{
	"id": "1f69507c-6fca-4625-85d1-68a7fe4141ee",
	"created_at": "2026-04-06T00:21:19.575181Z",
	"updated_at": "2026-04-10T03:35:53.162443Z",
	"deleted_at": null,
	"sha1_hash": "80e49b404381a5d2253a8276517466f1f377ad73",
	"title": "New JSSLoader Trojan Delivered Through XLL Files",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 411699,
	"plain_text": "New JSSLoader Trojan Delivered Through XLL Files\r\nBy Hido Cohen\r\nArchived: 2026-04-05 16:31:39 UTC\r\nMorphisec Labs has observed a new wave of JSSLoader infections this year. We’ve tracked JSSLoader activity since December 2020 and published a thorough report on the Russian criminal hacking group FIN7’s JSSLoader: The Evolution of the FIN7 JSSLoader. JSSLoader is a small, very capable .NET remote access trojan (RAT). Its capabilities include data exfiltration, persistence, auto-updating, additional payload delivery, and more.\r\nAttackers are now using .XLL files to deliver a new, obfuscated version of JSSLoader. We explain how this new malware variant uses the Excel add-in feature to load the malware, and we inspect the changes inside.\r\nInfection Chain\r\nhttps://blog.morphisec.com/new-jssloader-trojan-delivered-through-xll-files\r\nPage 1 of 7\r\nFigure 1: From .xll file to JSSLoader\r\nThis infection chain is similar to other XLL infections. The victim receives a malicious attachment, either an XLM or XLL file, inside an email. Once the attachment is downloaded and executed, Excel loads and executes the malicious code inside the .xll file, which then downloads the payload from a remote server. The payload is a new variant of JSSLoader that closely resembles the earlier ones.\r\nXLL Excel Add-in\r\nThe first stage of the malware, responsible for downloading JSSLoader onto the infected machine, is an Excel add-in file, denoted by the .XLL file extension. Because the file isn’t signed, Excel displays a security popup to the user before executing it:\r\nFigure 2: Microsoft security popup\r\nEach XLL file must implement and export the xlAutoOpen function. Excel calls this function whenever an XLL is activated. In our case, the malicious activity is located at the end of xlAutoOpen:\r\nFigure 3: Malicious code inside xlAutoOpen\r\nBefore returning from the function, the malware loads itself, the .XLL file, into memory (not relevant to the attack) and calls the mw_download_and_execute function.\r\nThis function is responsible for downloading the payload from a remote server. The attacker uses a different User-Agent string in each sample to help evade network signature-based security solutions.\r\nFigure 4: User Agent changes between samples\r\nOnce the payload is downloaded, the XLL creates a temporary file with the prefix DNA using a GetTempFileNameW API call (GetTempFileNameW forms the name from the prefix and a hexadecimal value, so the dropped file is DNA<hex>.tmp inside the temp directory) and executes it as a new process.\r\nFigure 5: Temporary file creation\r\nNew Obfuscation Layer\r\nLook carefully at the dropped sample and compare it with an earlier JSSLoader sample: they share exactly the same execution flow. So, what’s different? This variant introduces a new layer of string obfuscation and renames all function and variable names.\r\nFigure 6: Comparison of Samples\r\nTo evade static threat scanners, this variant uses a simple string decoding mechanism:\r\nFigure 7: New variant’s string obfuscation\r\nThis version appears focused on breaking the string-based YARA rules used in the wild. It does so by splitting strings into substrings and concatenating them at runtime, so the full string never appears contiguously in the file on disk.\r\nFigure 8: Strings obfuscation comparison\r\nThis New Malware Variant Evades Traditional Security\r\nMorphisec Labs will continue to monitor the evolution of JSSLoader and its delivery methods. Although it doesn’t present new capabilities, this new JSSLoader variant is a worry, especially for organizations relying on next-generation antivirus (NGAV) or endpoint detection and response (EDR) to stop it. Most NGAV and EDR solutions won’t detect zero-day .XLL files hiding a JSSLoader. It can take days or weeks before signatures are deployed, all while attackers have free rein inside your network.\r\nHowever, Morphisec’s Moving Target Defense (MTD) technology instantly stops these and other unknown and zero-day attacks. It uses system polymorphism to unpredictably hide application targets, operating system targets, and other critical asset targets from adversaries. This leads to a dramatically reduced attack surface.\r\nGartner analysts have called Moving Target Defense a “game changer.” MTD can uniquely detect and stop ransomware, zero-day, and other advanced attacks that bypass NGAV, EDR, and other defenses. Learn more about Moving Target Defense and why Gartner cited this technology in its report: Emerging Trends and Technologies Impact Radar for Security.\r\nIndicators of Compromise (IOCs)\r\nXLLs\r\nd42dfbeba20624a190cf903d28ac5ef5e6ff0f5c120e0f8e14909fec30871134\r\na8da877ebc4bdefbbe1b5454c448880f36ffad46d6d50083d586eee2da5a31ab\r\n8783eb00acb3196a270c9be1e06d4841bf1686c7f7fc6e009d6172daf0172fc6\r\n7a234d1a2415834290a3a9c7274aadb7253dcfe24edb10b22f1a4a33fd027a08\r\nc6224a579fcef3b67c02dabe55cc486a476e10f7ab9181a91c839fa3de0876fd\r\n8b76c48088a56532f73389933737af0cbe7a404e639ec51136090c7d8c8207c9\r\nJSSLoader\r\n48053356188dd419c6212e8adb1d5156460339f07838f2c00357cfd1b4a05278\r\nda480b19c68c2dee819f7b06dbfdba0637fea2c165f3190c2a4994570c3dae2a\r\n910b6f3087b1d5342a2681376c367b53e30cf21dd9409fb1000ffb60893a7051\r\nde099bf0297de8e2fad37acc55c6b0456d1fd98a6fc1fbc381759e82a4e207c3\r\nee8f394d9e192c453d47a0c57261a03921dcbb97248a67427cb6fc6d8833c8a0\r\na29c97cb43cd16fad9276e161017ae654eb9cc989081c7584f8f14a3795deb0e\r\n154186b5e0f5fae753a1f90c93a7150927bd03017e55f44abf21a5a08b7ec4ba\r\n38700a77355cdcc7804c53fa95072cd44835ac775fb6d16f8bd345e8ab13d353\r\n576560ada2906c22ca777ac51ed6f2b99086b94bbe44d86b82abe7d77736ba6a\r\n9419a0087f6fc8bccf318d7a2c9f9e709c81df651ab6ba65c10f28c4a34257a7\r\ncd6ad1e880396edc3cdcceba996dd424e96f4961e4884aee52717069537553e8\r\n33e8b5ea7a0900f2d4b56369fda2d29a06a586ddc0c9fd85fc17ea967f83f45d\r\n1af5f9b2b22282891adb17fb9283b47b7ba7a9439fef22cfba0320155dff3ae9\r\nDomains\r\nphysiciansofficenews[.]com\r\nthechinastyle[.]com\r\ndivorceradio[.]com\r\nAbout the author\r\nHido Cohen\r\nSource: https://blog.morphisec.com/new-jssloader-trojan-delivered-through-xll-files",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.morphisec.com/new-jssloader-trojan-delivered-through-xll-files"
	],
	"report_names": [
		"new-jssloader-trojan-delivered-through-xll-files"
	],
	"threat_actors": [
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434879,
	"ts_updated_at": 1775792153,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/80e49b404381a5d2253a8276517466f1f377ad73.pdf",
		"text": "https://archive.orkl.eu/80e49b404381a5d2253a8276517466f1f377ad73.txt",
		"img": "https://archive.orkl.eu/80e49b404381a5d2253a8276517466f1f377ad73.jpg"
	}
}
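The report in the record above says the new variant defeats string-based YARA rules by splitting strings into substrings and concatenating them at runtime. The following is an added example written for this page, not Morphisec's or the malware's own code: it takes decompiled C#-style text (the kind of output dnSpy or ILSpy produce for a .NET sample), rejoins every chain of literals glued together with `+`, and shows that a substring list standing in for a YARA `strings:` section misses the raw output but matches once the chains are collapsed. The decompiled sample is constructed; one domain in it is taken from the report's IOC list, everything else (API name, User-Agent fragment) is illustrative.

```python
import re

# A C# regular string literal: "..." with backslash escapes allowed inside.
# Verbatim (@"...") and interpolated ($"...") literals are deliberately not handled.
LITERAL = r'"(?:[^"\\]|\\.)*"'

# Two or more literals joined by '+', possibly across line breaks:  "Get" + "Temp" + "File"
CHAIN = re.compile(LITERAL + r'(?:\s*\+\s*' + LITERAL + r')+')


def _rejoin(match):
    """Collapse one literal + literal + ... chain into a single literal."""
    parts = re.findall(LITERAL, match.group(0))
    return '"' + ''.join(p[1:-1] for p in parts) + '"'


def recover_split_strings(source):
    """Rewrite decompiled source so each runtime-concatenated chain of literals
    becomes the contiguous string the malware reassembles at runtime.
    Chains interrupted by a variable ("a" + x + "b") are left alone: their
    value is not statically known."""
    return CHAIN.sub(_rejoin, source)


def string_literals(source):
    """All string literal values in the (recovered) source, in order."""
    return [m[1:-1] for m in re.findall(LITERAL, source)]


def find_indicators(text, indicators):
    """Stand-in for a string-based YARA rule: which indicators occur verbatim?"""
    return sorted(i for i in indicators if i in text)


# Constructed sample in the style of decompiled C# (e.g. dnSpy/ILSpy output).
# It is NOT the real JSSLoader code; it only imitates the split-and-concatenate trick.
SAMPLE_DECOMPILED = '''
string api = "Get" + "Temp" + "File" + "NameW";
string agent = "Mozilla/5.0 " + "(Windows NT " + "10.0; Win64; x64)";
string host = "physicians" + "officenews" + ".com";   // domain from the report IOC list
string mixed = "https://" + host + "/dl";             // not collapsible: variable in the middle
string plain = "already contiguous";
'''

# Indicators a naive YARA strings section would carry (assumed, for illustration).
INDICATORS = ["GetTempFileNameW", "physiciansofficenews.com", "Windows NT 10.0"]

if __name__ == "__main__":
    before = find_indicators(SAMPLE_DECOMPILED, INDICATORS)
    after = find_indicators(recover_split_strings(SAMPLE_DECOMPILED), INDICATORS)
    print("matches on raw decompiled output:", before)
    print("matches after rejoining chains:  ", after)
```

Running the recovered text through `string_literals` gives a clean list to feed back into a rule; the point is that signatures written against the decompiled and rejoined strings survive this obfuscation layer, whereas rules keyed on the raw binary's string table do not.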
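The report in the record above also describes the XLL, which runs inside Excel's process, writing a temporary file with the prefix DNA via GetTempFileNameW and then executing it as a new process. The following detection logic is an added example for this page, not Morphisec's code or a published rule: it runs over constructed Sysmon-style process-creation events (field names `UtcTime`, `ParentImage`, `Image` are assumed) and flags a process whose parent is EXCEL.EXE and whose image is a `DNA<hex>.tmp` file under a Temp directory, with a broader, noisier verdict for any `.tmp` file Excel executes from Temp. The file paths and timestamps are invented.

```python
import re
from pathlib import PureWindowsPath

# GetTempFileNameW(dir, "DNA", 0, out) returns <dir>\DNA<hex>.tmp, where <hex> is the
# unique number Windows picks, at most four hex digits.
DNA_TEMP_NAME = re.compile(r'^DNA[0-9A-F]{1,4}\.TMP$', re.IGNORECASE)


def _basename(image):
    return PureWindowsPath(image).name


def _under_temp(image):
    return any(part.lower() == 'temp' for part in PureWindowsPath(image).parts)


def classify(event):
    """Verdict for one Sysmon-style process-creation event (assumed field names:
    ParentImage, Image). Returns None when nothing is suspicious."""
    # The XLL runs inside Excel, so the dropped payload's parent is EXCEL.EXE.
    if _basename(event.get('ParentImage', '')).lower() != 'excel.exe':
        return None
    image = event.get('Image', '')
    if not _under_temp(image):
        return None
    name = _basename(image)
    if DNA_TEMP_NAME.match(name):
        return 'jssloader-xll-drop'      # high confidence: matches the reported naming
    if name.lower().endswith('.tmp'):
        return 'excel-exec-tmp'          # broader, noisier: Excel ran a .tmp file from Temp
    return None


def scan(events):
    """Run the rule over a batch of events; returns (time, verdict, image) hits."""
    hits = []
    for e in events:
        verdict = classify(e)
        if verdict:
            hits.append((e['UtcTime'], verdict, e['Image']))
    return hits


EXCEL = r'C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE'
WORD = r'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'

# Constructed events (not real telemetry) in Sysmon Event ID 1 field naming.
SAMPLE_EVENTS = [
    {'UtcTime': '2022-04-01 09:12:01', 'ParentImage': EXCEL,
     'Image': r'C:\Users\alice\AppData\Local\Temp\DNA1A2B.tmp'},
    {'UtcTime': '2022-04-01 09:12:03', 'ParentImage': EXCEL,
     'Image': r'C:\Windows\splwow64.exe'},                     # benign print helper
    {'UtcTime': '2022-04-01 09:15:40', 'ParentImage': WORD,
     'Image': r'C:\Users\alice\AppData\Local\Temp\DNA7.tmp'},  # wrong parent for this rule
    {'UtcTime': '2022-04-01 09:20:00', 'ParentImage': EXCEL,
     'Image': r'C:\Users\alice\AppData\Local\Temp\tmp9F3C.tmp'},
]

if __name__ == '__main__':
    for hit in scan(SAMPLE_EVENTS):
        print(*hit, sep='  ')
```

The rule is scoped to EXCEL.EXE as parent because that is the host the report describes; if other Office hosts are a concern, widen the parent check rather than dropping it, since an Office process executing a `.tmp` file from Temp is the behaviour worth alerting on, whatever the prefix.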