 2026✓ Full text saved
A newly documented attack chain linked to the threat group UAC-0184 has been observed using Windows’ built-in bitsadmin tool and HTA files to sneak malicious payloads onto targeted systems. The campaign is primarily aimed at Ukraine, with clear indicators pointing toward military-related targets, including individuals connected to the Ukrainian Defence Forces. The level of craft […] The post UAC-0184 Malware Chain Uses bitsadmin and HTA Files for Gated Payload Delivery appeared first on Cyber Se
Full text archived locally
✦ AI Summary· Claude Sonnet
HomeCyber Security News
UAC-0184 Malware Chain Uses bitsadmin and HTA Files for Gated Payload Delivery
By Tushar Subhra Dutta
May 19, 2026
A newly documented attack chain linked to the threat group UAC-0184 has been observed using Windows’ built-in bitsadmin tool and HTA files to sneak malicious payloads onto targeted systems.
The campaign is primarily aimed at Ukraine, with clear indicators pointing toward military-related targets, including individuals connected to the Ukrainian Defence Forces.
The level of craft and patience displayed across every stage of this infection chain sets it apart from noisier, less disciplined campaigns that have surfaced recently.
The attackers use social engineering lures built around topics like criminal proceedings, combat videos, and personal contact requests to trick victims into opening malicious files.
Once a victim opens the booby-trapped document, whether it appears as a PDF, a Word file, or an Excel spreadsheet, bitsadmin quietly fetches an HTA file from an attacker-controlled remote server in the background.
That HTA file is then executed using mshta.exe, pushing the infection forward without raising any immediate alarms on the compromised machine.
Analysts at Synaptic Security said in a report shared with Cyber Security News (CSN) that the delivery mechanism appears gated, meaning the payload is only served to systems that pass certain filtering criteria, which likely helps screen out sandboxes and security researcher environments.
An operation (Source – Synaptic Security)
This kind of conditional delivery makes the malware significantly harder to study and allows the attackers to remain active without drawing unwanted attention for extended stretches of time.
The HTA file, once executed, runs a hidden PowerShell command that downloads a ZIP archive named dctrprraclus.zip from the attacker-controlled server at IP address 169.40.135.35.
UAC-0184 Malware Chain
The archive unpacks into a folder inside the AppData directory and launches two files side by side, a music visualizer application called Cluster-Overlay64.exe along with a decoy PDF named Scan_001.pdf.
The PDF is shown to the victim as a distraction while the real infection continues quietly and undetected in the background on their machine.
The broader toolset that UAC-0184 deploys reveals considerable operational sophistication. The final stage of the infection chain involves PassMark BurnInTest network components being repurposed as a covert command-and-control channel, listening on UDP port 31339 for multicast peer discovery traffic.
This abuse of a legitimate, Microsoft-signed software stack gives the attacker a convincing cover identity deep inside a trusted process tree.
The use of bitsadmin for downloading files is not new, but pairing it with HTA file execution is a deliberate technique that helps the attacker blend in with normal Windows background activity.
kernel-diag.lib appears only in openvr_api.dll (Source – Synaptic Security)
Bitsadmin is a native Windows command-line tool originally built for background file transfers, and its abuse by threat actors often goes unnoticed by both everyday users and many endpoint security products.
Once the HTA file executes, it drops a layered package containing Cluster-Overlay64.exe, openvr_api.dll, filter.bin, and kernel-diag.lib inside the ApplicationData32 folder. The actual malicious code is not sitting inside the main executable.
Instead it is buried inside DLL files and encoded local blobs, decrypted at runtime through a multi-stage process combining XOR operations with LZNT1 decompression.
The final payload is then side-loaded into VSLauncher.exe, a legitimate Microsoft-signed Visual Studio binary that wraps it in a trustworthy digital identity.
Signed Software Repurposed as a Cover Identity
One of the most striking aspects of this campaign is how aggressively the threat actor leans on legitimate, signed software to mask malicious behavior from defenders.
PassMark Endpoint, a genuine commercial network testing utility, becomes the final network-facing component, carrying capabilities including process memory dumping via MiniDumpWriteDump and peer data transfer over TCP port 31339.
Plane9Engine.dll loads openvr_api.dll (Source – Synaptic Security)
Defenders are advised to monitor for bitsadmin and mshta.exe being used together, especially when paired with suspicious temporary file name patterns like ~tmp(…).hta.
