Hackers Weaponize Compiled HTML Help to Deliver Malicious Payload

A malicious Microsoft Compiled HTML Help (CHM) file uploaded from Poland on 30 June 2025 has shown how a legacy documentation format can be repurposed into a potent delivery vehicle for modern malware.

Named “deklaracja.chm,” the archive masquerades as a bank-transfer declaration and opens with a benign receipt image, lulling victims into a false sense of security while concealing a sophisticated multistage payload.

deklaracja.chm file contents (Source – GitHub)

The attack begins the moment the Windows Help executable (hh.exe) processes the CHM. Buried inside is an obfuscated index.htm whose JavaScript decodes a lengthy hexadecimal blob, dynamically writes HTML, and silently downloads a disguised cabinet archive (desktop.mp3) via a deprecated HTML tag.

This archive contains the true downloader DLL, yet nothing in the user interface betrays it.

dmpdump analysts noted that the script also instantiates the HTML Help ActiveX control (adb880a6-d8ff-11cf-9377-00aa003b7a11) to execute a hidden command chain, leveraging the legitimate Windows binary forfiles.exe to avoid suspicious parent-child correlations.

The tactic reflects a trend in living-off-the-land (LotL) abuse, permitting attackers to sidestep many behavioral defenses while achieving code execution on fully patched systems.

While reports attribute the infrastructure to the Belarus-linked FrostyNeighbor/UNC1151 cluster, the campaign’s practical danger lies in its stealth.

Targeting Polish entities, it shows how a seemingly obsolete file type can pierce contemporary endpoint defenses, paving the way for credential theft, espionage, or destructive follow-on operations.

Infection Mechanism in Focus

Once the ActiveX control runs, it programmatically clicks a crafted button that spawns a minimized command prompt.

The following one-liner, recovered from multiple layers of encoding, illustrates the heart of the intrusion:

cmd /min /c forfiles /p %temp% /m *.tmp /c "cmd /c if @fsize==180738 expand @file %temp%\uNT32.dll & rundll32 %temp%\uNT32.dll,#1"

Here, forfiles hunts for the freshly downloaded .tmp (exactly 180,738 bytes). When found, Windows’ native expand utility unpacks uNT32.dll from the cabinet, and rundll32 calls its export #1, launching the C++ downloader.
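As an added example (not code from the report or from dmpdump), the following Python sketches process-creation detections for the chain just described: hh.exe spawning a shell, forfiles proxying execution through its /c argument, and rundll32 calling a DLL from a temp directory by ordinal. The sample events are constructed to resemble Sysmon-style process-creation records, and the rule names and event layout are assumptions.

```python
import re

# Constructed sample process-creation events shaped as (parent_image, image, command_line);
# these are not real telemetry. The second event mirrors the forfiles one-liner from the report.
SAMPLE_EVENTS = [
    (r"C:\Windows\explorer.exe", r"C:\Windows\hh.exe",
     r"hh.exe C:\Users\u\Downloads\deklaracja.chm"),
    (r"C:\Windows\hh.exe", r"C:\Windows\System32\cmd.exe",
     r'cmd /min /c forfiles /p %temp% /m *.tmp /c "cmd /c if @fsize==180738 '
     r'expand @file %temp%\uNT32.dll & rundll32 %temp%\uNT32.dll,#1"'),
    (r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\rundll32.exe",
     r"rundll32 C:\Users\u\AppData\Local\Temp\uNT32.dll,#1"),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", r"cmd /c dir"),
]

# Shells and script hosts that hh.exe has no legitimate reason to launch.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# forfiles used as a proxy to run another Windows binary through its /c argument.
FORFILES_PROXY = re.compile(r"forfiles\b.*\s/c\s.*\b(rundll32|expand|regsvr32|mshta)\b", re.I)
# rundll32 loading a DLL out of a temp directory and calling an export by ordinal (",#N").
RUNDLL32_TEMP_ORDINAL = re.compile(r"rundll32(\.exe)?\s+.*(%temp%|\\temp\\).*\.dll\s*,\s*#\d+", re.I)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate_event(parent: str, image: str, cmdline: str) -> list:
    """Return the names of all rules that fire on a single event."""
    hits = []
    if basename(parent) == "hh.exe" and basename(image) in SHELLS:
        hits.append("chm_spawns_shell")
    if FORFILES_PROXY.search(cmdline):
        hits.append("forfiles_proxy_execution")
    if RUNDLL32_TEMP_ORDINAL.search(cmdline):
        hits.append("rundll32_temp_dll_by_ordinal")
    return hits


def scan(events) -> list:
    """Run every rule over every event; returns (rule, image_name) pairs in event order."""
    return [(rule, basename(image))
            for parent, image, cmdline in events
            for rule in evaluate_event(parent, image, cmdline)]


if __name__ == "__main__":
    for rule, image in scan(SAMPLE_EVENTS):
        print(f"{rule:32} {image}")
```

The rules match both the unexpanded %temp% form seen in the one-liner and the resolved ...\AppData\Local\Temp\ path that appears once the child process actually runs.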

uNT32.dll (Source – GitHub)

This DLL decrypts embedded strings with a 128-byte rotating XOR key, then uses WinHTTP to fetch hxxps://rustyquill[.]top/shw/the-magnus-protoco1.jpg.

If the JPEG exceeds 289,109 bytes, everything beyond that mark is XOR-decrypted into net32.dll, stored in %LocalAppData%\TaskSync and registered as a scheduled task, providing automatic persistence without registry writes.

if (payload_size > 0x46835) {                       /* only act when data follows the JPEG body */
    decrypt(buffer + 0x46835, key, decrypted);      /* rotating-XOR decrypt of the appended bytes */
    SaveAndExecute(decrypted, "TaskSync\\net32.dll"); /* escaped backslash: "\n" would be a newline */
}

Through this elegantly simple chain, legacy help files become Trojan horses, blending user interface tricks, trusted Windows binaries, and subtle network traffic to achieve a foothold that many security tools still underestimate.
