{
	"id": "e71a5ec0-9f19-452f-a3c6-8982e626a58c",
	"created_at": "2026-04-06T00:17:34.815167Z",
	"updated_at": "2026-04-10T13:13:00.760385Z",
	"deleted_at": null,
	"sha1_hash": "3d9a2e7f33d013567267abcef3ce54761fc054d6",
	"title": "Adversary Playbook: JavaScript RAT Looking for that Government Cheese | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2061585,
	"plain_text": "Adversary Playbook: JavaScript RAT Looking for that\r\nGovernment Cheese | FortiGuard Labs\r\nPublished: 2020-12-16 · Archived: 2026-04-05 20:07:31 UTC\r\nAn Adversary Playbook by FortiGuard Labs\r\nAdversary Playbooks provide detailed threat research on specific malicious campaigns or threat actors so\r\norganizations may better understand the threats they face and align their defenses accordingly.\r\nIntroduction\r\nFortiGuard Labs recently discovered a malicious campaign targeting verticals in the governmental monetary and\r\nfinancial sectors in Asia. This campaign poses as a central bank of an Asian nation to compel a victim to open a\r\ncompressed attachment containing a malicious HTA file. The HTA file contains heavily obfuscated JavaScript that,\r\nonce executed, ultimately installs and runs a remote access trojan (RAT). What makes this unique\r\nfrom other attacks in this space is that it utilizes JsOutProx.\r\nThe attacker has also been careful to ensure that the campaign goes undiscovered. This playbook highlights the\r\nobserved campaigns and the attack infrastructure, and provides new updates about this unique threat.\r\nBackground\r\nThe world continues to shift towards working from home, with the pandemic accelerating this shift. As a result,\r\nhybrid communications between corporate and home environments have seen an uptick, becoming the norm for\r\nmany organizations. Before the pandemic, it was estimated that 3 percent of the United States workforce was\r\nworking from home. That number is now forecast to be around 30 percent after 2021.i\r\nBecause of this radical shift, attackers now have a greater attack surface to target than ever before, including\r\nremote workers, personal devices, and home networks. Naturally, this includes the use of email, via spearphishing\r\nattacks. 
Scouring our feeds, we were able to locate an interesting spearphishing attack and decided to investigate\r\nfurther, eventually leading us to identify a newly updated JsOutProx campaign. \r\nJsOutProx is a fully functional JavaScript remote access trojan (RAT) first discovered in December of 2019. The\r\ntactics, techniques, and procedures (TTPs) of the attackers behind JsOutProx indicate that these are experienced\r\nand sophisticated threat actors. Such indicators include the time and effort the attackers have taken to create this\r\nRAT, as well as regular updates that have made it more powerful. The actors also use specially crafted social\r\nengineering campaigns that leverage specific technical jargon unique to the verticals being targeted in their\r\nspearphishing efforts.\r\nJsOutProx also incorporates heavily obfuscated code and the use of PowerShell to further their endeavours.\r\nThis playbook highlights updates not noted elsewhere for this relatively new malware family, as well as\r\nobservations from FortiGuard Labs on the reuse of the infrastructure in other historical campaigns.\r\nhttps://www.fortinet.com/blog/threat-research/adversary-playbook-javascript-rat-looking-for-that-government-cheese\r\nPage 1 of 20\n\nNot much is known of JsOutProx campaigns as occurrences of this family have been few and far between. First\r\ndiscovered by the YOROI team in December 2019, this malware family again resurfaced in another campaign\r\nspotted by the Zscaler team in May 2020. Zscaler observed that JsOutProx was infecting both governmental and\r\nfinancial institutions in India. Based on our findings, this latest run follows the same exact model. 
