{
	"id": "f60a5f01-36e1-436e-8fa0-a02523c4af98",
	"created_at": "2026-04-06T00:21:55.341518Z",
	"updated_at": "2026-04-10T03:36:48.464206Z",
	"deleted_at": null,
	"sha1_hash": "b0d739dcf094d75bdef9f31ea74a681fc7719cfd",
	"title": "IceRat evades antivirus by running PHP on Java VM",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1651384,
	"plain_text": "IceRat evades antivirus by running PHP on Java VM\r\nBy Karsten Hahn\r\nPublished: 2021-06-15 · Archived: 2026-04-05 15:06:18 UTC\r\n12/01/2020\r\nReading time: 5 min (1459 words)\r\nIceRat keeps low detection rates for weeks by using an unusual language implementation: JPHP. But there are more reasons than the choice of the compiler. This article explores IceRat and explains a way to analyze JPHP malware.\r\nDiscovery of IceRat\r\nUser McMcbrad of the Malwaretips.com forums discovered the first IceRat samples[5][7]. The malware caught his interest due to the low detection rates on VirusTotal for most related samples. At the time of discovery only 2 to 3 engines showed a detection despite the samples being a month old.\r\nStatic analysis reveals that most components of IceRat are written in JPHP. This is a PHP implementation that runs on the Java VM. This implementation uses .phb files instead of Java .class files -- a file type that, as I suspect, is not commonly supported by antivirus products. So far I haven't heard of or found any other malware that uses JPHP, which partially explains the low detection rates on VirusTotal.\r\nThe name IceRat is based on the module name of an older sample[11] that McMcbrad found.\r\nDecompiling JPHP\r\nThere don't seem to be any tools to decompile JPHP code yet. But JPHP has to produce Java bytecode in order to run in the Java VM. So decompilation to Java code is possible.\r\nUnpacking the executable[5] with 7zip reveals the following structure.\r\nhttps://www.gdatasoftware.com/blog/icerat-evades-antivirus-by-using-jphp\r\nPage 1 of 9\n\nAs I noticed after looking at several JPHP samples, the entry point for the main JPHP code is listed in .system\\application.conf (see picture below). So for our klient.exe sample[5] the main code resides in app\\forms\\rqfdeqwf.phb.\r\nThe .phb files contain the 0xCAFEBABE magic bytes for Java .class files somewhere further into the file. 
Removing everything before the magic bytes (the magic bytes themselves must be kept) makes it possible to decompile these files into Java code with, e.g., Fernflower. The right side of the picture below shows how the file should look after modification.\r\nThe decompiled code is still hard to read. As a first step I restored the strings. All of them are in an array called $MEM. Replacing the array access $MEM[X] with the actual value in the array improves readability of the code. I achieved this with a Python snippet.\r\nAs a second step I replaced methods like assign and concat with operators. E.g., this can be done using regex and capture groups. See the table below for replacements. The replacement for one operator must be done several times until all nested calls are replaced. The order must be preserved.\r\nAll analysed JPHP samples in this article can be decompiled to Java in the same fashion.\r\nFind | Replace\r\nOperatorUtils\\.concat\\(([^,]+),([^\\)]+)\\) | \\1 + \\2\r\n\\.assign\\(([^\\)]+)\\) | = \\1\r\nMemory\\.assignRight\\((.+),([^)]+)\\); | \\2 = \\1\r\n\\.equal\\(([^\\)]+)\\) | == \\1\r\n\\.notEqual\\(([^\\)]+)\\) | != \\1\r\n\\.concat\\(([^\\)]+)\\) | + \\1\r\nStringMemory\\.valueOf\\(([^)]+)\\) | \\1\r\n\\.toImmutable\\(\\) | (empty)\r\nStringFunctions\\.strtolower\\(([^\\)]+)\\) | \\1\r\nLongMemory\\.valueOf\\(([^\\)]+)\\) | \\1\r\nThere is still room for improvement, but after the replacements the resulting code is readable without pain.\r\nInfection chain and components\r\nIceRat consists of several small components instead of putting all functionality into one file. As a result most of these files may not attract any attention if their context is missing. E.g., a downloader is only malicious if the downloaded file is malware. 
