{
	"id": "eb257fee-acc6-435e-9747-20500edce3ea",
	"created_at": "2026-04-06T00:17:32.367452Z",
	"updated_at": "2026-04-10T03:37:26.643341Z",
	"deleted_at": null,
	"sha1_hash": "acdb520b65281997fbf3bd855f6bbd0e286c0187",
	"title": "BrushaLoader still sweeping up victims one year later | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2002468,
	"plain_text": "BrushaLoader still sweeping up victims one year later | Proofpoint US\r\nBy July 22, 2019 Kafeine and the Proofpoint Threat Insight Team\r\nPublished: 2019-07-22 · Archived: 2026-04-05 14:38:52 UTC\r\nOverview\r\nBrushaLoader is one of a growing group of downloaders frequently employed by threat actors to profile infected PCs\r\nand then load more robust payloads on devices of interest. Malware like BrushaLoader contributes to the ongoing trend\r\nof “quality over quantity” infections and enables threat actors to better stay under the radar than they can with highly\r\ndisruptive infections like ransomware or when distributing massive malicious spam campaigns with high-profile\r\nmalware as their primary payload. At the same time, these loaders can also deliver those same disruptive infections if\r\nthreat actors choose to load ransomware as secondary payloads, a scenario we have observed on multiple occasions\r\nrecently.\r\nBrushaLoader itself first appeared in June 2018 [1]. Now, just over a year later, we have observed the loader in a\r\nnumber of campaigns by prominent threat actors. We derived the name for this VisualBasic/JavaScript/PowerShell\r\nloader from the “Rusha” author of the command and control (C\u0026C) panel.\r\nFigure 1: BrushaLoader C\u0026C panel: \"Copyright\" section\r\nAnalysis\r\nImmediately after executing, BrushaLoader receives a PowerShell script called \"PowerEnum\" [5] (Figure 2).\r\nFigure 2: HTTP portion of BrushaLoader delivery and post-infection activity (PowerEnum activity is not illustrated\r\nhere); captured February 7, 2019\r\nPowerEnum performs extensive fingerprinting on infected devices and sends the data back to the C\u0026C. This\r\ncommunication occurs over a raw TCP \"parallel\" channel to BrushaLoader. 
PowerEnum is also used to send tasks, which were originally stored on Dropbox [2][3] and more recently were hosted on Google Drive [4]. PowerEnum is integral to BrushaLoader and shares the same C\u0026C infrastructure. Interestingly, we also observed PowerEnum as a Fallout EK payload delivering Danabot Affid \"4\" (Figure 3).\r\nhttps://www.proofpoint.com/us/threat-insight/post/brushaloader-still-sweeping-victims-one-year-later\r\nPage 1 of 11\r\nFigure 3: Fallout EK dropping PowerEnum, which has been observed instructing the download of Danabot Affid 4 and a BackConnect Socks.dll\r\nPayloads\r\nBrushaLoader is strongly connected to the Danabot banking Trojan Affid \"3\". However, this connection is not exclusive, as we have observed it in conjunction with other malware as well (Figure 4).\r\nFigure 4: A selection of documented campaigns involving BrushaLoader over the last year\r\nFigure 4 illustrates a number of noteworthy events:\r\nUnusual Payload:\r\nUrsnif in Italy\r\nGootkit in Canada\r\nNymaim in Poland\r\nUnusual Spreading:\r\nTA544 [6], also known as Narwhal Spider [7], on May 14, 2019, in a T-Mobile-themed campaign\r\nThe C\u0026C panel\r\nEarly in its distribution, we observed the BrushaLoader C\u0026C panel and were surprised by the success of a “basic” campaign using compressed-VBS attachments. 
