{
	"id": "34a9a529-0067-45eb-b522-0be5585e5b48",
	"created_at": "2026-04-06T00:19:53.571296Z",
	"updated_at": "2026-04-10T03:21:02.155229Z",
	"deleted_at": null,
	"sha1_hash": "5904525ae4b99bec75d4024a5939c6b1aad91d60",
	"title": "Spam Campaign Delivers Cross-platform RAT Adwind",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 99426,
	"plain_text": "Spam Campaign Delivers Cross-platform RAT Adwind\r\nBy Rubio Wu, Marshall Chen, Ryan Maglaque\r\nPublished: 2017-07-11 · Archived: 2026-04-05 23:10:38 UTC\r\nCybercriminals are opportunists. As other operating systems (OS) become more widely used, they, too, diversify their targets, tools, and techniques in order to cash in on more victims. That’s the value proposition of malware that can adapt and cross over different platforms. And when combined with a business model that can commercially peddle this malware to other bad guys, the impact becomes more pervasive.\r\nCase in point: Adwind/jRAT, which Trend Micro detects as JAVA_ADWIND. It’s a cross-platform remote access Trojan (RAT) that can be run on any machine with Java installed, including Windows, Mac OSX, Linux, and Android.\r\nUnsurprisingly, we saw it resurface in another spam campaign. This time, however, it’s mainly targeting enterprises in the aerospace industry, with Switzerland, Ukraine, Austria, and the US the most affected countries.\r\nAdwind operators are active\r\nThe spam campaign actually corresponds to our telemetry for JAVA_ADWIND. In fact, the malware has had a steady increase in detections since the start of the year. From a mere 5,286 in January 2017, it surged to 117,649 in June. It’s notable, too, that JAVA_ADWIND detections from May to June 2017 increased by 107%, indicating that cybercriminals are actively pushing and distributing the malware.\r\nAdwind/jRAT can steal credentials, record and harvest keystrokes, take pictures or screenshots, film and retrieve videos, and exfiltrate data. Adwind iterations were used to target banks and Danish businesses, and even turned infected machines into botnets.\r\nNotorious as a multiplatform do-it-yourself RAT, Adwind has many aliases: jRAT, Universal Remote Control Multi-Platform (UNRECOM), AlienSpy, Frutas, and JSocket. In 2014 we found an Android version of Adwind/jRAT modified to add a cryptocurrency-mining capability. The fact that it’s sold as a service means this threat can be deployed by more cybercriminals, who can customize their own builds and equip them with diverse functionalities.\r\nFigure 1: JAVA_ADWIND detections from January to June, 2017\r\nFigure 2: Adwind’s infection chain\r\nSpam campaign was deployed in two waves\r\nThe spam campaign we observed was deployed in two waves and is a classic example of social engineering. We saw the first on June 7, 2017, using a different URL to divert victims to their .NET-written malware equipped with spyware capabilities. The second wave was observed on June 14, and used different domains that hosted their malware and command and control (C\u0026C) servers. Both waves apparently employed a similar social engineering tactic to lure victims into clicking the malicious URLs.\r\nhttp://blog.trendmicro.com/trendlabs-security-intelligence/spam-remote-access-trojan-adwind-jrat\r\nPage 1 of 5\r\nThe spam email’s message impersonates the chair of the Mediterranean Yacht Broker Association (MYBA) Charter Committee. The spam email’s subject line, “Changes in 2017 – MYBA Charter Agreement”, tries to create a sense of urgency for potential victims. It uses a forged sender address (info[@]myba[.]net) and seemingly legitimate content to trick would-be victims into clicking the malicious URL.\r\nFigure 3: Snapshot of the information sent to the C\u0026C server\r\nFigure 4: Snapshot of the spam email\r\nAnalyzing Adwind’s attack chain\r\nThe malicious URL will drop a Program Information File (PIF). PIFs contain information on how Windows can run MS-DOS applications, and can be launched normally like any executable (EXE). The file is written in .NET and serves as a downloader. The process spawned by the file kicks off the infection chain by first modifying the system certificate.\r\nThe URL we traced the malicious PIF file (TROJ_DLOADR.AUSUDT) to also contained various phishing and spam email-related HTML files. It’s possible that these are the landing pages from which victims are diverted to the malicious PIF file.\r\nFigure 5: The downloader trying to modify the system certificate by calling a Windows Application Programming Interface (API)\r\nFigure 6: Snapshot showing a successfully modified certificate\r\nAfter the certificate has been poisoned, a Java EXE, dynamic-link library (DLL) and 7-Zip installer will be fetched from a domain that we uncovered to be a file-sharing platform abused by the spam operators:\r\nhxxps://nup[.]pw/DJojQE[.]7z\r\nhxxp://nup[.]pw/e2BXtK[.]exe\r\nhxxps://nup[.]pw/9aHiCq[.]dll\r\nThe installer has a wrapper function, which is typically employed by RATs to call additional routines without sacrificing computational resources. The wrapper we analyzed was in Java ARchive (JAR) file format; we have dubbed it jRAT-wrapper (JAVA_ADWIND.JEJPCO). It connects to a C\u0026C server and drops Adwind/jRAT at runtime.\r\nBased on jRAT-wrapper’s import header, it appears to have the capability to check for the infected system’s internet access. It can also perform reflection, a form of dynamic code generation in Java. The latter is a particularly useful feature in Java that enables developers/programmers to dynamically inspect, call, and instantiate attributes and classes at runtime. In cybercriminal hands, it can be abused to evade static analysis by traditional antivirus (AV) solutions.