{ "id": "8ec16d1d-585c-45ff-af9c-c15f94ab6d2d", "created_at": "2026-04-06T00:16:21.239477Z", "updated_at": "2026-04-10T03:33:24.175234Z", "deleted_at": null, "sha1_hash": "74598122f156590f3963211935a7952327c8dd0e", "title": "Water Makara Uses Obfuscated JavaScript in Spear Phishing Campaign Targets Brazil With Astaroth Malware", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 994194, "plain_text": "Water Makara Uses Obfuscated JavaScript in Spear Phishing\r\nCampaign Targets Brazil With Astaroth Malware\r\nPublished: 2024-10-14 · Archived: 2026-04-02 11:28:14 UTC\r\nAPT \u0026 Targeted Attacks\r\nTrend Micro researchers have uncovered a surge of malicious activities involving a threat actor group that we\r\ntrack as Water Makara. This group is targeting enterprises in Brazil, deploying banking malware using obfuscated\r\nJavaScript to slip past security defenses.\r\nBy: Charles Adrian Marty, Kim Benedict Victorio, Adriel Isidro, Christian Alpuerto, Mark Jason Co, Lorenzo\r\nLaureano, Andre Filipe Codod, Adremel Redondo Oct 14, 2024 Read time: 6 min (1618 words)\r\nHighlights:\r\nWater Makara uses the notorious Astaroth banking malware, now with a new evasion technique.\r\nThe spear phishing campaign was observed targeting companies in Latin America, with a particular focus\r\non organizations in Brazil.\r\nThe spear phishing campaign’s impact has targeted various industries, with manufacturing companies,\r\nretail firms, and government agencies being the most affected.\r\nThe malicious emails often impersonate official tax documents, using the urgency of personal income tax\r\nfilings to trick users into downloading the malware.\r\nTrend Micro Research recently identified a significant surge of spear phishing attacks aimed at users in Brazil.\r\nThese emails, which come with attachments often masquerading as personal income tax documents, contain\r\nharmful ZIP files. The threat uses mshta.exe, an oft-abused utility normally meant to run HTML Application files,\r\nto execute obfuscated JavaScript commands, establishing connections to a C\u0026C server.\r\nIn terms of impact, the spear phishing campaigns mostly target companies in Brazil. The figure below shows the\r\ndistribution of the cyberattacks by industry, with Trend Micro telemetry showing manufacturing companies, retail\r\nfirms, and government agencies as the most affected.\r\nhttps://www.trendmicro.com/en_us/research/24/j/water-makara-uses-obfuscated-javascript-in-spear-phishing-campai.html\r\nPage 1 of 8\n\nFigure 1. Distribution of the attacks by industry\r\nWe track this intrusion set as Water Makara, which uses the Astaroth malware with a new defense evasion\r\ntechnique. Astarothnews article, a notorious information-stealing banking trojan, remains active and is anticipated\r\nto persist into 2024. In this blog, we’ll explore the tactics used by Water Makara and share best practices that can\r\nbe taken to strengthen defenses against such threats.\r\nFigure 2. The infection chain of the malware\r\nhttps://www.trendmicro.com/en_us/research/24/j/water-makara-uses-obfuscated-javascript-in-spear-phishing-campai.html\r\nPage 2 of 8\n\nFigure 3. Example of the spear phishing email whose final payload is the Astaroth malware\r\nWater Makara’s attack chain\r\nFigure 2 illustrates the infection chain of the malware, from how the malicious attachment is delivered and how it\r\nintends to be executed. The attack begins with a spear phishing email that is designed to appear legitimate and\r\ncredible, often impersonating well-known organizations or official entities. This common social engineering tactic\r\ncould trick the recipient into downloading the malicious ZIP attachment.\r\nFigure 3 presents an example of an Astaroth phishing email, sourced from a threat hunter on Twitteropen on a new\r\ntab with the user @9823f_. The email’s content pertains to “Aviso de Irregularidade,” which translates to “Notice\r\nof Irregularity.” This term refers to a formal notification issued by authorities, typically related to taxes or\r\ncompliance indicating the presence of discrepancies or issues that require attention.\r\nThe ZIP file, in turn, contains a malicious LNK file. Although the originally mentioned ZIP file is unavailable, we\r\nhave sourced a similar email sample separately to analyze. In this instance, the downloaded a ZIP file is labeled\r\n“IRPF20248328025.zip” where “IRPF” refers to “Imposto de Renda da Pessoa Física,” which translates to\r\n“Personal Income Tax.” Due to the familiarity and significance of personal income tax documents, potential\r\nvictims are more inclined to trust and open or extract this file. In addition to “IRPF”, the file also uses other names\r\ndesigned to trick the user into downloading and extracting the ZIP file. The LNK file, when executed by the user,\r\nruns embedded malicious JavaScript commands.