\r\nThe names of the files containing malicious content attached to this most recent spearphishing campaign are\r\ncalled:\r\nPilipina_Anti-Money_Laundering_Council_Resolution_pdf.hta\r\nSHA256 - [c10ea9b5aade9e98b7c87a6926fed6356d903440a17590c519aec7a54e1e5165]\r\nInformation_on_Compliance_officer_xlsx.hta\r\nSHA256 - [f1027d6f01718030a66872a82134418984c2de82e1aff32cb7cc106bf8d3375a]\r\nThe first file was sent to users in the Philippines working in the finance sector. It is specific to anti-money\r\nlaundering and countermeasures. This is consistent with a similar campaign we found that used a forged email\r\nclaiming to originate from an Asian government that offered training in this specific vertical as well.\r\nWhy is this important?\r\nRATs are usually portable executable (PE) files. JavaScript RATs are not common, mostly because JavaScript\r\nsimply does not offer as much flexibility as a PE file does. However, as JavaScript is used by many websites, it\r\nappears to most users as benign, as individuals with basic security knowledge are taught to avoid opening\r\nattachments that end in .exe. Also, because JavaScript code can be obfuscated, it easily bypasses antivirus\r\ndetection, allowing it to filter through undetected.\r\nThe attackers in this case are most likely familiar with their targets. You can see this in the findings reported by\r\nYOROI (including the capability to intercept the one time password (OTP) token of a well-known security\r\nvendor), the specially crafted emails from the Indian campaign observed by Zscaler, and from the usage of terms\r\nspecific to a niche sector (Anti Money Laundering/FINTECH). At the very least, they’ve done their homework.\r\nThey are not blindly sending emails to random organizations but have taken the time to hone their spearphishing\r\nefforts to compel unsuspecting victims into opening the malicious attachment. 
\r\nIn this playbook, we will present our findings on not only the latest campaigns, but also newly discovered updates\r\nmade to JsOutProx and its infrastructure. For a list of detailed indicators of compromise, please visit our Playbook\r\nViewer.\r\nTechnical Details\r\nIn this latest example, the attackers are using an Asian government entity as a lure for their spearphishing\r\ntactics. It appears that the attackers are able to bypass spam filters by spoofing the email headers. A cursory\r\nanalysis of the domains indicates that they originated from a well-known webhosting company with a large subnet.\r\nInvestigating the headers, we see the attackers are utilizing the SMTP service of the webhosting company.\r\nFigure 1. Spearphishing email\r\nIn keeping with their previous government and financial themes, this email was allegedly sent from the central\r\nbank of a country in Asia. The appeal of the email’s request for information relies on the fact that with more\r\npeople coming back to work, it is not unheard of to want more information about prospective employees and\r\nemployee training. At the very least, the email appears to have been custom-tailored to increase the effectiveness\r\nof this attack—not just in a technical sense, but also with the verbiage used in the spearphishing email. 
It contains\r\nterms, such as AML/CFT, which is the abbreviation for Anti Money Laundering/Countering Financial Terrorismii\r\nthat would be familiar to recipients.\r\nThe attached archive contains the following Microsoft .HTA file:\r\nInformation_on_Compliance_officer_xlsx.hta\r\nSHA256 - [f1027d6f01718030a66872a82134418984c2de82e1aff32cb7cc106bf8d3375a]\r\nOnce run, it communicates with the following command and control server using dynamic DNS (DDNS):\r\nhxxp://myabiggeojs.myftp[.]biz:9895\r\n185.195.79[.]210\r\nIt then launches the malicious JsOutProx JavaScript, which is a fully developed and functional remote access\r\ntrojan (RAT). \r\nVariations on a Theme\r\nThis next section provides an analysis of the changes to JsOutProx that we have observed in this latest version\r\nversus the December and May variants. JsOutProx’s encoding and encryption routines largely remain similar to\r\npast variants.\r\nFigure 2. Obfuscation contains 5,000 lines\r\nThe attackers went to great lengths to make sure that their tradecraft would not be easily understood. For example,\r\nwe observed that the sample has over 5000 lines of obfuscated code. Because of this, FortiGuard Labs had to\r\ndevelop a custom tool to de-obfuscate the JavaScript to help us analyze the file, which saved us a great amount of\r\ntime.\r\nFor example, when we ran our tool against the following sample\r\nInformation_on_Compliance_officer_xlsx.hta\r\nSHA256 - [f1027d6f01718030a66872a82134418984c2de82e1aff32cb7cc106bf8d3375a]\r\nit took over five hours to de-obfuscate and provide us with human-readable strings for later analysis.\r\nStandard JavaScript engines and emulators may not necessarily be able to display the relevant strings. A decryptor\r\nmust be used to figure out what this threat does. Depending on resources, it may take several hours to decrypt the\r\nscript. 
