{
	"id": "fc301a51-d7d0-4d87-adb2-02bcee56536a",
	"created_at": "2026-04-06T01:30:31.311732Z",
	"updated_at": "2026-04-10T03:21:43.660695Z",
	"deleted_at": null,
	"sha1_hash": "12be6a4988d9340d8636edaa8bc76c4aae461c4e",
	"title": "Multi-Staged JSOutProx RAT Targets Indian Co-operative Banks and Finance Companies - Home",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 468383,
	"plain_text": "Multi-Staged JSOutProx RAT Targets Indian Co-operative Banks and Finance Companies\r\nBy Sameer Patil\r\nPublished: 2021-10-21 · Archived: 2026-04-06 00:59:26 UTC\r\nQuick Heal Security Labs has been monitoring various attack campaigns using JSOutProx RAT against different SMBs in the BFSI sector since January 2021. We have found multiple payloads being dropped at different stages of its operations. Although the RAT campaigns have also been previously reported in other countries, those targeting Indian companies are operated through separate C2 domains. Let’s dig deeper into the working of this targeted attack.\r\nJSOutProx is a modular JScript-based RAT delivered to the user as a .hta file and first executed by the mshta.exe process. The initial attack vector is a spear-phishing email with a compressed attachment containing a “.hta” file whose file name is related to a financial transaction. The attachments have a double-extension-like format, for example “_pdf.zip”, “_xlsx.7z”, “_xls.zip”, “_docx.zip”, “_eml.zip”, “_jpeg.zip”, “_txt.zip” etc.\r\nStages\r\nThe RAT is delivered in 2 stages. In the first stage, a minimal version is provided with some functionalities stripped. In the second stage, a bigger version of the sample is delivered, which, apart from the existing functionalities of the first-stage RAT, has support for additional functions and plugins.\r\nInitial Infection Vector\r\nSpear-phishing emails are sent to targeted individuals who are employees of small finance banks in India. We believe the threat actor adds more targets to the list by stealing the email contacts of its victims. 
We have observed multiple campaigns from January 2021 to June 2021 where emails were sent to hundreds of targets in a single day. Sometimes, several emails with different attachment names are sent to a single target to increase the chances of the user downloading and opening the attachment file.\r\nObfuscation\r\nThe RAT was first observed two years ago, in 2019. Since then, the RAT has been upgraded with new commands, more functionality, and increased obfuscation. The recent JScript files consist of more than one MB of obfuscated code, a vast array of base64-like strings, the malware’s configuration data, and an RC4 string decryption function. The obfuscation pattern remains the same as in the older samples and is the same for both stages of RAT samples.\r\nRAT Configuration Data\r\nOnce the configuration data is decrypted, we get a glimpse of the malware’s capabilities. The “BaseUrl” field points to the C2 domain and port number it communicates with using the HTTP protocol. The “Password” field is used while downloading plugins and assemblies from C2. The “Tag” field contains the campaign ID. The first samples, which were reported two years back, had the tag name “JSOutProx,” and hence it was named as such. Below is a list of the initial fields present in the decrypted configuration data of one RAT sample.\r\nFig 1: RAT configuration fields\r\nA few new fields like “ViewOnly” were seen in the recent samples; this one allows the controller to monitor the victim and gather victim info without writing or executing anything on the machine. This ensures the malware is not creating any noisy events until the attacker decides to initiate the attack. Most of the initial fields are common to both stages.\r\nFirst Stage RAT\r\nThe first stage RAT is a .hta file and is executed by the mshta.exe process. 
It can create entries in the registry and in startup, create or terminate a process, perform file operations, download plugins, etc. It can also generate mouse and keyboard operations on the target machine using PowerShell scripts, through the “ScreenPShell” commands shown in the screenshot below.\r\nFig 2: Few RAT functions for screen operations and shellcode execution\r\nFollowing are the essential plugins supported and their functionalities:\r\nInfoPlugin -\u003e Collects and sends victim machine info to C2.\r\nFile plugin -\u003e Performs all file system operations.\r\nProcessPlugin -\u003e Collects process information, creates or terminates a process.\r\nScreenPShellPlugin -\u003e Performs mouse and keyboard operations using PowerShell scripts.\r\nShellPlugin -\u003e The “ShellExecute” option uses the ShellExecute method of the Shell.Application object. If the user has admin privileges, it calls ShellExecute directly; if the command fails, it then tries to disable the AntiSpyware component of Windows Defender via the registry. If the user is non-admin, it tries ShellExecute with elevated permissions using the ‘runas’ flag. The “get output” option uses the Run method of the WScript.Shell object and saves the output in a local file. It also fetches the keyboard language/codepage of the user to format the output correctly.\r\nOnce the malware is executed, it communicates with C2, which first responds with a PowerShell script to capture a screenshot and save it in the temp directory. There are previous reports of the same PowerShell script being used in attacks against banks in the UK. 
