{
	"id": "4245c4ff-5307-44e3-810e-8e0381320ad1",
	"created_at": "2026-04-06T00:18:32.851768Z",
	"updated_at": "2026-04-10T03:20:45.986885Z",
	"deleted_at": null,
	"sha1_hash": "462f7170cfda1f1882ec01f50fe26edf7d34d7ed",
	"title": "Malware Campaign Lures Users With Fake W2 Form",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3356558,
	"plain_text": "Malware Campaign Lures Users With Fake W2 Form\r\nBy Tom Elkins\r\nPublished: 2024-07-24 · Archived: 2026-04-05 22:03:53 UTC\r\nThe following analysts contributed to the research: Evan McCann, Matt Smith, Ipek Solak, Jake McMahon\r\nRapid7 has recently observed a campaign targeting users searching for W2 forms using the Microsoft search engine Bing.\r\nUsers are subsequently directed to a fake IRS website, enticing them to download their W2 form, which ultimately downloads a\r\nmalicious JavaScript (JS) file instead. The JS file, when executed, downloads and executes a Microsoft Software Installer\r\n(MSI) package which in turn drops and executes a Dynamic Link Library (DLL) containing the Brute Ratel Badger.\r\nIn this blog, we will detail the attack chain and offer preventative measures to help protect users.\r\nOverview:\r\nStarting on June 21, 2024, Rapid7 observed two separate incidents in which users downloaded and executed suspicious\r\nJavaScript (JS) files linked to the URL hxxps://grupotefex[.]com/forms-pubs/about-form-w-2/. Following execution of the\r\nJS files, Rapid7 observed the download and execution of an MSI file that was responsible for dropping a suspicious DLL\r\ninto the user's AppData/Roaming/ profile. Upon further analysis, Rapid7 determined that the suspicious DLL contained a\r\nBrute Ratel Badger. 
Brute Ratel is a command and control framework used for red team and adversary simulation.\r\nWhen executed successfully, the Brute Ratel Badger will subsequently download and inject the Latrodectus malware.\r\nLatrodectus is a stealthy backdoor used by threat actors to query information about the compromised machine, execute\r\nremote commands, and download and execute additional payloads.\r\nOn June 23, Zscaler ThreatLabz issued a tweet indicating that the initial access broker behind the deployment of the\r\nmalware family known as Latrodectus was using Brute Ratel as a stager.\r\nOn June 24, a blog was released by reveng.ai, outlining an attack chain identical to the one we observed. From the posts, we noted\r\noverlapping indicators of compromise (IOC), indicating that the behavior observed was related.\r\nInitial Access:\r\nDuring analysis of the incidents, Rapid7 observed that users queried the search engine Bing with the keywords W2\r\nform. They subsequently navigated to the domain appointopia[.]com, which redirected the browser to the URL\r\nhxxps://grupotefex[.]com/forms-pubs/about-form-w-2/.\r\nAfter replicating the incident in a controlled environment, we observed that following the query for w2 form 2024 using\r\nBing, the top result is a link to the domain appointopia[.]com which claims to have W2 forms available for download.\r\nAfter clicking the link, the browser is directed to the URL hxxps://grupotefex[.]com/forms-pubs/about-form-w-2/, which\r\npresents users with a fake IRS site, luring users into downloading their W2 form.\r\nhttps://www.rapid7.com/blog/post/2024/07/24/malware-campaign-lures-users-with-fake-w2-form/\r\nPage 1 of 8\n\nWhile interacting with the hyperlinks present on the website, we observed that each time, a CAPTCHA would appear, luring\r\nthe user to solve it.\r\nUpon closer examination, users were presented with a CAPTCHA system, seemingly designed to verify human activity.\r\nHowever, this CAPTCHA was part of a malicious 
