Microsoft Defender Antivirus detects and removes this threat.

Hancitor, also known as Chanitor, is a malware designed to install other malware on targeted devices. Hancitor has been active since 2013, and was typically delivered as an attachment through spear-phishing emails with varying lure themes. However, from 2020 onwards, threat actors have been using DocuSign-themed lures to entice target users into opening links in emails, which then lead to another link that downloads a document with a malicious macro that contains the main Hancitor payload.

Once on the target device, Hancitor performs initial reconnaissance, connects to the attackers' command-and-control (C2) server, and downloads additional malware, including banking trojans like Zloader and Vawtrak, and information stealers like Pony and Ficker. In some campaigns, attackers have also used Hancitor to install Cobalt Strike or exploit CVE-2020-1472. In all these infections, Hancitor uses these tools to perform various malicious activities, including lateral movement, credential theft, and data exfiltration.