JavaScript to Command-and-Control (C2) Server Malware

EXECUTIVE SUMMARY

At CYFIRMA, we provide cutting-edge intelligence on emerging cyber threats and the evolving tactics used by adversaries to compromise organizations and individuals. This research report analyzes a sophisticated multi-stage malware attack that employs obfuscation, steganography, and covert communication channels to evade detection and compromise victims’ systems. The attack begins with an obfuscated JavaScript file, which fetches encoded strings from an open-source service to execute a PowerShell script. This script then downloads a JPG image and a text file from an IP address and a URL shortener, both of which contain malicious MZ DOS executables embedded using steganographic techniques. Once executed, these payloads deploy Stealer malware, designed to extract sensitive data from the infected system. The stealer collects credentials, browser data, and system information before transmitting the stolen data to an attacker-controlled Telegram bot. This method allows cybercriminals to maintain persistence while evading conventional security mechanisms. The attack leverages multiple layers of obfuscation, legitimate web services for payload hosting, and encrypted communication to make detection and mitigation challenging.

INTRODUCTION

The evolving cyber threat landscape has witnessed a surge in sophisticated malware campaigns that leverage multi-stage execution, obfuscation, and covert communication channels to evade detection. This research report examines a highly obfuscated attack chain that begins with a JavaScript file, which retrieves encoded commands from an open-source service to execute a PowerShell script. This script then downloads a JPG image and a text file from an IP address and a URL shortener, both of which conceal malicious MZ DOS executables through advanced steganographic techniques.

Once executed, these payloads deploy Stealer malware, engineered to extract sensitive system and user credentials. The malware further establishes a communication channel with an attacker-controlled Telegram bot, facilitating seamless data exfiltration while bypassing traditional security mechanisms. This report provides a comprehensive analysis of the attack chain, its technical intricacies, and the methodologies employed to evade detection, alongside strategic recommendations for effective threat mitigation.

OBJECTIVE

By understanding the tactics, techniques, and procedures (TTPs) employed in this attack, this report seeks to enhance threat intelligence and provide actionable insights for detection, mitigation, and defense against similar threats.

KEY FINDINGS

• Multi-Stage Attack Chain: The campaign uses a sophisticated, multi-stage process starting with an obfuscated Windows Script Host (WSH) dropper, followed by a PowerShell downloader, and culminating in the reflective loading of a .NET payload. This layered approach complicates detection and mitigation efforts.
• Advanced Obfuscation Techniques: The initial dropper script employs heavy obfuscation, including unusual Unicode characters, extensive string manipulation, and runtime code evaluation (e.g., using eval()). This not only masks the true intent of the script but also hinders both static and dynamic analysis.
• Legitimate Service Abuse for C2 and Payload Delivery: The attackers leverage a trusted open-source service for command and control communications and another open-source cloud-based media management service for hosting a seemingly innocuous image that conceals the malicious .NET assembly. This abuse of legitimate infrastructure helps the malware blend into normal network traffic.
• Steganography for Payload Concealment: By hiding a Base64-encoded .NET assembly within an image using steganographic techniques, the campaign bypasses many conventional content inspection mechanisms, making it challenging to identify the malicious payload using standard scanning methods.
• Reflective Loading: The use of reflective loading to execute the .NET payload directly from memory avoids leaving traces on disk, reducing the forensic footprint and evading detection by traditional file-based antivirus solutions.
• ActiveX and WSH Shell Abuse: The campaign exploits legacy technologies such as ActiveX objects (e.g., WScript.Shell, Scripting.FileSystemObject) to interact with the system and even provides an interactive shell. This enables the execution of arbitrary commands and further complicates the threat landscape.
• PowerShell Integration for Flexibility: The incorporation of PowerShell facilitates complex operations, including network communication, dynamic payload extraction, and in-memory code execution. Its flexibility also aids in evading many standard detection techniques.
• Operational Impact and Potential Threats: The integration of a .NET payload within this framework allows attackers to potentially deploy a variety of subsequent threats, including ransomware, information stealers, and backdoors. This broadens the campaign’s scope and potential impact on compromised systems.