Despite requiring several user interactions, the actors were able to ensnare more than 4,000 computers in 36 hours (Figures 5 through 7).\r\nFigure 5: BrushaLoader C\u0026C panel - Victims a few hours after the beginning of a July 5, 2018 malicious spam campaign\r\nFigure 6: BrushaLoader C\u0026C panel - Victims approximately 24 hours after the beginning of a July 5, 2018 campaign (captured July 6, 2018)\r\nFigure 7: BrushaLoader C\u0026C panel - Victims approximately 36 hours after the beginning of a July 5, 2018 campaign (captured July 9, 2018)\r\nFigure 8: BrushaLoader C\u0026C panel - Commands/Tasks\r\nFigure 9: BrushaLoader C\u0026C panel - Home\r\nFigure 10: BrushaLoader C\u0026C panel - The Google Drive link is the payload sent via raw TCP after PowerEnum fingerprinting\r\nFigure 11: BrushaLoader C\u0026C panel - jSloader configuration\r\nConclusion\r\nThough one of many downloaders in regular use, BrushaLoader has emerged in connection with numerous secondary payloads such as DanaBot and prolific actors including TA544. We have observed it in multiple geographies and a variety of campaigns. Moreover, insights from the command and control panel suggest high infection success rates for the loader, enabling deployment of a range of payloads by actors using the malware. While loaders fail to garner headlines like high-profile ransomware attacks, they have emerged as a key element of many threat actors’ toolkits. 
We will continue to monitor trends around this malware family and BrushaLoader in particular.\r\nAcknowledgement\r\nWe would like to thank @Racco42 for his multiple inputs in our tracking in the past year.\r\nReferences\r\n[1] https://4programmers.net/Forum/Off-Topic/310825-vbs_wirus_analiza?p=1490086\r\n[2] https://urlhaus.abuse.ch/url/85687/\r\n[3] https://urlhaus.abuse.ch/url/74920/\r\n[4] https://urlhaus.abuse.ch/url/154856/\r\n[5] https://urlhaus.abuse.ch/browse.php?search=chkesosod\r\n[6] https://www.proofpoint.com/us/threat-insight/post/urlzone-top-malware-japan-while-emotet-and-line-phishing-round-out-landscape-0\r\n[7] https://www.crowdstrike.com/blog/cutwail-spam-campaign-uses-steganography-to-distribute-urlzone/\r\n[8] https://blog.talosintelligence.com/2019/02/combing-through-brushaloader.html\r\nIndicators of Compromise (IOCs)\r\nIOC | IOC Type | Description | Date\r\neb12ece1bb8ebaf888282db3c6c852f3e21397d60b45a694c424690b2d6fe838 | sha256 | Ursnif dropped by BrushaLoader | 2018-08-21\r\nbf70c2a22bfb0cc952b29689394e623b632f1c3371f2a6864fd26514639393aa | sha256 | Canada-focused Gootkit dropped by BrushaLoader | 2018-08-02\r\na3f00f3b77faed13f24c8d572fe59ac38a2467449a60a1b9dc1c64baeb145b0a | sha256 | PowerEnum | 2019-03-08\r\n04869bef3007a33e8bf9b14bd650e2b872daa6d2bb2b5ea35d4cb271f35d49e2 | sha256 | PowerEnum | 2019-06-19\r\nd994f65735bb53dda95f7ab097e59bbd2043f8091d246bc4e21ba55ba6bda764 | sha256 | Poland-focused Nymaim dropped by BrushaLoader | 2018-12-27\r\na1a6886f86ac1080d2fc3d645a8a1223209bfb1e91918d90a99b06d559ccb010 | sha256 | aced-VBS spread by TA544 | 2019-05-14\r\nfees.tetofevent[.]online|210.16.101[.]169 | domain|IP | GidensTDS leading after filtering to BrushaLoader download | 2019-02-07\r\nanaliticap[.]info|185.203.117.63 | domain|IP | PowerEnum (dropped by Fallout) C\u0026C | 2019-06-06\r\nhttps[:]//drive.google[.]com:443/uc?id=14ok5q46YDL8wL1HLmQyuWi0n-xRgtHxq\u0026export=download | URL | PowerEnum Task (Danabot Affid 4) | 2019-06-06\r\nET and ETPRO Suricata/Snort Signatures\r\n2832054 || ETPRO INFO Possible