{
	"id": "633d9a89-8f2e-4ad7-ab5e-a142a2a2a31b",
	"created_at": "2026-04-06T00:07:28.187909Z",
	"updated_at": "2026-04-10T03:35:52.857361Z",
	"deleted_at": null,
	"sha1_hash": "90edd9e623f2c0cf17ed4d89fa7737d121017177",
	"title": "JSSLoader: Recoded and Reloaded | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 536007,
	"plain_text": "JSSLoader: Recoded and Reloaded | Proofpoint US\r\nBy Dennis Schwarz, Matthew Mesa and Crista Giering, June 24, 2021\r\nPublished: 2021-06-24 · Archived: 2026-04-02 10:40:05 UTC\r\nKey Takeaways\r\nAfter a months-long absence, the malware loader JSSLoader returned in June 2021 campaigns rewritten from the .NET programming language to C++.\r\nRewriting the malware could be an effort by threat actors to evade current detections.\r\nCurrent TA543 campaigns delivering JSSLoader are using similar lures to those observed by Proofpoint researchers in 2019, and the emails continue to contain links to a TDS landing page.\r\nOverview\r\nIn June 2021, Proofpoint researchers observed a new variant of the downloader JSSLoader in several campaigns impacting a variety of organizations. This version of the malware loader was rewritten from .NET to the C++ programming language. This change, while not unheard of, is not a common occurrence and could be an effort by the threat actors utilizing JSSLoader to evade current detections. JSSLoader is often dropped in the first or second stage of a campaign and has the functionality to profile infected machines and load additional payloads.\r\nThe campaigns are ongoing and use similar lures to those initially observed by Proofpoint researchers in 2019. According to our data, the recent campaigns have attempted to target as many as several hundred organizations at a time across a wide range of industries, including finance, manufacturing, technology, retail, healthcare, education, and transportation.\r\nMalware Analysis\r\nProofpoint researchers initially observed JSSLoader in September 2019. It was written in .NET at the time and was being actively developed. Fast forward nearly two years and Proofpoint has now identified this latest variant of the malware loader written in C++. It has much of the same functionality as previous iterations. The following provides a more in-depth look at that early version and the changes the loader has undergone since 2019.\r\n2019 Version of JSSLoader (.NET)\r\nJSSLoader is an initial access malware that was written in .NET and was named after its “JSS” namespace and “jssAdmin” command and control (C\u0026C) panel login page:\r\nhttps://www.proofpoint.com/us/blog/threat-insight/jssloader-recoded-and-reloaded\r\nPage 1 of 13\r\nFigure 1. JSSLoader C\u0026C panel login page from September 27, 2019 version.\r\nIts C\u0026C used HTTPS requests with base64-encoded data:\r\nFigure 2. Example C\u0026C request from September 27, 2019 version.\r\nThe initial C\u0026C beacon contained verbose system information:\r\nFigure 3. Example system information (trimmed for readability) from September 27, 2019 version.\r\nIts commands and functionality focused on executing a next stage executable or JavaScript:\r\nFigure 4. Commands from September 27, 2019 version.\r\n2020-2021 JSSLoader Changes (.NET)\r\nSince the initial version of JSSLoader, there have been gradual changes and improvements to the malware in successive campaigns. Morphisec wrote about some of these in a January 2021 paper titled “Threat Profile the Evolution of the FIN7 JSSLoader (PDF).” Two of the most visible changes were a switch from the verbose system information to a JSON object and the addition of new commands. For example, the JSSLoader used in a December 14, 2020 email-based campaign sent the following system information:\r\nFigure 5. Example system information (formatted and trimmed for readability) from December 14, 2020 version.\r\nWhile the formatting changed, the beacon contained much of the same information as the original version. In addition to the changes in the C\u0026C protocol, several new commands were added. The focus of the new commands was still on executing a next stage:\r\nFigure 6. Commands from December 14, 2020 version.\r\nAfter this December 2020 campaign, activity paused and the malware went through a redevelopment phase, according to Proofpoint’s visibility.\r\nJune 2021 JSSLoader (C++)\r\nIn June 2021, email campaigns resumed, but the JSSLoader malware had been redeveloped from the .NET programming language to C++ (this change was also noticed on infosec Twitter). It is not common for malware to be redeveloped in a different programming language, but it does happen occasionally. Proofpoint recently documented another initial access malware known as “Buer Loader” that was redeveloped from the C programming language to Rust. As noted in that blog post, rewriting malware can enable threat actors to better evade existing detection capabilities.\r\nThe C++ version of JSSLoader analyzed here is from a June 8, 2021 email-based campaign. It sets up “registry run” persistence using a value name of “AppJSSLoader” and has a similar style of system information beacon as the later .NET versions:\r\nFigure 7. Example system information (formatted and trimmed for readability) from June 8, 2021 C++ version.