{
	"id": "2b1199a7-7ac3-4c26-91fb-b910feb8dd15",
	"created_at": "2026-04-06T00:11:02.833781Z",
	"updated_at": "2026-04-10T03:21:41.969544Z",
	"deleted_at": null,
	"sha1_hash": "c7467e23988add60710501f32542d5bce4b2d883",
	"title": "Sorpresa! JasperLoader targets Italy with a new bag of tricks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4068410,
	"plain_text": "Sorpresa! JasperLoader targets Italy with a new bag of tricks\r\nBy Edmund Brumaghin\r\nPublished: 2019-05-23 · Archived: 2026-04-05 16:48:08 UTC\r\nThursday, May 23, 2019 11:10\r\nNick Biasini and Edmund Brumaghin authored this blog post.\r\nExecutive summary\r\nOver the past few months, a new malware loader called JasperLoader has emerged that targets Italy and other\r\nEuropean countries with banking trojans such as Gootkit. We recently released a comprehensive analysis of the\r\nfunctionality associated with JasperLoader. Shortly after the publication of our analysis, the distribution activity\r\nassociated with these campaigns halted. But after several weeks of relatively low volumes of activity, we\r\ndiscovered a new version of JasperLoader being spread. This new version features several changes and\r\nimprovements from the initial version we analyzed. JasperLoader is typically used to infect systems with\r\nadditional malware payloads which can be used to exfiltrate sensitive information, damage systems or otherwise\r\nnegatively impact organizations.\r\nThe attackers behind this specific threat have implemented additional mechanisms to control where the malware\r\ncan spread and are now taking steps to avoid analysis by sandboxes and antivirus companies. There's also a new\r\ncommand and control (C2) mechanism to facilitate communications between infected systems and the\r\ninfrastructure being used to control them. 
The campaigns that are currently distributing JasperLoader continue to\r\ntarget Italian victims and further demonstrate that while JasperLoader is a relatively new threat, the developers\r\nbehind it are continuing to actively refine and improve upon this malware at a rapid pace and introduce\r\nsophistication that is not commonly seen in financially motivated malware.\r\nhttps://blog.talosintelligence.com/2019/05/sorpresa-jasperloader.html\r\nPage 1 of 11\n\nDelivery changes\r\nAs mentioned in our previous analysis of JasperLoader, the distribution campaigns attempting to spread this\r\nmalware are relying heavily on certified email services in Italy. However, the actors have made some changes to\r\nthe way distribution occurs.\r\nThe initial emails we saw contained ZIP files with VBS files inside them. These VBS files were similar to the\r\nVBS and DOCM files we saw in the previous campaign and began the infection process. The version with\r\nattached files didn't last long and was not very high in volume.\r\nShortly afterward, we saw a new shift away from using attachments directly. In the case shown below, you can see\r\nthe initial email being sent through the typical certified email service that has been repeatedly leveraged by the\r\nactors behind JasperLoader.\r\nJust as we saw previously, the email is written in Italian and states that the original message is included as an\r\nattachment. You can see the original email titled \"postacert.eml\" attached.  The following pops up once the email\r\nis opened:\r\nThis is where the distribution process started to shift. There are not any attachments in the email, but instead, there\r\nis a hyperlink that makes a connection to hxxp:\\\\tribunaledinapoli[.]recsinc[.]com/documento.zip with a parameter\r\nthat is referenced in the email. For example, above the full URL was\r\nhxxp:\\\\tribunaledinapoli[.]recsinc[.]com/documento.zip?214299. 
