Cuba Ransomware partners with Hancitor for spam-fueled attacks By 05:00 AM The Cuba Ransomware gang has teamed up with the spam operators of the Hancitor malware to gain easier access to compromised corporate networks. The Hancitor (Chancitor) downloader has been in operation since 2016 when Zscaler saw it distributing the Vawtrak information-stealing Trojan. Since then, numerous campaigns have been seen over the years where Hancitor installs password-stealers, such as Pony, Ficker, and more recently, Cobalt Strike. Hancitor is usually distributed through malicious spam campaigns pretending to be DocuSign invoices, as shown below. Fake DocuSign spam pushing Hancitor When a recipient clicks on the 'Sign document' link, they will download a malicious Word document that tries to convince the target to disable protections.