\r\nThe C++ version also has similar command functionality, though the developers switched from the “Cmd” prefix of the later .NET versions back to the “Task” prefix seen in the earlier .NET samples:\r\nFigure 8. Commands from June 8, 2021 C++ version.\r\nThe C\u0026C protocol and command similarity was likely a choice to remain backwards compatible with the existing .NET version’s C\u0026C panel software.\r\nCampaign Details\r\nJSSLoader appears to be exclusive to several threat actors. In fact, Proofpoint has only observed two actors using it since the first email campaign in 2019.\r\nMost of the campaigns were attributed to the threat actor tracked by Proofpoint as TA543. TA543 campaigns are characterized by their widespread distribution with opportunistic targeting. A typical campaign contains thousands of email messages and targets several hundred organizations. The lures used by TA543 typically focus on invoices and package delivery information.\r\nThe following sections describe and compare the original campaigns observed by Proofpoint in 2019 to the June 2021 campaigns.\r\nSeptember 2019 Campaign Example\r\nOn September 27, 2019, Proofpoint analysts observed a TA543 campaign spoofing Intuit branding. The threat actor used a likely compromised account for an email marketing service to send the malicious emails, which purported to be invoices and contained URLs linking to a landing page hosting BlackTDS. The TDS would direct the user to download another file, a VBS downloader, hosted on SharePoint. The VBS downloader would then download JSSLoader.\r\nDuring our analysis of JSSLoader, it additionally loaded a Griffon payload, which is historically associated with another actor, TA3546, also known as FIN7 or Carbanak. In the following months Proofpoint analysts observed TA543 shift to primarily delivering JSSLoader and/or other loaders that were often observed downloading other TA3546-associated payloads.\r\nFigure 9. TA543 email that leads to the download of JSSLoader.\r\nJune 2021 Campaign Example\r\nOn June 8, 2021, Proofpoint analysts observed a TA543 campaign spoofing UPS branding (Figure 10). The email contained URLs linking to a Keitaro TDS landing page. In turn, the landing page linked to the download of a Windows Scripting File (WSF) hosted on SharePoint. If executed, it downloaded an intermediate script, which then downloaded and executed the C++ version of JSSLoader.\r\nFigure 10. TA543 email sample from June 8, 2021, that leads to the download of JSSLoader.\r\nConclusion\r\nThe threat actors behind JSSLoader have continuously made modifications since its debut in 2019 and are likely to continue doing so with the 2021 variant. With the redevelopment of the malware into C++, which was possibly done to evade current detections and make analysis more difficult, Proofpoint researchers have not seen the .NET version in play. Instead, researchers anticipate seeing small refinements being made to the 2021 version in future campaigns, keeping in line with the evolution of the .NET version over the past two years.\r\nIndicators of Compromise\r\nIndicator | Type | Notes\r\ndd86898c784342fc11c42bea4c815cb536455ee709e7522fb64622d9171c465d | SHA256 | September 27, 2019 JSSLoader sample\r\nbikweb\\.com | Hostname | September 27, 2019 JSSLoader C\u0026C\r\na062a71a6268af048e474c80133f84494d06a34573c491725599fe62b25be044 | SHA256 | December 14, 2020 JSSLoader sample\r\nmonusorge\\.com | Hostname | December 14, 2020 JSSLoader C\u0026C\r\n7a17ef218eebfdd4d3e70add616adcd5b78105becd6616c88b79b261d1a78fdf | SHA256 | June 8, 2021 JSSLoader sample\r\ninjuryless\\.com | Hostname | June 8, 2021 JSSLoader C\u0026C\r\nET Signatures\r\n2033072 - ET TROJAN FIN7 JSSLoader Variant Activity (POST)\r\n2033074 - ET TROJAN FIN7 JSSLoader Variant Activity (GET)\r\n2838606 - ETPRO TROJAN Win32/jssLoader CnC Activity\r\n2838607 - ETPRO TROJAN Win32/jssLoader CnC Checkin\r\n2842028 - ETPRO TROJAN JSSLoader CnC Host Checkin\r\nSource: https://www.proofpoint.com/us/blog/threat-insight/jssloader-recoded-and-reloaded",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/jssloader-recoded-and-reloaded"
	],
	"report_names": [
		"jssloader-recoded-and-reloaded"
	],
	"threat_actors": [
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1998ad13-b343-4409-9a37-b1930d156a28",
			"created_at": "2023-09-17T02:00:09.948891Z",
			"updated_at": "2026-04-10T02:00:03.372224Z",
			"deleted_at": null,
			"main_name": "Storm-0324",
			"aliases": [
				"DEV-0324",
				"Sagrid",
				"TA543"
			],
			"source_name": "MISPGALAXY:Storm-0324",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434048,
	"ts_updated_at": 1775792152,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/90edd9e623f2c0cf17ed4d89fa7737d121017177.pdf",
		"text": "https://archive.orkl.eu/90edd9e623f2c0cf17ed4d89fa7737d121017177.txt",
		"img": "https://archive.orkl.eu/90edd9e623f2c0cf17ed4d89fa7737d121017177.jpg"
	}
}