{
	"id": "8fb48404-4484-4caf-a40b-d03dfc38a853",
	"created_at": "2026-04-06T00:18:43.321767Z",
	"updated_at": "2026-04-10T03:20:04.002748Z",
	"deleted_at": null,
	"sha1_hash": "bb2ae0acb2850bab44baf3a5af328f29585040e8",
	"title": "Upgraded JasperLoader Infecting Machines with New Targets \u0026 Functional Improvements: What You Need to Know",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1220976,
	"plain_text": "Upgraded JasperLoader Infecting Machines with New Targets \u0026 Functional Improvements: What You Need to Know\r\nArchived: 2026-04-05 16:35:17 UTC\r\nA few months ago, JasperLoader (a new malware loader) emerged, infecting systems with various malware payloads, such as the Gootkit Banking Trojan. After a short, initial campaign, the threat actors behind the malware halted their activity and JasperLoader went off the radar for a while. However, since late May, a new and upgraded version of JasperLoader has been spotted infecting machines across Europe.\r\nJasperLoader is distributed via malicious email campaigns, while today’s main campaign relies on a certified email service in Italy called Posta Elettronica Certificata (PEC). Using a trusted email service helps the threat actors convince victims that their emails are legitimate, tricking them into opening the malicious email.\r\nThe emails in this campaign do not have a malicious VBS or DOCM file attached like the previous campaign, but rather mention that the original message is attached as an EML file. This additional email (shown below) contains a malicious link posing as the “Tribunale di Napoli” – the court of Naples, Italy.\r\nPhoto Cred: Talos Blog\r\nIf the victim’s IP is located in Italy, a ZIP file containing a malicious VBS file is downloaded. Execution of the VBS file starts the infection and JasperLoader installation process.\r\nThe “Tribunale di Napoli” domains used for this infection vector are:\r\nlowellunderwood.com\r\nprepperpillbox.com\r\nrecsinc.com\r\nrntman.com\r\nhttps://blog.threatstop.com/upgraded-jasperloader-infecting-machines\r\nPage 1 of 3\r\nRight at first glance, we can tell that these are not official domains but rather an impersonation attempt. Our security and research team decided to analyze these domains further, and noticed that all four domains are hosted on the same IP, which also hosts the domain tribunaledinapoli[.]prepperspillbox[.]com. This domain has not previously been mentioned in relation to JasperLoader, but is extremely similar to the already-known tribunaledinapoli[.]prepperpillbox[.]com domain.\r\nAnother interesting finding is that each of these imposter domains has only one sibling, a gibberish-looking subdomain sharing the same parent domain.\r\nAs opposed to the “Tribunale Di Napoli” domains, which have only been active for a few weeks, their siblings have been active for years.\r\nAlthough these domains have not previously been reported as malicious, it seems quite possible that they are related to the threat actor behind JasperLoader, given the infrastructure symmetry they share with the current campaign.\r\nThe new JasperLoader version boasts a variety of upgrades, such as additional layers of obfuscation, VM/Sandbox evasion, a new persistence mechanism, a failback C2 mechanism, and more. It is clear that the threat actors are working quickly at developing the malware’s capabilities, making it robust and flexible. We will continue analyzing JasperLoader and updating our coverage of its malicious infrastructure.\r\nIf you’re interested in learning more about how ThreatSTOP protects you against JasperLoader and other malware loaders, check us out below. Try us out for 14 days free or request a quick demo to see what we’re about.\r\nIf you’re already a ThreatSTOP user, you’re protected against JasperLoader in our TS Originated - Core Threats - IPs and TS Originated - Core Threats - Domains targets.\r\nSource: https://blog.threatstop.com/upgraded-jasperloader-infecting-machines",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.threatstop.com/upgraded-jasperloader-infecting-machines"
	],
	"report_names": [
		"upgraded-jasperloader-infecting-machines"
	],
	"threat_actors": [],
	"ts_created_at": 1775434723,
	"ts_updated_at": 1775791204,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bb2ae0acb2850bab44baf3a5af328f29585040e8.pdf",
		"text": "https://archive.orkl.eu/bb2ae0acb2850bab44baf3a5af328f29585040e8.txt",
		"img": "https://archive.orkl.eu/bb2ae0acb2850bab44baf3a5af328f29585040e8.jpg"
	}
}