{
	"id": "7205b3b0-780d-4a27-8bd7-629e85cfd162",
	"created_at": "2026-04-06T00:08:58.645072Z",
	"updated_at": "2026-04-10T03:21:53.485336Z",
	"deleted_at": null,
	"sha1_hash": "4d256cb1dfc3a5bb635abad35f8d513e23bcc7a8",
	"title": "VCURMS: A Simple and Functional Weapon | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2563964,
	"plain_text": "VCURMS: A Simple and Functional Weapon | FortiGuard Labs\r\nBy Yurren Wan\r\nPublished: 2024-03-12 · Archived: 2026-04-05 23:47:04 UTC\r\nAffected platforms: All platforms with Java installed\r\nImpacted parties: Any organization\r\nImpact: Attackers gain control of the infected systems\r\nSeverity level: High\r\nRecently, FortiGuard Labs uncovered a phishing campaign that entices users to download a malicious Java downloader with the intention of spreading the new VCURMS and STRRAT remote access trojans (RATs). The attackers stored malware on public services like Amazon Web Services (AWS) and GitHub, employing a commercial protector to avoid detection of the malware. The attacker attempts to use email as its command and control throughout the attack campaign. The receiving endpoint utilizes Proton Mail, which offers email services that include privacy protection. Figure 1 shows the attack chain.\r\nFigure 1: Attack flow\r\nThis blog describes how the malware is delivered and specifically examines the unusual VCURMS RAT that is involved in this campaign.\r\nInitial Access\r\nThe phishing email shown in Figure 2 is part of this attack campaign. It targets staff members, implying that a payment is underway, and encourages them to click a button to verify payment information. Upon clicking the button, a harmful JAR file hosted on AWS is downloaded to the victim's computer.\r\nhttps://www.fortinet.com/blog/threat-research/vcurms-a-simple-and-functional-weapon\r\nPage 1 of 11\n\nFigure 2: The phishing e-mail\r\nPayment-Advice.jar\r\nThe downloaded files resemble typical phishing attachments with spoofed names intended to lure people into opening them. 
When you look at the file with a JAR decompiler, many strings are obfuscated, and one of the class names, “DownloadAndExecuteJarFiles.class”, clearly indicates the intention of this program, as shown in Figure 3. The program aims to download two JAR files to the attacker-provided path and execute them.\r\nFigure 3: Code to download and execute JAR files\r\nAs shown in Figure 4, a class employed by the obfuscator is labeled \"sense loader\" in the debug data. The obfuscator selects the appropriate native loader module from the resources based on the current operating system during the execution process.\r\nFigure 4: A class employed by the obfuscator\r\nAfter a specific date, running the malware causes a notification to appear regarding the expiration of the trial for protected tools, as shown in Figure 5.\r\nFigure 5: Expiration of the trial for Virbox Protector\r\nAdditionally, the code generated by the obfuscator closely resembles the code produced by a legitimate obfuscation tool known as \"Sense Shield Virbox Protector\", as shown in Figure 6.\r\nFigure 6: Virbox Protector GUI\r\nThe rest of the execution flow of the JAR file downloads two additional JAR files and runs them separately.\r\nWindows.jar\r\nWe observed an unusual RAT that communicates with its command and control through email. During the initialization step, the program replicates itself into the Startup folder to ensure that it runs automatically when Windows starts. It then alerts the attacker that the victim is online and establishes a schedule to periodically check the mailbox, as shown in Figure 7.\r\nFigure 7: The main function of VCURMS RAT\r\nThe attacker identifies the victim using the computer name and Volume ID. 
When the malware needs to verify the command provided by the attacker, it first examines whether the subject of the email contains the identifying information and then proceeds to check the command within the body of the email.\r\nFigure 8: Command of VCURMS RAT\r\nThe keylogger and password recovery malware are also hosted on AWS and disguised with a .jpg extension. They are downloaded using a PowerShell command.\r\nFigure 9: Download components using a PowerShell command\r\nIn addition to installing the keylogger and password recovery malware, the commands provide various customizable features, such as the ability to execute shell commands and to upload and download files, as shown in Table 1.\r\nCommand: Details\r\nget information: Retrieve system details such as the operating system version, memory capacity, computer name, volume ID, username, country, and the files in the Desktop and Documents folders.\r\nshell: Obtain the command and execute it through cmd.exe /c; the result is sent back to the attacker via email.\r\nrecovery: Download a recovery JAR file with a .jpg extension and execute it.\r\nstart keylogger: Download a keylogger JAR file with a .jpg extension and execute it.\r\nget keylogger: Attach the keylogger data and send it as an attachment.\r\nupload: Compress the file at the specified location and then send it as an attachment.\r\ndownload: Retrieve the attachment; only files with a .jpg extension are accepted.\r\nsearch: Look for file names containing keywords specified by the attacker.\r\nTable 1: Commands\r\nMalware Protected with Commercial Obfuscator\r\nMost of the downloaded malware in this campaign is obfuscated using the Branchlock obfuscator. 