Note that the number 214299 is the number\r\nreferenced in the email itself. When we initially saw this change, we immediately began to investigate and,\r\ninitially, it appeared to be benign. The URL leads to an HTTP 302 response from the web server. HTTP 302 is the\r\nredirect code for temporarily moved and has been abused by adversaries for years, including the use of 302\r\ncushioning by exploit kits several years ago.\r\nThis particular 302 redirected to www.cnnic[.]cn, which is the Chinese Internet Network Information Center\r\n(CNNIC), the organization responsible for internet affairs in the People's Republic of China. Obviously, this isn't\r\nthe place that an adversary would send a potential victim to get compromised. It was at this point that we started\r\nlooking at potential geofencing.\r\nGeofencing is a technique that some adversaries use to ensure that all the victims are from a particular region or\r\ncountry and that researchers like us have more difficulty tracking down the activity. It's something we've seen\r\nrepeatedly used by advanced adversaries but is not commonly done with crimeware threats like JasperLoader. In\r\norder to make that determination, we routed our traffic through Italian IP space and tried to follow the same link.\r\nWhen the traffic is routed through Italian IP space, the results are drastically different. The request is met with a\r\nZIP file that contains a malicious VBS file that is similar to the samples we found attached to emails earlier in the\r\nweek. Once this VBS file is executed, the infection process kicks off and the loader is installed.\r\nAs we observed in previous campaigns, JasperLoader continues to leverage domain shadowing, and moves\r\nrapidly across subdomains that they control. The chart below shows the DNS resolution activity associated with\r\none of the C2 domains leveraged by JasperLoader. 
The scope is fairly limited, but more than 95 percent of\r\nresolutions came from Italy, so the geofencing protections they put into place appear to be somewhat successful.\r\nLet's now walk through the new infection process where we highlight some of the evolutions we've discovered.\r\nJasperLoader functionality changes\r\nThe infection process associated with JasperLoader continues to feature multiple stages which are used to\r\nestablish a foothold on systems, initiate communications with attacker-controlled infrastructure and implement the\r\ncore functionality of the loader. While much of the process functions similarly to what was described in our\r\nprevious analysis of JasperLoader, there have been several notable changes to the malware's operation, which are\r\ndescribed in the following sections.\r\nAdditional layers of obfuscation\r\nSimilar to what was previously seen in the JasperLoader infection process, the attackers rely upon several layers\r\nof obfuscation to attempt to hide the operation of the malware. In general, they leverage character replacement\r\nmechanisms and perform mathematical calculations at runtime to reconstruct the PowerShell instructions that will\r\nbe executed on infected systems. This same process is used by the Visual Basic Script (VBS) downloader\r\nobserved across these campaigns.\r\nIn current campaigns spreading JasperLoader, the attackers have introduced an additional layer of character\r\nreplacement to further obfuscate the underlying PowerShell. Once the VBS has been deobfuscated, the underlying\r\nPowerShell is:\r\nReplacing each of the characters in the previous image results in the Stage 1 PowerShell that is used to retrieve\r\nadditional stages from attacker-controlled servers. 
An example of this stage of PowerShell is:\r\nThis PowerShell is similar to what was seen in previous JasperLoader campaigns with a few notable differences.\r\nDecoy documents\r\nAs can be seen in the PowerShell associated with Stage 1, a PDF is retrieved from the specified URL and\r\ndisplayed to the user. This PDF is not overtly malicious and is simply designed to function as a decoy document\r\nso that when a user executes the VBS, there's an expected result.\r\nWhile victims will simply see the PDF above, in the background, the infection process is continuing with the\r\nmalware attempting to retrieve Stage 2.\r\nGeolocation filtering\r\nOne of the changes made in JasperLoader is the introduction of additional geolocation-based filtering.\r\nGeolocation-based filtering was also being leveraged during the delivery stage of the infection process. In\r\nprevious versions of JasperLoader, the malware would use the Get-UICulture PowerShell cmdlet at each stage of\r\nthe infection process and terminate if the system was configured to use the language pack associated with People's\r\nRepublic of China, Russia, Ukraine or Belarus. The latest version of JasperLoader has added an additional check\r\nfor Romanian and will exit if any of these language settings are in use.\r\nVirtual machine/Sandbox detection\r\nAnother new feature that has been added in the latest version of JasperLoader is detection for hypervisor-based\r\nenvironments. 