Network teams should watch for UDP traffic toward 224.0.0.255 on port 31339, which is the PassMark multicast discovery address that this campaign repurposes for its own communication.
The presence of VSLauncher.exe running outside a legitimate Visual Studio installation path, or any unexpected file creation events inside %APPDATA%\ApplicationData32, should be treated as serious warning signs that warrant immediate investigation by security teams.
Indicators of Compromise (IoCs):-
Type Indicator Description
IP Address 169.40.135.35 Attacker-controlled C2 server hosting HTA files and payload archive
URL hxxp://169.40.135.35/dctrpr/slippersuppity.hta HTA stage-1 payload URL (PDF lure variant)
URL hxxp://169.40.135.35/dctrpr/basketpast.hta HTA stage-1 payload URL (Word document lure variant)
URL hxxp://169.40.135.35/dctrpr/agentdiesel.hta HTA stage-1 payload URL (Excel lure variant)
URL hxxp://169.40.135.35/dctrprraclus.zip Payload ZIP archive download URL
SHA-256 81d93004a02a455af01b0f709e34d5134108ec350f9391dc0f91a00a54998590 ZIP archive (dctrprraclus.zip)
SHA-256 dc6cddc391b373b18f105f49a80ff83d53b430d8dea35c1f1576832fa9fbd2b3 kernel-diag.lib (encoded payload loader)
SHA-256 f5ca9c53d1537142889d7172c6643e886b2164233b91f0fc2d41ca010f035372 filter.bin (XOR-encrypted secondary payload)
SHA-256 df6942dc1a89226359adf1aac597c3b270f4a408214b4f7c2083f9524605e0f7 openvr_api.dll (DLL sideload component)
SHA-256 b811f28b844eff8c1f4f931639bed5bcc41113364fdfc44d7703259457839edb input.dll (PassMark Endpoint sideloaded payload)
SHA-256 33e44dea247eaa8b0fc8ed1f8ed575905f6ce0b7119337ddd29863bbb03288b3 PE_08 / SqlExpressChk.exe (bundled PE component)
File Path %APPDATA%\ApplicationData32\Cluster-Overlay64.exe Dropped music visualizer used as sideload host
File Path %APPDATA%\ApplicationData32\openvr_api.dll Dropped DLL containing loader logic
File Path %APPDATA%\ApplicationData32\filter.bin Dropped XOR-encrypted payload blob
File Path %APPDATA%\ApplicationData32\kernel-diag.lib Dropped DWORD-XOR encoded loader blob
File Path %windir%\SysWOW64\input.dll PassMark Endpoint DLL dropped for sideloading
File Path %windir%\SysWOW64\VSLauncher.exe Microsoft-signed sideload host (Visual Studio Version Selector)
Network 224.0.0.255:31339 (UDP) PassMark BurnInTest multicast discovery, repurposed for C2 peer discovery
Network 31339/tcp BurnInTest peer data channel, repurposed for C2 data transfer
File Name Pattern ~tmp(…).hta Temporary HTA file pattern written to %TEMP% during initial execution
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
Tags
cyber security
cyber security news
Copy URL
Linkedin
Twitter
ReddIt
Telegram
Tushar Subhra Dutta
Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.
Trending News
Critical PostgreSQL Vulnerabilities Enables Code Execution and SQL Injections
Kimsuky Hackers Use LNK and JSE Lures to Target Recruiters, Crypto Users, and Defense Officials
600+ npm Packages Compromised in New Mini Shai-Hulud Supply Chain Attack
Windows DNS Client Vulnerability Enables Remote Code Execution Attacks
Packagist Urges Immediate Composer Update After GitHub Actions Token Leak
Latest News
Cyber Security News
The Gentlemen Ransomware Attacks Windows, Linux, NAS, BSD, and ESXi Attacks
Cyber Security News
Kimsuky Hackers Use LNK and JSE Lures to Target Recruiters, Crypto Users, and Defense Officials
Press Release
Criminal IP Returns to Infosecurity Europe 2026 with Advanced AI-Driven TI & ASM
Cyber Security News
Malware Campaign Uses JavaScript, PowerShell, and Shellcode to Deliver Crypto Clipper
Cyber Security News
DirtyDecrypt Linux Kernel Vulnerability PoC Exploit Code Released