July 14, 2025 – In a striking example of how legacy technologies still pose modern threats, cybersecurity researchers have uncovered an advanced attack that leverages Microsoft’s Compiled HTML Help (CHM) format to stealthily deliver C++ malware to targeted Polish organizations.
The campaign, which uses a realistic bank payment decoy, is linked to a threat actor known as FrostyNeighbor (UNC1151), associated with earlier attacks against Eastern European entities.
From Online Help File to Infection Chain
The attack begins with a CHM file named “deklaracja.chm,” seemingly a benign document containing a transfer receipt from PKO Bank, a well-known Polish institution.
When a user opens the file, Windows opens it with hh.exe (the HTML Help executable), which renders what appears to be a legitimate image. However, embedded within the file structure is something far more sinister.
Security analysts discovered that, beyond the standard CHM components, the archive includes index.htm (with heavily obfuscated JavaScript), a file called desktop.mp3 (named as audio but actually a compressed Cabinet (CAB) archive), and a decoy image.
The obfuscated JavaScript in index.htm contains a hex-encoded HTML payload that, once decoded, leverages legacy browser features and ActiveX controls to execute code without alerting most users or endpoint protection tools.
Chained Exploits and LOLBins
The malicious script embedded in the HTML page first displays the bank receipt in an iframe to maintain the ruse.
Simultaneously, it uses the deprecated <bgsound> tag to download desktop.mp3, which, because of its extension and behavior, is not flagged by most scanners.
Using the HTML Help ActiveX Control (CLSID: adb880a6-d8ff-11cf-9377-00aa003b7a11), the script programmatically clicks a hidden button that executes a background command.
This command, built from legitimate Microsoft-signed tools known as Living Off The Land Binaries (LOLBins), searches for the downloaded .tmp file in the %TEMP% directory, checks its exact file size to identify the malicious CAB archive, extracts the payload DLL (uNT32.dll), and then loads it with rundll32.exe.
Each step cleverly masks its intent, leveraging trusted Windows utilities (forfiles.exe, expand.exe) to avoid detection by behavior-based security systems.
Advanced Downloader and Steganographic Payload Delivery
The extracted uNT32.dll is a C++ downloader that decrypts its own communication strings with a custom XOR routine, further complicating detection. It connects to https://rustyquill.top/shw/the-magnus-protoco1.jpg using the WinHTTP API.
Here, the attackers employ a steganographic trick: the referenced file is a legitimate-looking JPEG image, but if the image file exceeds a specific size (289,109 bytes), the malware strips away the valid image content and decrypts the additional data appended after the standard JPEG end marker.
This yields a secondary malicious DLL, which is saved as net32.dll in the user’s AppData directory and scheduled for persistent execution using the Windows Task Scheduler API.
Such use of image-based payload carriers not only helps avoid detection by most security products but also allows attackers to selectively deliver either clean or weaponized images based on targeting or timing.
This evasive strategy thwarts many traditional incident response efforts.
Attribution and Regional Focus
Based on infrastructure and code similarities to prior attacks, this CHM campaign is attributed to FrostyNeighbor/UNC1151, a group believed to have ties to Belarus and a history of targeting Eastern European nations, especially Poland, Lithuania, Latvia, and Ukraine.
The attackers’ use of localized decoys, Polish-language filenames, and domain infrastructure strengthens the regional connection.
Defensive Recommendations
Experts urge organizations to block all inbound CHM attachments, disable or restrict the execution of hh.exe, and monitor for suspicious uses of LOLBins, such as forfiles.exe and expand.exe.
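One way to act on that monitoring advice and on the hh.exe to forfiles.exe/expand.exe/rundll32.exe chain described earlier, written here as an added example rather than code from the original report or from the analysts it cites: a small Python checker that walks process-creation events for LOLBins whose ancestry includes hh.exe, and for rundll32.exe loading a DLL from a Temp directory. The event records are constructed for the example; the field names (pid, ppid, image, args) and the exact parent/child layout are assumptions, not captured telemetry.

```python
import re

# Constructed sample process-creation events, not real telemetry. Field names and the
# parent/child layout are assumptions: explorer.exe opens hh.exe, which spawns forfiles.exe,
# expand.exe and rundll32.exe, beside a benign hh.exe session and a benign rundll32.exe.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "args": ""},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\hh.exe", "args": r"C:\Users\ania\Downloads\deklaracja.chm"},
    {"pid": 210, "ppid": 200, "image": r"C:\Windows\System32\forfiles.exe", "args": ""},
    {"pid": 220, "ppid": 210, "image": r"C:\Windows\System32\expand.exe", "args": ""},
    {"pid": 230, "ppid": 210, "image": r"C:\Windows\System32\rundll32.exe",
     "args": r"C:\Users\ania\AppData\Local\Temp\uNT32.dll"},
    {"pid": 300, "ppid": 100, "image": r"C:\Windows\hh.exe", "args": r"C:\Windows\Help\example.chm"},
    {"pid": 400, "ppid": 1, "image": r"C:\Windows\System32\rundll32.exe",
     "args": r"C:\Windows\System32\example.dll,ExampleEntry"},
]

LOLBINS = {"forfiles.exe", "expand.exe", "rundll32.exe"}  # the utilities named in the article
TEMP_DLL = re.compile(r"\\temp\\[^\\]+\.dll\b", re.IGNORECASE)  # a DLL sitting under a Temp folder


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(by_pid: dict, pid: int) -> list:
    """Image names up the process tree, nearest parent first; stops at a missing or cyclic parent."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid]["ppid"]
        if pid in by_pid:
            chain.append(basename(by_pid[pid]["image"]))
    return chain


def detect(events: list) -> list:
    """Return (pid, reason) alerts for the two behaviours the article recommends watching."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        name = basename(e["image"])
        chain = ancestors(by_pid, e["pid"])
        if name in LOLBINS and "hh.exe" in chain:
            alerts.append((e["pid"], f"{name} under hh.exe (chain: {' <- '.join(chain)})"))
        if name == "rundll32.exe" and TEMP_DLL.search(e.get("args", "")):
            alerts.append((e["pid"], "rundll32.exe loading a DLL from a Temp directory"))
    return alerts


if __name__ == "__main__":
    for pid, reason in detect(EVENTS):
        print(pid, reason)
```

The benign hh.exe session (pid 300) and the benign rundll32.exe (pid 400) produce no alerts; only the chain rooted at the CHM does.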
Outbound connections to known malicious infrastructure (like rustyquill.top) should be proactively blocked.
Further, security teams should employ content analysis capable of detecting oversized image files with appended suspicious data, a crucial step in catching steganographic payload delivery.
This campaign highlights the enduring risk posed by legacy file formats in the Windows ecosystem.
Despite increased security around modern Office macros, attackers are innovating by reviving and weaponizing formats like CHM, blending social engineering, steganography, and LOLBins to bypass defenses and deliver advanced malware into unsuspecting environments.
Organizations must update their controls and user awareness to defend against these resurgent threats.
IOCs
- deklaracja.chm: 0d3dbaa764acb2b87ae075aa2f5f924378991b39587b0c5e67a93b10db39ddd9
- index.htm: 156ad4975e834355b2140d3c8fe62798fe6883364b8af1a1713f8b76c7b33947
- desktop.mp3: be5a40b5622d21b46cbc87fd6c3f8ebcb536ec8480491a651c1625ee03ae2c6f