{
	"id": "80808795-7301-49c4-a1cd-fa8350079645",
	"created_at": "2026-04-06T00:14:42.930624Z",
	"updated_at": "2026-04-10T03:25:40.413937Z",
	"deleted_at": null,
	"sha1_hash": "a55a53a8d96894273342541964cc89cefb7e024b",
	"title": "Resecurity | The New Version of JsOutProx is Attacking Financial Institutions in APAC and MENA via GitLab Abuse",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2255615,
	"plain_text": "Resecurity | The New Version of JsOutProx is Attacking Financial\r\nInstitutions in APAC and MENA via GitLab Abuse\r\nPublished: 2024-04-03 · Archived: 2026-04-05 17:28:05 UTC\r\nIntro\r\nResecurity has detected a new version of JSOutProx, targeting financial services and organizations in the APAC\r\nand MENA regions. JSOutProx is a sophisticated attack framework utilizing both JavaScript and .NET. It employs\r\nthe .NET (de)serialization feature to interact with a core JavaScript module running on the victim's machine. Once\r\nexecuted, the malware enables the framework to load various plugins, which conduct additional malicious\r\nactivities on the target. This malware was first identified in 2019 and was initially attributed to SOLAR SPIDER's\r\nphishing campaigns, which delivered the JSOutProx RAT to financial institutions across Africa, the Middle East,\r\nSouth Asia, and Southeast Asia.\r\nNotable Pattern - From GitHub to GitHab Abuse\r\nThe spike in this activity was identified around February 8, 2024, when a major system integrator based in the\r\nKingdom of Saudi Arabia reported an incident targeting customers of one of their major banks regional banks.\r\nResecurity assisted multiple victims in acquiring relevant malicious code artifacts due to Digital Forensics \u0026\r\nIncident Response (DFIR) engagement and helped recover the payload. Multiple banking customers were targeted\r\nvia an impersonation attack using the \"mike.will@my[.]com\" email account. 
The actors employed a fake SWIFT\r\npayment notification (for enterprise customers) and a MoneyGram template (for private customers), using\r\nmisleading notifications to confuse victims and execute malicious code.\r\nhttps://www.resecurity.com/blog/article/the-new-version-of-jsoutprox-is-attacking-financial-institutions-in-apac-and-mena-via-gitlab-abuse\r\nPage 1 of 14\n\nMost of the identified payloads were hosted on GitHub repositories. Notably, independent cybersecurity\r\nresearchers first reported some of these payloads around November 14, 2023. 
Solar Spider is employing the\r\nclassic Masquerading technique (T1036), disguising its code as a PDF file rather than JS code.\r\nAs a result of the multi-stage infection chain, the actors drop multiple obfuscated JS-based payloads to collect\r\nsensitive information and plant a proxy server to connect remotely to the victim.\r\nMarch 27, 2024 - Resecurity became aware of a new malware sample attributed to the same group. 
The notable\r\ndifference was the use of GitLab (instead of GitHub) in the multi-stage infection chain:\r\nhxxps://gitlab[.]com/godicolony4040/dox05/-/raw/main/Transactions_Copy_65880983136606696162127010122_65890982136606696162127010102.zip\r\nhxxps://gitlab[.]com/godicolony4040/dox05/-/raw/b540e3682457f2499b687fa0cd213b03ba77290c/Transactions_Copy_65880983136606696162127010122_65890982136606696162127010102.zip\r\nThe actor registered multiple accounts on GitLab around March 25, 2024, and used them to deploy repositories\r\ncontaining malicious payloads.\r\nThe identified repositories controlled by the actor were:\r\ndocs909 (created April 2, 2024)\r\ndox05 (created March 26, 2024)\r\nOnce the malicious code has been successfully delivered, the actor removes the repository and creates a new one.\r\nThis tactic is likely how the actor manages multiple malicious payloads and differentiates between targets.\r\nResecurity acquired the most recent malware payloads uploaded by the actor on April 2, 2024:\r\nReverse Engineering\r\nThe analysis of this malware, as provided below, can be used to detect, mitigate, and prevent threat campaigns\r\nutilizing JSOutProx.\r\nThe JSOutProx RAT malware features complex obfuscation within its JavaScript backdoor structure. It boasts a\r\nmodular plugin architecture, which enables it to execute shell commands, handle file uploads and downloads, run\r\nfiles, modify the file system, ensure persistence, capture screenshots, and control keyboard and mouse actions. 