Attack Chain Analysis

Analysis

The provided JavaScript code is a potentially malicious script designed to execute a web request and then run the returned code. The function begins by defining a string (prytaneum) that contains obfuscated characters (🍑🔙🕯🔄🎪👘⛪💅🖛🏥♏🏟🎁🗯⛤) which are replaced with an empty string. The script then attempts to create an ActiveXObject (MSXML2.XMLHTTP), which is a COM object used for making HTTP requests in Windows. The code sends a GET request to the URL stored in prytaneum and, if the request is successful (status 200), it executes the response using eval(). The response, likely to be a JavaScript code, is executed on the victim’s machine. This is a form of remote code execution that is typical of harmful or exploitative scripts. Afterward, the script ends by calling WScript.Quit() to terminate the script. This code appears to be designed for nefarious purposes, such as running malicious scripts from a remote server.

The Boleyn object contains a decode function that implements the process of Base64 decoding. It uses a string parameter that holds the Base64 alphabet (ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=) and operates on an input string (bufferless) that represents a Base64-encoded message. The function first sanitizes the input by removing non-Base64 characters. It then decodes the string in chunks of four characters, using bitwise operations to reconstruct the original data. The function decodes each group of four Base64 characters, converts them to their corresponding ASCII values, and concatenates them to form the decoded string. The padding character (=) is handled to ensure proper decoding, and the final result is the decoded string.

The JavaScript code creates an instance of WScript.Shell using ActiveX to execute system commands, which is typically used in Windows environments. It starts by defining a string cradlelike that appears to be a Base64-encoded string, which includes non-standard characters (🖢🍕E⛥♊👖♞3📃👸♆🏯💻🏢☵) likely serving as placeholders or obfuscation. The code then replaces those characters with “A”, and decodes the modified string using the scoundreldom.decode method, which is the custom Base64 decoder from earlier. Finally, the decoded string is passed to tormodont.Run(), which executes the decoded command on the system. This code is highly suspicious as it involves obfuscation techniques and ActiveX for potentially malicious activities.

The below snapshot of the code is replacing the characters “🍑🔙🕯🔄🎪👘⛪💅🖛🏥♏🏟🎁🗯⛤” with the letter “A”. This replacement is done using the replace() method in the script, which eliminates the obfuscated characters and replaces them with the letter “A.” This technique is commonly used for obfuscation, hiding the actual data or URL until these symbols are substituted. By replacing these characters, the script extracts the original Base64 encoded script that can be used further in the code execution.

After decoding the Base64 encoding, we see the following PowerShell script in the snapshot below:

In this snapshot, the strings are reversed and stored within the variable $originalText. The $restoredText is then derived by replacing certain characters within the string to modify the original encoded text. The below snapshot contains the decoded strings of the above URL.

The below snapshot contains reversed encoded strings of Base64, extracted from the above 222[.]txt file:

After decoding the Base64, it resulted in a DOS MZ executable:

In this snapshot, the PowerShell code processes the downloaded image data. The first line converts the image byte data, stored in the $imageBytes variable, into a readable string using UTF-8 encoding, which is stored in the $imageText variable. The subsequent lines define two flags, $startFlag and $endFlag, which are used to identify the boundaries of a Base64-encoded string embedded within the image text. The flags <<BASE64_START>> and <<BASE64_END>> are markers that indicate where the Base64 string begins and ends, allowing the code to extract the encoded data from the image content.

The code snippet provided involves decoding a Base64-encoded string that when decoded, contains a DOS MZ executable. The Base64 string is extracted and decoded into a byte array, which represents the executable’s data.

As per the PowerShell script, This decoded byte array ($commandBytes) is then loaded into memory as a .NET assembly using the System.Reflection.Assembly::Load method. This allows the program to treat the decoded executable as an in-memory assembly that can be manipulated or executed further.

After loading the assembly, the code attempts to invoke a specific method (main) from the ClassLibrary1.Home class within the assembly. The method is called using reflection with arguments that include $restoredText, which refers to the decoded MZ file extracted from 222.txt. The use of reflection in this case enables dynamic execution of methods from the loaded assembly, allowing the potentially embedded code to run, which could involve executing or interacting with the DOS MZ executable.

The inclusion of parameters like ‘false’, ‘MSBuild’, and ‘false’ in the method invocation suggests specific behavior or configuration being passed to the executed method.

