{
	"id": "98708dd9-f563-4eb1-9bf7-c7ca7d067d45",
	"created_at": "2026-04-06T00:09:36.983131Z",
	"updated_at": "2026-04-10T03:26:58.413008Z",
	"deleted_at": null,
	"sha1_hash": "d74502c80d9e80b76f1dd20df703a4001d7a6a0a",
	"title": "Earth Wendigo Injects JavaScript Backdoor for Mailbox Exfiltration",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 66094,
	"plain_text": "Earth Wendigo Injects JavaScript Backdoor for Mailbox Exfiltration\r\nBy By: Trend Micro Research Jan 05, 2021 Read time: 9 min (2330 words)\r\nPublished: 2021-01-05 · Archived: 2026-04-05 14:58:42 UTC\r\nWe discovered a new campaign that has been targeting several organizations — including government organizations,\r\nresearch institutions and universities in Taiwan — since May 2019, aiming to exfiltrate emails from targeted organizations\r\nvia the injection of JavaScript backdoors to a webmail system that is widely-used in Taiwan.  With no clear connection to\r\nany previous attack group, we gave this new threat actor the name “Earth Wendigo.”\r\nAdditional investigation shows that the threat actor also sent spear-phishing emails embedded with malicious links to\r\nmultiple individuals, including politicians and activists, who support movements in Tibet, the Uyghur region, or Hong Kong.\r\nHowever, this is a separate series of attacks from their operation in Taiwan, which this report covers. \r\nInitial Access and Propagation\r\nThe attack begins with a spear-phishing email that is appended with obfuscated JavaScript. Once the victim opens the email\r\non their webmail page, the appended JavaScript will load malicious scripts from a remote server operated by the threat actor.\r\nThe scripts are designed to perform malicious behaviors, including:\r\nStealing browser cookies and webmail session keys and then sending them to the remote server.\r\nAppending their malicious script to the victim’s email signature to propagate the infection to their contacts.\r\nExploiting a webmail system’s cross-site scripting (XSS) vulnerability to allow their malicious JavaScript to be\r\ninjected on the webmail page permanently.\r\nRegistering a malicious JavaScript code to Service Worker, a web browser feature that allows JavaScript to intercept\r\nand manipulate HTTPS requests between client and server. The registered Service Worker script can hijack login\r\ncredentials and modify the webmail page to add malicious scripts in case the attackers were unable to inject the XSS\r\nvulnerability mentioned above. (This is also the first time we found an in-the-wild attack that leverages Service\r\nWorker.)\r\nExfiltration of the mailbox\r\nAfter the attackers gain a foothold into the system — either through XSS injection or Service Worker — the next (and final\r\npart) of the attack chain, the exfiltration of the mailbox, is initiated.\r\nThe Earth Wendigo threat actor will establish a WebSocket connection between the victims and their WebSocket server via a\r\nJavaScript backdoor. The WebSocket server instructs the backdoor on the victim’s browser to read emails from the webmail\r\nserver and then send the content and attachments of the emails back to the WebSocket server. We will share more details of\r\nthe attack chain in the following paragraphs.\r\nThe victim will receive a spear-phishing email disguised as an advertisement with a discount coupon from an online\r\nshopping website — however, an obfuscated malicious JavaScript is embedded inside. The email leverages the webmail\r\nsystem’s search suggestion function to trigger the webpage to execute their script instead of directly running the malicious\r\nscript. This is done to evade static security checks.\r\nThe email will generate multiple email search requests to the webmail system via the CSS function ”backgroup-image”\r\nusing their malicious code as a search keyword to make the system register it as a frequently searched keyword. Next, a new\r\nhttps://www.trendmicro.com/en_us/research/21/a/earth-wendigo-injects-javascript-backdoor-to-service-worker-for-.html\r\nPage 1 of 9\n\n“embed” HTML element is created to load the result of the search suggestion by finding the keyword “java” on the webmail\r\nserver.