\r\nhttps://www.trendmicro.com/en_us/research/24/j/water-makara-uses-obfuscated-javascript-in-spear-phishing-campai.html\r\nPage 3 of 8\n\nFigure 4. Example file name of the ZIP file\r\nFigure 5. Example of the LNK file\r\nAside from the LNK file, the ZIP file also contains another file that has similar obfuscated JavaScript commands.\r\nInitially, this file is Base64-encoded, and decoding reveals the hidden malicious scripts. Employing various file\r\nformats to spread malware is a tactic commonly seen in drive-by downloads. By embedding malicious code into\r\nseemingly benign files, they trick users into executing the malicious payload.\r\nIn this campaign, there are multiple variants or file extensions used, namely, .pdf, .jpg, .png, .gif, .mov, and .mp4.\r\nFigure 6 shows the content of the LNK file. In this example, we analyzed a sequence of commands used to\r\nexecute a malicious JavaScript hidden within the LNK file. Each command plays a specific role, contributing to\r\nthe overall execution of the attack:\r\ncmd.exe: The command-line interpreter on Windows\r\n/v:Off: Disables the delayed environment variable expansion to ensure that the command variables are\r\nresolved immediately, potentially avoiding conflicts or detection\r\nD: Turns off the execution of AutoRun commands to ensure that their specific commands execute without\r\ninterference from any automatic scripts that might otherwise run\r\n/c: Carries out the command specified by the string, which then terminates, to ensure that the command is\r\nexecuted efficiently and that the command prompt closes immediately afterward to reduce the likelihood of\r\ndetection\r\nmshta: A legitimate Microsoft program that executes HTML Applications (HTA), which can be used\r\nmaliciously to execute code through a seemingly benign HTML file\r\nFigure 6. Snippet of code showing the abuse of MSHTA to execute encoded JavaScript commands\r\nFigure 7. The encoded JavaScript commands\r\nhttps://www.trendmicro.com/en_us/research/24/j/water-makara-uses-obfuscated-javascript-in-spear-phishing-campai.html\r\nPage 4 of 8\n\nFigure 7 shows the encoded JavaScript commands, which can be decoded using unescape string. The decoded\r\ncommands reveal a malicious URL. The variable _$_TLEN is defined as an array containing two strings: '[7\r\nrandom characters]' and is most likely a method or function name, and the URL.\r\nThe hostname looks suspicious and could be part of a phishing or malware distribution campaign. The use of\r\nGetObject function indicates an attempt to execute or retrieve an object, which could lead to other malicious\r\nactions.\r\nFigure 8. The decoded JavaScript commands with malicious URL\r\nThe GetObject function attempts to retrieve and execute the object at the URL by invoking a method named\r\n“SXSPP29” on it. If an error occurs during this process, it is silently caught, and no action is taken. If the\r\nJavaScript command is executed successfully, the Astaroth C\u0026C server will be able to gain a foothold on the\r\nendpoint.\r\nFigure 9. The GetObject function\r\nThe URLs share several similarities and patterns. In this example, the URLs contain the domain\r\npatrimoniosoberano[.]world. This indicates that they belong to the same domain but might point to different\r\nsubdomains or paths within that domain.\r\nEach URL has a unique subdomain but follows a similar naming scheme:\r\nhxxps[://]pritonggopatrimoniosoberano[.]world/?5/\r\nhxxps[://]pritongongor[.]patrimoniosoberano[.]world/?5/\r\nhxxps[://]spunalu[.]patrimoniosoberano[.]world/?5/\r\nhxxps[://]sprunal[.]patrimoniosoberano[.]world/?5/\r\nAdditionally, each URL ends with the similar path, /?5/. There might be some commonality in the resource they\r\nare pointing to or in the way the parameters are structured in the URLs. The technique they use is called domain\r\nhttps://www.trendmicro.com/en_us/research/24/j/water-makara-uses-obfuscated-javascript-in-spear-phishing-campai.html\r\nPage 5 of 8\n\ngeneration algorithm (DGA), a method used by various malware to create a large number of domain names\r\nalgorithmically.\r\nBased on list of indicators of compromise (IoCs), the second-level domain (SDL) of the URLs has a similar\r\nstructure and potentially the same C\u0026C servers used by Astaroth. While Trend Micro has already neutralized the\r\nknown behaviors associated to this malware, it is crucial for users to remain vigilant and aware of the risks posed\r\nby this phishing attack.\r\nWe are actively monitoring this intrusion set. As of this writing, no critical payloads have been observed on the\r\nendpoints, thanks to the existing mitigation policy for these behaviors. Trend Micro solutions effectively block\r\nthis threat from the point of initial access.\r\n While Astaroth might seem like an old banking trojan, its reemergence and continued evolution make it a\r\npersistent threat. Beyond stolen data, its impact extends to long-term damage to consumer trust, regulatory fines,\r\nand increased costs from business disruption and downtime as well as recovery and remediation.