Following is the PowerShell script:\r\nFig 3: PowerShell Script fetched from C2\r\nSecond Stage RAT\r\nThe second stage RAT is dropped as a “.js” file in startup or as a “.tmp” file in the %temp% folder and is executed using wscript.exe. It also has a different C2 than the first stage sample. The size of these samples is around three MB, and they support additional plugins. The inclusion of DotUtil functions enables it to download and execute .NET assemblies in memory. Following are some of the DotUtil functions:\r\nFig 4: DotUtil functions to perform various .NET based tasks\r\nFollowing are the additional plugins supported in the second stage:\r\nActivityPlugin -\u003e Enables the RAT to be in an Online or Offline state. When the state is online, it creates an adodb.stream object to save downloaded/collected data on disk.\r\nCensorMiniPlugin -\u003e Enables/disables proxy settings on the user machine by modifying the registry key “Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyEnable”.\r\nAdminConsolePlugin\r\nCensorPlugin\r\nClipboardPlugin -\u003e Used to copy the clipboard data and send it to C2. It can also modify clipboard data.\r\nDnsPlugin -\u003e Used to set a DNS path: adds or modifies an entry in C:\\Windows\\System32\\drivers\\etc\\hosts.\r\nLibraryPlugin -\u003e Sends the list of .NET versions installed on the machine to C2.\r\nOutlookPlugin -\u003e Accesses the Outlook account details and contacts list.\r\nPriviledgePlugin -\u003e The option “UAC” writes to the registry location “SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\” by setting value 0 for the keys EnableLUA and ConsentPromptBehaviorAdmin. 
The option “elevateScript” executes the script using wscript.exe with the batch mode option. The option “elevateCommand” executes the command using WSH with the ‘runas’ flag. It also has options for using UAC bypass techniques like fodhelper.exe, Slui File Handler Hijacking, CompMgmtLauncher, EventViewer.exe etc.\r\nPromptPlugin\r\nProxyPlugin -\u003e Sets a DNS path: adds or modifies an entry in C:\\Windows\\System32\\drivers\\etc\\hosts.\r\nShortcutPlugin -\u003e Creates a shortcut file for a given executable, executes the shortcut file, and gets the target of a shortcut file or dumps the content of the file.\r\nRecoveryPlugin\r\nTokensPlugin -\u003e Steals OTPs received from the Symantec VIP application.\r\nIn the second stage, the RAT finally drops a C++-based Netwire RAT with, again, a different C2 address. Last year we published our research about the Java-based Adwind RAT (https://www.seqrite.com/blog/java-rat-campaign-targets-co-operative-banks-in-india/), in which a jar file was the main component. It also targeted co-operative banks of India with Covid-themed attachment names having a similar double-extension-like format. The various commands, configuration fields, and user-agent strings are identical in the JSOutProx and Adwind RATs. We believe the same threat actor might be linked with the JSOutProx RAT, and that they now appear to have changed their tactic to drop similar jar files as the end payload, rather than as the initial infection vector, to evade detections.\r\nWith multiple stages of payloads dropped by the threat actor, remote commands can be executed through any of the available stages, which can be seen as an attempt to evade antivirus detections.\r\nWe tracked the connections to the C2 domains to confirm whether the exact fields are used in JSOutProx campaigns in other countries. 