Analysis of the Stealer:
The code snippet defines a method vequduqinput() that constructs and returns two obfuscated file paths targeting the ApplicationData directory (e.g., AppData\Roaming), a common location for malware persistence. Using a loop, it dynamically builds a base path by combining the user-specific ApplicationData folder with a Base64-encoded string decrypted via the method gejavipizotuhec, which likely performs additional custom decryption or string manipulation using runtime-generated parameters (e.g., netapacocegadeherin()). The final output is an array of two strings, each appending further obfuscated subpaths to the base path, suggesting the creation or targeting of files for malicious purposes such as configuration storage, data exfiltration, or payload deployment. Heavy obfuscation (Base64 + layered decryption) and the use of stealthy directories align with behaviors typical of malware aiming to evade detection while establishing persistence or preparing for data theft.

The code snippet compresses files and directories from a specified path (path) into an in-memory ZIP archive using ZipArchive, avoiding disk writes to evade detection, and stores the compressed data in SkypeSessions for potential exfiltration. It recursively processes directories and files, preserving their structure within the ZIP, while leveraging obfuscated strings (via Convert.FromBase64String and gejavipizotuhec) to dynamically resolve the target path, likely focusing on Skype-related data (suggested by SkypePath and SkypeSessions).

This code defines a sealed class comindex acting as a centralized thread controller for executing multiple malicious routines, likely part of a malware’s core payload. The class initializes four static ThreadStart delegates (pubijalajaxoxevocad, jebozetohohasun, etc.), each mapped to internal methods that invoke obfuscated functions from other classes (e.g., global::zadoxebesebitem.vojimundata.Run()). These methods perform distinct tasks: one triggers a data collection routine (Clipboard.AppendLine), another monitors Windows key combinations (WinKeyRc.AppendLine), and others execute system-level actions (e.g., wemadus(), vapanuhuyatezufindex()), suggesting behaviors like keystroke logging, clipboard theft, or persistence mechanisms. The use of ThreadStart delegates indicates multithreaded execution to run these tasks concurrently, while the class’s static singleton design (vofigorevusoteh) ensures a single point of control, typical in malware for coordinating stealthy, background operations. The obfuscated method names and external class dependencies align with evasion tactics to hinder reverse engineering and detection.

The vasucijaxajeyip class is designed to steal sensitive data from Gecko-based browsers (e.g., Firefox, Thunderbird) by identifying user profiles and critical files. It defines a static GeckoBrowsersList property, which maps browser-specific directories (e.g., Mozilla\Firefox) under LocalApplicationData to their human-readable names. This list targets browsers using Gecko engines, enabling the code to systematically locate installation paths. The rejelejapihihocuyaxvalue method searches for browser profiles by checking directories under a Profiles subfolder for the presence of sensitive files like logins.json (stored passwords), key4.db (encryption keys), and places.sqlite (browsing history). If found, it returns the profile path, indicating where credentials or decryptable data reside. The Concat method concatenates string arrays, likely used to aggregate browser paths or profile directories during data collection.

The screenshot depicts a list of malware-related data collection variables, likely from a data-stealing payload designed to harvest sensitive information across multiple applications and system components. Variables like chmCookiesList, gckHistoryList, and ChromiumExtensions target browser data (cookies, history, extensions) from Chromium-based browsers (Chrome, Edge), while DiscordTokenList, SkypeSessions, and TelegramSessions indicate theft of session tokens and credentials from communication platforms. WalletsB, WiFiPass, and Clipboard suggest extraction of cryptocurrency wallet data, Wi-Fi passwords, and clipboard contents, respectively. Additional variables such as SysInfo, InstalledApps, and FileZilla reveal broader system reconnaissance, including installed software and FTP credentials. The use of StringBuilder and byte[] types highlight structured data aggregation for exfiltration, underscoring the malware’s focus on comprehensive credential theft, financial fraud, and system profiling for further exploitation.