A\r\ndistinctive aspect of this malware is its utilization of the Cookie header field in its command and control (C2)\r\ncommunications.\r\nWe downloaded the implants and unzipped them from their archives. They had been obfuscated using\r\nobfuscator.io. After deobfuscating them, we obtained the decoded JavaScript code.\r\nObfuscated implant:\r\nDeobfuscated implant:\r\nThe 1st stage implant supports the following commands:\r\npat – update implant\r\nuss.s – set proxy and update sleep time\r\nuss.g – set proxy and set sleep time to C2\r\nupd – update and restart implant\r\nl32 – start x86 process\r\nl64 – start x64 process\r\ndcn – exit\r\nejs – evaluate javascript code\r\nint.g – send sleep time to C2\r\nint.s – update sleep time\r\nThe script interacts with Windows Script Host (WSH) objects, such as ActiveXObject, to perform operations\r\ntypical for automation or administration tasks, but for malicious purposes. For example, it uses\r\nWinHttp.WinHttpRequest.5.1 for HTTP requests, WScript.Shell for executing commands, and\r\nScripting.FileSystemObject for file system access. 
Additionally, WMI is utilized to retrieve information about the\r\nsystem.\r\nUsing WMI, the implant collects information about the victim's environment:\r\nThe implant uses the following static User Agent, which could potentially be used for malware tracking:\r\nMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36 Edg/118.0.2088.76\r\nThe implant communicates with command and control (C2C) servers deployed using Dynamic DNS, for example:\r\nhttp://mdytreudsgurifedei.ddns.net:9708/\r\nhttp://kiftpuseridsfryiri.ddns.net:8907/\r\nhttp://hudukpgdgfytpddswq.ddns.net:8843/\r\nhttp://ykderpgdgopopfuvgt.ddns.net:7891/\r\nOne unique feature of the malware is its use of the Cookie header field in its command and control (C2C)\r\ncommunication. During its initialization routine, the malware gathers various types of information. These\r\ninformation values are separated by the delimiter \"_|_\", concatenated, hex-encoded, and then set in the Cookie\r\nheader field.\r\nThe 2nd-stage implant supports the following additional plugins:\r\nActivityPlugin\r\nEnables the RAT to be in an Online or Offline state. When the state is online, it\r\ncreates an adodb.stream object to save downloaded/collected data on disk. \r\nCensorMiniPlugin\r\nEnables/disables proxy settings on the user machine by modifying the registry key\r\n“Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyEnable”\r\nAdminConsolePlugin  \r\nCensorPlugin  \r\nClipboardPlugin\r\nIt is used to copy the clipboard data and send it to C2. It can also modify clipboard\r\ndata.\r\nDnsPlugin\r\nUsed to set DNS path. 