In many cases, malware will perform various checks to determine if it is being executed in a virtual\r\nenvironment and terminate execution to avoid being analyzed by sandbox or anti-malware solutions.\r\nThe latest version of JasperLoader has introduced mechanisms that query the Windows Management\r\nInstrumentation (WMI) subsystem to obtain the model of the system that is being infected. The model identifier is\r\nthen checked to see if it matches the following hypervisors:\r\nVirtualBox\r\nVMware\r\nKVM\r\nIf so, the malware terminates execution and does not attempt to perform any additional actions on the system.\r\nThese same checks are performed at each stage of the infection process.\r\nStage 3 functionality/Payload retrieval\r\nWhile there have been minor changes at Stage 2, they are mostly related to file storage locations, file naming\r\nconventions, and other characteristics that are frequently modified on a campaign-by-campaign basis; the overall\r\nfunctionality and process of retrieving, deobfuscating, and executing Stage 2 to obtain Stage 3 remains relatively\r\nunchanged. For details of how this process works, please refer to our previous blog here.\r\nThe majority of the ongoing development activity appears to have been focused on Stage 3 of the JasperLoader\r\ninfection process as that is where most of the JasperLoader functionality resides. 
The latest version of\r\nJasperLoader has changed how the malware attempts to persist across reboots, has introduced mechanisms to\r\nprotect C2 communications, and added more robust mechanisms for ensuring that updates to JasperLoader get\r\npropagated efficiently to all of the systems that are part of the JasperLoader botnet.\r\nPersistence mechanism\r\nIn previous versions of JasperLoader, the malware would obtain persistence on infected systems by creating a\r\nmalicious Windows shortcut (LNK) in the Startup folder on the system. The latest version of JasperLoader\r\naccomplishes this using the Task Scheduler, as well. A scheduled task is created on infected systems using the\r\nfollowing syntax:\r\nschtasks.exe /create /TN \"Windows Indexing Service\" /sc DAILY /st 00:00 /f /RI 20 /du 24:59 /TR (Join-Path\r\n$bg_GoodPAth 'WindowsIndexingService.js');\r\nThis creates a Scheduled Task that will relaunch JasperLoader periodically. If this process fails, JasperLoader will\r\nthen revert to the use of the shortcut for persistence.\r\nFailback C2 mechanism\r\nOne of the features that has been added to JasperLoader is a failback C2 domain retrieval mechanism that allows\r\nfor time-based fluxing. A default C2 domain is specified. If that domain is not available, the current date on the\r\nsystem is used to generate a series of failback domains that the malware will attempt to use for C2\r\ncommunications.\r\nBot registration\r\nThe malware has also implemented a new bot registration and ID generation mechanism and utilizes different\r\npieces of information to create a unique identifier for each system than what was seen in previous versions of\r\nJasperLoader. 
As before, this information is communicated to the C2 as parameters within an HTTP GET request\r\nand is generated using the following:\r\nInteresting PowerShell artifacts\r\nOne interesting artifact present in the PowerShell associated with Stage 3 of JasperLoader is in the function\r\nresponsible for defining the C2 domain to use for future communications. The function is called\r\nBG_SelectDomen(). The word \"domen\" translates to \"domain\" and is a word that is widely used in multiple\r\ncountries, including Romania.\r\nWhile this is a low-confidence indicator, it is interesting in relation to the apparent targeting of this malware as\r\nwell as the geolocational checking that is performed to determine whether it should continue to execute on\r\ninfected systems.\r\nPayload delivery\r\nDuring our analysis of the latest JasperLoader campaigns, we were unable to receive the commands and URL\r\ninformation required to obtain a malicious PE32 from the attacker's C2 infrastructure. We did note that the C2\r\ncommunications channel remained active and was beaconing.\r\nThis may be due to JasperLoader not being actively used to spread additional payloads at this time. The botnet\r\noperator may be attempting to obtain JasperLoader infections in order to build out capabilities so that they can be\r\nmonetized for the purposes of leveraging the botnet to distribute additional malware in the future. We have seen\r\nreports indicating that GootKit may again be the payload of choice for this campaign. 