System Enumeration via PowerShell over TCP (OSVersion.Version)\r\n2832055 || ETPRO INFO Possible System Enumeration via PowerShell over TCP (GetCurrent User)\r\n2832053 || ETPRO INFO Possible System Enumeration via PowerShell over TCP (Win32 Get-WmiObject)\r\n2833475 || ETPRO INFO Possible System Enumeration via PowerShell over TCP (Win32_ComputerSystem)\r\n2833477 || ETPRO INFO Possible System Enumeration via PowerShell over TCP (System Language)\r\n2833476 || ETPRO INFO Possible System Enumeration via PowerShell over TCP (OS Install Date)\r\n2833478 || ETPRO INFO Possible System Enumeration via PowerShell over TCP (Win32_VideoController)\r\n2833472 || ETPRO CURRENT_EVENTS PowerShell Downloader Saving Payload to AppData Inbound Over Raw TCP\r\n2834482 || ETPRO TROJAN PowerEnum Sending Base64 Payload Part 1\r\n2834483 || ETPRO TROJAN PowerEnum Sending Base64 Payload Part 2\r\n2833473 || ETPRO CURRENT_EVENTS PowerShell Loader with Wide Base64 Encoded Stage 2 Inbound Over Raw TCP\r\nSource: https://www.proofpoint.com/us/threat-insight/post/brushaloader-still-sweeping-victims-one-year-later",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/brushaloader-still-sweeping-victims-one-year-later"
	],
	"report_names": [
		"brushaloader-still-sweeping-victims-one-year-later"
	],
	"threat_actors": [
		{
			"id": "c91f7778-69aa-45fa-be0e-4ee33daf8fbd",
			"created_at": "2023-01-06T13:46:39.110148Z",
			"updated_at": "2026-04-10T02:00:03.216613Z",
			"deleted_at": null,
			"main_name": "NARWHAL SPIDER",
			"aliases": [
				"GOLD ESSEX",
				"TA544",
				"Storm-0302"
			],
			"source_name": "MISPGALAXY:NARWHAL SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cc045f52-bbdb-4fcc-8fbf-a0d8a7c5e64f",
			"created_at": "2022-10-25T16:07:24.519535Z",
			"updated_at": "2026-04-10T02:00:05.019918Z",
			"deleted_at": null,
			"main_name": "Narwhal Spider",
			"aliases": [
				"Gold Essex",
				"Storm-0302"
			],
			"source_name": "ETDA:Narwhal Spider",
			"tools": [
				"Cutwail",
				"Pushdo"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "956fc691-b6c6-4b09-b69d-8f007c189839",
			"created_at": "2025-08-07T02:03:24.860251Z",
			"updated_at": "2026-04-10T02:00:03.656547Z",
			"deleted_at": null,
			"main_name": "GOLD ESSEX",
			"aliases": [
				"Narwhal Spider ",
				"Storm-0302 ",
				"TA544 "
			],
			"source_name": "Secureworks:GOLD ESSEX",
			"tools": [
				"Cutwail",
				"Pony",
				"Pushdo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1f679d2e-c5c9-49e9-b854-2eca06a870e4",
			"created_at": "2022-10-25T16:07:24.453427Z",
			"updated_at": "2026-04-10T02:00:04.997515Z",
			"deleted_at": null,
			"main_name": "Bamboo Spider",
			"aliases": [
				"Bamboo Spider",
				"TA544"
			],
			"source_name": "ETDA:Bamboo Spider",
			"tools": [
				"AndroKINS",
				"Bebloh",
				"Chthonic",
				"DELoader",
				"Dofoil",
				"GozNym",
				"Gozi ISFB",
				"ISFB",
				"Nymaim",
				"PandaBanker",
				"Pandemyia",
				"Sharik",
				"Shiotob",
				"Smoke Loader",
				"SmokeLoader",
				"Terdot",
				"URLZone",
				"XSphinx",
				"ZLoader",
				"Zeus OpenSSL",
				"Zeus Panda",
				"Zeus Sphinx",
				"ZeusPanda",
				"nymain"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434652,
	"ts_updated_at": 1775792246,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/acdb520b65281997fbf3bd855f6bbd0e286c0187.pdf",
		"text": "https://archive.orkl.eu/acdb520b65281997fbf3bd855f6bbd0e286c0187.txt",
		"img": "https://archive.orkl.eu/acdb520b65281997fbf3bd855f6bbd0e286c0187.jpg"
	}
}