But it turned out that only Indian IPs had connected to the C2 locations mentioned in the collected samples, confirming our assumption that it is a targeted attack on Indian BFSI companies only.\r\nWith JavaScript-, JScript-, or Java-based malware, attackers keep inventing new ways to bypass static detections using different obfuscation techniques, but behaviour-based detections are a suitable defence mechanism against such attacks. We continue to monitor such threats to protect our customers and mitigate the attacks at different levels. At the same time, people working in the finance sector are advised to stay alert to such attack campaigns, as we expect more such attacks in the future.\r\nIOCs\r\nJSOutProx Stage 1\r\n3c9f664193958e16c9c89423aefcb6c8\r\n48adcbbc3ec003101b4a2bb0aa5a7e01\r\n5D16911FE4BCC7D6A82C79B88E049AF2\r\n0B9B2BF97CE805CA5930966FB4DA967A\r\n5B2B4F989F684E265B03F8334576A20C\r\nBEC6094A74E102A8D18630EE0EB053E3\r\n988D384C68C95D28E67D6B8EDAF2EBE5\r\n5111740D2EB8A8201231CB0E312DB88A\r\nJSOutProx Stage 2\r\n06396c2f1ac27f7a453d9461ad1af8a6\r\n4876d3cc7b3b5990331a018c0b83ed03\r\nNetwire\r\n98fdee365893782b0639878c502fcfef\r\nC2 Locations:\r\nmarcelbosgath.zapto.org:9790\r\nruppamoda.zapto.org:9099\r\napatee40rm.gotdns.ch:9897\r\nmathepqo.serveftp.com:9059\r\nprotogoo.ddnsking.com:9081\r\nriyaipopa.ddns.net:9098\r\ndirrcharlirastrup.gotdns.ch:8037\r\nuloibdrupain.hopto.org:8909\r\ngensamogh.myq-see.com:9059\r\ncccicpatooluma.hopto.org:5090\r\nfeednet.myftp.biz:6093\r\nList of Filenames used in email 
attachments:\r\nCBS_applcation_details_xlsx.hta\r\nANNEXURE_III_Exceeding_MDP_xlsx.hta\r\nNodal_Police_Stations_furnished_MHA_GOI_New_Delhi_xlsx.hta\r\nLetter_dated_28_01_2021_jpg.hta\r\nrtgs-credited-wrong_account_pdf__ 4.hta\r\nTransaction report for_0127012021_docx.hta\r\nSlip_RTGS_IDBI_To_HDFC_pdf.hta\r\nFirewall_cRF_Login_access_details_pdf.hta\r\nComm_Bank_CLWS_Issues_\u0026_Solutions_PDF.hta\r\nInspection_Compliance_pdf.hta\r\nformat-dist-wise-Cd_Ratio-pdf.hta\r\nformat_signatory_updation_PDO_138_docx__.hta\r\nInformation_regarding_CBS_details_update_xlsx.hta\r\nLate_Return_docx.hta\r\nIntegrated_approach_brochure_pdf.hta\r\n2685-Vishwambharlal_Kanahiyalal_Bhoot_Attachment_Order_pdf.hta\r\nPmay_infoletter_copy_of_houses-xlsx.hta\r\nAnnexure_Telangana_xlsx.hta\r\nCompliances_Inspections_2020-pdf.hta\r\nCircular-044_Introduction_Penalty_Charges_pdf.hta\r\nNPCI_Compliance_Form_pdf.hta\r\nRaise_chargeback_POS_txn-Reg_docx.hta\r\nKarnataka_Vikas_Grameena_Bank_xlsx.hta\r\nNFS_OC_No_354_RRN_format_pdf.hta\r\nExchange_information_details_pdf.hta\r\nNeft_amount_credited_twice_dtd_09_03_2021_pdf.hta\r\nKYC_Circular_from_AO__03_March_2021_pdf.hta\r\nState_wise_ATM_Count_xls.hta\r\nPayment_confirmation_details_acc_00190_pdf.hta\r\nSR698684494_Transaction_Status_PDF.hta\r\nSCAN1000000049A_JPEG.hta\r\nBridger_Sheet_OCSI_2_pdf.hta\r\nRewarding_SLBCs_for_APY_Performance_Pdf.hta\r\n
1_Format_EDU_LOAN_Annex_SLBC_April_March_2021_xlsx.hta\r\nImportance_RBI_advisory_pdf.hta\r\nTransaction_Amount_215000_pdf.hta\r\nSubmission_Returns_Ext_time_pdf.hta\r\nPMJJBY_and_PMSBY_pdf.hta\r\n3162_200727190525_001_pdf.hta\r\nISSUER_TRANSACTION_DT_17062021_docx.hta\r\nWrong_creditation_details_202101706_pdf.hta\r\nMIS_080914_27804790_txt.hta\r\nICICBANK_Transaction_06172021_009122021_pdf.hta\r\nNEFT_FORMAT_docx.hta\r\nISSUER_TRANSACTION_DT_17062021.XML.hta\r\nTransaction_0578976746474754656866_pdf.hta\r\nRTGS_FORM_AUTHORITY_LETTER_PDF.hta\r\nCRF_NEFT_pdf.hta\r\nSTATUS_ENQUIRY_M0813100421890_docx.hta\r\nDouble_Neft_transactionS_Part_1_2_3_eml.hta\r\nREF_NO_N0092010323095704_PDF.hta\r\nSCAN_202024110816_122827484_pdf.hta\r\nAnnex_pdf.hta\r\nSource: https://blogs.quickheal.com/multi-staged-jsoutprox-rat-targets-indian-cooperative-banks-and-finance-companies/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blogs.quickheal.com/multi-staged-jsoutprox-rat-targets-indian-cooperative-banks-and-finance-companies/"
	],
	"report_names": [
		"multi-staged-jsoutprox-rat-targets-indian-cooperative-banks-and-finance-companies"
	],
	"threat_actors": [],
	"ts_created_at": 1775439031,
	"ts_updated_at": 1775791303,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/12be6a4988d9340d8636edaa8bc76c4aae461c4e.pdf",
		"text": "https://archive.orkl.eu/12be6a4988d9340d8636edaa8bc76c4aae461c4e.txt",
		"img": "https://archive.orkl.eu/12be6a4988d9340d8636edaa8bc76c4aae461c4e.jpg"
	}
}