\r\nThe returned suggestion is the JavaScript code that was searched during the first step and has now been indirectly loaded\r\nand used to execute the malicious code. This approach allows the threat actor to hide their malicious code inside CSS\r\nelements to prevent detection by security solutions that employ static analysis. At the end of this step, the code will create\r\nanother new script element that will load other malicious JavaScript codes from remote servers.\r\nInterestingly, we found many other emails that have injected their malicious JavaScript code at the bottom to load their\r\nmalicious code from remote servers. However, these emails don’t look like phishing emails and seemed more like real email\r\nsent from normal users within the same organization.\r\nFurther investigation revealed that the attacker had modified the victims’ email signatures through malicious code injection.\r\nThis means that all of the emails sent by the victim with the modified mail signature will have the malicious code appended\r\nat the end, which is how we found a normal email that was also injected with malicious code. We think the threat actor used\r\nthis approach to attempt to infect the victim’s contacts for further propagation.\r\nAs soon as the user executes the malicious script in the email, a cookie stealer script will be delivered and launched on the\r\nbrowser. The script generates a request to “/cgi-bin/start,” which is a wrapper page embedded with the webmail session key.\r\nThe script will then extract the session key from the page while also collecting browser cookies.\r\nThe script will send an HTTP GET request to remove the server with all the collected keys and cookies appended on the\r\nquery string to transfer the stolen information. The framework used to deliver and manage these XSS attack scripts is called\r\n“XSSER.ME” or “XSS Framework.” The stolen session keys and browser cookies are also sent to the framework to store in\r\nthe database.  \r\nWhile a stolen session key may allow the attacker to log into their target’s webmail system without a password, note that this\r\nis not the Earth Wendigo operation's ultimate goal. \r\nInfection of email accounts\r\nAfter the initial execution of malicious code with the approaches we mentioned above, the attacker implemented steps to\r\nensure that their malicious script would be constantly loaded and executed by their targets.\r\nThe actor prepared two different infection methods. The first involves injecting malicious code into the webpage via an XSS\r\nvulnerability on the webmail system. The vulnerability, which exists inside the webmail system’s shortcut feature, allows\r\nusers to create links on the webmail front page.\r\nThe attacker can add a shortcut with a crafted payload by exploiting the XSS vulnerability, which replaces part of the\r\noriginal script from the webmail system with malicious JavaScript code. If this is successful, the victim will load the\r\nmalicious code whenever they access the webmail page with the malicious shortcut added.\r\nNote that the infection will not impact all of the users on the system simultaneously, but only those with infected mail\r\naccounts. We have reported the vulnerability to the company that developed the webmail system, which informed us that the\r\nvulnerability had been fixed since January 2020. It should not affect those who are using the latest version of the webmail\r\nsystem.