Chinese Hackers use .chm files to Hijack Execution Chain and Deploy Malware

The Chinese state-backed group TAG-74 is known for conducting intelligence collection on organizations in the following countries:-

  • South Korea
  • Japan
  • Russia

The TAG-74 utilizes .chm files to trigger a DLL search order hijack execution chain and deploy malware for loading a customized ReVBShell VBScript backdoor.

Cybersecurity analysts at Recorded Future’s Insikt Group recently analyzed a Chinese state-sponsored cyber-espionage campaign, attributed to TAG-74, targeting South Korean academic, political, and government bodies, primarily linked to Chinese military intelligence.

This complete assessment primarily relies on the past targeting behavior and PLA Northern Theater Command-aligned actors’ usual areas of operation.

FREE Webinar

Live DDoS Attack Simulation

Attend the Live DDoS Website & API Attack Simulation webinar to gain knowledge on various types of attacks and how to prevent them.

Infection Chain

TAG-74’s infection chain, observed since 2020, relies on spearphishing via .chm files containing three main components. 

Here below, we have mentioned those three key components of .chm files:-

  • An embedded legitimate executable.
  • A malicious DLL.
  • An HTML file.

The HTML file initiates a DLL search order hijack chain by executing hh.exe and vias.exe via bitmap shortcut objects; simulating mouse clicks on the objects in sequence.

Chinese Hackers use .chm Files
Infection Chain (Source – Recorded Future)

The loaded malicious DLL generates and runs a customized ReVBShell VBscript backdoor in %TEMP%.

TAG-74 employs South Korean VPS infrastructure from various providers and dynamic DNS domains for C2, often impersonating South Korean organizations.

IPs used

Here below, we have mentioned all the IP addresses observed in use by TAG-74:-

  • 45.133.194[.]135
  • 92.38.135[.]92
  • 141.164.60[.]28
  • 158.247.223[.]50
  • 158.247.234[.]163

Technical Analysis

TAG-74 uses a modified ReVBShell backdoor that sleeps for a set duration after a C2 server NOOP response. TAG-74 typically alters the sleep time from 5 seconds to 5 minutes, with added C2 command capability for adjusting the interval.

Chinese Hackers use .chm Files
Additional functions present in customized ReVBShell (Source – Recorded Future)

Insikt Group spotted Bisonal samples communicating with TAG-74’s C2 infrastructure, suggesting it’s a follow-on malware family with enhanced features beyond ReVBShell. 

Bisonal is an exclusive Chinese state-sponsored backdoor that has been active since 2010 in the following countries:-

  • Japan
  • South Korea
  • Russia

Spoofed Domains

Here below, we have mentioned all the domains that TAG-74 spoofs:-

  • attachdaum.servecounterstrike[.]com
  • attachmaildaum.servecounterstrike[.]com
  • attachmaildaum.serveblog[.]net
  • logindaums.ddnsking[.]com
  • loginsdaum.viewdns[.]net
  • bizmeka.viewdns[.]net
  • hamonsoft.serveblog[.]net
  • hanseo1.hopto[.]org
  • hometax.onthewifi[.]com
  • mailplug.ddnsking[.]com
  • minjoo2.servehttp[.]com
  • necgo.serveblog[.]net
  • pixoneer.myvnc[.]com
  • puacgo1.servemp3[.]com
  • satreci.bounceme[.]net
  • sejonglog.hopto[.]org
  • unipedu.servebeer[.]com


Here below, we have mentioned all the mitigations offered by the cybersecurity researchers-

  • Set up your IDS, IPS, or network defense systems to alert and potentially block connections to/from the listed external IP addresses and domains.
  • Block .chm and similar file attachments at email gateways and in application deny lists to mitigate potential abuse due to their limited legitimate use.
  • Recorded Future identifies malicious server configurations in the Command and Control Security Control Feed, so, the clients are advised to alert and block these C2 servers for intrusion detection and remediation.
  • Make sure to block and log all TCP/UDP network traffic related to DDNS subdomains, as state-sponsored and financially motivated threat groups frequently use them for network intrusions.
  • Use the Brand Intelligence modules to detect domain abuse, including typosquat domains mimicking your organization.

Keep informed about the latest Cyber Security News by following us on Google NewsLinkedinTwitter, and Facebook.

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.