Tag: javascript

39 Attack Reports | 0 Vulnerabilities

Attack reports

Cooking up trouble: How TamperedChef uses signed apps to deliver stealthy payloads

The TamperedChef campaign is a global malvertising and SEO operation that distributes seemingly legitimate software with valid code signing to trick users into executing malicious installers. These fake applications mimic common software and establish persistence through scheduled tasks, delivering…
social engineering
malvertising
persistence
javascript
remote access
scheduled tasks
seo
code-signing
javascript payload
2025-11-20
shell companies
2025-11-26
code-signing certificates
signed applications
Published: November 26, 2025
Downloadable IOCs: 0

The Tsundere botnet uses the Ethereum blockchain to infect its targets

The Tsundere botnet, discovered in mid-2025, is an active threat targeting Windows users. It utilizes the Ethereum blockchain to retrieve C2 addresses and employs Node.js for its operations. The botnet spreads through MSI installers and PowerShell scripts, often disguised as popular games. It uses …
powershell
javascript
node.js
botnet
msi
ethereum
websocket
2025-11-20
123 stealer
aes-256
tsundere bot
koneko
tsundere
Published: November 20, 2025
Downloadable IOCs: 21

Gootloader Returns: What Goodies Did They Bring?

Gootloader, a sophisticated JavaScript-based malware loader, has resurfaced with renewed activity. Used by threat actor Storm-0494, it grants access to Vanilla Tempest, which delivers various ransomware families. Recent infections have led to rapid domain controller compromises. The loader now uses…
obfuscation
ransomware
seo poisoning
blackcat
alphv
javascript
gootloader
lateral movement
noberus
rhysida
2025-11-06
vanilla tempest
quantum locker
wordpress exploitation
zeppelin
supper socks5 backdoor
Published: November 6, 2025
Downloadable IOCs: 136

XWorm V6: Exploring Pivotal Plugins

Since the release of XWorm V6.0 on June 4, 2025, we have noted a surge in samples identified as XWorm V6.0 on VirusTotal, reflecting its rapid adoption by threat actors. One prominent campaign illustrates its delivery: a malicious JavaScript (JS) file initiates a PowerShell (PS1) script, which depl…
xworm
rat
phishing
powershell
javascript
remote desktop
amsi bypass
2025-10-06
file manager
Published: October 6, 2025
Downloadable IOCs: 22

From a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion

A user executed a malicious JavaScript file linked to Lunar Spider, initiating a two-month intrusion. The file downloaded a Brute Ratel DLL, which then injected Latrodectus malware. The threat actor used various tools including Cobalt Strike, BackConnect, and a custom .NET backdoor for persistence …
cobalt strike
javascript
latrodectus
data-exfiltration
lateral-movement
brute ratel c4
backconnect
credential-harvesting
cobalt-strike
2025-09-29
Published: September 29, 2025
Downloadable IOCs: 0

Artificial Intelligence Exposes the Homoglyph Hustle

A seemingly harmless desktop application named calendaromatic.exe was discovered to be a sophisticated malware utilizing NeutralinoJS, Unicode homoglyphs, and hidden payloads. The malware, distributed through an aggressive ad campaign, exploited NeutralinoJS's native APIs to interact directly with …
javascript
unicode
2025-09-23
calendaromatic.exe
covert channel
desktop application
homoglyphs
ai-assisted investigation
neutralinojs
Published: September 23, 2025
Downloadable IOCs: 4

"Shai-Hulud" Worm Compromises npm Ecosystem in Supply Chain Attack

A widespread software supply chain attack targeting the Node Package Manager (npm) ecosystem has been discovered, involving a novel self-replicating worm called "Shai-Hulud". The worm has compromised over 180 software packages, including widely used libraries. It operates by harvesting credentials,…
phishing
supply chain
worm
javascript
credential harvesting
npm
self-replicating
shai-hulud
2025-09-18
Published: September 18, 2025
Downloadable IOCs: 1