Add or modify new path in\r\nC:\\Windows\\System32\\drivers\\etc\\hosts.\r\nLibraryPlugin Sends a list of the .NET versions installed on the machine to C2.\r\nOutlookPlugin Accesses the Outlook account details and contacts list.\r\nPriviledgePlugin\r\nThe “UAC” option writes to the registry location\r\n“SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\”, setting\r\nthe values EnableLUA and ConsentPromptBehaviorAdmin to 0. The option\r\n“elevateScript” executes the script using wscript.exe with the batch mode option.\r\nThe option “elevateCommand” executes the command using WSH with the ‘runas’ flag.\r\nIt also has options for using UAC bypass techniques such as fodhelper.exe, Slui File\r\nHandler Hijacking, CompMgmtLauncher, EventViewer.exe, etc.\r\nPromptPlugin  \r\nProxyPlugin Sets DNS path. Add or modify new path in C:\\Windows\\System32\\drivers\\etc\\hosts.\r\nShortcutPlugin\r\nCreates a shortcut file for a given executable. Executes the shortcut file. Gets the target\r\nof a shortcut file or dumps the content of the file.\r\nRecoveryPlugin  \r\nTokensPlugin Steals OTPs received from the Symantec VIP application.\r\nIndustrial Implant with Chinese Character\r\nBefore the newly identified campaign targeting multiple financial institutions in the APAC and MENA regions,\r\nJSOutProx was actively used in targeted attacks against Indian Cooperative Banks and Finance Companies.\r\nIn April 2020, ZScaler observed several targeted attacks on Indian government establishments and the banking\r\nsector. Organizations such as the Reserve Bank of India (RBI), IDBI Bank, and the Department of Refinance\r\n(DOR) within the National Bank for Agriculture and Rural Development (NABARD) in India received emails with\r\narchive file attachments. These attachments contained JavaScript and Java-based backdoors.\r\nFurther analysis of the JavaScript-based backdoor allowed us to correlate it with the JSOutProx RAT. 
This RAT\r\nwas first used by a threat actor in December 2019, as mentioned by Yoroi. The Java-based RAT in this attack\r\nprovided functionalities similar to the JavaScript-based backdoor.\r\nIn one such campaign, the actors leveraging JSOutProx targeted government officials in NABARD (The National\r\nBank for Agriculture and Rural Development, a national financial institution in India), using a malicious archive\r\nfile attachment.\r\nThe actors used specific naming conventions for malicious files relevant to the government sector. Examples\r\ninclude:\r\nNodal_Police_Stations_furnished_MHA_GOI_New_Delhi_xlsx.hta\r\nSlip_RTGS_IDBI_To_HDFC_pdf.hta\r\n2685-Vishwambharlal_Kanahiyalal_Bhoot_Attachment_Order_pdf.hta\r\nNPCI_Compliance_Form_pdf.hta\r\nBased on the analysis of the most recent campaign, the following victims have been identified:\r\ngovernment organizations in India\r\ngovernment organizations in Taiwan\r\nfinancial organizations in the Philippines\r\nfinancial organizations in Laos\r\nfinancial organizations in Singapore\r\nfinancial organizations in Malaysia\r\nfinancial organizations in India\r\nfinancial organizations in KSA\r\nConsidering the malware's significant sophistication, the profile of the targets, and the geography of past attacks, it\r\ncan be suggested with a moderate level of confidence that JSOutProx may have been developed by actor(s) from\r\nChina or those affiliated with it.\r\nThe malware was initially identified around 2019 and has been constantly improved, which may indicate an\r\norganized and continuous effort in its development.\r\nIndicators of Compromise (IOCs)\r\nThe following indicators of compromise (IOCs) are 
associated with the recent JSOutProx malware campaigns, as\r\ndescribed above, from November 14, 2023, March 27, 2024, and April 2, 2024:\r\nC2C Communications\r\nNotably, some of the IP 
addresses identified in the most recent campaign from April 2, 2024, such as\r\n185.244.30[.]218, were related to the Freemesh project.\r\nFreemesh redirects to a website dedicated to a non-commercial initiative for free wireless networks.\r\nIt is possible that the actor purposely deployed the command and control (C2C) host in such infrastructure to abuse\r\nit and conceal malicious network activity.\r\nIn fact, 185.244.30[.]218 is related to \"The Privacy First Project\", a non-profit which claims to provide \"IPv4\r\nspace to the Freemesh community (\"Freifunk\"), the operators of TOR nodes, small VPN providers and take care of\r\nprocessing the incoming complaints\". The project also states that it keeps no log files.\r\nBased on VirusTotal historical data, this host has an extensive malicious activity history and multiple subdomains\r\ntied to the JsOutProx infrastructure specifically.\r\nResecurity has reached out to both operators to learn more about this activity. Our team has arranged successful\r\ntakedowns of multiple C2C servers to disrupt the new JsOutProx campaign. 