\r\nService Worker script exploitation\r\nAnother way the threat actor infects victims is by registering malicious JavaScript to the Service Worker script, which is a\r\nprogrammable network proxy inside the browser that provides an extended layer for websites and web applications to\r\nhttps://www.trendmicro.com/en_us/research/21/a/earth-wendigo-injects-javascript-backdoor-to-service-worker-for-.html\r\nPage 2 of 9\n\nhandle their communications while the network is unreachable. The security risk of Service Worker has been discussed and\r\ndemonstrated by both PoC work and academic research — for example, a registered Service Worker could intercept and\r\nmanipulate the requests between the client and the web server.\r\nBy examining one of the malicious scripts from the Earth Wendigo campaign, we discovered that it uploaded the tampered\r\nService Worker script to the webmail server disguised as an original script provided by the server. It then registers the\r\nuploaded script to the user’s Service Worker before removing it from the server immediately after registration.\r\nThe registered Service Worker script checks the URL path from an intercepted request and performs various responses:\r\nFor HTTPS POST requests sent to “/cgi-bin/login,” which is the API for the authentication of webmail user login and\r\ncontains the username and password pair, the Service Worker script will copy the pair and send it to a remote server.\r\nFor requests sent to “/cgi-bin/start,” which is a page wrapper used to show the main webmail page, the Service\r\nWorker script will reply by sending another page to the victim. This new page is almost similar to the original\r\nwrapper but injected with a script element meant to load malicious script from Earth Wendigo’s server. Therefore, the\r\nvictim also loads the malicious script with the replaced wrapper page whenever they access the webmail server with\r\nthe malicious Service Worker enabled in the background.\r\nEmail exfiltration\r\nAt the end of the attack, Earth Wendigo delivers a JavaScript code that then creates a WebSocket connection to a remote\r\nserver and executes the script returned from the server. We found that the returned script is a backdoor that gets its\r\ninstructions from the WebSocket server. It has only one command, “get(‘URL’),” to perform a request from the victim’s\r\nbrowser to the webmail server and collect the response back to the WebSocket server. The usage of the backdoor we found,\r\nin this case, is for the mailbox exfiltration.\r\nA typical sequence used for mailbox exfiltration:\r\n1.      The WebSocket server returns a backdoor script that is executed on the victim’s browser\r\n2.      The backdoor sends the webmail session key, browser cookies, webpage location, and browser user agent string back\r\nto the WebSocket server to register the victim’s information\r\n3.      The WebSocket server sends the command “get(‘/cgi-bin/folder_tree2?cmd=…’)” to grab the list of existing mailboxes\r\nunder the victim’s mail account\r\n4.      The WebSocket server sends the command “get(‘/cgi-bin/msg_list?cmd=…’)” to grab the list of emails inside a\r\nmailbox that they are interested in reading\r\n5.      The WebSocket server sends the command, “get(‘/cgi-bin/msg_read?cmd=pring_mail\u0026…’)” to read the email listed in\r\nthe response seen in the previous step; it reads each email sequentially from the mailbox and sends it back to the WebSocket\r\nserver\r\n6.      If a stolen email has attachments, the WebSocket server sends the command “get(‘att:/cgi-bin/downfile/…’)” to grab\r\nthe relevant attachment from the webmail server and slice it into 4096 bytes as chunks to return to the WebSocket server.\r\nThese steps are repeatedly performed until they receive the victim’s entire mailbox.\r\nAdditional Findings\r\nBesides their attack on webmail servers, we also found multiple malware variants used by Earth Wendigo. These malware\r\nvariants, which are written in Python and compiled as Windows executables, communicate to a malicious domain — the\r\nhttps://www.trendmicro.com/en_us/research/21/a/earth-wendigo-injects-javascript-backdoor-to-service-worker-for-.html\r\nPage 3 of 9\n\nsame one used in this attack.