New malware campaign discovered via ManualFinder

A global malware infection of Windows computers has been uncovered, stemming from software users installed themselves. The malware, disguised as legitimate PDF editors and manual finders, turns infected systems into residential proxies for malicious actors. The infection chain starts with deceptive…
windows
javascript
certificate abuse
residential proxy
2025-09-03
onestart browser
pdf-editor
manualfinder
trojan:win64/infostealer!msr
trojan:win32/malgent!msr
Published: September 3, 2025
Downloadable IOCs: 41

Proxyware Malware Being Distributed on YouTube Video Download Site

A malicious campaign is targeting users through fake YouTube video download sites, distributing Proxyware malware. The attack involves a downloader disguised as WinMemoryCleaner, which installs NodeJS and runs malicious JavaScript. This script then installs various Proxyware programs, including Dig…
malware
javascript
youtube
downloader
c&c
digitalpulse
proxyware
task scheduler
nodejs
2025-08-22
honeygain
bandwidth
infatica
Published: August 22, 2025
Downloadable IOCs: 0

Malicious JavaScript Injects Fullscreen Iframe On a WordPress Website

A JavaScript-based malware campaign has been discovered affecting compromised WordPress websites. The malware injects a fullscreen iframe that loads content from suspicious external domains, aiming to force users to view unsolicited content for ad fraud, traffic generation, or social engineering. T…
javascript
wordpress
fake captcha
anti-debugging
2025-08-14
iframe injection
wpcode plugin
powershell exploitation
fullscreen overlay
Published: August 14, 2025
Downloadable IOCs: 6

Unmasking the SVG Threat: How Hackers Use Vector Graphics for Phishing Attacks

Attackers are exploiting Scalable Vector Graphics (SVG) files to execute sophisticated phishing attacks. SVGs, typically used for scalable images, can contain embedded JavaScript that executes when opened in a browser. The attack chain involves sending SVG attachments via spear-phishing emails or c…
phishing
javascript
credential theft
captcha
svg
email attachments
2025-08-07
cloud storage
browser execution
Published: August 7, 2025
Downloadable IOCs: 2

SVG Smuggling - Image Embedded JavaScript Redirect Attacks

Threat actors are increasingly using Scalable Vector Graphics (SVG) files to deliver JavaScript-based redirect attacks. These SVGs contain embedded, obfuscated JavaScript that initiates browser redirects to attacker-controlled infrastructure. The campaign uses email spoofing and impersonation to de…
obfuscation
phishing
javascript
email spoofing
xor encryption
svg
redirect
2025-07-17
Published: July 17, 2025
Downloadable IOCs: 0

Pixel-Perfect Trap: The Surge of SVG-Borne Phishing Attacks

The Trustwave SpiderLabs Email Security team has identified a significant increase in SVG image-based attacks, where seemingly harmless graphics are used to conceal dangerous links. Cybercriminals are exploiting the ability of SVG files to embed JavaScript, which can execute automatically upon open…
obfuscation
phishing
social engineering
phaas
javascript
cybersecurity
email security
svg
2025-05-16
ursnif
tycoon2fa
Published: May 16, 2025
Downloadable IOCs: 4

Iranian Cyber Actors Impersonate Model Agency in Suspected Espionage Operation

Iranian cyber actors have been identified impersonating a German model agency in a suspected espionage operation. The attackers created a fraudulent website mimicking the authentic agency's branding and content, which triggers obfuscated JavaScript to capture detailed visitor information. This data…
espionage
phishing
social engineering
javascript
2025-05-07
data collection
Published: May 7, 2025
Downloadable IOCs: 3

Venom Spider Uses Server-Side Polymorphism to Weave a Web Around Victims

Arctic Wolf Labs discovered a new campaign by Venom Spider targeting corporate HR departments with fake resumes containing the More_eggs backdoor. The financially motivated threat group uses spear-phishing emails and abuses legitimate job platforms to apply for real jobs. The backdoor can steal cre…
backdoor
evasion
javascript
spear-phishing
more_eggs
lnk files
2025-05-03
polymorphism
Published: May 3, 2025
Downloadable IOCs: 3

