Rule Info
Name
HH.EXE CHM Decompilation With Non-CHM File Extension
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects execution of hh.exe with the -decompile (-d) flag where no .chm extension is present in the command line. Threat actors disguise CHM files with alternative extensions (e.g. .doc, .pdf) to evade detection, then pass them to hh.exe for decompilation and payload extraction.
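The detection logic described above, implemented as an added example over constructed process-creation events; this is not the private Sigma rule itself, and the field names (Image, CommandLine) and the acceptance of a "/" switch prefix are assumptions:

```python
import re
from typing import Dict, List

# Standalone -decompile or -d switch, case-insensitive. The "/" prefix is an
# assumption; hh.exe documents the "-" form. The lookahead keeps "-dir" from matching.
DECOMPILE_SWITCH = re.compile(r"(?:^|\s)[-/](?:decompile|d)(?=\s|$)", re.IGNORECASE)


def is_hh_decompile_without_chm(image: str, command_line: str) -> bool:
    """True when hh.exe runs with -decompile/-d and no .chm appears in the command line."""
    binary = image.lower().replace("/", "\\").rsplit("\\", 1)[-1]
    if binary != "hh.exe":
        return False
    if not DECOMPILE_SWITCH.search(command_line):
        return False
    # Any .chm in the command line is treated as the expected, benign usage.
    return ".chm" not in command_line.lower()


# Constructed sample events (Sysmon-style Image / CommandLine pairs), not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\hh.exe",
     "CommandLine": r"hh.exe -decompile C:\Users\Public\out C:\Users\Public\invoice.doc"},
    {"Image": r"C:\Windows\hh.exe",
     "CommandLine": r"hh.exe -decompile C:\Users\Public\out C:\Help\manual.chm"},
    {"Image": r"C:\Windows\hh.exe",
     "CommandLine": r"hh.exe C:\Help\manual.chm"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe -d C:\Users\Public\report.pdf"},
    {"Image": r"C:\Windows\hh.exe",
     "CommandLine": r'"C:\Windows\hh.exe" -D C:\Temp\x C:\Temp\report.pdf'},
    {"Image": r"C:\Windows\hh.exe",
     "CommandLine": r"hh.exe -dir C:\Temp\notes.pdf"},
]


def matching_events(events: List[Dict[str, str]]) -> List[int]:
    """Indices of events that would trigger the rule."""
    return [i for i, e in enumerate(events)
            if is_hh_decompile_without_chm(e["Image"], e["CommandLine"])]


if __name__ == "__main__":
    for i in matching_events(SAMPLE_EVENTS):
        print("ALERT:", SAMPLE_EVENTS[i]["CommandLine"])
```

Only the first and fifth events fire: a decompile of a .doc and of a .pdf; the .chm cases, the non-hh.exe process and the "-dir" token do not.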
Date
2026-05-08 00:00:00
Modified
None
Id
c3a84f2e-6d91-4b7c-a0e5-8f2b1d9e4c67
Tags
attack.stealth attack.t1218.001
Type
Nextron Sigma feed only (private)