In the end, however, it becomes more readable.\r\nFigure 3. Connecting to C2 along with hiding window size to 0x0\r\nOne of the first things we noticed is that this RAT can be executed both as a JavaScript file on the command line,\r\nor as a .HTA file inside a window (in this case, inside mshta.exe). If it is inside a window, the threat tries to hide\r\nthe window by resizing it to a height of zero pixels and a width of zero pixels. Moreover, it gets moved outside of\r\nthe user’s viewable desktop for further evasion. \r\nNew Additions to JsOutProx\r\nLooking at the capabilities of this RAT, we see that it supports several commands. Newer commands have been\r\nhighlighted in GREEN and commands that have been deprecated are highlighted in RED.\r\nCommand Action\r\nupd Update the implant\r\nrmz Set zone identifier\r\nrst Restart the implant\r\nl32 Start another process with the same script\r\nl64 Start another process with the same script\r\ndcn Kill the implant\r\nrbt Reboot the machine\r\nshd Shutdown the machine\r\nlgf Log off\r\nejs Evaluate JavaScript code\r\nepg ??\r\nevb Execute VisualBasic code\r\nidn ??\r\nsdn Load a .NET dll\r\nuis Uninstall the implant\r\nins Install the implant\r\nint.g Send the sleep time to C2\r\nint.s Update the sleep time\r\nFigure 4. Table of changes.\r\nThis new version accepts a new command called ‘rmz’ that modifies the zone identifier contained in the alternate\r\ndata stream of downloaded files.\r\nFigure 5.\r\nThe malware may have had issues in the past with executing downloaded files. 
This newly added functionality\r\nhelps fix that problem by attempting to move the downloaded files across different security zones.\r\nJsOutProx can also use plugins. This allows the threat to be more modular and easier to update and maintain.\r\nOnce again, new plugin commands are in GREEN while the deprecated plugin commands are in RED.\r\nCommand Plugin\r\npr ProcessPlugin\r\ncl ClipboardPlugin\r\nfi FilePlugin\r\nlb LibraryPlugin\r\ndo DownloadPlugin\r\nsc ScreenPlugin\r\naut LogPlugin\r\ncm CommandPlugin\r\ndn DownloaderPlugin\r\nfm FilemanagerPlugin\r\nst StartupPlugin\r\nou OutlookPlugin\r\npx ProxyPlugin\r\nsp ScreenPShellPlugin\r\ncn ShellPlugin\r\ntk TokensPlugin\r\nIn InfoPlugin\r\nds DnsPlugin\r\npm PromptPlugin\r\nln.t Exit execution\r\nLn.rst Restart execution\r\nFigure 6. Table of plugins\r\nLooking at the two previous tables, several commands and plugins have been removed. While this may initially\r\nindicate that the malware is less powerful, the addition of the PowerShell plugin actually makes the malware more\r\nextensible, requires less overhead to maintain, and enables it to remain under the radar – aka “living off the land.”\r\nThe following screenshot displays some of the capabilities of this new plugin:\r\nFigure 7. New capabilities added that allow for remote control/monitoring\r\nIts ‘capture’ function can take a screenshot of the user’s desktop in order to monitor what the user is seeing. The\r\nplugin also allows the attacker to operate the infected machine using a virtual keyboard and mouse. Previously,\r\nattackers could execute shell commands and file manager functionality such as copy and execute. 