scheme. Once answered successfully, the CAPTCHA would download a\r\nmalicious JavaScript file named form_ver, with the UTC time of access appended to the file name, such as Form_Ver-14-00-21. The downloaded JS file was served from a Google Firebase URL,\r\nhxxps://firebasestorage.googleapis[.]com/v0/b/namo-426715.appspot.com/o/KB9NQzOsws/Form_Ver-14-00-21.js?alt=media\u0026token=dd7d4363-5441-4b14-af8c-1cb584f829c7. This JavaScript file would then be responsible for\r\ndownloading the next stage payload.\r\nTechnical analysis:\r\nWe acquired one of the JS files from the incidents that took place on June 21 and analyzed the contents in a controlled\r\nenvironment. We observed that the JS file contained code hidden between commented-out lines. Threat actors employ this\r\ntechnique in order to inflate the size of their files and obfuscate their code with the goal of evading antivirus solutions and\r\nhindering reversing.\r\nIn addition, we observed that the JavaScript contained a valid Authenticode certificate issued to Brass Door Design Build\r\nInc. Threat actors will embed valid certificates in order to exploit trust mechanisms and make the scripts appear legitimate.\r\nWe analyzed the JS files and observed code resembling a technique used for extracting and executing hidden code within\r\ncomments. Specifically, the code defines a ScriptHandler class that can read in a script file, parse out any lines starting with\r\n//////, and store those lines of code in an extractedCode property as seen in Figure 5. The code then defines a method\r\nrunExtractedCode() that executes that extracted code using new Function(). 
It instantiates a ScriptHandler for the current\r\nscript file, extracts the hidden code, and executes it.\r\nThis allows hiding arbitrary code within comments in a script, which will then be extracted and executed when the script is\r\nrun. The comments provide a way to conceal the hidden code. This technique was used to hide malicious code within a\r\nscript file designed to make the user think it is benign. When the script is executed, the concealed code would be extracted\r\nand run without the user's knowledge.\r\nAfter cleaning up the script file, we observed that the purpose of the script was to download an MSI package from the URL\r\nhxxp://85.208.108[.]63/BST.msi and execute it.\r\nIn another related incident that occurred on June 25, we observed that the JS file was downloading the payload from a\r\nsimilar URL, hxxp://85.208.108[.]30/neuro.msi.\r\nMSI Analysis\r\nWe acquired the latest MSI file, neuro.msi, from hxxp://85.208.108[.]30/neuro.msi and analyzed the contents. We observed\r\nthat the MSI file contained a Cabinet (.cab) file named disk1.cab which stored a DLL, capisp.dll.\r\nWe also observed that the MSI package neuro.msi contained a custom action whose function was to drop the DLL,\r\ncapisp.dll, within the AppData/Roaming/ folder and execute it using rundll32.exe with the export remi.\r\nWe obtained the DLL from the MSI installer and analyzed the contents.\r\nCapisp.dll Analysis\r\nDuring initial analysis, we observed the DLL was associated with the VLC media player. We also observed that the DLL\r\ncontained a suspicious resource named نالوقتمتأخر located at offset 0x00EB2C0. 
We determined that the resource name\r\nنالوقتمتأخر was Arabic and translates to ‘It is late’, referring to time.\r\nWhile analyzing the export function remi we observed that the function starts by storing a hardcoded string\r\n)5Nmw*CP\u003esC%dh!E(eT6d$vp\u003c), which is reserved for later use. The function then calculates the resource located at offset\r\n(0x00EB2C0) that marks the start of the encrypted data, which will be decrypted using an XOR decryption routine with the\r\npreviously stored string.\r\nAfter the data is decrypted, the function then utilizes the Windows API VirtualAlloc to allocate a new region of memory in\r\norder to copy and store the decrypted data.\r\nUsing that logic, we replicated the process in Cyberchef and observed that the decrypted data resembled another Windows\r\nbinary. While analyzing the new binary, we observed an interesting string, badge\\_x64_rtl.bin.packed.dll. We also observed\r\nthat the new binary contained yet another embedded binary.\r\nFurther analysis revealed that the purpose of the decrypted binary was to load and execute the embedded binary. We\r\nidentified the embedded binary as a Brute Ratel Badger (BRC4), a remote access agent in Brute Ratel. 
