
Radware Discovers New Trojan Keylogger Used in Targeted Attack

Radware Discovers “Admin.HLP” – A New Keylogger Used in Targeted Attack

Security researchers from Radware have discovered a new Trojan Key Logger named “Admin.HLP” that they say captures sensitive user information and attempts to export it to a server in a remote location.


The malicious file came hidden within a standard Windows help file named Amministrazione.hlp and has been used in targeted attacks against at least one Radware customer, Ronen Kenig, Director of Product Marketing, Security Products at Radware, told SecurityWeek.

Radware would not disclose the industry vertical of the customer that had been targeted and infected with the malware.

“The file is being spread through email,” Kenig said. “The malware is attached to a Windows help file, and when a user attempts to open the help file, they will see the help menu, but it will also invoke the Trojan which installs itself on the victim’s computer.”

Using a Windows help file as the infection vector is rarely seen; unlike an .exe attachment, which even novice users know can be dangerous, an .hlp file does not raise suspicion. One caveat: the macro capability lives in the legacy WinHelp (.hlp) format, and Windows Vista and later no longer ship the WinHlp32.exe viewer by default, so the lure only does its job on systems that still have that viewer installed.

“The general population are not aware the help files can be malicious as well,” Kenig said.

“By using HLP-script language, the attacker is able to inject the encrypted malicious payload and execute the stub to decrypt the Trojan code,” a threat analysis document obtained by SecurityWeek explained.
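The macro language mentioned above is what turns a help file into a carrier. As an added triage check (example code, not Radware's analysis tooling and not anything taken from the sample itself), the Python below verifies the WinHelp header and searches a file image for the WinHelp macros that can launch code outside the viewer. The header bytes, the macro list and the three sample file images are assumptions and constructions of this example; the scan only looks at uncompressed string data and does not parse the help file's internal file system, so treat it as a first-pass filter, not a full parser.

```python
import re
import struct

# WinHelp (.hlp) files begin with the bytes 3F 5F 03 00 (magic 0x3F5F, then a
# 16-bit version of 3). Taken from the published WinHelp format description;
# it is an assumption of this example, not a value given in the article.
HLP_MAGIC = b"\x3f\x5f\x03\x00"

# WinHelp macros that can start code outside the help viewer, plus their
# documented short forms. The macro Admin.HLP actually uses is not reproduced
# in the article, so this is a generic triage heuristic, not a signature.
MACRO_RE = re.compile(
    rb"\b(ExecFile|ExecProgram|ShellExecute|RegisterRoutine|Exec|EF|EP|SE|RR)"
    rb"\s*\(([^)]{0,200})\)",
    re.IGNORECASE,
)


def scan_hlp(data: bytes) -> dict:
    """Triage one .hlp file image: header check plus a search for
    code-launching macros in its uncompressed string data."""
    is_hlp = data.startswith(HLP_MAGIC)
    hits = []
    for match in MACRO_RE.finditer(data):
        name = match.group(1).decode("ascii", "replace")
        args = match.group(2).decode("latin-1", "replace").strip()
        hits.append((name, args))
    # Only a real WinHelp file can feed these macros to WinHlp32.exe, so a
    # macro-looking string in a non-.hlp file is reported but not flagged.
    return {"is_hlp": is_hlp, "macro_hits": hits, "suspicious": is_hlp and bool(hits)}


def _fake_hlp(body: bytes) -> bytes:
    """Constructed file image: magic, directory offset, free-list sentinel
    and total size, then the body. Enough to exercise the header check; it
    is not a valid help file."""
    header_len = 16
    header = HLP_MAGIC + struct.pack("<lll", header_len, -1, header_len + len(body))
    return header + body


# Constructed samples (not real malware): one carrying a benign launch macro,
# one with ordinary help-file strings, and one plain text file that merely
# mentions a macro name.
SAMPLE_WITH_MACRO = _fake_hlp(
    b"|SYSTEM\x00" + b'ExecFile("notepad.exe")\x00' + b"Amministrazione\x00"
)
SAMPLE_CLEAN = _fake_hlp(b"|SYSTEM\x00Amministrazione\x00|TOPIC\x00Indice generale\x00")
SAMPLE_NOT_HLP = b"README: the ExecFile(x) macro is documented here.\n"

if __name__ == "__main__":
    for label, blob in [("with macro", SAMPLE_WITH_MACRO),
                        ("clean", SAMPLE_CLEAN),
                        ("not hlp", SAMPLE_NOT_HLP)]:
        print(label, scan_hlp(blob))
```

Run it over every .hlp attachment pulled from the mail gateway. A genuine WinHelp header combined with an ExecFile, ExecProgram, ShellExecute or RegisterRoutine call is the signal to pull the file for sandboxing, since a help file almost never needs to start another program.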

According to Radware, Admin.HLP monitors keystrokes on the victim’s computer and collects user passwords, credit card numbers and other sensitive information.

Data captured by the keylogger function is saved to a file called “UserData.dat” in the ‘Application Data’ directory, the note explained.

As of this writing, the file had not been flagged as malicious by any anti-virus engine on VirusTotal, Kenig said.

The Trojan does not use a command-and-control (C&C) server; it simply attempts to exfiltrate the captured data to a remote “drop” server over an HTTPS connection.

The location of the drop server is not currently known, as the domain does not currently resolve to an IP address. The Trojan is, however, hard-coded to send the collected data to a specific host name.

Interestingly, the drop domain is hosted on a dynamic DNS service, meaning the attacker can repoint it to a different server if one is noticed or shut down.

“The Admin.HLP Trojan is hidden within a standard Windows help file named Amministrazione.hlp and attaches itself to emails,” Radware’s Ziv Gadot explained in a blog post. “This standard help file does not trigger a response from anti-virus software that may be installed, and therefore it slips under the radar of standard security protection.”

“In order to remain a persistent threat, Admin.HLP creates a startup file in Windows, guaranteeing that the Trojan is invoked after every restart of the computer,” Gadot added.

Kenig emphasized that this appears to be a targeted attack, but organizations should take note and realize that the same malware, or variants of it, could be used in similar attacks.

For Radware customers, a signature has been created to block all network communication between infected organizations and the attackers’ remote servers.

Just as we suggested yesterday on the subject of a recent Java exploit, it is a good idea to search logs for connections to the drop host name or to any other IP or domain associated with this attack.

Even though the host name does not currently resolve, it is a good idea to block connections to it as well: a dormant dynamic DNS name can be pointed at a new server at any time, and DNS query logs will still show infected machines looking it up in the meantime. Network security administrators should take this approach any time they learn of a malicious host that endpoints are connecting to.
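To turn that advice into a repeatable check, here is an added example (not Radware's signature and not code from the article) that hunts a proxy log and a DNS resolver log for the drop host. The log format, the client addresses and the indicators are all constructed for the example: drop.example.net and 198.51.100.23 are placeholders for the host name the article withholds, to be replaced with the values from the vendor's report.

```python
import ipaddress
from typing import Iterable, Optional

# Placeholder indicators. The article withholds the real drop host, so
# drop.example.net (a reserved example domain) and 198.51.100.23 (a
# documentation address) stand in for it.
IOC_HOSTS = {"drop.example.net"}
IOC_IPS = {"198.51.100.23"}

# Constructed log lines in a simple key=value shape: proxy records carrying
# the CONNECT/GET destination, and resolver records carrying the queried name.
SAMPLE_LOG = """\
2012-08-30T10:14:02Z proxy client=10.0.0.15 method=CONNECT dest=drop.example.net:443 status=200
2012-08-30T10:14:05Z proxy client=10.0.0.15 method=GET dest=www.example.com:80 status=200
2012-08-30T10:15:11Z dns client=10.0.0.15 query=drop.example.net type=A answer=NXDOMAIN
2012-08-30T10:16:40Z dns client=10.0.0.22 query=backup.drop.example.net type=A answer=198.51.100.23
2012-08-30T10:17:03Z proxy client=10.0.0.31 method=CONNECT dest=198.51.100.23:443 status=200
"""


def parse_line(line: str) -> Optional[dict]:
    """Turn 'ts source k=v k=v ...' into a dict; return None for junk lines."""
    parts = line.split()
    if len(parts) < 3:
        return None
    rec = {"ts": parts[0], "source": parts[1]}
    for token in parts[2:]:
        key, sep, value = token.partition("=")
        if sep:
            rec[key] = value
    return rec


def match_indicator(value: str, ioc_hosts, ioc_ips) -> Optional[str]:
    """Explain why a host name or address matches an indicator, or None."""
    value = value.lower().rstrip(".")
    try:
        if str(ipaddress.ip_address(value)) in ioc_ips:
            return "ioc ip"
    except ValueError:
        pass  # not an IP literal, so treat it as a host name
    for host in ioc_hosts:
        if value == host:
            return "ioc host"
        # A dynamic-DNS name can come back under a sibling label; matching
        # subdomains of the indicator covers that without blocking the
        # whole dynamic DNS provider.
        if value.endswith("." + host):
            return "subdomain of " + host
    return None


def hunt(lines: Iterable[str], ioc_hosts=IOC_HOSTS, ioc_ips=IOC_IPS) -> list:
    """One hit per log line that touches an indicator. A DNS query counts
    even when the answer is NXDOMAIN: the lookup itself shows an infected
    machine trying to reach the drop server."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        candidates = []
        if "dest" in rec:
            candidates.append(rec["dest"].rsplit(":", 1)[0])  # strip :port
        candidates += [rec[k] for k in ("query", "answer") if k in rec]
        for candidate in candidates:
            reason = match_indicator(candidate, ioc_hosts, ioc_ips)
            if reason:
                hits.append({"ts": rec["ts"], "source": rec["source"],
                             "client": rec.get("client"),
                             "indicator": candidate, "reason": reason})
                break
    return hits


def infected_clients(hits) -> set:
    """Distinct internal addresses that should be pulled for investigation."""
    return {h["client"] for h in hits}


if __name__ == "__main__":
    found = hunt(SAMPLE_LOG.splitlines())
    for hit in found:
        print(hit)
    print("clients to isolate:", sorted(infected_clients(found)))
```

On the constructed lines this flags four records from three internal hosts, including the NXDOMAIN lookup from 10.0.0.15 and the sibling-label query from 10.0.0.22; both would be missed by a check that only looks for successful connections to a resolved address.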

Since Radware is not an anti-malware company, it is not producing a tool to identify or remove the Trojan.

While AV vendors may not be able to identify the malware yet, it’s likely that they will in the days ahead.

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
