216.73.217.22

T1218.001: T1218.001

View on MITRE ATT&CK The MITRE Corporation · Published 16/12/2025 19:38 · Modified 04/05/2026 16:32

Essential information

MITRE technique ID
T1218.001
Confidence
100/100
Revoked
No
Published
16/12/2025 19:38
Modified
04/05/2026 16:32
Author / Source
The MITRE Corporation

Aliases

Compiled HTML File

Platforms

windows

Description

Adversaries may abuse Compiled HTML files (.chm) to conceal malicious code. CHM files are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations of various content such as HTML documents, images, and scripting/web related programming languages such VBA, JScript, Java, and ActiveX. (Citation: Microsoft HTML Help May 2018) CHM content is displayed using underlying components of the Internet Explorer browser (Citation: Microsoft HTML Help ActiveX) loaded by the HTML Help executable program (hh.exe). (Citation: Microsoft HTML Help Executable Program) A custom CHM file containing embedded payloads could be delivered to a victim then triggered by [User Execution](https://attack.mitre.org/techniques/T1204). CHM execution may also bypass application application control on older and/or unpatched systems that do not account for execution of binaries through hh.exe. (Citation: MsitPros CHM Aug 2017) (Citation: Microsoft CVE-2017-8625 Aug 2017)

Kill chain phases

Kill chainPhase
mitre-attack defense-evasion

Marking (TLP)

TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.

External references

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (7)

  • Silence uses Whisper Spider
    The MITRE Corporation Confidence 100

    [Silence](https://attack.mitre.org/groups/G0091) is a financially motivated threat actor targeting financial institutions in different countries. The group was first seen in June 2016. Their main targets reside in Russia, Ukraine, …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:13
  • APT41 uses Wicked PandaBrass Typhoon
    The MITRE Corporation Confidence 100

    [APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:14
  • MUSTANG PANDA uses BRONZE PRESIDENTSTATELY TAURUS
    The MITRE Corporation Confidence 100

    [Mustang Panda](https://attack.mitre.org/groups/G0129) is a China-based cyber espionage threat actor that has been conducting operations since at least 2012. [Mustang Panda](https://attack.mitre.org/groups/G0129) has been known to use tailored phishing lures …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 22/05/2026 04:12
  • STARDUST CHOLLIMA uses NICKEL GLADSTONEBeagleBoyz
    The MITRE Corporation Confidence 100

    [APT38](https://attack.mitre.org/groups/G0082) is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau.(Citation: CISA AA20-239A BeagleBoyz August 2020) …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 04/05/2026 16:33
  • OilRig uses COBALT GYPSYIRN2
    The MITRE Corporation Confidence 100

    [OilRig](https://attack.mitre.org/groups/G0049) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:13
  • Dark Caracal uses
    The MITRE Corporation Confidence 100

    [Dark Caracal](https://attack.mitre.org/groups/G0070) is threat group that has been attributed to the Lebanese General Directorate of General Security (GDGS) and has operated since at least 2012. (Citation: Lookout Dark …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:14
  • Bitter APT uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 20/12/2025 23:42 · Modified 20/12/2025 23:42

Malware (18)

  • Amatera Stealer uses
    Family
    Published 09/03/2026 09:42 · Modified 09/03/2026 09:42
  • PlugX - S0013 uses
    Family
    Published 05/06/2026 18:07 · Modified 05/06/2026 18:07
  • Guildma uses
    Family
    Published 19/05/2026 22:26 · Modified 19/05/2026 22:26
  • COBEACON uses
    Family
    Published 28/08/2025 14:51 · Modified 28/08/2025 14:51
  • Bughatch
  • SystemBC uses
    Family
    Published 12/06/2026 21:29 · Modified 12/06/2026 21:29
  • Veaamp
  • Termite uses
    Family
    Published 21/05/2026 23:03 · Modified 21/05/2026 23:03
  • LOTUSLITE uses
    Family
    Published 22/04/2026 01:40 · Modified 22/04/2026 01:40
  • Burntcigar
  • Agent Tesla - S0331 uses
    Family
    Published 15/05/2026 15:23 · Modified 15/05/2026 15:23
  • Hancitor
  • CountLoader uses
    Family
    Published 26/09/2025 20:06 · Modified 26/09/2025 20:06
  • PureMiner uses
    Family
    Published 10/10/2025 08:25 · Modified 10/10/2025 08:25
  • Korplug uses
    The MITRE Corporation Confidence 100

    [PlugX](https://attack.mitre.org/software/S0013) is a remote access tool (RAT) with modular plugins that has been used by multiple threat groups.(Citation: Lastline PlugX Analysis)(Citation: FireEye Clandestine Fox Part 2)(Citation: New DragonOK)(Citation: …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 31/05/2017 23:32 · Modified 08/06/2026 10:23
  • RomCom uses
    Family
    Published 17/10/2024 16:16 · Modified 17/10/2024 16:16
  • Wedgecut
  • Patchwork

Reports (4)

Vulnerabilities (CVE) (3)

CVE-2022-1388 KEV

F5 BIG-IP contains a missing authentication in critical function vulnerability which can allow for remote code execution, creation or deletion of files, …

Published
10/05/2022
Modified
20/12/2025
CVE-2021-40444 KEV

Microsoft MSHTML contains a unspecified vulnerability that allows for remote code execution.

Published
03/11/2021
Modified
27/05/2026
CVE-2025-55182 KEV
10.0 Critical

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, …

Attack vector
Network
Published
05/12/2025
Modified
29/05/2026
Analyzed

Attack patterns (MITRE) (1)

  • T1218 subtechnique-of
    System Binary Proxy Execution

Course Of Action (2)

  • Execution Prevention mitigates
  • Restrict Web-Based Content mitigates