{
	"id": "fa3b6d28-ae11-47f7-8b7c-ebec5695bb21",
	"created_at": "2026-04-06T02:10:46.829397Z",
	"updated_at": "2026-04-10T03:20:22.002067Z",
	"deleted_at": null,
	"sha1_hash": "f84a89a57eded03cf278d5b7a73b0a741108e5bb",
	"title": "Attack on Indian Government, Financial Institutions | blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4763791,
	"plain_text": "Attack on Indian Government, Financial Institutions | blog\r\nBy Sudeep Singh\r\nPublished: 2020-05-11 · Archived: 2026-04-06 01:33:54 UTC\r\nIt is not uncommon for cybercriminals to target specific countries or regions. They often employ this strategy\r\nIn April 2020, ThreatLabZ observed several instances of targeted attacks on Indian government establishments and the\r\nbanking sector. Emails were sent to organisations, such as the Reserve Bank of India (RBI), IDBI Bank, the Department of\r\nRefinance (DOR) within the National Bank for Agriculture and Rural Development (NABARD) in India with archive file\r\nattachments containing JavaScript and Java-based backdoors.\r\nFurther analysis of the JavaScript-based backdoor led us to correlate it to the JsOutProx RAT, which was used for the first\r\ntime by a threat actor in December 2019 as mentioned by Yoroi.\r\nThe Java-based RAT provided functionalities similar to the JavaScript-based backdoor in this attack.\r\nIn this blog, we describe in detail the email attack vector of this targeted campaign, the technical analysis of the discovered\r\nbackdoors, and our conclusions on this attack.\r\nEmail analysis\r\nBelow is the email that was sent to the government officials in NABARD, which contained a malicious archive file\r\nattachment.\r\nFigure 1: Email sent with malicious attachment to NABARD.\r\nThe email attachment filename is: KCC_Saturation_letter_to_all_StCBs_RRBs_pdf.zip\r\nThis archive contains an HTA file inside it that performs the malicious activities.\r\nThe MD5 hash of the HTA file is: 23b32dce9e3a7c1af4534fe9cf7f461e\r\nThe theme of the email is related to KCC Saturation, which relates to the Kisan Credit Card scheme and is detailed on the\r\nofficial website of NABARD.\r\nAttackers leveraged this theme because it is relevant to the Department of Refinance, making this email look more\r\nlegitimate.\r\nWe used the email headers to trace the origin to hosteam.pl, which is a hosting 
provider in Poland as shown below:\r\nX-Auth-ID: syeds@rockwellinternationalschool.com\r\nReceived: by smtp10.relay.iad3b.emailsrvr.com (Authenticated sender: syeds-AT-rockwellinternationalschool.com) with\r\nESMTPSA id 0928BE00BD;\r\nhttps://www.zscaler.com/blogs/security-research/targeted-attacks-indian-government-and-financial-institutions-using-jsoutprox-rat\r\nPage 1 of 14\n\nMon, 20 Apr 2020 21:33:53 -0400 (EDT)\r\nX-Sender-Id: syeds@rockwellinternationalschool.com\r\nReceived: from WINDEB0UPGVCUK (unused-31-133-6-113.hosteam.pl [31.133.6.113])\r\n         (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384)\r\n         by 0.0.0.0:465 (trex/5.7.12);\r\n         Mon, 20 Apr 2020 21:34:40 -0400\r\n
The same HTML Application (HTA) file was also sent in an archive attachment to IDBI Bank, as shown in Figure 2.\r\nFigure 2: The email sent with a malicious attachment to IDBI Bank.\r\nBased on the email headers and the infrastructure used to send the previous emails, we were able to identify more instances of these attacks and attribute them to the same threat actor.\r\nFigure 3 shows an email sent to RBI with an archive file that contains a Java-based backdoor.\r\nFigure 3: The email sent with a malicious attachment to RBI.\r\nFigure 4 shows an email that was used to send an archive file with a Java-based backdoor to Agriculture Insurance Company of India (AIC).\r\nFigure 4: The email sent with a malicious attachment to AIC India.\r\nThe contents of the email are in the Hindi language.\r\nIn both of the cases above, the Java-based backdoor has the same hash; only the filenames differ.\r\nThe hash of the JAR file is: 0ac306c29fde5e710ae5d022d78769f6\r\n