Upon successful\r\nexecution, the BRC4 program attempts to establish connections to three hard-coded Command and Control (C2) domains:\r\nbibidj[.]biz\r\nbarsman[.]biz\r\ngarunt[.]biz\r\nIn previous versions of the attack, we observed the BRC4 program attempting to establish communication with the C2\r\ndomains barsen[.]monster and kurvabbr[.]pw.\r\nFollowing execution of the BRC4 program, we observed the download of Latrodectus, which was subsequently injected into\r\nthe Explorer.exe process.\r\nWe observed that the Latrodectus malware attempts to contact the following URLs:\r\nhxxps://meakdgahup[.]com/live/\r\nhxxps://riscoarchez[.]com/live/\r\nhxxps://jucemaster[.]space/live/\r\nhxxps://finjuiceer[.]com/live/\r\nhxxps://trymeakafr[.]com/live/\r\nConclusion\r\nRapid7 has observed a recent campaign targeting users searching for W2 forms. The campaign lures users into downloading\r\nJS files masquerading as W2 forms from a fake IRS website. Once executed, the JS files download and\r\nexecute MSI packages containing the Brute Ratel badger. Upon successful compromise, the threat actors follow up by\r\ndeploying the malware family known as Latrodectus, a malicious loader that is used by threat actors to gain a foothold on\r\ncompromised devices and deploy additional malware.\r\nMitigation guidance:\r\n➔ Provide user awareness training that's aimed at informing users on how to identify such threats.\r\n➔ Prevent execution of scripting files such as JavaScript and VisualBasic by changing the default ‘open-with’ settings to\r\nnotepad.exe.\r\n➔ Block or warn on uncategorized sites at the web proxy. Aside from blocking uncategorized sites, certain web proxies will\r\ndisplay a warning page, but allow the user to continue by clicking a link in the warning page. 
This will stop drive-by\r\nexploits and malware from being able to download further payloads.\r\nRapid7 customers:\r\nInsightIDR and Managed Detection and Response customers have existing detection coverage through Rapid7's expansive\r\nlibrary of detection rules. Rapid7 recommends installing the Insight Agent on all applicable hosts to ensure visibility into\r\nsuspicious processes and proper detection coverage. Below is a non-exhaustive list of detections that are deployed and will\r\nalert on behavior related to this malware campaign:\r\nSuspicious Process - WScript Runs JavaScript File from Temp Or Download Directory\r\nEndpoint Prevention - A process attempted 'Self Injection' technique\r\nMITRE ATT\u0026CK Techniques\r\nTactic | Technique | Description\r\nResource Development | SEO Poisoning (T1608.006) | Threat actor employed SEO poisoning, ensuring their advertisement was listed first in search results\r\nInitial Access | Drive-by Compromise (T1189) | Upon successfully solving the CAPTCHA, the browser is directed to download a JavaScript file from another URL\r\nExecution | Command and Scripting Interpreter: JavaScript (T1059.007) | User executes the downloaded JavaScript file\r\nDefense Evasion | Embedded Payloads (T1027.009) | Brute Ratel payload is embedded within the decrypted payload\r\nDefense Evasion | Command Obfuscation (T1027.010) | Downloaded JavaScript file contains commands broken up by commented lines to hinder analysis and anti-virus scanners\r\nDefense Evasion | Encrypted/Encoded File (T1027.013) | Latrodectus employs string decryption to hinder detection and analysis\r\nDefense Evasion | Deobfuscate/Decode Files or Information (T1140) | DLL dropped by MSI