If information about the downloaded file is missing and cannot be inferred, there is no reason to detect the downloader as malware.\r\nThe chain of infection and related files is in the graphic below. White boxes show non-malicious files. At least four of these files are JPHP EXE files, namely cheats.exe[4], 1.exe[12], klient.exe[5] and klip.exe[7]. The main component of IceRat is klient.exe[5].\r\nInfection chain and components of IceRat\r\nAccording to McMcbrad the first IceRat sample came from a malicious document for which he didn't keep a hash or file. The first part of the chain that I could find is Browes.exe[1], which may have been distributed as a trojanized software download for CryptoTab. Browes.exe is a self-extracting WinRAR archive that drops and executes the Windows Cabinet file 1.exe[2].\r\nThe Windows Cabinet file is also a dropper for two more files, namely a non-malicious setup[3] for the CryptoTab software and a malware downloader named cheats.exe[4]. CryptoTab is a browser with mining features, but its installation is not silent. The affected user will see the browser setup window (see image below), which is why I assume CryptoTab is provided as a lure. To summarize: the infection chain starts with a downloader in a trojanized dropper in a dropper.\r\nThe JPHP file cheats.exe[4] has the project name droper (sic). It accesses IceRat's main server to download the backdoor klient.exe[5]. 
It randomly chooses one of the following names from a list:\r\nSystem\r\nJawas\r\nWindowsShell\r\nexploler\r\nantiDrw\r\nantiSsl\r\nADB\r\nMicrosoft\r\nsystem\r\nThen it will write the file into the following locations:\r\n%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\.\u003cname\u003e.exe\r\nc:\\Windows\\Temp\\.\u003cname\u003e.exe\r\nd:\\Windows\\Temp\\\u003cname\u003e.exe\r\nThis file, klient.exe, is the main component that will be controlled by the server.\r\nCommand and Control\r\nAlthough the name IceRat indicates a remote access trojan, the current malware is better described as a backdoor. Features for actual remote control, e.g., moving the mouse or typing on the keyboard, are missing.\r\nThe command and control happens by periodically checking the contents of certain files on the malware server. E.g., klient.exe[5] will check the content of the file hxxp://malina1306.zzz.com.ua/dow_stil.txt. If that file contains a line that matches the string \u003cMAC\u003e:\u003cOS\u003e:\u003cRAM\u003e:\u003cprocessor\u003e:\u003cusername\u003e for the infected system (see image below), klient.exe will download the stealer[6] from hxxp://malina1306.zzz.com.ua/stel.exe and save it to c:\\Windows\\Temp\\.Browser.exe.\r\nSimilarly, a coinminer downloader[7] will be obtained if hxxp://malina1306.zzz.com.ua/dow_klip.txt has a corresponding line for the infected system. It will be downloaded from hxxp://malina1306.zzz.com.ua/klip.exe to c:\\Windows\\Temp\\.Chrome.exe.\r\nThe file 1.exe[12] is downloaded from hxxp://malina1306.zzz.com.ua/1.exe or hxxp://bests.zzz.com.ua/1.exe and saved under a randomly generated name, created from a random number between 10000 and 1000000. The resulting file location is c:\\Windows\\Temp\\.\u003c10000-1000000\u003e.exe. 
This component communicates via Telegram to the malware operator.\r\nTwo more files are referenced in klient.exe but don't exist anymore: hxxp://malina1306.zzz.com.ua/min.exe would be downloaded to c:\\Windows\\Temp\\.Jawaw Se binar.exe, and hxxp://malina1306.zzz.com.ua/klog.exe would be downloaded to c:\\Windows\\Temp\\.Windows Push.exe. Based on the filenames one would assume that min.exe should be the coinminer, whereas klip.exe rather sounds like a clipbanker. But that was not provided by the server. klog.exe might have been a keylogger.\r\nListing of infected clients, format: \u003cMAC\u003e:\u003cOS\u003e:\u003cRAM\u003e:\u003cprocessor\u003e:\u003cusername\u003e. The MAC address is obfuscated by us.\r\nStealer and coinminer\r\nUnlike other IceRat components the stealer[6] is written in Python 3 and was compiled with PyInstaller to an EXE file. It steals credentials from the following browsers:\r\nFirefox\r\nYandex\r\nFilezilla\r\nChrome\r\nAmigo\r\nkometa\r\nOrbitum\r\nChromium\r\nK-Melon\r\nThe coinminer downloader obtains the configuration file MMMMMM.MMMM[8], the driver WinRing0x64.sys[10] by OpenLibSys.org, as well as the coinminer Winlogin.exe[9] from hxxp://malina1306.zzz.com.ua/p/. The configuration shows the user dimargo2003@gmail.com.\r\nAt the time of writing this article the stealer and the coinminer are well detected, with more than 40 detections on VirusTotal. This is a remarkable contrast to the low detection rates of the JPHP components.\r\nHosting domain\r\nThe malware host and CnC server hxxp://malina1306.zzz(.)com.ua also provides a Russian website with two buttons and a text field. The field seems to require a username because the text translates to \"Enter User\". 