Technical analysis of JsOutProx\r\nThe MD5 hash of the HTA file is: 23b32dce9e3a7c1af4534fe9cf7f461e\r\nUpon execution, the HTA file displays junk data in a window that flashes quickly on the screen before auto-closing.\r\nThis HTA file contains JavaScript that is executed by mshta, as can be seen in the file header in Figure 5.\r\nFigure 5: The HTA header in the file.\r\nThere is a long array of encoded strings at the beginning of the JavaScript, as shown in Figure 6.\r\nFigure 6: A long array of encoded strings.\r\nThis array of strings is referenced throughout the JavaScript. The strings are Base64 decoded and RC4 decrypted at runtime.\r\nThe JavaScript code in this HTA file is heavily obfuscated, as shown in Figure 7.\r\nFigure 7: The heavily obfuscated JavaScript code.\r\nThe string decoding and decryption routines are shown in Figure 8.\r\nFigure 8: The string decoding and decryption routines.\r\nAfter analyzing the string decryption routine, we can see that the RC4 algorithm was used.\r\nThe process of string decryption can be summarized in the following steps:\r\n1. The string decryption routines are invoked with calls such as: b('0x4', 'qP52'). The first parameter is the index of the encoded string in the long array declared at the beginning of the JavaScript. The second parameter is the RC4 decryption key.\r\n2. The string is Base64 decoded using the atob() JavaScript function.\r\n3. An S-box is generated using a for loop that produces the sequence 0x0 to 0x100.\r\n4. The S-box is permuted using the decryption key.\r\n5. The permuted S-box is used to perform XOR decryption of the encrypted string.\r\n
After decrypting all the strings in this JavaScript, we can see the main configuration, as shown in Figure 9.\r\nFigure 9: The main configuration file of the JsOutProx backdoor.\r\nSome of the critical parameters in the above config file are:\r\n1. BaseURL: This is the C2 communication URL. In this case, it makes use of Dynamic DNS (*.ddns.net) and a non-standard port.\r\n2. Delimiter: This is the delimiter that will be used while exfiltrating information about the system.\r\n3. SleepTime: The duration for which the execution needs to be delayed.\r\n4. Delay: Similar to the SleepTime parameter.\r\n5. Tag: This is a unique indicator that is appended to the data during exfiltration. In this case, the tag is: Vaster. The first time this JavaScript-based backdoor was discovered, in December 2019, the value of this tag was: JsOutProx.\r\n6. IDPrefix: This parameter corresponds to the Cookie name that will be set in the HTTP POST request sent by the backdoor to the C2 server at the time of initialization.\r\n7. RunSubKey: This is the Windows Registry key that will be used for persistence on the machine.\r\nThe script checks whether it is being executed by mshta, wscript, or an ASP server, as shown in Figure 10.\r\nFigure 10: Checks for source of execution.\r\nThis also indicates that the script has the capability to execute in different environments, including web servers. The first instance of JsOutProx discovered in December 2019 was a JavaScript file. The instance we discovered in April 2020 was an HTA file with the obfuscated JavaScript code embedded inside. So we are observing this threat actor deploy the backdoor using different methods in the wild.\r\nThe script also has the ability to delay execution, as shown in Figure 11.\r\nFigure 11: Delaying execution.\r\n
The init() routine gathers different types of information from the system and sends it in an HTTP POST request to the C2 server, as shown in Figure 12.\r\nFigure 12: The main initialization routine.\r\nThe individual fields collected during the init() routine are:\r\nVolume serial number: Fetched using the WMI query “select * from win32_logicaldisk” by inspecting the volumeSerialNumber field.\r\nUUID: This is randomly generated using the getUUID function in the script. The format of the UUID used is: xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx\r\nComputerName: Host name of the machine.\r\nUserName: User name on the machine on which this script is executing.\r\nOS caption: This value is fetched using the WMI query “select * from win32_operatingsystem” by inspecting the Caption field.\r\nOS version: This information is also gathered using a WMI query similar to the one for OS caption.