With this new\r\nplugin however, the attacker is virtually sitting in front of the infected machine. Interestingly enough, the\r\nscreenshell plugin also lumps in the option to execute either .HTA files or Java (.jar) files, as seen in the screenshot\r\nbelow.\r\nFigure 8. Ability to execute either HTA or Jar files\r\nConnecting the Dots - JsOutProx Infrastructure – Same IP addresses, Different\r\nDDNS Domains\r\nExample #1\r\nThe following sample\r\nPilipina_Anti-Money_Laundering_Council_Resolution_pdf.hta\r\n[SHA256 - c10ea9b5aade9e98b7c87a6926fed6356d903440a17590c519aec7a54e1e5165]\r\nwas calling back to a C2 server at: hxxp://afghphae.gotdns[.]ch:9060 (185.19.85[.]156). Historical DNS queries\r\nfor this IP address yield two additional DDNS C2 servers that resolve to the same IP address at:\r\nhxxp://dirhaeednotrtup.hopto[.]org:9097\r\nhxxp://martinluther[.]tk\r\nhxxp://bushaka009.duckdns[.]org\r\nAssociated file:\r\nDomain/Port of File Analyzed | IP | Other Domains Discovered Sharing Same IP address | File Type\r\nafghphae.gotdns[.]ch:9060 | 185.19.85[.]156 | dirhaeednotrtup.hopto[.]org:9097 | JSOutProx\r\n“” | “” | bushaka009.duckdns[.]org | JSOutProx and Others\r\n“” | “” | martinluther[.]tk | None Observed\r\nFigure 9. Domains resolving to 185.19.85[.]156\r\nFurther investigation into this domain [dirhaeednotrtup.hopto[.]org:9097] yielded no results. The domain\r\nmartinluther[.]tk doesn’t have a historical DNS entry, nor is any of the malware being run associated with it that\r\nwe can see. \r\n[On a side note of interest, the Dot TK domain extension can be registered free of charge, making it a favorite of\r\nphishers and attackers alike. 
Please reference our blog from 2019 that highlights our findings on the abuse of\r\nthese free services.]\r\nHowever, as we dug deeper into our passive DNS records for the third DDNS domain\r\n[bushaka009.duckdns[.]org], we discovered a completely different campaign altogether, one that was leveraging\r\nmultiple samples utilizing shipment schemes and leveraging the likeness of an international shipping\r\ncompany. Campaigns began originating from this DDNS domain as early as June 2020, with the last one seen in\r\nAugust. In the June campaigns, we saw that the attackers used the same infrastructure to distribute the Netwire\r\nRAT:\r\nDocument Second Page.exe\r\nSHA256 [F17B89058372618DB540C2A8D16A13F59F21C88E21B651D196556207AB54E10C]\r\nIn July, the following sample\r\nDhl Shipment Receipt.exe\r\nSHA256 [43192b0a36d887844309b79dafa88bb2493539093d17bf7296e4bda2fe72dc49]\r\ncommunicated with 185.19.85[.]156 under the same bushaka009.duckdns[.]org using the Formbook malware.\r\nAn expansion of this domain led us to this:\r\nFigure 10. Malware related to bushaka009.duckdns[.]org\r\nOur findings revealed 34 recent samples, from July to August of this year, which indicates that this is a recent\r\ncampaign. Our analysis revealed a variety of malware families being used, such as Netwire, Remcos, Formbook,\r\nand other backdoors—all pointing to the same domain but resolving to different IP addresses at the same time.\r\nActivity of [185.19.85[.]156] spans more than five years\r\nBecause of the multitude of samples and dynamic DNS domains tied to this one specific IP address\r\n[185.19.85[.]156], and to further satisfy our curiosity, we decided to investigate. As threat researchers, it is not\r\nunusual to research an attacker infrastructure to deduce any possible correlation to previous attacks. 