\r\nReferences\r\nSolar Spider (Threat Actor)\r\nhttps://www.crowdstrike.com/adversaries/solar-spider/\r\nFinancial Institutions in the Sight of New JsOutProx Attack Waves\r\nhttps://yoroi.company/en/research/financial-institutions-in-the-sight-of-new-jsoutprox-attack-waves/\r\nMulti-Staged JSOutProx RAT Targets Indian Co-Operative Banks and Finance Companies\r\nhttps://www.seqrite.com/documents/en/white-papers/whitepaper-multi-staged-jsoutprox-rat-target-india...\r\nUnveiling JsOutProx: A New Enterprise Grade Implant\r\nhttps://securityaffairs.com/95438/malware/jsoutprox-enterprise-grade-implant.html\r\nAdversary Playbook: JavaScript RAT Looking for that Government Cheese\r\nhttps://www.fortinet.com/blog/threat-research/adversary-playbook-javascript-rat-looking-for-that-gov...\r\nConclusion\r\nThe increasing abuse of Public Cloud and Web 3.0 Services is a favored tactic among threat actors to distribute\r\nmalicious code. In February 2024, Resecurity highlighted this trend in a comprehensive threat research\r\npublication. This report underscored the continuous evolution of cybercriminals' arsenals and their innovative\r\nstrategies to escalate global malicious campaigns.\r\nThe discovery of the new version of JSOutProx, coupled with the exploitation of platforms like GitHub and\r\nGitLab, emphasizes these malicious actors' relentless efforts and sophisticated consistency. First detected in 2019,\r\nJSOutProx remains a significant and evolving threat, particularly to financial institution customers. 
This year, in a\r\nworrying expansion of scope, these threat actors have broadened their horizons in the MENA region, intensifying\r\ntheir cybercriminal footprint.\r\nAs these threats escalate in complexity and reach, Resecurity remains vigilant in its pursuit of tracking JSOutProx\r\nand safeguarding financial institutions and their customers globally from such nefarious activities.\r\nSource: https://www.resecurity.com/blog/article/the-new-version-of-jsoutprox-is-attacking-financial-institutions-in-apac-and-mena-via-gitlab-abuse",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.resecurity.com/blog/article/the-new-version-of-jsoutprox-is-attacking-financial-institutions-in-apac-and-mena-via-gitlab-abuse"
	],
	"report_names": [
		"the-new-version-of-jsoutprox-is-attacking-financial-institutions-in-apac-and-mena-via-gitlab-abuse"
	],
	"threat_actors": [
		{
			"id": "99d9dd87-91c3-4371-9943-0a1c9c3cd99c",
			"created_at": "2022-10-25T16:07:23.277763Z",
			"updated_at": "2026-04-10T02:00:04.514755Z",
			"deleted_at": null,
			"main_name": "Solar Spider",
			"aliases": [],
			"source_name": "ETDA:Solar Spider",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e227b757-7032-4a99-b119-1bfda2ebd543",
			"created_at": "2023-01-06T13:46:39.21663Z",
			"updated_at": "2026-04-10T02:00:03.248543Z",
			"deleted_at": null,
			"main_name": "SOLAR SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:SOLAR SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434482,
	"ts_updated_at": 1775791540,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a55a53a8d96894273342541964cc89cefb7e024b.pdf",
		"text": "https://archive.orkl.eu/a55a53a8d96894273342541964cc89cefb7e024b.txt",
		"img": "https://archive.orkl.eu/a55a53a8d96894273342541964cc89cefb7e024b.jpg"
	}
}