Gootloader Returns: Malware Hidden in Google Ads for Legal Documents

The Gootloader malware campaign has evolved its tactics, now using Google Ads to target victims seeking legal templates. The threat actor advertises legal documents, primarily agreements, through compromised ad accounts. Users searching for templates are directed to a malicious website where they a…
social engineering
powershell
javascript
google ads
gootloader
scheduled tasks
2025-04-03
email phishing
wordpress blogs
legal templates
Published: April 3, 2025
Downloadable IOCs: 0

Over 150K websites hit by full-page hijack linking to Chinese gambling sites

In February, C/Side uncovered a threat actor targeting over 35,000 websites with a malicious full-page hijack injection. C/Side continued to monitor this actor’s activities and have identified new tactics and techniques. They’ve scaled up their operations significantly, as we now estimate that appr…
javascript
cyber
chinese
credit card skimmer
supply chain attack
magecart
2025-03-27
february
blog
c/side
client-side
web
development
client/side
cyber security
security
pci dss v4
browser attack
formjacking
website vulnerability scanner
data breaches
content security policies
tag manager
browser side script
javascript security
html entity
uiux changesthe
bet365
english
williamhill
id parameter
css position
Published: March 27, 2025
Downloadable IOCs: 15

Malware found on npm infecting local package with reverse shell

A sophisticated malware campaign targeting npm packages has been discovered, involving two malicious packages: ethers-provider2 and ethers-providerz. These packages act as downloaders, hiding their malicious payload cleverly. Upon installation, they patch the legitimate locally-installed npm packag…
persistence
javascript
npm
reverse-shell
2025-03-26
ethers-provider2
package-infection
ethers-providerz
Published: March 26, 2025
Downloadable IOCs: 1

ClearFake’s New Widespread Variant: Increased Web3 Exploitation for Malware Delivery

ClearFake is a malicious JavaScript framework deployed on compromised websites to deliver malware through drive-by downloads. Threat Actors compromise legitimate websites, injecting malicious JavaScript code that redirects users to convincing fake update pages for browsers like Chrome and Edge. Th…
javascript
clearfake
blockchain
2025-03-18
browserupdate
wateringhole
Published: March 18, 2025
Downloadable IOCs: 30

Credit Card Skimmer and Backdoor on WordPress E-commerce Site

A sophisticated malware attack targeting WordPress WooCommerce sites was discovered, involving multiple components: a credit card skimmer, a hidden backdoor file manager, and a reconnaissance script. The attack focused on financial gain and long-term control. The skimmer, injected into the checkout…
backdoor
obfuscation
javascript
wordpress
reconnaissance
php
credit card skimmer
e-commerce
2025-03-15
woocommerce
Published: March 15, 2025
Downloadable IOCs: 0

SocGholish's Intrusion Techniques Facilitate Distribution of RansomHub Ransomware

SocGholish, a malware-as-a-service framework, is being used to deploy RansomHub ransomware. It compromises legitimate websites, redirecting visitors to fake browser updates that deliver malicious payloads. The highly obfuscated JavaScript loader evades detection and executes various tasks, includin…
backdoor
ransomware
javascript
socgholish
credential theft
ransomhub
compromised websites
2025-03-14
keitaro tds
Published: March 14, 2025
Downloadable IOCs: 0

SideWinder targets the maritime and nuclear sectors with an updated toolset

The SideWinder APT group intensified its activities in the second half of 2024, targeting maritime infrastructures, logistics companies, and nuclear sectors across Asia, the Middle East, and Africa. The group updated its toolset, including improvements to its RTF exploit, JavaScript loader, and Bac…
apt
javascript
africa
CVE-2017-11882
maritime
spear-phishing
south asia
stealerbot
rtf exploit
nuclear
2025-03-10
downloader module
backdoor loader
module installer
Published: March 10, 2025
Linked vulnerabilities : CVE-2017-11882
Downloadable IOCs: 38

GetSmoked: UAC-0006 Returns With SmokeLoader Targeting Ukraine's Largest State-Owned Bank