package contains an XOR routine to decrypt the Brute Ratel payload\r\nPrivilege Escalation | Dynamic-link Library Injection (T1055.001) | Latrodectus DLLs are injected into the Explorer.exe process\r\nCommand and Control | Web Protocols (T1071.001) | Brute Ratel and Latrodectus communicate with their C2 servers using HTTPS\r\nIndicators of compromise:\r\nHost Based Indicators (HBIs)\r\nIndicator | File Hash | Description\r\nForm_Ver-14-00-21.js | F8121922AE3A189FBAE0B17C8F5E665E29E2E13B2E7144DABA4B382432B4949E | JS file downloaded from URL hxxps://firebasestorage[.]googleapi 426715.appspot.com/o/KB9NQzOs 44-37.js?alt=media\u0026token=dd7d43 af8c-1cb584f829c7\r\nBST.msi | 5b18441926e832038099acbe4a90c9e1907c9487ac14bdf4925ac170dddc24b6 | MSI file downloaded from URL hxxp://85.208.108[.]63/BST.msi\r\nneuro.msi | D71BFAB9CCA5DF6A28E12BA51FE5EAF0F9151514B3FD363264513347A8C5CF3A | MSI file downloaded from URL hxxp://85.208.108[.]30/neuro.msi c JS file\r\nvpn.msi | 4586250dbf8cbe579662d3492dd33fe0b3493323d4a060a0d391f20ecb28abf1 | MSI file downloaded from URL hxxp://193.32.177[.]192/vpn.msi co file\r\naclui.dll | 8484560C1526EE2E313A2B57F52EA5B31EDD05A0C9664BD7F60DA020871BFE6F | DLL contained within MSI file BST\r\ncapisp.dll | 9B7BDB4CB71E84C5CFF0923928BF7777A41CB5E0691810AE948304C151C0C1C5 | DLL contained within MSI file neu\r\nBruteRatel payload | AD4A8983EDFB0DBA81E3D0BAE1AB549B500FD8A07DAF601E616B7E721D0674C6 | BruteRatel decrypted payload conta capisp.dll\r\nNetwork Based Indicators (NBIs)\r\nIndicator | Description\r\nappointopia[.]com | Domain used for SEO poisoning that redirects to URL hxxps://grupotefex[.]com/forms-pubs/about-form-w-2/\r\nhxxps://grupotefex[.]com/forms-pubs/about-form-w-2/ | URL containing fake IRS website, luring users into trying to download a W2 form\r\n85.208.108[.]63 | IP address hosting BST.msi\r\n193.32.177[.]192 | IP address hosting vpn.msi\r\n85.208.108[.]30 | IP address hosting neuro.msi\r\nkurvabbr[.]pw | BruteRatel C2 - Payload contained within aclui.dll\r\nbarsen[.]monster | BruteRatel C2 - Payload contained within aclui.dll\r\nbarsman[.]biz | BruteRatel C2 - Payload contained within capisp.dll\r\nbibidj[.]biz | BruteRatel C2 - Payload contained within capisp.dll\r\ngarunt[.]biz | BruteRatel C2 - Payload contained within capisp.dll\r\nhxxps://meakdgahup[.]com/live/ | Latrodectus C2\r\nhxxps://riscoarchez[.]com/live/ | Latrodectus C2\r\nhxxps://jucemaster[.]space/live/ | Latrodectus C2\r\nhxxps://finjuiceer[.]com/live/ | Latrodectus C2\r\nhxxps://trymeakafr[.]com/live/ | Latrodectus C2\r\nResources\r\nArticle | URL\r\nZscaler ThreatLabz Post | https://x.com/Threatlabz/status/1804918852528357791\r\nLatrodectus Affiliate Resumes Operations Using Brute Ratel C4 Post Operation Endgame | https://blog.reveng.ai/latrodectus-distribution-via-brc4/\r\nSource: https://www.rapid7.com/blog/post/2024/07/24/malware-campaign-lures-users-with-fake-w2-form/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://www.rapid7.com/blog/post/2024/07/24/malware-campaign-lures-users-with-fake-w2-form/"
	],
	"report_names": [
		"malware-campaign-lures-users-with-fake-w2-form"
	],
	"threat_actors": [],
	"ts_created_at": 1775434712,
	"ts_updated_at": 1775791245,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/462f7170cfda1f1882ec01f50fe26edf7d34d7ed.pdf",
		"text": "https://archive.orkl.eu/462f7170cfda1f1882ec01f50fe26edf7d34d7ed.txt",
		"img": "https://archive.orkl.eu/462f7170cfda1f1882ec01f50fe26edf7d34d7ed.jpg"
	}
}