The Hancitor trojan, also known as Chanitor, is a downloader first observed in 2014. It distributes its payload via a Word document email attachment with embedded malicious macros. The most recent version of Hancitor contains the encoded shellcode within the macro and uses native API calls within Visual Basic (VB) code to pass execution, and carves out and decrypts the embedded malware in the attachment. Once executed, Hancitor drops an additional payload to download the Pony DLL and Vawtrak malware executables, which steals data and connects to a C2 server. In January 2017, SANS Internet Storm Center researchers identified a recent increase in Hancitor activity. The campaign sends phishing emails claiming to be a parking ticket notification. The message requests the recipient to click the link to pay their ticket and directs the victim to a Microsoft Word document containing a malicious VB macro to install Hancitor.


  • January 2015: Chanitor downloader actively installing Vawtrak. (Zscaler)
  • May 2016: Hancitor reappears to infect victims with Pony downloader and new Vawtrak variant. (Proofpoint)
  • September 2016: Hancitor observed using multiple methods of attack. (FireEye)
  • January 2017: Hancitor is spread via parking ticket phishing emails linking to a Word document containing a malicious macro. (Threatpost)
  • March 2017: The trojan is spreading via a spam campaign with the subject header RE: divorce papers. (Malware-Traffic-Analysis)
  • April 2017: The trojan is being spread through fake emails purportedly from a company specializing in filing claims against the federal trade commission (FTC), luring users to open an attached .doc file that, when downloaded, installs malware with password and banking information stealing capabilities. The subject of the email is “RE: RE: ftc refund.” (TechHelpList)
  • October 2017: Threat actors are spreading Hancitor by exploiting DDE. (Malwarebytes)

Technical Details

  • Microsoft Malware Protection Center provides technical details on the Hancitor/Chanitor trojan, here.

Hancitor order of infection. Image Source: Threatpost