Downloader Malware Written in JPHP Interpreter

April 17, 2025, 7:39 p.m.

Description

A newly discovered malware sample uses JPHP, a PHP interpreter that runs on the Java Virtual Machine, to implement a downloader. The malware is distributed as a ZIP file that bundles a Java Runtime Environment and the required libraries, so it runs without a separately installed Java environment. It communicates with a C2 server, disables Windows Defender's behavior monitoring, and uses Telegram for additional C2 connections. It can download and execute additional payloads, potentially including data-breach-type malware such as Strrat and Danabot. This case shows how threat actors abuse lesser-known technologies like JPHP for malware distribution and underlines the importance of scrutinizing executable files and scripts regardless of their source.

Date

  • Created: April 17, 2025, 4:34 p.m.
  • Published: April 17, 2025, 4:34 p.m.
  • Modified: April 17, 2025, 7:39 p.m.

Indicators

  • e4d7f08ef085428cd9d32b325774cfbcaf44bec61e6ad37b5d82d09b1b92b065
  • 0997201124780f11a16662a0d718b1a3ef3202c5153191f93511d7ecd0de4d8d
  • 4b50e7fba5e33bac30b98494361d5ab725022c38271b3eb89b9c4aab457dca78
  • 89.23.96.126

Attack Patterns

  • Strrat
  • Danabot