\r\nTag: This is the tag defined in the configuration of the backdoor. In our case, the tag is Vaster.\r\nThe last keyword is “ping,” which is added by the receive() method.\r\nAll these values are separated by the delimiter “_|_” and concatenated, then hex encoded and set in the Cookie header called “_giks” of the HTTP POST request sent to the C2 server, as shown in Figure 13.\r\nFigure 13: First HTTP POST request sent to the C2 server.\r\nThe command and control communication between the backdoor and the C2 server is synchronized using the Cookie in the HTTP requests and responses.\r\nThe last field in the cookie indicates the type of client command.\r\nFor example, if the cookie is:\r\nCookie:\r\n_giks=46464646464646465f7c5f65363261396233322d323434352d346166612d393233622d3836653530306530363665655f7c5f486f73746e616d655f7c5\r\nthen the client command can be identified as follows:\r\n1. Hex decode the cookie to get: FFFFFFFF_|_e62a9b32-2445-4afa-923b-86e500e066ee_|_Hostname_|_Administrator_|_OS_Name_|_Version_|_Vaster_|_ping\r\n2. Split the decoded content using the delimiter “_|_” to get: ['FFFFFFFF', 'e62a9b32-2445-4afa-923b-86e500e066ee', 'Hostname', 'Administrator', 'OS_Name', 'Version', 'Vaster', 'ping']\r\n3. Extract the last field from the above list. In this case the command is: ping.\r\n
Figure 14 shows the main subroutine in the code that handles all the commands.\r\nFigure 14: The C2 command handler subroutine in JsOutProx.\r\nThe commands are described in the table below.\r\nCommand Description\r\nupd Download and execute the script.\r\nrst Re-launch the script.\r\nl32 Similar to rst command.\r\ndcn Exit the execution.\r\nrbt Reboot the system.\r\nshd Shutdown the system.\r\nlgf Shutdown the system.\r\nejs Use eval() to execute the JavaScript sent by the server.\r\nevb Use ActiveXObject to execute the VBScript sent by the server.\r\nuis Uninstall the backdoor.\r\nins Install the backdoor.\r\nfi Invokes the File Plugin.\r\ndo Invokes the Download Plugin.\r\nsp Invokes the ScreenPShellPlugin.\r\ncn Invokes the ShellPlugin.\r\n
Technical analysis of the Java-based backdoor\r\nThe MD5 hash of the JAR file is: 0ac306c29fde5e710ae5d022d78769f6\r\nThe JAR file is heavily obfuscated in this case. The structure of the JAR file is shown in Figure 15.\r\nFigure 15: The JAR file structure.\r\nThere is an AES-encrypted resource present in this JAR file with the name: “jkgdlfhggf.bvl”.\r\nThis resource is loaded and decrypted at runtime, as shown in Figure 16.\r\nFigure 16: The Stage 1 resource decryption routine.\r\nThis resource decrypts to another JAR file, which is dropped in the %appdata% directory on the machine with the name jhkgdldsgf.jar.\r\nThe dropped JAR file contains all the functionality for this Java-based backdoor. Figure 17 shows the main structure of the JAR file.\r\nFigure 17: The JAR file structure of the Java-based backdoor.\r\nAll the strings in this JAR file are obfuscated by an obfuscator called Allatori. The string decryption routine is shown in Figure 18.\r\nFigure 18: The string decryption routine.\r\nWe described this string decryption routine in more detail in an earlier blog, which also includes a Python implementation of the decryption routine.\r\nThe JAR file connects to the C\u0026C server scndppe.ddns.net on port 9050.\r\nThis Java-based backdoor is modular in structure and contains several plugins. Figure 19 shows the main network controller code that handles the C\u0026C communication and dispatches the commands to the corresponding plugins for further processing.\r\nFigure 19: The network controller command handler.\r\nThe controller receives the command along with an array of strings that represent the parameters for the corresponding command.\r\nEach C\u0026C command invokes a plugin that executes the command sent by the server.\r\nCommand Invoked Plugin\r\nsc Screen plugin.\r\naut Log plugin.\r\ncm Command plugin.\r\ndn Downloader plugin.\r\nfm Filemanager plugin.\r\nst Startup plugin.\r\nln.t Base plugin to exit execution.\r\nln.rst Base plugin to restart execution.\r\n