UAC-0006, a financially motivated cyber threat group, has resurfaced with a sophisticated phishing campaign targeting customers of Ukraine’s largest state-owned bank, PrivatBank.
powershell
ukraine
javascript
black basta
vbscript
smokeloader
uac-0006
carbanak
anunak
defense evasion
sha256
2025-02-10
fin7
uac0006
privatbank
bank
model
demo
Published: February 10, 2025
Downloadable IOCs: 62

Proxyware Being Distributed Through Ad Pages

Security researchers have confirmed the unauthorized installation of proxyware on systems through advertisement pages from freeware software sites. The proxyware, identified as DigitalPulse, allows threat actors to share a portion of the system's Internet bandwidth for financial gain without user c…
powershell
lummac2
javascript
adware
downloader
2025-01-21
digitalpulse
proxyware
autoclicker
Published: January 21, 2025
Downloadable IOCs: 3

A Look Back: The Evolution of Latin American eCrime Malware in 2024

Latin American cybercrime continues to evolve as adversaries refine their tactics and techniques. Key developments in 2024 include the adoption of Rust for improved evasion, consistent use of multi-stage infection chains and malspam campaigns, and evidence of collaboration among threat actors. Nota…
phishing
javascript
rust
banking trojan
information stealer
2024-12-18
nirsoft
Published: December 18, 2024
Downloadable IOCs: 32

Analyzing FLUX#CONSOLE: Using Tax-Themed Lures, Threat Actors Exploit Windows Management Console to Deliver Backdoor Payloads

The FLUX#CONSOLE campaign involves a sophisticated tax-themed phishing attack that exploits Microsoft Management Console (MSC) files to deliver a stealthy backdoor payload. Threat actors use tax-related lures to trick users into executing malicious code. The attack leverages MSC files, which are no…
javascript
dll sideloading
lnk files
2024-12-18
dismcore.dll
xmlhttp
Published: December 18, 2024
Downloadable IOCs: 5

Bengal cat lovers in Australia get psspsspss’d in Google-driven Gootloader campaign

A new Gootloader variant has been discovered using search engine optimization (SEO) poisoning to target Australian Bengal cat enthusiasts. The campaign uses Google search results for 'Are Bengal Cats legal in Australia?' to deliver malicious payloads. When users click on compromised links, a zip fi…
powershell
seo poisoning
javascript
gootloader
scheduled task
initial access
2024-11-06
gootkit
Published: November 6, 2024
Downloadable IOCs: 14

Inside the Latrodectus Malware Campaign

The Latrodectus malware campaign employs a combination of traditional phishing techniques and innovative payload delivery methods to target financial, automotive, and healthcare sectors. The attack chain begins with compromised emails containing malicious PDF or HTML attachments, which redirect use…
obfuscation
phishing
icedid
javascript
healthcare
latrodectus
financial
2024-10-21
msi
dll
automotive
activex
rundll32
Published: October 21, 2024
Downloadable IOCs: 20

North Korea Still Attacking Developers via npm

Recent weeks have seen a resurgence of North Korean-aligned groups targeting developers through npm packages. The campaign, which began on August 12, 2024, involves multiple groups using various publication patterns and attack types. The malicious packages contain obfuscated JavaScript that downloa…
malware
obfuscation
python
cryptocurrency
exfiltration
persistence
javascript
moonstone sleet
npm
2024-09-30
contagious interview
multi-stage attack
Published: September 30, 2024
Downloadable IOCs: 12

AppDomainManager Injection Technique Used to Execute Malware on Windows

Cybersecurity specialists have observed an escalation in attacks employing the AppDomainManager Injection technique, which exploits the .NET Framework's version redirection feature to manipulate legitimate EXE files and load malicious DLLs. These attacks commonly begin with a ZIP file containing a …
windows
javascript
2024-08-26
msc
remote execution
appdomainmanager
Published: August 26, 2024
Downloadable IOCs: 9

Decoding the Stealthy Memory-Only Malware

This intelligence report provides an in-depth analysis of a complex, multi-stage malware campaign called PEAKLIGHT. It details the infection chain, starting with movie lure ZIP files containing malicious LNK files that initiate a JavaScript dropper. This dropper then executes a PowerShell downloade…
malware
obfuscation
powershell
infostealer
cryptbot
javascript
2024-08-23
lummac.v2
shadowladder
Published: August 23, 2024
Downloadable IOCs: 23

