Rule Info

Name: HH.EXE CHM File Decompilation
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Description: Detects execution of hh.exe with the -decompile (-d) flag to extract contents of a CHM file. Threat actors abuse this technique to drop and execute malicious payloads embedded in CHM files.
Date: 2026-05-08 00:00:00
Modified: None
Id: b9f3e2a1-5c74-4d8f-9b12-3e6f7a0c8d45
Tags: attack.stealth, attack.t1218.001
Type: Nextron Sigma feed only (private)
