{ "id": "fa508b6e-0723-4c72-92a1-8337559cfc59", "created_at": "2026-04-06T00:07:58.213579Z", "updated_at": "2026-04-10T03:35:53.173777Z", "deleted_at": null, "sha1_hash": "9f1faaee890e2df6d4c89e0c79fcd11a67d09936", "title": "JSSLoader: the shellcode edition", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 383739, "plain_text": "JSSLoader: the shellcode edition\r\nBy Mark Stockley\r\nPublished: 2022-08-14 · Archived: 2026-04-05 19:41:02 UTC\r\nThe Malwarebytes Threat Intelligence team observed a malspam campaign in late June that we attribute to the\r\nFIN7 APT group. One of the samples was also reported on Twitter by Josh Trombley; during execution, it was\r\nobserved to drop a secondary payload, written in .NET.\r\nDetails about FIN7 campaigns were described by Mandiant in the article “FIN7 Power Hour: Adversary\r\nArcheology and the Evolution of FIN7″. Earlier this year Morphisec and Secureworks described a new component\r\nused by this group, delivered in XLL format. That element was the first step in the attack chain leading to another\r\nmalware, dubbed JSSLoader. \r\nhttps://www.malwarebytes.com/blog/threat-intelligence/2022/08/jssloader-the-shellcode-edition\r\nPage 1 of 2\n\nDuring our analysis, we found out that the current malware used by FIN7 is yet another rewrite of JSSLoader with\r\nexpanded capabilities as well as new functions that include data exfiltration.\r\nIn this white paper, we will focus on the implementation details of the new observed sample, and provide a deep\r\ndive in the code, as well as compare it with earlier samples analyzed by other vendors.\r\nArticle continues below this ad.\r\nDownload the white paper.\r\nSource: https://www.malwarebytes.com/blog/threat-intelligence/2022/08/jssloader-the-shellcode-edition\r\nhttps://www.malwarebytes.com/blog/threat-intelligence/2022/08/jssloader-the-shellcode-edition\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://www.malwarebytes.com/blog/threat-intelligence/2022/08/jssloader-the-shellcode-edition" ], "report_names": [ "jssloader-the-shellcode-edition" ], "threat_actors": [ { "id": "9de1979b-40fc-44dc-855d-193edda4f3b8", "created_at": "2025-08-07T02:03:24.92723Z", "updated_at": "2026-04-10T02:00:03.755516Z", "deleted_at": null, "main_name": "GOLD LOCUST", "aliases": [ "Anunak", "Carbanak", "Carbon Spider ", "FIN7 ", "Silicon " ], "source_name": "Secureworks:GOLD LOCUST", "tools": [ "Carbanak" ], "source_id": "Secureworks", "reports": null }, { "id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf", "created_at": "2023-01-06T13:46:38.405479Z", "updated_at": "2026-04-10T02:00:02.961112Z", "deleted_at": null, "main_name": "FIN7", "aliases": [ "ATK32", "G0046", "G0008", "Sangria Tempest", "ELBRUS", "GOLD NIAGARA", "Coreid", "Carbanak", "Carbon Spider", "JokerStash", "CARBON SPIDER" ], "source_name": "MISPGALAXY:FIN7", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "f4f16213-7a22-4527-aecb-b964c64c2c46", "created_at": "2024-06-19T02:03:08.090932Z", "updated_at": "2026-04-10T02:00:03.6289Z", "deleted_at": null, "main_name": "GOLD NIAGARA", "aliases": [ "Calcium ", "Carbanak", "Carbon Spider ", "FIN7 ", "Navigator ", "Sangria Tempest ", "TelePort Crew " ], "source_name": "Secureworks:GOLD NIAGARA", "tools": [ "Bateleur", "Carbanak", "Cobalt Strike", "DICELOADER", "DRIFTPIN", "GGLDR", "GRIFFON", "JSSLoader", "Meterpreter", "OFFTRACK", "PILLOWMINT", "POWERTRASH", "SUPERSOFT", "TAKEOUT", "TinyMet" ], "source_id": "Secureworks", "reports": null }, { "id": "bfded1cf-be73-44f9-a391-0751c9996f9a", "created_at": "2022-10-25T15:50:23.337107Z", "updated_at": "2026-04-10T02:00:05.252413Z", "deleted_at": null, "main_name": "FIN7", "aliases": [ "FIN7", "GOLD NIAGARA", "ITG14", "Carbon Spider", "ELBRUS", "Sangria Tempest" ], "source_name": "MITRE:FIN7", "tools": [ "Mimikatz", "AdFind", "JSS Loader", "HALFBAKED", "REvil", "PowerSploit", "CrackMapExec", "Carbanak", "Pillowmint", "Cobalt Strike", "POWERSOURCE", "RDFSNIFFER", "SQLRat", "Lizar", "TEXTMATE", "BOOSTWRITE" ], "source_id": "MITRE", "reports": null }, { "id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82", "created_at": "2022-10-25T16:07:23.619566Z", "updated_at": "2026-04-10T02:00:04.690061Z", "deleted_at": null, "main_name": "FIN7", "aliases": [ "APT-C-11", "ATK 32", "G0046", "Gold Niagara", "GrayAlpha", "ITG14", "TAG-CR1" ], "source_name": "ETDA:FIN7", "tools": [ "7Logger", "Agentemis", "Anubis Backdoor", "Anunak", "Astra", "BIOLOAD", "BIRDWATCH", "Bateleur", "Boostwrite", "CROWVIEW", "Carbanak", "Cobalt Strike", "CobaltStrike", "DICELOADER", "DNSMessenger", "FOWLGAZE", "HALFBAKED", "JSSLoader", "KillACK", "LOADOUT", "Lizar", "Meterpreter", "Mimikatz", "NetSupport", "NetSupport Manager", "NetSupport Manager RAT", "NetSupport RAT", "NetSupportManager RAT", "POWERPLANT", "POWERSOURCE", "RDFSNIFFER", "Ragnar Loader", "SQLRAT", "Sardonic", "Sekur", "Sekur RAT", "TEXTMATE", "Tirion", "VB Flash", "cobeacon" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434078, "ts_updated_at": 1775792153, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/9f1faaee890e2df6d4c89e0c79fcd11a67d09936.pdf", "text": "https://archive.orkl.eu/9f1faaee890e2df6d4c89e0c79fcd11a67d09936.txt", "img": "https://archive.orkl.eu/9f1faaee890e2df6d4c89e0c79fcd11a67d09936.jpg" } }