Hematite

Category: trojan_generic · Aliases: None known · Sample count (EMBER 2018): 616 · Enrichment: expert-seo · Updated: 2026-06-09

Overview

Backdoor:Win32/Hematite is a stealthy, targeted Remote Access Trojan (RAT) often utilized in sustained espionage campaigns to establish deep persistence and exfiltrate sensitive data.

Understanding Hematite
To an end-user, Hematite operates completely invisibly. For threat intelligence analysts, Hematite represents a highly capable backdoor designed for long-term intelligence gathering. Unlike noisy, commercially available RATs, Hematite is often custom-compiled for specific targets, utilizing advanced obfuscation and encrypted C2 channels to evade detection by standard Endpoint Detection and Response (EDR) solutions.

Execution and Evasion Strategies
Hematite is typically delivered via highly tailored spearphishing campaigns containing weaponized Office documents or PDF exploits. Upon execution, it drops a malicious DLL into the %SystemRoot%\System32 or %AppData% directories. It establishes persistence by registering itself as a hidden Windows Service or via DLL Search Order Hijacking against legitimate system executables. Hematite communicates with its C2 infrastructure using custom encryption over HTTPS (Port 443) to blend in with normal corporate web traffic.

Indicators of Compromise & Impact
The impact of Hematite is a total compromise of confidentiality and endpoint control. The attacker can execute arbitrary commands, steal credentials, and pivot laterally across the network. Incident responders should hunt for anomalous, persistent HTTPS connections originating from legitimate processes (like svchost.exe) to unknown or newly registered IP addresses. Memory forensics is critical to extract the decrypted Hematite payload and identify the specific C2 domains.

MITRE ATT&CK Techniques

Observed techniques used by this family, mapped to the MITRE ATT&CK framework:

TechniqueNameTactic
T1055.001Process Injection: Dynamic-link Library InjectionDefense Evasion
T1543.003Create or Modify System Process: Windows ServicePersistence
T1573.001Encrypted Channel: Symmetric CryptographyCommand and Control
T1056.001Input Capture: KeyloggingCollection
T1105Ingress Tool TransferCommand and Control

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_HEMATITE {
    meta:
        description = "Detects Hematite (trojan_generic)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "hematite" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Hematite Activity
id: 4b278b0860879c7c185eb860cddc4a09
status: experimental
description: Detects generic indicators of the hematite malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*hematite*"
    condition: selection
level: medium

Containment & Response Steps

Ordered checklist for responders. Adapt to your environment and engage professional support for active incidents.

  1. Immediately isolate the compromised endpoint from the network to sever the attacker's interactive, remote-control session.
  2. Capture a full forensic memory image of the machine to extract the decrypted Hematite payload and its C2 configuration.
  3. Identify the specific C2 IP address and implement immediate blocks at the perimeter firewall and proxy servers.
  4. Perform a clean OS rebuild and force password resets for all accounts that accessed the machine, assuming total endpoint compromise.

What to Avoid

Common mistakes during response to this family that can destroy evidence, spread the infection, or worsen recovery.

  1. Do not leave the machine connected to the network during triage; the attacker has live access and will likely destroy evidence or move laterally.
  2. Avoid relying solely on static signatures to detect Hematite, as it is frequently re-packed and obfuscated for each targeted campaign.

References & External Analysis

Related Families (Category: trojan_generic)

Explore other malware families in the same category:

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/hematite.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.