\r\nMost of them are shellcode loaders that load embedded shellcode likely from Cobalt Strike. Some of them are backdoors\r\nthat will communicate with the command and control (C\u0026C)) server to request and execute additional python code.\r\nHowever, we don’t know what code they delivered because the server was already down when we were verifying the\r\nmalware variants. It’s also not clear how they were delivered to the victims.\r\nConclusion\r\nWhile Earth Wendigo uses typical spear-phishing techniques to initiate their attack, the threat actor also uses many atypical\r\ntechniques to infiltrate the targeted organizations, such as the use of mail signature manipulation and Service Worker\r\ninfection.\r\nThe impact of spear-phishing attacks can be minimized by following security best practices, which include refraining from\r\nopening emails sent by suspicious sources. We also encourage both users and organizations to upgrade their servers to the\r\nlatest version to prevent compromise via vulnerability exploits.\r\nTo avoid XSS attacks similar to what we described in this report, we recommend adapting Contant-Security-Policy (CSP)\r\nfor websites.\r\nIndicators of Compromise\r\nIndicator Description Detection\r\nmail2000tw[.]com\r\nDomain\r\noperated by\r\nEarth\r\nWendigo\r\nbf[.]mail2000tw[.]com\r\nDomain\r\noperated by\r\nEarth\r\nWendigo\r\nadmin[.]mail2000tw[.]com\r\nDomain\r\noperated by\r\nEarth\r\nWendigo\r\ngoogletwtw[.]com\r\nDomain\r\noperated by\r\nEarth\r\nWendigo\r\nhttps://www.trendmicro.com/en_us/research/21/a/earth-wendigo-injects-javascript-backdoor-to-service-worker-for-.html\r\nPage 4 of 9\n\nbf[.]googletwtw[.]com\r\nDomain\r\noperated by\r\nEarth\r\nWendigo\r\nws[.]googletwtw[.]com\r\nDomain\r\noperated by\r\nEarth\r\nWendigo\r\nadmin[.]googletwtw[.]com\r\nDomain\r\noperated by\r\nEarth\r\nWendigo\r\nanybodyopenfind[.]com\r\nDomain\r\noperated by\r\nEarth\r\nWendigo\r\nsupport[.]anybodyopenfind[.]com\r\nDomain\r\noperated by\r\nEarth\r\nWendigo\r\nsupports[.]anybodyopenfind[.]com\r\nDomain\r\noperated by\r\nEarth\r\nWendigo\r\nsupportss[.]anybodyopenfind[.]com\r\nDomain\r\noperated by\r\nEarth\r\nWendigo\r\na61e84ac9b9d3009415c7982887dd7834ba2e7c8ea9098f33280d82b9a81f923\r\nEarth\r\nWendigo\r\nXSS attack\r\nscript\r\nTrojan.JS.WENDIGOE.A\r\nhttps://www.trendmicro.com/en_us/research/21/a/earth-wendigo-injects-javascript-backdoor-to-service-worker-for-.html\r\nPage 5 of 9\n\n66cf12bb9b013c30f9db6484caa5d5d0a94683887cded2758886aae1cb5c1c65\r\nEarth\r\nWendigo\r\nXSS attack\r\nscript\r\nTrojan.JS.WENDIGOE.A\r\n4cdaca6b01f52092a1dd30fc68ee8f6d679ea6f7a21974e4a3eb8d14be6f5d74\r\nEarth\r\nWendigo\r\nXSS attack\r\nscript\r\nTrojan.JS.WENDIGOE.A\r\nf50a589f3b3ebcc326bab55d1ef271dcec372c25d65f381a409ea85929a34b49\r\nEarth\r\nWendigo\r\nXSS attack\r\nscript\r\nTrojan.JS.WENDIGOE.A\r\ne047aa878f9e7a55a80cc1b70d0ac9840251691e91ab6454562afbff427b0879\r\nEarth\r\nWendigo\r\nXSS attack\r\nscript\r\nTrojan.JS.WENDIGOE.A\r\na1a6dc2a6c795fc315085d00aa7fdabd1f043b28c68d4f98d4152fe539f026f1\r\nEarth\r\nWendigo\r\nXSS attack\r\nscript\r\nTrojan.JS.WENDIGOE.A\r\n10d2158828b953ff1140376ceb79182486525fd14b98f743dafa317110c1b289\r\nEarth\r\nWendigo\r\nXSS attack\r\nscript\r\nTrojan.JS.WENDIGOE.A\r\n0e04a03afa5b66014457136fb4d437d51da9067dc88452f9ebd098d10c97c5b8\r\nEarth\r\nWendigo\r\nXSS attack\r\nscript\r\nTrojan.JS.WENDIGOE.A\r\n75f3f724a2bfda1e74e0de36ff6a12d3f2ea599a594845d7e6bc7c76429e0fa4\r\nEarth\r\nWendigo\r\nXSS attack\r\nscript\r\nTrojan.JS.WENDIGOE.A\r\nhttps://www.trendmicro.com/en_us/research/21/a/earth-wendigo-injects-javascript-backdoor-to-service-worker-for-.html\r\nPage 6 of 9\n\nc3bc364409bb0c4453f6d80351477ff8a13a1acdc5735a9dff4ea4b3f5ad201c\r\nEarth\r\nWendigo\r\nXSS attack\r\nscript\r\nTrojan.JS.WENDIGOE.A\r\n5251087bb2a0c87ac60c13f2edb7c39fb1ea26984fcc07e4cf8b39db31ce2b08\r\nEarth\r\nWendigo\r\nXSS attack\r\nscript\r\nTrojan.JS.WENDIGOE.A\r\n7fa9a58163dd233065a86f9ed6857ed698fc6e454e6b428ea93f4f711279fb61\r\nEarth\r\nWendigo\r\nXSS