{
	"id": "92c9e2b9-6d8d-4e4b-9678-da31b7925753",
	"created_at": "2026-04-06T00:19:30.868855Z",
	"updated_at": "2026-04-10T03:35:53.119817Z",
	"deleted_at": null,
	"sha1_hash": "23bc5f45a33694195818ca1baba711d4d155d951",
	"title": "Understanding the Windows JavaScript Threat Landscape | Deep Instinct",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1328430,
	"plain_text": "Understanding the Windows JavaScript Threat Landscape | Deep Instinct\r\nBy Shaul Vilkomir-Preisman, Threat Intelligence Researcher\r\nPublished: 2021-11-04 · Archived: 2026-04-02 12:29:57 UTC\r\nScript-based attacks have become a significant threat in recent years, with some estimates putting these attacks at 40 percent or more of all global cyberattacks. A script can be anything from a sequence of simple commands used for system configuration, task automation, and other general purposes, to much more advanced, multi-layered, and often obfuscated code. Among the most commonly used scripting languages are PowerShell, VBScript, and JavaScript.\r\nWhile PowerShell attacks are the most common, Windows JavaScript is also used by malicious threat actors for many of the same purposes. Outside of a browser — which executes JavaScript in an encapsulated fashion, greatly limiting that code’s interaction with the operating system — Windows provides facilities for JavaScript execution with Windows Script Host (WSH), which executes JavaScript (and other Windows-supported scripting languages) under the wscript.exe and cscript.exe Windows processes, providing an attack surface for adversaries to exploit.\r\nJavaScript malware can range from a simple dropper intended to deliver additional malware to fully-featured, multi-purpose pieces of malware in their own right.\r\nIn this blog we will provide an overview of five prominent malware strains in the JavaScript landscape, with an emphasis on several “pure” JavaScript malware which often challenge static detection signatures through heavy code obfuscation and by not employing compiled binaries. Please note that this will not be an in-depth analysis of the different malware, but a higher-level review of each.\r\nVJw0rm\r\n“Vengeance Justice Worm” was first discovered in 2016 and is a highly multifunctional, modular, publicly available “commodity malware”, i.e., it can be purchased by those interested through various cybercrime and hacking related forums and channels.\r\nVJw0rm is a JavaScript-based malware and combines characteristics of a worm, information stealer, Remote-Access Trojan (RAT), Denial-of-Service (DoS) malware, and spam-bot.\r\nVJw0rm is propagated primarily by malicious email attachments and by infecting removable storage devices. Once executed by the victim, the very heavily obfuscated VJw0rm will enumerate installed drives and, if a removable drive is found, VJw0rm will infect it if configured to do so.\r\nIt will continue to gather victim information such as operating system details, user’s details, installed anti-virus product details, stored browser cookies, the presence of vbc.exe on the system (Microsoft’s .NET Visual Basic Compiler; its presence indicates that .NET is installed on the system and can affect the actor’s choice of additional malware delivery), and whether the system has been previously infected.\r\nhttps://www.deepinstinct.com/blog/understanding-the-windows-javascript-threat-landscape\r\nPage 1 of 8\r\nVJw0rm will then report this information back to its command-and-control server and await further commands, such as downloading and executing additional malware or employing any of its other numerous capabilities.\r\nFinally, VJw0rm establishes persistency in the form of registry auto-runs, system startup folders, a scheduled task, or any combination of these methods.\r\nFigure 1: Obfuscated VJw0rm snippet\r\nFigure 2: VJw0rm check if previously infected\r\nFigure 3: VJw0rm Command-and-Control contact\r\nFigure 4: VJw0rm establishes persistency\r\nWSHRat\r\nWSHRat, also known as Houdini, H-worm, Dunihi, and several other aliases, is another “commodity malware” and can trace its roots to 2013 when it was originally developed in VBS. The WSHRat variant itself emerged in 2019 as a JavaScript-based version of the previously known Houdini/H-Worm, which was written in VBS.