{
	"id": "78974d4b-dcf2-46d5-9e49-b845a5fc642b",
	"created_at": "2026-04-06T00:17:44.406591Z",
	"updated_at": "2026-04-10T03:22:09.520872Z",
	"deleted_at": null,
	"sha1_hash": "24d14cb20bee2eca8e3cb1f7580888f9269cb64d",
	"title": "RATDispenser: Stealthy JavaScript Loader Dispensing RATs into the Wild | HP Wolf Security",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 816614,
	"plain_text": "RATDispenser: Stealthy JavaScript Loader Dispensing RATs into\r\nthe Wild | HP Wolf Security\r\nBy Patrick Schläpfer\r\nPublished: 2021-11-23 · Archived: 2026-04-02 12:45:11 UTC\r\nThreat actors are always looking for stealthy ways of delivering malware without being detected. In this article,\r\nwe describe how attackers are using an evasive JavaScript loader that we call RATDispenser to distribute remote\r\naccess Trojans (RATs) and information stealers. With an 11% detection rate, RATDispenser appears to be effective\r\nat evading security controls and delivering malware. In total, we identified eight malware families distributed\r\nusing this malware during 2021. All the payloads were RATs, designed to steal information and give attackers\r\ncontrol over victim devices.\r\nAs with most attacks involving JavaScript malware, RATDispenser is used to gain an initial foothold on a system\r\nbefore launching secondary malware that establishes control over the compromised device. Interestingly, our\r\ninvestigation found that RATDispenser is predominantly being used as a dropper (in 94% of samples analyzed),\r\nmeaning the malware doesn’t communicate over the network to deliver a malicious payload. 
The variety in\r\nmalware families, many of which can be purchased or downloaded freely from underground marketplaces, and the\r\npreference of malware operators to drop their payloads, suggest that the authors of RATDispenser may be\r\noperating under a malware-as-a-service business model.\r\nIn this report we:\r\nAnalyze the infection chain of RATDispenser and suggest detection opportunities for detecting and\r\nblocking the malware\r\nDescribe how RATDispenser is obfuscated\r\nDiscuss the malware families distributed by RATDispenser\r\nShare a YARA rule and a Python extraction script so that network defenders can detect and analyze this\r\nmalware\r\nInfection Chain\r\nhttps://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/\r\nPage 1 of 8\n\nFigure 1 – Email delivering RATDispenser as an attachment.\r\nThe infection chain begins with a user receiving an email containing a malicious attachment. For example, Figure\r\n1 shows a JavaScript file (.js) masquerading as a text file, supposedly containing information about an order. The\r\nuser simply needs to double-click the file to run the malware.\r\nNetwork defenders can prevent infection by blocking executable email attachment file types from passing through\r\ntheir email gateways, for example JavaScript or VBScript. Defenders can also interrupt the execution of the\r\nmalware by changing the default file handler for JavaScript files, only allowing digitally signed scripts to run, or\r\ndisabling Windows Script Host (WSH).\r\nWhen the malware runs, the JavaScript decodes itself at runtime and writes a VBScript file to the %TEMP%\r\nfolder using cmd.exe. 
To do this, the cmd.exe process is passed a long, chained argument, parts of which are\r\nwritten to the new file using the echo command.\r\nFigure 2 – Process execution graph showing chained command line argument.\r\nAfterwards, the VBScript file runs, which in turn downloads the malware payload. If it was downloaded\r\nsuccessfully, it is executed, and the VBScript file is deleted.\r\nObfuscation\r\nThe initial JavaScript downloader is obfuscated and contains several eval functions. One of the eval calls is a\r\nfunction that returns a long string, which is decoded by another function.\r\nFigure 3 – Snippet from obfuscated JavaScript downloader.\r\nThe function that decodes the string is located further down in the script. At first sight it looks complicated, but it\r\nis a simple replacement function. First, the passed arguments are stored in a new variable. It is done this way to\r\nwork correctly with an arbitrary number of arguments. Next, the replacement operation runs on the initial string.\r\nThe second argument of the replace function in JavaScript is another function which returns the replacement\r\nstring. In this case, the second argument to this inline function is the capturing group which matches the regular\r\nexpression {\\d+}. Since the capturing group is a decimal number, it is used as an index into the arguments array,\r\nand the element at that index is returned as the replacement string. If the index is out of bounds, the function returns the\r\nwhole matching string, which was most likely implemented to handle mismatches.\r\nFigure 4 – Deobfuscation function using regular expression replacement.\r\nTo decode the string shown in Figure 3, three arguments (A, u, F) are passed to the function. The decoded string is\r\nBase64 encoded and can simply be decoded to analyze it in more detail. 
By creating and writing to an ActiveX\r\nData Stream object, this sequence is decoded and executed using an eval statement. The newly decoded second\r\nstage code looks as follows (Figure 5).\r\nFigure 5 – Decoded JavaScript downloader string.\r\nThe most notable part of this sequence is the hex characters stored in a nested array, which are used as another\r\nlayer of obfuscation. Using an ActiveX object, a shell application instance is created, passing a long, chained\r\nargument. By simply adding line breaks after the \u0026 characters, we can reformat the command line argument into a\r\nreadable format.\r\nFigure 6 – Command line arguments passed to cmd.exe.\r\nThe first parts of the command line argument are used to write lines to a VBScript file using the echo command.\r\nThis file is then executed, resulting in a download through an XMLHTTP object. The response to the GET request\r\n– the malware payload – is written to a file called YVC.JAR. The VBScript file is then deleted. Afterwards, the\r\ncmd.exe process waits 12 seconds before running the payload.\r\nMalware Payloads\r\nWe have seen RATDispenser distribute eight malware families. In the example above, it delivered Formbook, a\r\nkeylogger and information stealer. To analyze which malware families the loader is spreading, we wrote a\r\nsignature to track sightings in the wild. Its obfuscation made this task more complicated than usual. The malware\r\nsplits strings using the replace function, stores them in nested arrays, and interprets and executes commands using\r\neval functions, so it is difficult to find consistent patterns in them. 
