type: entity
confidence: high
created: 2026-05-31
updated: 2026-06-16
tags: malware-family, loader, pe, compiler, obfuscation, evasion, signing, c2, anti-debug, defense-evasion

hippamsascom

Overview

Windows x64 self-loading dropper / payload decryptor cluster. Shares compiler, runtime API resolution, export obfuscation, and fraudulent Authenticode practices with sunwukong. Rotates masquerade identity per campaign (Emard LLC / "JBOD monitor" vs. Hane Group / "redundant alarm" vs. Littel LLC / "wireless sensor" vs. Olson Group / "AI feed"). Co-labeled sunwukong by OpenCTI/MalwareBazaar; treat as the same family under rotating campaign branding.

Build Stack

  • Language / Toolchain: MSVC 14.50 (VS 2022), pure C, x64 Release ^[sample 0c9e772d/rabin2-info.txt]
  • Arch: PE32+ x86-64, Windows GUI subsystem ^[sample 0c9e772d/file.txt]
  • IAT: Empty (IMAGE_DIRECTORY_ENTRY_IMPORT VA = 0) ^[sample 0c9e772d/pefile.txt:223]
  • API resolution: PEB-walking export hash lookup (DJB2-like) ^[raw/analyses/0c9e772d8730204dd850797827745a27bde599983d1ee070d0b61ea5faeaf535/r2:fcn.14002ecb0]
  • Signing: Authenticode PKCS#7, fabricated intermediate CA, DigiCert cross-signed root. Emard LLC leaf with alt-names across multiple .digital / .tech / .io domains ^[sample 0c9e772d/binwalk.txt], ^[sample 0c9e772d/strings.txt]
  • Obfuscation: Semantic export obfuscation (330+ names → 19 unique RVAs) ^[sample 9a3c18be/pefile.txt:338+]
  • Payload: Custom stream-cipher encrypted PE in .data section (entropy 7.97), decrypted at runtime into RWX memory and manually mapped ^[raw/analyses/9a3c18be39571b479c7ee37d32f6000725a282abdf04643a1edfec460876762b/r2:fcn.140031b00], ^[raw/analyses/9a3c18be39571b479c7ee37d32f6000725a282abdf04643a1edfec460876762b/r2:fcn.1400332d0], ^[raw/analyses/9a3c18be39571b479c7ee37d32f6000725a282abdf04643a1edfec460876762b/r2:fcn.1400349e0]
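As an added defender-side triage example (not code from the cluster or from any of the cited analyses), the script below scores a binary against the build pattern listed above: empty import directory, export-name flooding measured as names per unique RVA, and .data entropy. The thresholds and the constructed inputs are assumptions chosen to illustrate the page's indicators; the optional extractor assumes the third-party pefile module.

```python
import math
from collections import Counter

# Thresholds are assumptions drawn from this page's indicators (330+ names -> 19 RVAs; .data entropy 7.97).
FLOOD_RATIO = 5.0       # named exports per unique RVA
PACKED_ENTROPY = 7.5    # bits per byte; encrypted data sits near 8.0

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is uniform random, ordinary .data is usually 3-5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def export_flood_ratio(exports: dict) -> float:
    """Names per unique RVA; flooding aliases hundreds of jargon names onto a few real functions."""
    if not exports:
        return 0.0
    return len(exports) / len(set(exports.values()))

def triage(import_dir_va: int, exports: dict, data_section: bytes) -> dict:
    ratio = export_flood_ratio(exports)
    entropy = shannon_entropy(data_section)
    empty_iat = import_dir_va == 0     # IMAGE_DIRECTORY_ENTRY_IMPORT VA == 0
    flood = ratio >= FLOOD_RATIO
    return {
        "empty_iat": empty_iat,
        "export_flood_ratio": round(ratio, 2),
        "export_flood": flood,
        "data_entropy": round(entropy, 2),
        "encrypted_payload": entropy >= PACKED_ENTROPY,
        # Core signature of the signed siblings; the stripped variant (standard IAT, zero exports) falls outside it.
        "matches_cluster": empty_iat and flood,
    }

def features_from_pe(path: str) -> dict:
    """Pull the three features with pefile (third-party, imported lazily)."""
    import pefile
    pe = pefile.PE(path)
    imp = pe.OPTIONAL_HEADER.DATA_DIRECTORY[pefile.DIRECTORY_ENTRY["IMAGE_DIRECTORY_ENTRY_IMPORT"]]
    exp = getattr(pe, "DIRECTORY_ENTRY_EXPORT", None)
    exports = {s.name.decode(errors="replace"): s.address for s in (exp.symbols if exp else []) if s.name}
    data = b"".join(s.get_data() for s in pe.sections if s.Name.rstrip(b"\0") == b".data")
    return triage(imp.VirtualAddress, exports, data)

# Constructed inputs standing in for two sibling profiles (not real sample data).
FLOODED_EXPORTS = {f"SensorTelemetry{i}": 0x1000 + 0x10 * (i % 19) for i in range(133)}
HIGH_ENTROPY_DATA = bytes(range(256)) * 8          # stand-in for an encrypted payload
LOW_ENTROPY_DATA = b"\x00" * 1000 + b"\x01" * 24   # stand-in for ordinary .data
```

Running `triage(0, FLOODED_EXPORTS, HIGH_ENTROPY_DATA)` flags the signed-sibling profile, while `triage(0x2A000, {}, LOW_ENTROPY_DATA)` models the stripped 630202e6-style variant and does not match.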

Fourth sibling — Olson Group campaign

  • Masquerade: Version info claims "AI feed Enterprise Manager" by Olson Group, OriginalFilename: AIfeed_client.exe ^[sample c20bbb80/exiftool.json]
  • Secondary masquerade: VS_VERSIONINFO StringFileInfo block also claims "Purdy - Green B.V." / "AI feed - Dutch Version" ^[sample c20bbb80/pefile.txt:321+]
  • Signing: Fabricated intermediate CA "Olson Group Intermediate CA 1" (CN = "Olson - Schmeler LLC") with SANs olsongroup.group, *.olsongroup.group, www.olsongroup.group, olsongroup-blaise.io, *.olsongroup-blaise.io, cross-signed to DigiCert Assured ID Root CA and DigiCert Trusted Root G4 ^[sample c20bbb80/strings.txt:10370+], ^[sample c20bbb80/binwalk.txt]
  • Export count: 502 named exports across 19 unique RVAs, a superset of the 330-export sibling ^[sample c20bbb80/pefile.txt], ^[ghidra:export-table]
  • Embedded resource: PNG icon 256x256 in .rsrc at 0x12E900 ^[sample c20bbb80/binwalk.txt]

Capabilities

  • authenticode-fake-identity
  • empty-iat-runtime-api-resolution
  • peb-walking-hash-lookup
  • semantic-jargon-export-obfuscation
  • parent-process-sandbox-gate
  • debugger-detection-system-information
  • version-info-masquerade
  • custom-stream-cipher-payload-decryption
  • self-loader-in-memory-pe-mapping
  • com-and-shell-api-resolution
  • fabricated-digicert-intermediate-ca
  • clipboard-harvest-openclipboard-getclipboarddata
  • screenshot-bitblt-getdibits
  • com-automation-cocreateinstance-coinitializesecurity
  • stripped-no-masquerade-variant
  • standard-iat-stealer-import-profile
  • no-encrypted-payload-direct-execution

Deploy / TTPs

  • Masquerading (T1036.002): "JBOD monitor" by Emard LLC ^[sample 0c9e772d/exiftool.json]
  • Masquerading (T1036.002): "AI feed Enterprise Manager" by Olson Group ^[sample c20bbb80/exiftool.json]
  • Obfuscated Files or Information (T1027): Semantic export name flooding ^[sample 0c9e772d/pefile.txt]
  • Software Packing (T1027.002): Custom cipher + in-memory PE mapping ^[raw/analyses/0c9e772d8730204dd850797827745a27bde599983d1ee070d0b61ea5faeaf535/r2:fcn.14002f0e0]
  • Native API (T1106): PEB-walking hash resolver ^[raw/analyses/0c9e772d8730204dd850797827745a27bde599983d1ee070d0b61ea5faeaf535/r2:fcn.14002ecb0]
  • Code Signing (T1553.002): Fabricated Emard LLC / Olson Group intermediate CA ^[sample 0c9e772d/strings.txt], ^[sample c20bbb80/strings.txt]
  • Evade Detection (T1497): Hash-based sandbox/parent gate at entry ^[raw/analyses/0c9e772d8730204dd850797827745a27bde599983d1ee070d0b61ea5faeaf535/r2:fcn.14002efe0]
  • Process Injection, inferred (T1055): Self-loader maps decrypted PE; ShellExecuteA/W resolved for child process ^[sample 0c9e772d/strings.txt]

Variants / Aliases

  • hippamsascom — OpenCTI / MalwareBazaar label
  • hippamsas-com — raw OpenCTI label
  • sunwukong — co-labeled on MalwareBazaar; highly probable same cluster (see sunwukong)
  • Emard LLC / JBOD monitor — internal masquerade identity (0c9e772d)
  • Hane Group / redundant alarm — internal masquerade identity (8eddf076)
  • Littel LLC / wireless sensor — internal masquerade identity (9a3c18be)
  • Olson Group / AI feed Enterprise Manager — internal masquerade identity (c20bbb80)
  • Purdy - Green B.V. / AI feed - Dutch Version — secondary VS_VERSIONINFO block in same binary (c20bbb80)
  • Harvey - Abernathy / quantifying invoice Business Manager — internal masquerade identity (341165a4)
  • Mayer - Ondricka / CSS matrix Business Gateway — internal masquerade identity (1cf56da3)
  • vjsyqtvw.exe / stripped stealer variant — no masquerade, standard IAT, clipboard+screenshot+COM import profile (630202e6)
  • Bright.exe — sample filename

Known false-positive attributions

The following samples were co-labeled hippamsascom by OpenCTI / MalwareBazaar but diverge structurally from this cluster and are tracked separately:

  • 0b6a849a68a48f7301c3459a7771378e458e2d5debce9376be350784c61b72b7 — see unclassified-pe32plus: 5.9 MB MSVC C++ PE32+, standard IAT, no masquerade, TLS callbacks, C++ STL, no exports, no static C2. Completely different build pattern. ^[/intel/analyses/0b6a849a68a48f7301c3459a7771378e458e2d5debce9376be350784c61b72b7.html]
  • 177bfc84 — see netsupport-inno-dropper: Inno Setup installer bundling legitimate NetSupport Manager. (see prior deep-dive)

Notable Analyses

  • /intel/analyses/0c9e772d8730204dd850797827745a27bde599983d1ee070d0b61ea5faeaf535.html — 0c9e772d, MSVC x64, signed Emard LLC, semantic export obfuscation, self-loader, static-only
  • /intel/analyses/8eddf076bf8b47cfd10dc5fbbd05588bc9bd7d05739671f6bc32a2d717e88e2e.html — 8eddf076, Hane Group masquerade, fabricated Authenticode, same build pattern, static-only
  • /intel/analyses/9a3c18be39571b479c7ee37d32f6000725a282abdf04643a1edfec460876762b.html — 9a3c18be, Littel LLC / "wireless sensor" masquerade, signed intermediate CA, semantic export obfuscation, self-loader, static-only
  • /intel/analyses/c20bbb8043a930c2a02111ca8753d179ab1a2ce124ea3c58977906372055b1b5.html — c20bbb80, Olson Group / "AI feed" masquerade, 502-export semantic flood, dual VS_VERSIONINFO blocks, same self-loader build pattern, static-only
  • /intel/analyses/630202e6856062a04b0eb9bd7c5100339d4d007f1a0d25519ae86a7edc4a3e6c.html — 630202e6, stripped fifth sibling: standard IAT (34 imports), zero exports, no masquerade, no Authenticode, clipboard+screenshot+COM import profile suggestive of stealer behavior, .data entropy 3.83 (no encrypted payload), static-only, co-labeled remusstealer/sivaph-shop
  • /intel/analyses/341165a42115d7aec4fbff23f6ada1273fd55902721a005ac4b88575baa97a4a.html — 341165a4, Harvey - Abernathy / "quantifying invoice Business Manager" masquerade, 221 exports, fabricated Authenticode with Harvey - Abernathy Intermediate CA, self-loading encrypted payload, static-only
  • /intel/analyses/1cf56da38e5fe05fd2242ff49bafa4271c5ee0868887bf91dafb6f47d1e46ae9.html — 1cf56da3, Mayer - Ondricka / "CSS matrix Business Gateway" masquerade, 451 exports, fabricated Authenticode with Mayer - Ondricka Intermediate CA 3 (SANs across .com/.solutions/.global/.digital), same self-loader build pattern, static-only

Related