Information about this obfuscator is located at the end of the JAR file, as shown in Figure 10.\r\nFigure 10: The obfuscator at the end of the file “stl2.jpg”\r\nThe Narumii/Deobfuscator partially supports the deobfuscation of a program obfuscated with Branchlock.\r\nFigure 11: Deobfuscation with Narumii\r\nInfostealer - Stl2.jpg\r\nWhen the command \"recovery\" is received, the program is downloaded and deployed into the %USERPROFILE%\\AppData\\cookie directory with the name st.jar. The primary purpose of the program is to steal information, particularly system information and data from popular browsers and apps.\r\nApps: Discord and Steam\r\nBrowsers: Brave, Chrome, Edge, Firefox, Opera, OperaGX, Vivaldi, and Yandex\r\nSystem information: Network information, computer information, hardware information, process lists, and screenshots.\r\nThe program gathers account information from apps and collects cookies, autofill data, browsing history, and passwords from browsers. The data collected is stored in the directory located at %USERPROFILE%/\u003cusername\u003e.\r\nFigure 12: The file structure of stl2.jpg and the collected data\r\nDespite its component similarities to Rude Stealer, a Java-based infostealer, this program adopts the name VCURMS. We have also observed a distinction in the method of transmitting the pilfered data: the attacker follows the same path as the main program and sends the stolen information through the same email address.\r\nFigure 13: Code extracted from the SendFile module\r\nKeylogger - Kl.jpg\r\nThe downloaded keylogger will ultimately be stored in %USERPROFILE%\\AppData\\cookie\\klog.jar. 
This file is responsible for recording keystrokes. Additional actions, such as sending logs back to the attacker, require the main JAR file \"windows.jar\" to execute the functions.\r\nSTRRAT\r\nSTRRAT is a RAT built using Java, which has a wide range of capabilities, such as serving as a keylogger and extracting credentials from browsers and applications.\r\nBy the end of 2023, it was discovered that STRRAT utilizes two string obfuscation techniques, namely \"Zelix KlassMaster (ZKM)\" and \"Allatori\", to avoid detection. However, the STRRAT observed in this attack campaign follows the same convoluted process. It uses the Allatori Java obfuscator and includes the Branchlock obfuscator, which makes analysis more difficult.\r\nFigure 14: The Branchlock obfuscator at the end of the STRRAT file “explorer.jar”\r\nFigure 15: A splash screen is displayed when trying to run explorer.jar\r\nThe configuration file still remains in the resources. By decoding it using Base64 and decrypting it with the AES algorithm using the passphrase \"strigoi\", we can obtain information about the command and control server and the ID “Khonsari”.\r\nFigure 16: The decrypted configuration file\r\nConclusion\r\nThis comprehensive attack operation deploys several malicious programs simultaneously on a victim’s system. It deploys the well-known STRRAT and the new VCURMS, both based on Java. Even though the VCURMS RAT primarily handles command and control communication, it also includes a modified version of Rude Stealer and a keylogger in its second phase to gather sensitive data from the victim's system. 
We discovered that the threat actor was using multiple obfuscation techniques to avoid detection and attempting to use email for communicating with the command and control server.\r\nFortinet Protections\r\nThe malware described in this report is detected and blocked by FortiGuard Antivirus as:\r\nJava/Agent.A881!tr\r\nJava/Agent.X!tr.spy\r\nJava/Agent.A249!tr\r\nJava/Agent.6057!tr\r\nJava/Agent.E730!tr\r\nFortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard Antivirus Service. The FortiGuard antivirus engine is part of each of those solutions. As a result, customers who have these products with up-to-date protections are protected.\r\nThe FortiGuard CDR (content disarm and reconstruction) service can disarm the malicious macros within the document.\r\nWe also suggest that organizations take the free Fortinet Certified Fundamentals (FCF) cybersecurity training. The training is designed to help users learn about today's threat landscape and introduces basic cybersecurity concepts and technology.\r\nThe FortiGuard IP Reputation and Anti-Botnet Security Service proactively blocks malware attacks by aggregating malicious source IP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative competitors, and other global sources that collaborate to provide up-to-date threat intelligence about hostile sources.\r\nIf you believe this or any other cybersecurity threat has impacted your organization, please contact the Global FortiGuard Incident Response 
Team.\r\nIOCs\r\nE-mails\r\ncopier@ferrellengineering[.]com\r\nsacriliage@proton[.]me\r\nDomains\r\nbankofindustry[.]s3[.]us-east-2[.]amazonaws[.]com\r\nriseappbucket[.]s3[.]ap-southeast-1[.]amazonaws[.]com\r\nofornta[.]ddns[.]net\r\njbfrost[.]live\r\nbackinghof[.]ddns[.]net\r\nFiles\r\n97e67ac77d80d26af4897acff2a3f6075e0efe7997a67d8194e799006ed5efc9\r\n8d72ca85103f44742d04ebca02bff65788fe6b9fc6f5a411c707580d42bbd249\r\n588d6f6feefa6273c87a3f8a15e2089ee3a063d19e6a472ffc0249298a72392d\r\n8aa99504d78e88a40d33a5f923caf7f2ca9578031d004b83688aafdf13b3b59f\r\nc0d0dee9b8345da3c6cf3e1c3ce5b5b6e8c9e4002358517df1e3cd04c0f0b3d1\r\nSource: https://www.fortinet.com/blog/threat-research/vcurms-a-simple-and-functional-weapon",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/vcurms-a-simple-and-functional-weapon"
	],
	"report_names": [
		"vcurms-a-simple-and-functional-weapon"
	],
	"threat_actors": [],
	"ts_created_at": 1775434138,
	"ts_updated_at": 1775791313,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4d256cb1dfc3a5bb635abad35f8d513e23bcc7a8.pdf",
		"text": "https://archive.orkl.eu/4d256cb1dfc3a5bb635abad35f8d513e23bcc7a8.txt",
		"img": "https://archive.orkl.eu/4d256cb1dfc3a5bb635abad35f8d513e23bcc7a8.jpg"
	}
}