Analysis of Hancitor – When Boring Begets Beacon
ID: aa4bd4be-9490-5985-8610-4cde42e0215e
STIX ID: report--aa4bd4be-9490-5985-8610-4cde42e0215e
Feed Name: Binary Defense Blog
Hancitor is a lightweight but fast-acting malware loader used to deliver Cobalt Strike Beacon and other payloads (FickerStealer, Sendsafe), notably leveraged by the Cuba ransomware group. The report details delivery via malicious Word documents, host profiling (BotID, external IP, domain trust), an RC4-encrypted built-in configuration, HTTP-based C2 check-ins, and a five-command table that controls downloading, XOR+LZ decompression, and process hollowing into svchost or the current process. The document includes sample C2 traffic and a Snort rule, outlines the payload decryption and injection routines, and provides actionable detection recipes (KQL, CrowdStrike, Suricata) for network and endpoint defenders.