Now, we will describe two main plugins in this Java-based backdoor and the commands processed by them.\r\nFilemanager plugin: This plugin is responsible for managing all the file-system-related actions that the attacker can perform remotely. The plugin supports multiple commands, summarized in the table below.\r\nPlugin command Purpose\r\nFm.dv Get list of system drives (including the CD drive).\r\nFm.get Get list of files and folders in a directory.\r\nFm.nd Create a new directory.\r\nFm.e Execute a command using Runtime.getRuntime().exec().\r\nFm.es Start a new system shell based on the type of OS.\r\nFm.cp Copy contents of one file to another.\r\nFm.chm Change the permissions of a file using the chmod command (only for Linux and Mac).\r\nFm.mv Move a file from one location to another.\r\nFm.del Delete a file.\r\nFm.ren Rename a file.\r\nFm.chmod Similar to the chm command.\r\nFm.down Download a file from the system. Contents of the file are Gzip compressed and Base64 encoded before downloading.\r\nFm.up Upload a file to the system. Contents of the file are Gzip decompressed and Base64 decoded before being dropped on the file system.\r\nScreen Plugin: This plugin uses the java.awt.Robot class to perform all the mouse and keyboard simulations on the machine as well as to take screen captures. The commands for this plugin are detailed in the table below.\r\nPlugin Command Purpose\r\nsc.op Fetch the screen size width and height information.\r\nsc.ck Simulate mouse actions like double click, scroll up and scroll down.\r\nsc.mv Move the mouse cursor to specified coordinates.\r\nsc.cap Take a screen capture.\r\nsc.ky Send keystrokes to the machine.\r\nPersistence: To ensure that this JAR file is executed automatically when the system reboots, a Windows Run registry key is created as shown below:\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v jhkgdldsgf /d '\\'C:\\Program Files\\Java\\jre1.8.0_131\\bin\\javaw.exe\\' -jar \\'C:\\Users\\user\\AppData\\Roaming\\jhkgdldsgf.jar\\'' /f\r\n
Cloud Sandbox detection\r\nFigure 20 shows the Zscaler Cloud Sandbox successfully detecting the Java-based backdoor.\r\nFigure 20: The Zscaler Cloud Sandbox detection for this Java-based backdoor.\r\nFigure 21 shows the Zscaler Cloud Sandbox successfully detecting the HTA-based backdoor that contains the JsOutProx RAT.\r\nFigure 21: The Zscaler Cloud Sandbox detection for the HTA-based backdoor.\r\nConclusion\r\nThis threat actor has a specific interest in organisations located in India, and the content of the emails indicates a good knowledge of topics relevant to each of the targeted organisations. The backdoors used in this attack are uncommon, such as JsOutProx, which has only been observed in the wild once before, in December 2019.\r\nThe Zscaler ThreatLabZ team will continue to monitor this campaign, as well as others, to help keep our customers safe.\r\nMITRE ATT\u0026CK TTP Mapping\r\nTactic Technique\r\nObfuscation Obfuscated Files or Information - T1027\r\nSoftware Packing T1045\r\nPersistence Registry run keys / Startup folder - T1060\r\nScreen Capture T1113\r\nSystem Shutdown/Reboot T1529\r\nMshta T1170\r\nFile and Directory Discovery T1083\r\nUncommonly Used Port T1065\r\nWindows Management Instrumentation T1047\r\nIndicators of Compromise (IOCs)\r\nHashes\r\n23b32dce9e3a7c1af4534fe9cf7f461e – HTA file (JSOutProx)\r\n0ac306c29fde5e710ae5d022d78769f6 – Java-based Backdoor\r\nNetwork indicators\r\nscndppe[.]ddns[.]net:9050\r\nbackjaadra[.]ddns[.]net:8999\r\nSource: https://www.zscaler.com/blogs/security-research/targeted-attacks-indian-government-and-financial-institutions-using-jsoutprox-rat",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/targeted-attacks-indian-government-and-financial-institutions-using-jsoutprox-rat"
	],
	"report_names": [
		"targeted-attacks-indian-government-and-financial-institutions-using-jsoutprox-rat"
	],
	"threat_actors": [],
	"ts_created_at": 1775441446,
	"ts_updated_at": 1775791222,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f84a89a57eded03cf278d5b7a73b0a741108e5bb.pdf",
		"text": "https://archive.orkl.eu/f84a89a57eded03cf278d5b7a73b0a741108e5bb.txt",
		"img": "https://archive.orkl.eu/f84a89a57eded03cf278d5b7a73b0a741108e5bb.jpg"
	}
}