This can be a\r\ntime-consuming and exhausting process, because there are a lot of data points to pivot off of. Sometimes we come\r\nto a dead end as well. However, we sometimes find items of interest that help “paint a picture” that identify\r\nprevious campaigns likely conducted by the same threat actor. Ultimately, this helps provide historical insight into\r\nthe attackers’ TTPs, or identify a webhosting company allowing this activity to occur for years on end,\r\nthereby enabling multiple attackers without any repercussion. \r\nDespite being a recently discovered campaign, our further research in this case revealed that the infrastructure\r\nused by the attacker, [185.19.85[.]156], has been in operation for over five years (as noted in this Dynamoo Blog.)\r\nWe don’t know if this is the same group or if it is simply a bulletproof host catering to threat actors. The usage of\r\nRATs, the same DDNS services, and the same IP address 185.19.85[.]156 may be merely coincidental, but it raises\r\nsome suspicion. \r\nRegardless of whether there is an actual connection, one assumption can be made: Based on the specific language\r\ncontained in the spearphishing attacks, the infrastructure used, and the techniques seen in the evolving malware,\r\nthis JsOutProx campaign is not your run-of-the-mill cybercrime operation. It is highly sophisticated, and notably,\r\none that has significant resources available.\r\nExample #2\r\nFindings for this DDNS Domain were limited to the HTA files of JSOutProx and nothing else. We discovered\r\nduring passive DNS analysis from our own Central Threat System (CTS) that the [185.195.79[.]210] IP address is\r\nshared between the two DDNS domains shown in the table below. 
\r\nAssociated Files:\r\nSHA256: [f1027d6f01718030a66872a82134418984c2de82e1aff32cb7cc106bf8d3375a]\r\nSHA256: [8609210993F4EBC6AA5332B0E5EBE67720B8721E27FCEE79FC82A1C40B587A44]\r\nDomain/Port | IP | Other Domains Discovered Sharing Same IP address | File Type\r\nmyabiggeojs.myftp[.]biz:9895 | 185.195.79[.]210 [Turkey] | panarmjsdrew.gotdns[.]ch:9089 | JSOutProx\r\n“” | 151.106.60[.]163 [France] | | JSOutProx\r\nFigure 11. Domains resolving to 185.195.79[.]210\r\nFurther analysis identified another JSOutProx campaign that followed the same financial naming convention from\r\nAugust:\r\nEASTERN-EX_Coverfund_Position-2020_xls.7z\r\nSHA256: [8609210993F4EBC6AA5332B0E5EBE67720B8721E27FCEE79FC82A1C40B587A44]\r\nOther than this, no other historical campaigns nor historical data could be found for either the domain or IP\r\naddress used in this attack. It could be surmised that the attacker may be switching back and forth between hosts\r\nand DDNS aliases to thwart further analysis. Regarding the 151.106.60[.]163 IP address,\r\nonly myabiggeojs.myftp[.]biz:9895 URLs were associated.\r\nFigure 12. Domains resolving to 151.106.60[.]163\r\nExample #3\r\nNo other historical campaigns nor historical data could be found for either the domain or IP address used in this\r\nattack. 
