{
	"id": "ebb646a0-c12b-4e87-b414-f02e228251e6",
	"created_at": "2026-04-06T02:11:58.626835Z",
	"updated_at": "2026-04-10T03:35:52.768347Z",
	"deleted_at": null,
	"sha1_hash": "a8b545dfb59cd2f81cdbd75dda219aafd80b1a99",
	"title": "The Evolution of the FIN7 JSSLoader",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 554890,
	"plain_text": "The Evolution of the FIN7 JSSLoader\r\nBy Arnold Osipov\r\nArchived: 2026-04-06 02:04:37 UTC\r\nThis report has been updated with assistance from the cybersecurity community.\r\nIntroduction\r\nMorphisec Labs has been tracking FIN7 (Carbanak Group) activity for the past several years. Morphisec’s ability to collect rich forensic data from memory has provided unique visibility into multiple FIN7 campaigns that our researchers were proud to share with MITRE and the InfoSec community at large. FIN7 is a well-funded, financially motivated cybercrime group. Their advanced techniques and tactics were even emulated in the third round of the MITRE ATT\u0026CK evaluations.\r\nThis report presents an attack chain that was intercepted and prevented within a customer’s network in December 2020, then focuses on a component of a typical FIN7 attack chain: JSSLoader. Though JSSLoader is well known as a minimized .NET RAT, few details have been publicly available on its various capabilities, such as exfiltration, persistence, auto-update, malware downloading, and more. Furthermore, on the many occasions where JSSLoader is mentioned, there are few details on the complete attack chain. The following provides a never-before-seen technical analysis of this infamous group’s JSSLoader as part of an end-to-end attack.\r\nFIN7 JSSLoader Technical Analysis\r\nBelow is an example of a typical phishing campaign that may lead to a FIN7 JSSLoader compromise as well as to other malware such as QBOT; the traffic is then redirected through the BlackTDS traffic distribution system. In this example an email is sent from “Natural Health Sherpa” with an invoice to pay from QuickBooks.\r\nhttps://blog.morphisec.com/the-evolution-of-the-fin7-jssloader\r\nPage 1 of 4\n\nFigure 1: A typical phishing campaign\r\nClicking the invoice link leads to a private SharePoint directory that stores an archive file containing a VBScript (later changed to a WSF, Windows Script File).\r\nFigure 2: The private SharePoint directory.\r\nShortly after this phishing campaign, “Natural Health Sherpa” posted this on social media.\r\nFigure 3: Natural Health Sherpa’s message on social media.\r\nThis VBScript downloads and executes the next stage’s VBScript in memory. This second stage was recently introduced. The in-memory script downloads and writes a .NET module (JSSLoader) to disk, then executes the module through a scheduled task with a newly introduced timeout delay to bypass attack chain monitoring.\r\nIt is worth mentioning that the early versions of the VB scripts have a strong resemblance to the ongoing QBOT campaign that may lead to an Egregor compromise.\r\nThe JSSLoader is a RAT (Remote Access Trojan) with multiple capabilities that were introduced over time. These various capabilities are documented throughout this report. In the specific attack chain that was recently intercepted, the RAT typically executes a Takeout script which is responsible for the reflective loading and execution of Carbanak.\r\nNot surprisingly, the C2 hosting provider is a company named FranTech Solutions, which has been used before by the FIN7 group.\r\nNote: Morphisec CTO Michael Gorelik contributed to this analysis.\r\nAbout the author\r\nArnold Osipov\r\nMalware Researcher\r\nArnold Osipov is a Malware Researcher at Morphisec, who has spoken at BlackHat and has been recognized by Microsoft Security for his contributions to malware research related to Microsoft Office. Prior to his arrival at Morphisec 6 years ago, Arnold was a Malware Analyst at Check Point.\r\nSource: https://blog.morphisec.com/the-evolution-of-the-fin7-jssloader",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blog.morphisec.com/the-evolution-of-the-fin7-jssloader"
	],
	"report_names": [
		"the-evolution-of-the-fin7-jssloader"
	],
	"threat_actors": [
		{
			"id": "c9617bb6-45c8-495e-9759-2177e61a8e91",
			"created_at": "2022-10-25T15:50:23.405039Z",
			"updated_at": "2026-04-10T02:00:05.387643Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Carbanak",
				"Anunak"
			],
			"source_name": "MITRE:Carbanak",
			"tools": [
				"Carbanak",
				"Mimikatz",
				"PsExec",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775441518,
	"ts_updated_at": 1775792152,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a8b545dfb59cd2f81cdbd75dda219aafd80b1a99.pdf",
		"text": "https://archive.orkl.eu/a8b545dfb59cd2f81cdbd75dda219aafd80b1a99.txt",
		"img": "https://archive.orkl.eu/a8b545dfb59cd2f81cdbd75dda219aafd80b1a99.jpg"
	}
}