The buttons say \"Download miner (v1)\" and \"Download miner (v2)\".\r\nSeverity and targeted regions\r\nIceRat has gone unnoticed for longer than usual. I attribute this mainly to the choice of using JPHP as well as the fragmentation of the malware's features into many small files. \"Small\" does not refer to the size of the files here; these are comparably large because they carry the JPHP runtime with them. \"Small\" rather refers to the number of features they have, or the capability of the code. If one file does only little on its own, it won't show malicious behaviour to an automated analysis system. That way it stays undetected.\r\nThe log files that are used to communicate with the server contain more than 200 entries with different systems. Many usernames of the infected systems are Cyrillic, which indicates that mostly East European and Russian regions are affected.\r\nAntivirus vendors may have to upgrade their engines to support .phb files, as well as take a holistic approach for automated analysis systems to detect fragmented malware.\r\nIndicators of compromise\r\nDescription | Filename | SHA256\r\n[1] PE SFX containing [2] | Browes.exe | 6a7cc0ab2cfaa9457f47d5e21ef41e56800b37d7e5bfe69b296545bff95fdf96\r\n[2] Windows Cabinet file, containing [3] and [4] | 1.exe | 592c60435099477a2656784f28dd31523a91ebf9dd348827d9120a4b411ab6c9\r\n[3] CryptoTab setup file | BrowserSetup.exe | 3c63d911e4f911f2ba6f411e93ba850091aac9c6c4c962eee914358ac1ac8e0c\r\n[4] Backdoor downloader, JPHP | cheats.exe | 0161540edfceb643389a28ebe7d1092639596325e8f40defe52192ab999d3d36\r\n[5] IceRat backdoor, JPHP | klient.exe | cebee34d5f0292befca058537bf2320dd1492afa26fb9af471155c9332046320\r\n[6] Stealer, Python | stel.exe | fdff65ae03fab7bfd6f943833bf7aa16f6ada9219786995df9ef7127ab9aa93d\r\n[7] Coinminer downloader, JPHP | klip.exe | 06a10cf99cc7c2d2ebc3e41300404e8f5816eb31a869d22835ade3a381199c0b\r\n[8] Miner config, JSON file | MMMMMM.MMMM | c0a3b67b4056aeefd086edbe0c6ccb5fa7835505ef4ebe6220e5f914012e9e32\r\n[9] Coinminer | Winlogin.exe | e656c75017a557ad342dfa95d76e1b36b54a004825615f721a5dd51431899e90\r\n[10] WinRing0x64 driver | WinRing.sys | 11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5\r\n[11] IceRat backdoor, older sample | IceRat.exe | 29c63169ffc5dfacef9245c0f3afae987525f9b164a17133e51f598d3b75120d\r\n[12] Telegram communicator, JPHP | 1.exe | 8a3dd23d0d47114c06ace407b93a3403e33b8cb2e243a548f4c7158b4d340165\r\nSource: https://www.gdatasoftware.com/blog/icerat-evades-antivirus-by-using-jphp",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.gdatasoftware.com/blog/icerat-evades-antivirus-by-using-jphp"
	],
	"report_names": [
		"icerat-evades-antivirus-by-using-jphp"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434915,
	"ts_updated_at": 1775792208,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b0d739dcf094d75bdef9f31ea74a681fc7719cfd.pdf",
		"text": "https://archive.orkl.eu/b0d739dcf094d75bdef9f31ea74a681fc7719cfd.txt",
		"img": "https://archive.orkl.eu/b0d739dcf094d75bdef9f31ea74a681fc7719cfd.jpg"
	}
}