Nevertheless, we wrote a YARA rule (Figure 7)\r\nto understand the dispersion of malware families.\r\nrule js_RATDispenser : downloader\r\n{\r\n meta:\r\n description = \"JavaScript downloader resp. dropper delivering various RATs\"\r\n author = \"HP Threat Research @HPSecurity\"\r\n filetype = \"JavaScript\"\r\n maltype = \"Downloader\"\r\n date = \"2021-05-27\"\r\n strings:\r\n $a = /{(\\d)}/\r\n $c1 = \"/{(\\\\d+)}/g\"\r\n $c2 = \"eval\"\r\n $c3 = \"prototype\"\r\n $d1 = \"\\\\x61\\\\x64\\\\x6F\\\\x64\\\\x62\\\\x2E\"\r\n $d2 = \"\\\\x43\\\\x68\\\\x61\\\\x72\\\\x53\\\\x65\\\\x74\"\r\n $d3 = \"\\\\x54\\\\x79\\\\x70\\\\x65\"\r\n $e1 = \"adodb.\"\r\n $e2 = \"CharSet\"\r\n $e3 = \"Type\"\r\n $f1 = \"arguments\"\r\n $f2 = \"this.replace\"\r\n condition:\r\n #a \u003e 50 and all of ($c*) and (any of ($d*) or any of ($e*)) and all of ($f*) and filesize \u003c 2MB\r\n}\r\nFigure 7 – YARA rule to detect RATDispenser.\r\nRunning a retrohunt over the last three months with this YARA rule identified 155 RATDispenser samples. Within\r\nthose samples we noticed three variants. One of the variants is the one we described above. The two other variants are a\r\nPowerShell downloader and a dropper which stores the payload as a Base64-encoded string and therefore does not\r\nperform any network requests.\r\nWe also wrote a Python script that recovers the final payload and identifies the malware family and RATDispenser\r\nvariant. Analyzing the 155 malware samples with our script found:\r\n145 of the 155 samples (94%) were droppers. 
Only 10 samples were downloaders that communicate over\r\nthe network to download a secondary stage of malware\r\n8 malware families delivered as payloads\r\nAll the payloads were remote access Trojans (RATs), keyloggers and information stealers\r\nFigure 8 – Malware families distributed by RATDispenser.\r\nBy far the most frequently observed malware families were STRRAT and WSHRAT, accounting for 81% of the\r\nsamples we analyzed. First seen in mid-2020, STRRAT is a Java RAT that has remote access, credential stealing\r\nand keylogging features. WSHRAT, also known as Houdini, is a VBS RAT first seen in 2013 that also has typical\r\nRAT capabilities. Slightly less common were AdWind, Formbook, Remcos and Panda Stealer.\r\nThe most interesting among them is Panda Stealer. First seen in April 2021, this is a new malware family that\r\ntargets cryptocurrency wallets. The Panda Stealer samples we analyzed were all fileless variants that download\r\nadditional payloads from a text storage site, paste.ee. The least common families were GuLoader and Ratty.\r\nGuLoader is a downloader known for downloading and running various RATs, while Ratty is an open-source RAT\r\nwritten in Java.\r\nFigure 9 shows the different variants and the malware families distributed through them. Certain malware families\r\nwere always downloaded – Panda Stealer and Formbook – rather than dropped. 
Because this JavaScript malware\r\ncan operate as a downloader or as a dropper, and distributes RATs exclusively, we refer to it internally as\r\nRATDispenser.\r\nFigure 9 – Overview of RATDispenser variants and the malware families they delivered.\r\nDetection\r\nAlthough JavaScript is a less common malware file format than Microsoft Office documents and archives, in\r\nmany cases it is more poorly detected. From our set of 155 RATDispenser samples, 77 were available on\r\nVirusTotal which allowed us to analyze their detection rates. Using each sample’s earliest scan result, on average\r\nthe RATDispenser samples were only detected by 11% of available anti-virus engines, or eight engines in absolute\r\nnumbers.\r\nIndicators of Compromise\r\nYou can find the full set of hashes, URLs, YARA rule and extraction script in the HP Threat Research GitHub\r\nrepository.\r\nSource: https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/"
	],
	"report_names": [
		"javascript-malware-dispensing-rats-into-the-wild"
	],
	"threat_actors": [],
	"ts_created_at": 1775434664,
	"ts_updated_at": 1775791329,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/24d14cb20bee2eca8e3cb1f7580888f9269cb64d.pdf",
		"text": "https://archive.orkl.eu/24d14cb20bee2eca8e3cb1f7580888f9269cb64d.txt",
		"img": "https://archive.orkl.eu/24d14cb20bee2eca8e3cb1f7580888f9269cb64d.jpg"
	}
}