It could be surmised that the attacker may switch back and forth between hosts and DDNS aliases to thwart\r\nanalysis.\r\nAssociated File:\r\nSHA256 [03a80ceb3959f26b193175fc005bf418c4dc47b1e8d725e63a17a1418774b4b9]\r\nDomain/Port | IP | Other Domains Discovered Sharing Same IP address | File Type\r\nposssdhm.ddns[.]net:9060 | 151.106.14[.]155 | N/A | JSOutProx\r\nIndicators of Compromise\r\nf1027d6f01718030a66872a82134418984c2de82e1aff32cb7cc106bf8d3375a\r\nC2: hxxp://myabiggeojs.myftp[.]biz:9895/\r\nDetected as: JS/Agent.VAC!tr\r\n03a80ceb3959f26b193175fc005bf418c4dc47b1e8d725e63a17a1418774b4b9\r\nC2: hxxp://posssdhm.ddns[.]net:9060/\r\nDetected as: JS/Agent.VAC!tr.dldr\r\nc10ea9b5aade9e98b7c87a6926fed6356d903440a17590c519aec7a54e1e5165\r\nC2: hxxp://afghphae.gotdns[.]ch:9060/\r\nDetected as: JS/Agent.VAC!tr\r\n8609210993F4EBC6AA5332B0E5EBE67720B8721E27FCEE79FC82A1C40B587A44\r\nC2: hxxp://panarmjsdrew.gotdns[.]ch\r\nDetected as: JS/Agent.VAC!tr\r\nMITRE ATT\u0026CK\r\nInitial Access\r\nT1566.001: Spearphishing Attachment\r\nExecution\r\nT1059.001: PowerShell\r\nT1059.003: Windows Command Shell\r\nT1059.005: Visual Basic\r\nT1059.007: JavaScript\r\nPersistence\r\nT1547.001: Registry Run Keys / Startup Folder\r\nT1564.003: Hidden Window\r\nDefense Evasion\r\nT1202: Indirect Command Execution\r\nT1027: Obfuscated Files or Information\r\nDiscovery\r\nT1082: System Information Discovery\r\nCollection\r\nT1113: Screen Capture\r\nCommand and Control\r\nT1571: Non-Standard Port\r\nImpact\r\nT1529: System Shutdown/Reboot\r\nAdditional JSOutProx 
files\r\n83f2a34784c9c9abc2009b829e8345afb081817675bd0eb2799d2205d5ef69f9\r\nbbd835c18f2a5eb7a9c9eb967c9aab0c2eee67b03745a07c5cfa11ce272a559a\r\n3ad0b6e98e4415d7d4b319367aaee0930fbb8ef4f3dc8c29e93df3b906654b30\r\n6bf0d9a7ca91f27a708c793832b0c7b6e3bc4c3b511e8b30e3d1ca2e3e2b90a7\r\n7dd2d20bd40f45ecd74fef1c9238cdf3c9f446414fc82456d73f3148252adbd5\r\ne94521788a9b229dc9f583cc6ab2514b2cbe4acbee7a282d6167c1ce45416de3\r\n577a6b1294ec1386fd5d9058ad35296bfd74cd51ab8c1bd8f0b625bbb356f8d0\r\n92c02aa8d666c7b65f1cbb6c801f89bd47088129e899b352737258af28db0dba\r\nf7221949476533af9afe7b190db47697174cabc9af18c278022396e83e7b75cb\r\n0398d1b44bc8be3b56a1bb78c580e6eeee96464992b48599fceebd4d39321a57\r\n8da0526fe5cff2c56be399b9bef560fec6160d8ce0dd7c8517054198c73e6788\r\n96168c26e4c0ec1d84cdb2b912dadabdf2bb73ec14d758cc8a29fb39321b8bd6\r\n891211a8dffa0a4b0147b9c1572916108cb8aa1d6055aa1164f16cc42a3e2c0c\r\n64b402cbe3a2ae21ce2bfcf70acf927db714f5ae4eb3ba0ffb73455b731e6a50\r\ne9d605f9627072eee555b07e3c7797c4d61ded20c7292432565c098f183be9d2\r\ndec809c248f4610bae9d577c23279ffa5e95bdb8612fe941aac60fc1e699343b\r\na1ca1638f3d760789231fc1b567824485b40f4101d6ee9ad4208308d166b87bd\r\nefd97b1038e063779fb32a3ab35adc481679a5c6c8e3f4f69c44987ff08b6ea4\r\nfdc61d1ae7f5e53fb4710910bae574a992419e27329693d69236ec1704ac66a4\r\n169c13fd68f9d1b86d77a0e2865050a8eed8bdb9420c3c65ff4cd29574db3217\r\n8609210993f4ebc6aa5332b0e5ebe67720b8721e27fcee79fc82a1c40b587a44\r\ncd16052de2b6f37853935bad389f6018f9106aec873da0e7a2a92da8eb953fd8\r\n698ced4170469c3084afbb0e21778477360d2ac10fb93b33ee3011870c7ca089\r\nOther Associated Files and Campaigns Related to Threat Actor (Netwire, Tesla, etc.) 