GootKit was the payload\r\nduring the previous campaign we analyzed, so its inclusion in this campaign seems likely.\r\nConclusion\r\nAs illustrated by these new JasperLoader campaigns, adversaries are always going to take steps to try and increase\r\ntheir ability to infect victims, while at the same time evading detection and analysis. JasperLoader has taken that\r\nto the extreme and has quickly developed additional capabilities and added additional layers of obfuscation, while\r\nat the same time taking steps to evade virtual machines and geofence their victims in Italy. The majority of these\r\nchanges came rapidly and demonstrate the author's commitment to making JasperLoader a robust, flexible threat\r\nthat can be updated rapidly as security controls and detection capabilities change. Despite all these steps, we are\r\nstill able to derive enough intelligence to expose their activities and protect our customers and the general public\r\nfrom their malicious intentions.\r\nJasperLoader is another prime example of how rapidly threats can change and illustrates just how important threat\r\nintelligence is to ensuring that organizations are prepared to defend against them even as adversaries are\r\nconstantly investing time, effort, and resources into improving upon their tools as they attempt to stay ahead of\r\ndefenses deployed on enterprise networks. As techniques become less effective, cybercriminals will continue to\r\nmove to other techniques to maximize their success in achieving their mission objectives. While JasperLoader is\r\nstill relatively new compared to other established malware loaders out there, they have demonstrated that they will\r\ncontinue to improve upon this malware and leverage it against organizations. 
It is expected that as this botnet\r\ncontinues to grow, it will likely become more heavily leveraged for the distribution of various malware payloads\r\nas the operators of this botnet can make use of already infected systems at the push of a button or the issuance of a\r\ncommand.\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware detailed in this\r\npost. Below is a screenshot showing how AMP can protect customers from this threat. Try AMP for free here.\r\nCisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious\r\nwebsites and detects malware used in these attacks.\r\nEmail Security can block malicious emails sent by threat actors as part of their campaign.\r\nNetwork Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention\r\nSystem (NGIPS), and Meraki MX can detect malicious activity associated with this threat.\r\nAMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs,\r\nwhether users are on or off the corporate network.\r\nAdditional protections with context to your specific environment and threat data are available from the Firepower\r\nManagement Center.\r\nOpen Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org.\r\nIndicators of compromise\r\nThe following IOCs are associated with various malware distribution campaigns that were observed during the\r\nanalysis of JasperLoader activity.\r\nDomains\r\nA list of domains observed to be associated with JasperLoader are 
below.\r\nbreed[.]wanttobea[.]com\r\nzzi[.]aircargox[.]com\r\nnono[.]littlebodiesbigsouls[.]com\r\ntribunaledinapoli[.]recsinc[.]com\r\ntribunaledinapoli[.]prepperpillbox[.]com\r\ntribunaledinapoli[.]lowellunderwood[.]com\r\ntribunaledinapoli[.]rntman.com\r\nIP addresses\r\nA list of IP addresses observed to be associated with JasperLoader are below.\r\n185[.]158[.]251[.]171\r\n185[.]158[.]249[.]116\r\nHashes\r\nA list of file hashes (SHA256) observed to be associated with JasperLoader are below.\r\n052c9895383eb10e4ad5bec37822f624e443bbe01700b1fe5abeeea757456aed\r\n54666103a3c8221cf3d7d39035b638f3c3bcc233e1916b015aeee2539f38f719\r\nee3601c6e111c42d02c83b58b4fc70265b937e9d4d153203a4111f51a8a08aab\r\nSource: https://blog.talosintelligence.com/2019/05/sorpresa-jasperloader.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.talosintelligence.com/2019/05/sorpresa-jasperloader.html"
	],
	"report_names": [
		"sorpresa-jasperloader.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434262,
	"ts_updated_at": 1775791301,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c7467e23988add60710501f32542d5bce4b2d883.pdf",
		"text": "https://archive.orkl.eu/c7467e23988add60710501f32542d5bce4b2d883.txt",
		"img": "https://archive.orkl.eu/c7467e23988add60710501f32542d5bce4b2d883.jpg"
	}
}