Rivers of Phish: Sophisticated Phishing Targets Russia's Perceived Enemies Around the Globe

An extensive investigation uncovered an elaborate phishing campaign conducted by a Russia-based threat actor known as COLDRIVER, attributed to Russia's Federal Security Service. The campaign employed personalized social engineering tactics to target civil society groups, NGOs, journalists, and gove…
phishing
javascript
pdf
2024-08-14
coldwastrel
captcha
Published: August 14, 2024
Downloadable IOCs: 28

SideWinder Utilizes New Infrastructure to Target Ports and Maritime Facilities in the Mediterranean Sea

BlackBerry's researchers have uncovered a new campaign by the nation-state threat actor SideWinder. The group employs sophisticated techniques, such as utilizing carefully crafted phishing emails with visual lures designed to target specific organizations. The campaign aims to compromise ports and …
espionage
phishing
vulnerability
nation-state
javascript
targeted
CVE-2017-0199
CVE-2017-11882
2024-07-30
infrastructure
maritime
Published: July 30, 2024
Linked vulnerabilities : CVE-2017-11882, CVE-2017-0199
Downloadable IOCs: 47

Dissecting GootLoader With Node.js

This article demonstrates how to circumvent anti-analysis techniques employed by GootLoader malware while utilizing Node.js debugging in Visual Studio Code. GootLoader JavaScript files employ an evasion technique that can pose a formidable challenge for sandboxes attempting to analyze the malware. …
evasion
anti-analysis
javascript
gootloader
2024-07-04
deobfuscation
Published: July 4, 2024
Downloadable IOCs: 2

StrelaStealer Resurgence: Tracking a JavaScript-Driven Credential Stealer Targeting Europe

Recent observations indicate a surge in JavaScript spreading StrelaStealer, a credential stealer specifically targeting Outlook and Thunderbird email credentials. While the infection chain resembles previous versions, additional checks have been implemented to avoid compromising systems in Russia. …
obfuscation
stealer
javascript
2024-06-25
strelastealer
Published: June 25, 2024
Downloadable IOCs: 5

Wineloader - Analysis of the Infection Chain

The analysis examines the Wineloader backdoor, a modular malware attributed to the APT29 threat group, which allows further tools or modules to be downloaded through an encrypted command and control channel. It starts with a phishing email luring targets with a wine tasting event invitation. Execut…
backdoor
obfuscation
wineloader
persistence
javascript
2024-06-06
sideloading
Published: June 6, 2024
Downloadable IOCs: 9

Gootloader walkthrough

The analysis delves into the intricate workings of the Gootloader malware campaign. Through a meticulously crafted social engineering scheme involving SEO poisoning and fake forums, threat actors lure unsuspecting victims into downloading a malicious JavaScript file disguised as a legitimate resour…
social engineering
powershell
seo poisoning
javascript
2024-05-24
gootloader
Published: May 24, 2024
Downloadable IOCs: 12

Surge of JavaScript Malware in sites with vulnerable versions of LiteSpeed Cache Plugin

A recent surge of malicious JavaScript code has been observed targeting websites using vulnerable versions of the LiteSpeed Cache plugin for WordPress. The malware injects code into critical WordPress files or the database, creating unauthorized admin users like 'wpsupp-user.' It exploits the vulne…
vulnerability
javascript
2024-05-04
2024-05-05
2024-05-06
2024-05-07
2024-05-08
wordpress
litespeed
plugin
2024-05-09
Published: May 9, 2024
Downloadable IOCs: 6

Distribution of Infostealer Made With Electron

AhnLab Security Intelligence Center (ASEC) has discovered an Infostealer malware strain developed using the Electron framework, which allows the creation of applications using JavaScript, HTML, and CSS. The malware is distributed through Nullsoft Scriptable Install System (NSIS) installer format. O…
infostealer
javascript
node.js
electron
Published: April 30, 2024
Downloadable IOCs: 1
Click here to see more Attack Reports