185.19.85[.]156\r\n34b2b2c0187ebc29239578d78f062d8ebd9aab4bede9c9b6dee323653d2b058c\r\n886fe15d546c595be2e130d98d33ee777d550af69f1def97fedbfae49e3a637e\r\n2ad94746fa52471bd0008285f2d03aab5afa2a8a75ee986ad4ec650aad43730c\r\n84ae04513a1e01e60dbc814cbd483ec397c9dba78cc5ba79a8e234ecc04b0ac3\r\na68fe77207210679a5129b17b797d06fc4d75d6ecac0711e67abcaf18ed42275\r\na22c763f9e222a8e039d39262f6ff30cce934c1181b0c1be9376b4f5f912e96a\r\n2cb5514d1720a32caa239e91ab6a7a3009a78fb1ce30246186ab6ec6e014041e\r\n75e0d9f86c4ebea64bc842bb5f87164372c4b2996680fde42d5113ebbbbae3ff\r\n459d04d2a7cb3399486dbe8095dac1f1e8132d514e4be631c3151f61e0d13506\r\nb9bb827450cf3233c89ef3cc8ee38824faec9afb1fe1f5c2ab0f1738e0e844d1\r\na72617c88b295c70ffcd652a569f5dd3b972a13a445936fed92f8d8eb018958a\r\n9aa914e87dda1c3d1c182ed9c08229d10853a5e29b0795accf2a96abdc5fde88\r\ndf3acaf4dcc70a20c485b492958a9d598f43acb9563e0875d8759de62b268789\r\n2936937ebeead6d1c9b62739331fd975248e2998fcf13c94ee817bbfe501a64b\r\nec83164a482f5f6c6f98fcc47e489bc4443554253a32ddbd2344b70b09002d1c\r\n531bdc59bdddaf57aa80e2bd2664ee2e6df138a2374519d14d100cab8d21b5c5\r\n4132f329b4cd47f4e4463963c40345f7a7bb04c5cb64887f3d78579028cb1474\r\n750a4be535f1870464548cda125665422d5a52d83953c44942dfe90c5a146ad9\r\n34c6c1a7a765441e5d01ffd8b839bb932fbee37b2d1a55d4cd7e77d61eebad6b\r\n43192b0a36d887844309b79dafa88bb2493539093d17bf7296e4bda2fe72dc49\r\nLearn more about FortiGuard Labs threat research and the FortiGuard Security Subscriptions and\r\nServices portfolio. Sign up for the weekly Threat Brief from FortiGuard Labs. 
\r\nLearn more about Fortinet’s free cybersecurity training initiative or about the Fortinet Network Security Expert\r\nprogram, Network Security Academy program, and FortiVet program.\r\ni. Work-At-Home After Covid-19—Our Forecast\r\nhttps://globalworkplaceanalytics.com/work-at-home-after-covid-19-our-forecast\r\nii. FinTech AML Compliance Training\r\nhttps://baselgovernance.org/fintech-aml-compliance-training\r\nThis Adversary Playbook from FortiGuard Labs on the threat malware family known as “JsOutProx” was created\r\nfor our customers, as well as part of our role in the Cyber Threat Alliance. For more information regarding this\r\nseries of adversary playbooks being created by CTA members, please visit the Cyber Threat Alliance Playbook\r\nWhitepaper. Also view the FortiGuard Playbook Viewer detailing this campaign as mapped to MITRE’s\r\nAdversarial Tactics, Techniques, \u0026 Common Knowledge (ATT\u0026CK) model.\r\nSource: https://www.fortinet.com/blog/threat-research/adversary-playbook-javascript-rat-looking-for-that-government-cheese",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/adversary-playbook-javascript-rat-looking-for-that-government-cheese"
	],
	"report_names": [
		"adversary-playbook-javascript-rat-looking-for-that-government-cheese"
	],
	"threat_actors": [],
	"ts_created_at": 1775434654,
	"ts_updated_at": 1775826780,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3d9a2e7f33d013567267abcef3ce54761fc054d6.pdf",
		"text": "https://archive.orkl.eu/3d9a2e7f33d013567267abcef3ce54761fc054d6.txt",
		"img": "https://archive.orkl.eu/3d9a2e7f33d013567267abcef3ce54761fc054d6.jpg"
	}
}