\r\nAs with all Remote-Access Trojans (RATs), WSHRat’s primary purpose is to maintain access to the machine, execute remote commands, and download additional malware.\r\nWSHRat is propagated primarily by malicious email attachments and is also capable of infecting removable storage drives.\r\nOnce executed by the victim, the very heavily obfuscated WSHRat will follow a course similar to that of the above-described VJw0rm – gather operating system and user’s details and installed anti-virus product details, report these back to its command-and-control, perform removable storage drive infection if configured to do so, and await further commands.\r\n“Houdini” VBS-based variants of the malware are known to have been involved in a recently reported, very protracted espionage campaign that targeted the aviation industry.\r\nNJrat/Bladabindi and Remcos RAT are two common follow-up payloads of Houdini/WSHRat.\r\nFigure 5: Obfuscated WSHRat snippet\r\nFigure 6: WSHRat Command-and-Control contact\r\nFigure 7: WSHRat establishes persistency\r\nSTRRAT\r\nSTRRAT is a Java-based RAT with a JavaScript wrapper/dropper that was discovered in 2020. Its core payload (a .JAR file) is contained under several layers of obfuscation and encoding inside the JavaScript wrapper/dropper.\r\nSTRRAT is propagated by malicious email attachments. Its capabilities include standard RAT functionalities (remote access, remote command execution), browser and email-client credential harvesting, and a unique ransomware-like functionality – if instructed, it will add a “.crimson” extension to files on the device, rendering them inoperable (though they can be easily recovered because their content is not modified).\r\nUnlike many Java-based malware, STRRAT does not require Java to be installed on the infected system in order to operate. When the JavaScript wrapper/dropper is executed, if a suitable Java runtime installation is not found, one will be downloaded and installed in order to ensure the contained Java payload can execute.\r\nFigure 8: STRRAT core payload snippet, encoded and obfuscated\r\nFigure 9: STRRAT \"bring your own JRE\" function\r\nFigure 10: STRRAT deploys and runs payload\r\nBlackByte Ransomware\r\nBlackByte is a recently discovered ransomware with a .NET DLL core payload wrapped in JavaScript. It employs heavy obfuscation both in its JavaScript wrapper and in its .NET DLL core.\r\nOnce the JavaScript wrapper is executed, the malware will de-obfuscate the core payload and execute it in memory. The core .DLL is loaded and BlackByte will check the installed operating system language and terminate if an eastern European language is found.\r\nIt will proceed to check for the presence of several anti-virus and sandbox-related .DLLs, attempt to bypass AMSI, delete system shadow copies in order to hinder system recovery, and modify several other system services (including Windows Firewall) in order to “prep” the system for encryption. Once the system is “ready” for encryption, it will download a symmetric key file which will be used to encrypt files on the system. If this file is not found, the malware will terminate.\r\nUnlike most ransomware today, BlackByte uses a single symmetric encryption key and does not generate a unique encryption key for each victim system, meaning the same key can be used to decrypt all files encrypted by the malware.\r\nThis makes for substantially easier key management for the actors behind BlackByte at the cost of a weaker encryption scheme and easier victim system recovery (as there is only a single online point with a single key to maintain).\r\nAs with most ransomware today, BlackByte has worming capabilities and can infect additional endpoints on the same network.\r\nFigure 11: A snippet of BlackByte's contained encoded .NET payload\r\nFigure 12: BlackByte AMSI bypass\r\nCarbanak/FIN7 JavaScript Backdoor\r\nCarbanak/FIN7 needs little introduction. Discovered in 2014, they are one of the most prolific and successful financially-motivated threat actors in action today, responsible for an estimated $1 billion in losses to countless financial institutions worldwide.\r\nCarbanak/FIN7’s main means of spreading malware consists of highly targeted and highly effective spear-phishing emails.