\r\nWater Makara's spear phishing campaign relies on unwitting users clicking on the malicious files, which\r\nunderscores the critical role of human awareness. Companies should also adopt best practices, such as conducting\r\nregular security training, enforcing strong password policies, using multifactor authentication (MFA), keeping\r\nsecurity solutions and software updated, and applying the principle of least privilege.\r\nTrend Micro solutions\r\nTrend Micro solutions already detect, block, and mitigate this threat:\r\nEmail Securityproducts  has a hunting query that can be utilized as a filter to block malicious emails. It can\r\ndetect and quarantine phishing emails before they reach end users.\r\nEndpoint protection withproducts\r\nApex Oneproducts  provides advanced threat detection and response capabilities to identify and mitigate\r\nsuspicious activities like the execution of encoded JavaScript commands.\r\nCloud App Securityproducts add an extra layer of security for cloud-based email services such as Office\r\n365 or Google Workspace, scanning and blocking malicious attachments and links before they reach the\r\ninbox.\r\nDeep Securityproducts provides comprehensive security controls for networks, including real-time analysis\r\nand protection against threats.\r\nDeep Discovery Analyzerproducts uses behavioral analysis and sandboxing to understanding the behavior\r\nof JavaScript-encoded commands and its potential impact\r\nTrend Micro’s solutions also have Playbookservices rules that can be utilized to block, flag, and respond to\r\nsuspicious file names, such as LNK files, which can often be used in phishing campaigns.\r\nVision Oneone-platform has extended detection and response capabilities that continuously monitor the\r\nnetwork for IoCs and unusual behaviors. Vision One also has Threat Insightsproducts that provide\r\ncomprehensive intelligence on threat actors, their activities, and techniques, which enables organizations to\r\nhttps://www.trendmicro.com/en_us/research/24/j/water-makara-uses-obfuscated-javascript-in-spear-phishing-campai.html\r\nPage 6 of 8\n\nproactively protect their environments, mitigate risks, and respond effectively to threats. Additionally,\r\nVision Once has the Search App function that can match or hunt the IoCs with data in the organization’s\r\nenvironment.   \r\nTrend Micro Vision One Intelligence Reports App [IOC Sweeping]\r\n[TAD Emerging Threat Analysis]: Encoded JavaScript commands with malicious URL in LATAM\r\nTrend Micro Vision One Threat Insights App\r\n               Threat Actor/s: Water Makara\r\n               Emerging Threats: Surge in Obfuscated JavaScript Commands Executed via mshta.exe Targeting Brazil\r\nwith Phishing Campaigns\r\nTrend Micro Vision One Search App – Hunting Queries\r\nPossible malicious HTTPS request connecting to Astaroth’s C\u0026C server:\r\nrequest:/https\\:\\/\\/.*(\\.world|\\.org|\\.io|\\.net|\\.city|\\.com|\\.cfd|\\.xyz)(\\/\\?[0-9]\\/)/\r\nIndicators of Compromise (IOCs)\r\nThe full list of IOCs can be found here.\r\nMITRE ATT\u0026CK® techniques\r\nTactic Technique ID\r\nInitial Access Phishing: Spearphishing Attachment T1566.001\r\nExecution\r\nUser Execution: Malicious File T1204.002\r\nCommand and Scripting Interpreter: JavaScript T1059.007\r\nDefense Evasion\r\nSystem Binary Proxy Execution: Mshta T1218.005\r\nMasquerading: Masquerade File Type T1036.008\r\nhttps://www.trendmicro.com/en_us/research/24/j/water-makara-uses-obfuscated-javascript-in-spear-phishing-campai.html\r\nPage 7 of 8\n\nCommand and Control Dynamic Resolution: Domain Generation Algorithms T1568.002\r\nTags\r\nSource: https://www.trendmicro.com/en_us/research/24/j/water-makara-uses-obfuscated-javascript-in-spear-phishing-campai.html\r\nhttps://www.trendmicro.com/en_us/research/24/j/water-makara-uses-obfuscated-javascript-in-spear-phishing-campai.html\r\nPage 8 of 8", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia", "MISPGALAXY" ], "references": [ "https://www.trendmicro.com/en_us/research/24/j/water-makara-uses-obfuscated-javascript-in-spear-phishing-campai.html" ], "report_names": [ "water-makara-uses-obfuscated-javascript-in-spear-phishing-campai.html" ], "threat_actors": [ { "id": "dd4daf8c-4e86-4b2a-a228-0d31c0114f56", "created_at": "2024-11-03T02:00:03.644016Z", "updated_at": "2026-04-10T02:00:03.736167Z", "deleted_at": null, "main_name": "Water Makara", "aliases": [], "source_name": "MISPGALAXY:Water Makara", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434581, "ts_updated_at": 1775792004, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/74598122f156590f3963211935a7952327c8dd0e.pdf", "text": "https://archive.orkl.eu/74598122f156590f3963211935a7952327c8dd0e.txt", "img": "https://archive.orkl.eu/74598122f156590f3963211935a7952327c8dd0e.jpg" } }