\r\nFigure 7: Code snapshot of the PIF file that downloads a wrapper (jRAT-wrapper), which then retrieves the payload\r\nFigure 8: The domain nup[.]pw is a file-hosting server abused by the spam operators\r\nFigure 9: Snapshot of an obfuscated Java class within jRAT-wrapper\r\nFigure 10: jRAT-wrapper’s import header\r\nFigure 11: The byte code we decompiled in jRAT-wrapper\r\njRAT-wrapper also tries to connect to another C\u0026C IP address, 174[.]127[.]99[.]234:1033, which we construe to be from a legitimate hosting service that was abused by the attackers. jRAT-wrapper also uses Visual Basic scripts (VBS) to collect the system’s fingerprints, notably the installed antivirus (AV) product and firewall. It’s also coded to drop and execute the JAR file in the User Temp directory and copy malicious Java libraries to the Application Data folder. It will then drop a copy of itself in the current user directory and create an autorun registry entry for persistence.\r\nHowever, we found that the IP address was already down during our analysis, preventing us from getting further information related to it.\r\nFigure 12: Malicious VBS file that gathers the infected system’s configurations\r\nFigure 13: The properties of Adwind/jRAT\r\nSecurity researcher Michael Helwig’s rundown of jRAT-wrapper helped us decrypt the properties of the payload. The configuration file of the sample we analyzed indicated that the network traffic is designed to be hijacked to a proxy listening at the loopback address, 127[.]0[.]0[.]1:7777.\r\nHowever, we were not able to record any proxy setting during our analysis, as the C\u0026C server that the jRAT-wrapper tried to connect to was already inaccessible. We can infer that the attackers intentionally shut down this C\u0026C server. Once attackers successfully accomplish what they want in the infected system, they can shut it down to deter further analysis. It’s also possible that the hosting service/ISP actually took it down for abuse.\r\nIn this instance, we can construe that a successful C\u0026C communication entails the C\u0026C server changing the proxy setting on the victims’ machines.\r\nFigure 14: A part of Adwind’s configuration file\r\nCountermeasures\r\nAdwind is a cross-platform, Java-based malware. This calls for a multilayered approach to security that covers the gateway, endpoints, networks, servers, and mobile devices. IT/system administrators and information security professionals, as well as developers/programmers that use Java, should also adopt best practices for using and securing Java and regularly keep it patched and updated.\r\nAdwind’s main infection vector is spam email. This underscores the importance of securing the email gateway to mitigate threats that use email as an entry point to the system and network. Spam filters, policy management, and email security mechanisms that can block malicious URLs are just some of the solutions that can be used to help mitigate email-based threats. Users and IT/system administrators should also adopt best practices to help safeguard networks with bring-your-own-device (BYOD) policies from threats like Adwind that can steal important data.\r\nA crucial element in Adwind’s attack chain is social engineering. This highlights the need to cultivate a cybersecurity-aware workforce and foster conscientiousness against email scams: think before you click, be more prudent when opening unknown or unsolicited emails, and be more aware of the different social engineering tactics cybercriminals use. These best practices can significantly help reduce an organization’s exposure to this malware.\r\nTrend Micro Solutions\r\nTrend Micro endpoint solutions such as Trend Micro™ Smart Protection Suites and Worry-Free™ Business Security can protect users and businesses from these threats by detecting malicious files and spammed messages as well as blocking all related malicious URLs. Trend Micro Deep Discovery™ has an email inspection layer that can protect enterprises by detecting malicious attachments and URLs.\r\nTrend Micro™ Hosted Email Security is a no-maintenance cloud solution that delivers continuously updated protection to stop spam, malware, spear phishing, ransomware, and advanced targeted attacks before they reach the network. It protects Microsoft Exchange, Microsoft Office 365, Google Apps, and other hosted and on-premises email solutions.\r\nTrend Micro™ OfficeScan™ with XGen™ endpoint security infuses high-fidelity machine learning with other detection technologies and global threat intelligence for comprehensive protection against advanced malware.\r\nIndicators of Compromise\r\nFiles and URLs related to Adwind/jRAT:\r\nhxxp://ccb-ba[.]adv[.]br/wp-admin/network/ok/index[.]php\r\nhxxp://www[.]employersfinder[.]com/2017-MYBA-Charter[.]Agreement[.]pif\r\nhxxps://nup[.]pw/e2BXtK[.]exe\r\nhxxps://nup[.]pw/Qcaq5e[.]jar\r\nRelated Hashes:\r\n3fc826ce8eb9e69b3c384b84351b7af63f558f774dc547fccc23d2f9788ebab4 (TROJ_DLOADR.AUSUDT)\r\nc16519f1de64c6768c698de89549804c1223addd88964c57ee036f65d57fd39b (JAVA_ADWIND.JEJPCO)\r\n97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9 (JAVA_ADWIND.AUJC)\r\n705325922cffac1bca8b1854913176f8b2df83a70e0df0c8d683ec56c6632ddb (BKDR64_AGENT.TYUCT)\r\nRelated C\u0026C servers:\r\n174[.]127[.]99[.]234 Port 1033\r\nhxxp://vacanzaimmobiliare[.]it/testla/WebPanel/post[.]php\r\nSource: http://blog.trendmicro.com/trendlabs-security-intelligence/spam-remote-access-trojan-adwind-jrat",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"http://blog.trendmicro.com/trendlabs-security-intelligence/spam-remote-access-trojan-adwind-jrat"
	],
	"report_names": [
		"spam-remote-access-trojan-adwind-jrat"
	],
	"threat_actors": [],
	"ts_created_at": 1775434793,
	"ts_updated_at": 1775791262,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5904525ae4b99bec75d4024a5939c6b1aad91d60.pdf",
		"text": "https://archive.orkl.eu/5904525ae4b99bec75d4024a5939c6b1aad91d60.txt",
		"img": "https://archive.orkl.eu/5904525ae4b99bec75d4024a5939c6b1aad91d60.jpg"
	}
}