\r\nA recently discovered JavaScript-based backdoor associated with the actor, however, appears to indicate a pivot in their activity — shifting from their mostly PowerShell-based malware to JavaScript, likely in an attempt to become less detectable to security vendors.\r\nOnce executed, the backdoor will initiate a two-minute delay in an effort to avoid automated sandbox detection (analysis timeout), then collect the infected machine’s IP and MAC addresses and DNS hostname, report back to its Command-and-Control server, and execute any code it receives in response.\r\nCarbanak/FIN7 are known to employ Cobalt Strike as their post-breach follow-up malware.\r\nFigure 13: Obfuscated Carbanak Backdoor snippet\r\nFigure 14: Carbanak Backdoor delay function\r\nFigure 15: Carbanak Backdoor gathers victim information\r\nFigure 16: Carbanak Backdoor Command-and-Control URL \"constructor\" function\r\nFigure 17: Carbanak Backdoor Command-and-Control contact\r\nConclusion\r\nThe JavaScript landscape is rife with malware of all types and is highly dynamic. These are significant threats that cannot be disregarded.\r\nThreat actors around the world are developing and maintaining JavaScript-based malware that is on par in its functionality and sophistication with anything in the parallel landscapes of other Windows-supported scripting languages, all of which are gaining popularity as more and more threat actors transition to the “no PE needed” mentality.\r\nIOCs of examined samples:\r\nVJw0rm\r\nSHA256: 080069323805f67a898f62517b17786d46cc51e9894cd490ee0ba789271e1d9c\r\nC2: 180.214.239.36:8050\r\nWSHRat\r\nSHA256: ec5d3e6da18db71027ea5a54ff0e4be63313b4986d3ef8b020a4a79ae3866571\r\nC2: jahblessrtd4ever.home-webserver.de:1604\r\nDrops Remcos RAT: 52cbc7b3e3c373b8857245207f0cfca50c35b6edc49255441f74fdf45a71ac46 (Remcos employs the same C2 as WSHRat)\r\nSTRRAT\r\nSHA256: 213c775b371b55c48308650f29ad041a889ef24bf58069d380b4be6e558b82e9\r\nSHA256 (JAR): 6b723bd260b53c68c716ef218c78718d3e99ab4d4238a4bd823fd0cd6ec8007b\r\n\"bring your own JRE\" URL: wshsoft.company/jre7.zip\r\nC2: str-master.pw\r\nBlackByte Ransomware\r\nSHA256: 884e96a75dc568075e845ccac2d4b4ccec68017e6ef258c7c03da8c88a597534\r\nKey file URL: 45.9.148.114/forest.png\r\nCarbanak/FIN7 JavaScript Backdoor\r\nSHA256: caa7667bfdbcb04ceb9d81df93fe805dfe4ac8a04b9dd3eaab7b5f7c87c4fc9c\r\nC2: civilizationidium.com\r\nSource: https://www.deepinstinct.com/blog/understanding-the-windows-javascript-threat-landscape",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.deepinstinct.com/blog/understanding-the-windows-javascript-threat-landscape"
	],
	"report_names": [
		"understanding-the-windows-javascript-threat-landscape"
	],
	"threat_actors": [
		{
			"id": "c9617bb6-45c8-495e-9759-2177e61a8e91",
			"created_at": "2022-10-25T15:50:23.405039Z",
			"updated_at": "2026-04-10T02:00:05.387643Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Carbanak",
				"Anunak"
			],
			"source_name": "MITRE:Carbanak",
			"tools": [
				"Carbanak",
				"Mimikatz",
				"PsExec",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4e453d66-9ecd-47d9-b63a-32fa5450f071",
			"created_at": "2024-06-19T02:03:08.077075Z",
			"updated_at": "2026-04-10T02:00:03.830523Z",
			"deleted_at": null,
			"main_name": "GOLD LOTUS",
			"aliases": [
				"BlackByte",
				"Hecamede "
			],
			"source_name": "Secureworks:GOLD LOTUS",
			"tools": [
				"BlackByte",
				"Cobalt Strike",
				"ExByte",
				"Mega",
				"RDP",
				"SoftPerfect Network Scanner"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4e7fd07d-fcc5-459b-b678-45a7d9cda751",
			"created_at": "2025-04-23T02:00:55.174827Z",
			"updated_at": "2026-04-10T02:00:05.353712Z",
			"deleted_at": null,
			"main_name": "BlackByte",
			"aliases": [
				"BlackByte",
				"Hecamede"
			],
			"source_name": "MITRE:BlackByte",
			"tools": [
				"AdFind",
				"BlackByte Ransomware",
				"Exbyte",
				"Arp",
				"BlackByte 2.0 Ransomware",
				"PsExec",
				"Cobalt Strike",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434770,
	"ts_updated_at": 1775792153,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/23bc5f45a33694195818ca1baba711d4d155d951.pdf",
		"text": "https://archive.orkl.eu/23bc5f45a33694195818ca1baba711d4d155d951.txt",
		"img": "https://archive.orkl.eu/23bc5f45a33694195818ca1baba711d4d155d951.jpg"
	}
}