attack\r\nscript\r\nTrojan.JS.WENDIGOE.A\r\nf568f823959be80a707e05791718c1c3c377da1b0db1865821c1cf7bc53b6084\r\nEarth\r\nWendigo\r\nXSS attack\r\nscript\r\nTrojan.JS.WENDIGOE.A\r\na54d58d5a5812abaede3e2012ae757d378fb51c7d3974eaa3a3f34511161c1db\r\nEarth\r\nWendigo\r\nXSS attack\r\nscript\r\nTrojan.JS.WENDIGOE.A\r\n77c3d62cce21c2c348f825948042f7d36999e3be80db32ac98950e88db4140b1\r\nEarth\r\nWendigo\r\nXSS attack\r\nscript\r\nTrojan.JS.WENDIGOE.A\r\nc0dabb52c73173ea0b597ae4ad90d67c23c85110b06aa3c9e110a852ebe04420\r\nEarth\r\nWendigo\r\nService\r\nWorker\r\nscript\r\nTrojan.JS.WENDIGOE.A\r\nefe541889f3da7672398d7ad00b8243e94d13cc3254ed59cd547ad172c1aa4be Earth\r\nWendigo\r\nWebSocket\r\nBackdoor.JS.WENDIGOE.A\r\nhttps://www.trendmicro.com/en_us/research/21/a/earth-wendigo-injects-javascript-backdoor-to-service-worker-for-.html\r\nPage 7 of 9\n\nJavaScript\r\nbackdoor\r\n2411b7b9ada83f6586278e0ad36b42a98513c9047a272a5dcb4a2754ba8e6f1d\r\nEarth\r\nWendigo\r\nShellcode\r\nLoader\r\nTrojan.Win32.WENDIGOE.A\r\n1de54855b15fc55b4a865723224119029e51b381a11fda5d05159c74f50cb7de\r\nEarth\r\nWendigo\r\nShellcode\r\nLoader\r\nTrojan.Win32.WENDIGOE.A\r\nd935c9fe8e229f1dabcc0ceb02a9ce7130ae313dd18de0b1aca69741321a7d1b\r\nEarth\r\nWendigo\r\nShellcode\r\nLoader\r\nTrojan.Win32.WENDIGOE.B\r\n50f23b6f4dff77ce4101242ebc3f12ea40156a409a7417ecf6564af344747b76\r\nEarth\r\nWendigo\r\nShellcode\r\nLoader\r\nTrojan.Win32.WENDIGOE.C\r\nfab0c4e0992afe35c5e99bf9286db94313ffedc77d138e96af940423b2ca1cf2\r\nEarth\r\nWendigo\r\nShellcode\r\nLoader\r\nTrojan.Win32.WENDIGOE.C\r\n4d9c63127befad0b65078ccd821a9cd6c1dccec3e204a253751e7213a2d39e39\r\nEarth\r\nWendigo\r\nShellcode\r\nLoader\r\nTrojan.Win32.WENDIGOE.C\r\n25258044c838c6fc14a447573a4a94662170a7b83f08a8d76f96fbbec3ab08e2\r\nEarth\r\nWendigo\r\nShellcode\r\nLoader\r\nTrojan.Win32.WENDIGOE.C\r\n13952e13d310fb5102fd4a90e4eafe6291bc97e09eba50fedbc2f8900c80165f Earth\r\nWendigo\r\nTrojan.Win32.WENDIGOE.C\r\nhttps://www.trendmicro.com/en_us/research/21/a/earth-wendigo-injects-javascript-backdoor-to-service-worker-for-.html\r\nPage 8 of 9\n\nShellcode\r\nLoader\r\nccb7be5a5a73104106c669d7c58b13a55eb9db3b3b5a6d3097ac8b68f2555d39\r\nEarth\r\nWendigo\r\nShellcode\r\nLoader\r\nTrojan.Win64.WENDIGOE.A\r\n40a251184bb680edadfa9778a37135227e4191163882ccf170835e0658b1e0ed\r\nEarth\r\nWendigo\r\nShellcode\r\nLoader\r\nTrojan.Win64.WENDIGOE.B\r\n0d6c3cc46be2c2c951c24c695558be1e2338635176fa34e8b36b3e751ccdb0de\r\nCobalt\r\nStrike\r\nTrojan.Win32.COBALT.SM\r\nSource: https://www.trendmicro.com/en_us/research/21/a/earth-wendigo-injects-javascript-backdoor-to-service-worker-for-.html\r\nhttps://www.trendmicro.com/en_us/research/21/a/earth-wendigo-injects-javascript-backdoor-to-service-worker-for-.html\r\nPage 9 of 9",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/21/a/earth-wendigo-injects-javascript-backdoor-to-service-worker-for-.html"
	],
	"report_names": [
		"earth-wendigo-injects-javascript-backdoor-to-service-worker-for-.html"
	],
	"threat_actors": [
		{
			"id": "501fec31-9b82-487b-bad5-736645148ddc",
			"created_at": "2022-10-25T16:07:23.569989Z",
			"updated_at": "2026-04-10T02:00:04.670486Z",
			"deleted_at": null,
			"main_name": "Earth Wendigo",
			"aliases": [],
			"source_name": "ETDA:Earth Wendigo",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a1063e48-c06a-4bdd-bb56-03654dd2c690",
			"created_at": "2023-01-06T13:46:39.39909Z",
			"updated_at": "2026-04-10T02:00:03.313651Z",
			"deleted_at": null,
			"main_name": "Earth Wendigo",
			"aliases": [],
			"source_name": "MISPGALAXY:Earth Wendigo",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434176,
	"ts_updated_at": 1775791618,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d74502c80d9e80b76f1dd20df703a4001d7a6a0a.pdf",
		"text": "https://archive.orkl.eu/d74502c80d9e80b76f1dd20df703a4001d7a6a0a.txt",
		"img": "https://archive.orkl.eu/d74502c80d9e80b76f1dd20df703a4001d7a6a0a.jpg"
	}
}