Frequently Asked Questions
Product Information & Threats
What is the Bronze Starlight ransomware operation and how does it use HUI Loader?
The Bronze Starlight ransomware operation uses HUI Loader, a custom DLL loader that is sideloaded by legitimate programs vulnerable to DLL search order hijacking. Once loaded, HUI Loader decrypts and runs a payload such as SodaMaster, PlugX, Cobalt Strike Beacon, or QuasarRAT, which the threat actors use for intellectual property theft and ransomware deployment. CTU researchers have linked HUI Loader activity to the LockFile, AtomSilo, Rook, Night Sky, and Pandora ransomware families. (Source: Original Webpage)
How does HUI Loader evade detection and protection measures?
HUI Loader attempts to evade host-based detection by disabling Event Tracing for Windows (ETW), disabling Antimalware Scan Interface (AMSI) functions, and hooking Windows API calls. Security tools that depend on ETW telemetry, AMSI scan results, or unmodified API behaviour lose visibility into the loader and the payload it runs. (Source: Original Webpage)
Which ransomware families are associated with HUI Loader?
HUI Loader has been linked to LockFile, AtomSilo, Rook, Night Sky, and Pandora ransomware activity. CTU researchers observed HUI Loader loading Cobalt Strike Beacon samples configured specifically for these ransomware families. (Source: Original Webpage)
What is DLL search order hijacking and how is it exploited in these attacks?
DLL search order hijacking abuses the way Windows locates a DLL that a program loads by name rather than by full path: the loader probes a fixed list of directories, beginning with the directory the executable itself runs from. An attacker who places a DLL with the expected name in a directory probed before the genuine copy gets that DLL loaded, and its code runs inside the legitimate process. HUI Loader is delivered this way, as a malicious DLL dropped beside a vulnerable legitimate executable, and it then decrypts and loads the encrypted payload. (Source: Original Webpage)
What is the significance of the Cobalt Strike Beacon configuration observed in these attacks?
The Cobalt Strike Beacon samples loaded by HUI Loader used an uncommon HTTP POST URI beginning with /rest/2/meetings and a watermark value of 0. CTU researchers observed this combination only in Beacons associated with AtomSilo, Night Sky, and Pandora ransomware, which suggests that a single threat group operates those families. (Source: Original Webpage)
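The POST URI prefix is the part of that configuration a defender can hunt for in web proxy logs (the watermark lives in the Beacon's embedded configuration and is never visible on the wire, so it is a sample-triage field rather than a log field). The script below is an added example, not code from the page or the CTU report: the log lines are constructed, and the line layout (ISO timestamp, client IP, method, host, URI, status) is an assumed simplification rather than any vendor's export format. It goes slightly beyond the text by also summarising the check-in cadence per client, since a Beacon sleeping with a fixed interval and small jitter produces gaps with a low spread.

```python
"""Hunt proxy logs for POSTs under the Beacon URI prefix reported for these campaigns
and summarise the check-in cadence per client. Added example: SAMPLE_LOG is
constructed and the log layout is an assumed simplification."""
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

BEACON_URI_PREFIX = "/rest/2/meetings"   # POST URI prefix from the reported Beacon config


def parse_line(line):
    """Split one space-separated record into a dict (assumed layout, see above)."""
    ts, client, method, host, uri, status = line.split()
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "method": method, "host": host, "uri": uri, "status": int(status)}


def hunt(lines, prefix=BEACON_URI_PREFIX):
    """Group POSTs under prefix by client; report count, destinations and gap statistics."""
    by_client = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["method"] == "POST" and rec["uri"].startswith(prefix):
            by_client[rec["client"]].append(rec)

    report = {}
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        report[client] = {
            "count": len(recs),
            "hosts": sorted({r["host"] for r in recs}),
            "median_gap_s": median(gaps) if gaps else None,
            # low spread relative to the median is the sleep-plus-jitter signature
            "gap_stdev_s": round(pstdev(gaps), 1) if len(gaps) > 1 else None,
        }
    return report


# Constructed sample: 10.0.0.5 checks in about once a minute; 10.0.0.7 only makes
# unrelated requests, including a GET to a similar path that must not match.
SAMPLE_LOG = """
2024-05-01T10:00:00 10.0.0.5 POST cdn.example.test /rest/2/meetings/6f3a 200
2024-05-01T10:00:10 10.0.0.7 GET  www.example.test /rest/2/meetings 200
2024-05-01T10:01:02 10.0.0.5 POST cdn.example.test /rest/2/meetings/6f3a 200
2024-05-01T10:01:30 10.0.0.7 POST www.example.test /api/login 302
2024-05-01T10:02:00 10.0.0.5 POST cdn.example.test /rest/2/meetings/6f3a 200
2024-05-01T10:03:03 10.0.0.5 POST cdn.example.test /rest/2/meetings/6f3a 200
2024-05-01T10:03:59 10.0.0.5 POST cdn.example.test /rest/2/meetings/6f3a 200
""".strip().splitlines()

if __name__ == "__main__":
    for client, summary in hunt(SAMPLE_LOG).items():
        print(client, summary)
```

A prefix match alone is weak evidence if the organisation runs an application with a similar REST path, so pair the hit with the destination host and the cadence before escalating.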
How did CTU researchers link HUI Loader activity to ransomware campaigns?
CTU researchers analyzed malware samples, Cobalt Strike Beacon configurations, C2 infrastructure, and code overlap to link HUI Loader activity to LockFile, AtomSilo, Rook, Night Sky, and Pandora ransomware campaigns. Timeline analysis and VirusTotal data further supported these associations. (Source: Original Webpage)
What vulnerabilities were exploited in the observed attacks?
Threat actors exploited an authentication bypass vulnerability (CVE-2021-40539) in ManageEngine ADSelfService Plus to deploy Meterpreter reverse shells and HUI Loader samples. (Source: Original Webpage)
What is the role of legitimate executables in these attacks?
Legitimate executables, including a Microsoft Defender binary and VMware's VMwareXferlogs.exe, serve as hosts for the malicious DLL via DLL search order hijacking: the executable is dropped alongside HUI Loader and the encrypted payload, and running it sideloads the loader into a trusted process, which attracts less scrutiny than a standalone malicious binary. (Source: Original Webpage)
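To make the hijack condition from the two questions above concrete, the following is a model of the Windows DLL search order (as documented by Microsoft for a LoadLibrary call with an unqualified name) run against a simulated host where VMwareXferlogs.exe has been dropped into a writable directory next to a planted DLL. It is an added example, not code from the page or from the CTU report: the file layout, the working directory, and the DLL name helper.dll are all constructed. Real loaders can deviate from this model (application manifests, SetDllDirectory, LOAD_LIBRARY_SEARCH_* flags and DLL redirection all alter the order), so treat the result as the baseline behaviour rather than a guarantee.

```python
"""Model of the Windows DLL search order showing why a DLL planted beside a legitimate
executable is loaded ahead of the copy in System32. Added example: host contents,
working directory and the name helper.dll are constructed."""
from dataclasses import dataclass, field


@dataclass
class Host:
    files: set                      # full paths present on the simulated host
    known_dlls: set                 # names under HKLM\...\Session Manager\KnownDLLs
    safe_dll_search_mode: bool = True
    system32: str = r"C:\Windows\System32"
    windows: str = r"C:\Windows"
    path_dirs: list = field(default_factory=list)

    def exists(self, path):
        return path.lower() in {f.lower() for f in self.files}


def search_order(host, app_dir, cwd):
    """Directories in the order the loader probes them for an unqualified DLL name."""
    system16 = host.windows + r"\System"
    if host.safe_dll_search_mode:          # default since Windows XP SP2
        order = [app_dir, host.system32, system16, host.windows, cwd]
    else:                                  # legacy mode: current directory probed second
        order = [app_dir, cwd, host.system32, system16, host.windows]
    return order + list(host.path_dirs)


def resolve_dll(host, exe_path, dll_name, cwd):
    """Return the path the loader would map for dll_name, or None if not found."""
    if dll_name.lower() in {k.lower() for k in host.known_dlls}:
        # KnownDLLs are mapped from the \KnownDlls section (System32 image) and are
        # never searched for on disk, so a planted copy in the app directory is ignored.
        return host.system32 + "\\" + dll_name
    app_dir = exe_path.rsplit("\\", 1)[0]
    for directory in search_order(host, app_dir, cwd):
        candidate = directory + "\\" + dll_name
        if host.exists(candidate):
            return candidate
    return None


def hijacked_dlls(host, exe_path, cwd):
    """DLLs next to the executable or in the working directory that resolve outside
    System32 although a System32 copy exists: the condition HUI Loader relies on."""
    app_dir = exe_path.rsplit("\\", 1)[0]
    names = set()
    for f in host.files:
        head, _, name = f.rpartition("\\")
        if name.lower().endswith(".dll") and head.lower() in (app_dir.lower(), cwd.lower()):
            names.add(name.lower())
    hits = []
    for name in sorted(names):
        resolved = resolve_dll(host, exe_path, name, cwd)
        if (resolved and not resolved.lower().startswith(host.system32.lower() + "\\")
                and host.exists(host.system32 + "\\" + name)):
            hits.append((name, resolved))
    return hits


# Constructed host: VMwareXferlogs.exe dropped into C:\Tools with a planted helper.dll,
# a planted kernel32.dll that KnownDLLs protection defeats, and a DLL planted in the
# working directory that only wins when SafeDllSearchMode is off.
HOST = Host(
    files={
        r"C:\Tools\VMwareXferlogs.exe",
        r"C:\Tools\helper.dll",            # attacker-controlled, hypothetical name
        r"C:\Tools\kernel32.dll",          # planted but ineffective
        r"C:\Users\bob\config.dll",        # planted in the working directory
        r"C:\Windows\System32\helper.dll",
        r"C:\Windows\System32\kernel32.dll",
        r"C:\Windows\System32\config.dll",
    },
    known_dlls={"kernel32.dll", "ntdll.dll", "user32.dll"},
)
EXE = r"C:\Tools\VMwareXferlogs.exe"
CWD = r"C:\Users\bob"

if __name__ == "__main__":
    print(resolve_dll(HOST, EXE, "helper.dll", CWD))    # C:\Tools\helper.dll
    print(resolve_dll(HOST, EXE, "kernel32.dll", CWD))  # C:\Windows\System32\kernel32.dll
    print(hijacked_dlls(HOST, EXE, CWD))
```

The same logic, fed with a real directory listing and the KnownDLLs registry value, is a cheap triage step when a signed executable turns up in an unusual location: any DLL it would load from its own directory that also exists in System32 deserves a hash check against the vendor's copy.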
How do attackers use C2 infrastructure in these campaigns?
Attackers stage the legitimate executables and malicious DLLs on their C2 servers, and the same infrastructure provides remote control of the deployed implants and delivery of the ransomware payloads. Passive DNS and VirusTotal data tie those C2 domains to ransomware activity. (Source: Original Webpage)
What is the impact of these ransomware operations on targeted organizations?
These ransomware operations can lead to intellectual property theft, business disruption, data encryption, reputational damage, and financial loss. The use of advanced techniques like HUI Loader and Cobalt Strike increases the risk and complexity of attacks. (Source: Original Webpage)
How does Cymulate help organizations defend against ransomware threats like Bronze Starlight?
Cymulate provides continuous threat validation, simulating real-world ransomware attacks to test and improve defenses. Its platform validates security controls, identifies exploitable exposures, and offers actionable remediation guidance to reduce risk. (Source: Knowledge Base)
What are Cymulate's featured resources for learning about ransomware and threat validation?
Cymulate offers blogs, demos, and case studies such as 'Validate What Matters: Simulate Real-World Identity and Privilege Attacks in AD and Entra ID' and 'From Vulnerability to Validation.' These resources help organizations understand and address modern threats. (Source: Original Webpage)
How does Cymulate's platform validate exposures and prioritize remediation?
Cymulate's Exposure Management Platform automates real-world attack simulations, validates exposures, and prioritizes remediation based on exploitability and business impact. This helps organizations focus on the most critical vulnerabilities. (Source: Original Webpage, Knowledge Base)
What is Cymulate's Attack Path Discovery and how does it help?
Attack Path Discovery automates testing for lateral movement and privilege escalation, helping organizations identify and mitigate threats related to network segmentation and access controls. (Source: Original Webpage, Knowledge Base)
How does Cymulate integrate with other security tools?
Cymulate integrates with a wide range of technology partners across network, cloud, endpoint, and SIEM domains, including Akamai Guardicore, AWS GuardDuty, CrowdStrike Falcon, and Check Point CloudGuard. For a complete list, visit Cymulate's Partnerships and Integrations page. (Source: Knowledge Base)
What certifications and compliance standards does Cymulate meet?
Cymulate is SOC 2 Type II certified and complies with ISO 27001:2013, ISO 27701, ISO 27017, and CSA STAR Level 1. It also adheres to GDPR and employs robust data center and application security practices. (Source: Knowledge Base)
How easy is it to implement Cymulate and start using its features?
Cymulate is designed for quick, agentless deployment with minimal resources required. Customers can start running simulations almost immediately and benefit from comprehensive support, including email, chat, webinars, and an AI chatbot. (Source: Knowledge Base)
Features & Capabilities
What are the key capabilities of Cymulate's platform?
Cymulate offers continuous threat validation, attack path discovery, automated mitigation, detection engineering, complete kill chain coverage, and an extensive threat library with daily updates. (Source: Knowledge Base)
How does Cymulate's Threat Validation solution differ from manual pen tests and traditional BAS?
Cymulate's Exposure Validation provides automated, continuous security testing with a library of over 100,000 attack actions aligned to MITRE ATT&CK and daily threat intelligence. It integrates easily with security controls and offers automated mitigation, unlike infrequent manual tests or traditional BAS tools. (Source: Knowledge Base)
What is Cymulate's Threat (IoC) updates feature and how does it improve threat resilience?
The Threat (IoC) updates feature provides recommended Indicators of Compromise that can be exported and applied directly to security controls, improving threat resilience by enabling rapid defense against new threats. (Source: Knowledge Base)
How does Cymulate Exposure Validation support a threat-informed defense strategy?
Cymulate Exposure Validation continuously validates security controls against the latest threats and attack techniques, ensuring defenses are prepared for current and emerging adversarial methods. (Source: Knowledge Base)
Use Cases & Benefits
Who can benefit from Cymulate's platform?
Cymulate is designed for CISOs, Security Leaders, SecOps teams, Red Teams, and Vulnerability Management teams across industries such as finance, healthcare, retail, media, transportation, and manufacturing. (Source: Knowledge Base)
What business impact can customers expect from using Cymulate?
Customers report an 81% reduction in cyber risk within four months, a 60% increase in operational efficiency, 40X faster threat validation, 30% improvement in threat prevention, and a 52% reduction in critical exposures. (Source: Knowledge Base, Hertz Israel Case Study)
What feedback have customers given about Cymulate's ease of use?
Customers consistently praise Cymulate for its user-friendly and intuitive platform. Testimonials highlight its easy implementation, actionable insights, and accessible support. (Source: Knowledge Base)
Pain Points & Solutions
What core problems does Cymulate solve for security teams?
Cymulate addresses overwhelming threat volumes, lack of visibility, unclear prioritization, operational inefficiencies, fragmented tools, cloud complexity, and communication barriers. It provides continuous threat validation, prioritization, improved resilience, collaboration, automation, and validated exposure scoring. (Source: Knowledge Base)
How does Cymulate address pain points for different security personas?
CISOs benefit from clear metrics and investment justification; SecOps teams gain operational efficiency and visibility; Red Teams get automated offensive testing; Vulnerability Management teams receive prioritized exposure insights. (Source: Knowledge Base)
Competition & Comparison
How does Cymulate compare to AttackIQ?
AttackIQ offers automated security validation but lacks Cymulate's innovation, threat coverage, and ease of use. Cymulate provides the industry's leading threat scenario library and AI-powered capabilities. (Source: Knowledge Base)
How does Cymulate compare to Mandiant Security Validation?
Mandiant is an original BAS platform but has seen little innovation recently. Cymulate continually innovates with AI and automation, expanding into exposure management as a grid leader. (Source: Knowledge Base)
How does Cymulate compare to Pentera?
Pentera focuses on attack path validation but lacks Cymulate's depth for full defense assessment. Cymulate offers comprehensive exposure validation, covering the full kill chain and providing cloud control validation. (Source: Knowledge Base)
How does Cymulate compare to Picus Security?
Picus is suitable for on-premise BAS needs but lacks Cymulate's complete exposure validation platform. Cymulate covers the full kill chain and includes cloud control validation. (Source: Knowledge Base)
How does Cymulate compare to SafeBreach?
SafeBreach offers breach and attack simulation but lacks Cymulate's innovation, precision, and automation. Cymulate leads with AI-powered BAS, the largest attack library, and a full CTEM solution. (Source: Knowledge Base)
How does Cymulate compare to Scythe?
Scythe is suitable for advanced red teams but lacks Cymulate's focus on actionable remediation and automated mitigation. Cymulate provides a complete exposure validation platform with daily threat updates, no-code workflows, and vendor-specific remediation guidance. (Source: Knowledge Base)
Pricing & Plans
What is Cymulate's pricing model?
Cymulate operates on a subscription-based pricing model tailored to each organization's needs. Pricing depends on the chosen package, number of assets, and scenarios selected. The subscription fee is non-refundable. For a detailed quote, schedule a demo with Cymulate's team. (Source: Knowledge Base)