The snapshot below is the Process tree of the stealer

The snapshot below is the Command-&-Control (C2) Server of the Stealer:

The snapshot below is the Telegram Bot based Command-&-Control (C2) Server:

EXTERNAL THREAT LANDSCAPE MANAGEMENT

The External Threat Landscape Management (ETLM) analysis of this attack chain reveals a well-coordinated malware campaign leveraging jilas.net as the initial delivery source. The attack begins with an obfuscated JavaScript file hosted on jilas.net, which retrieves encoded commands from a trusted open-source service and executes a PowerShell script to download additional payloads. These include a JPG image and a text file containing embedded MZ DOS executables that ultimately deploy a Stealer malware. The Stealer extracts credentials, browser data, and system information, transmitting the stolen data to an attacker-controlled Telegram bot for exfiltration.

The use of jilas.net as a payload host suggests a compromised or attacker-controlled infrastructure, emphasizing the need for enhanced network monitoring, domain analysis, and proactive threat intelligence measures to detect and neutralize such evolving threats.

Diamond Model

CONCLUSION

The analyzed attack chain demonstrates a highly sophisticated, multi-stage malware campaign that leverages obfuscation, steganography, and covert communication to evade detection and compromise victims’ systems. The use of jilas.net as the initial JavaScript payload source, combined with a trusted open source tool for encoded command retrieval, highlights a strategic approach to malware distribution. By embedding malicious executables within seemingly harmless JPG and text files, the attackers effectively bypass traditional security mechanisms.

Furthermore, the final payload – a Stealer malware communicating with a Telegram bot emphasizes the growing reliance on encrypted messaging platforms for data exfiltration, making detection and mitigation increasingly challenging. Organizations must implement advanced behavioral analysis, endpoint detection, and strict network monitoring to counter such evolving threats. Strengthening domain intelligence, restricting unauthorized script execution, and raising user awareness are crucial steps toward mitigating these stealthy and persistent cyber threats.

YARA Rule:

rule MultiStage_Malware_Detection {
meta:
author = “CYFIRMA Research Team”
description = “Detects multi-stage malware using obfuscated JavaScript, PowerShell, steganography, and Telegram-based exfiltration”
date = “2025-02-13”
strings:
$js_obf = {91 98 e2 9b aa f0 9f 92 85 f0 9f 96 9b f0 9f 8f a5 e2 99 8f f0 9f 8f 9f f0 9f 8e 81 f0 9f 97 af}
$jpg_steg = { 3c 3c 42 41 53 45 36 34 5f 53 54 41 52 54 3e 3e 20 }
$telegram_api = “api.telegram.org/bot”
$telegram_send = “/sendMessage”
condition:
(any of ($js_obf, $jpg_steg, $telegram_api, $telegram_send))
}

RECOMMENDATIONS

Strategic Recommendations:

• Enhance Employee Awareness and Training: Security Training Programs: Conduct regular security training sessions to educate employees about the latest threats, including phishing and social engineering tactics used by stealer malware.
• Implement Defense-in-Depth Strategy: Develop a comprehensive defense strategy that integrates network segmentation, strong perimeter defenses, and advanced endpoint security, creating multiple layers of protection against threats.
• Invest in Security Technologies: Engage with threat intelligence services to stay updated on the evolving tactics, techniques, and procedures used by malware operators. Regularly update defenses based on the latest threat intelligence to improve proactive detection capabilities.

Tactical Recommendations:

• Utilize Advanced Endpoint Protection: Implement advanced endpoint protection solutions that include behavioral analysis, heuristic detection, and threat intelligence to detect and mitigate the specific techniques used by the stealer.
• Update and Patch Systems: Consistently update and patch operating systems, software, and applications to fix vulnerabilities that malware like stealers exploit. Utilize automated patch management tools to streamline this process and reduce the attack surface.
• Implement application whitelisting: Restrict the execution of unauthorized applications. This measure prevents the execution of unknown or malicious binaries, effectively hindering stealers’ ability to run on endpoints.

Management Recommendations:

• Security Governance: Establish a robust security governance framework that includes policies, standards, and procedures to govern the organization’s security posture. This framework should cover areas such as access control, data classification, encryption, and third-party risk management.
• Incident Response Plan: Create a comprehensive incident response strategy that describes specific steps for detecting, containing, eliminating, and recovering from a Stealer infection. To guarantee that the plan is effective, test it on a regular basis and improve it.
• Collaborate with Industry Peers: Participate in information exchange and engagement with industry peers, cybersecurity communities, and appropriate authorities. Sharing threat intelligence and best practices can enhance collective resilience to emerging attacks like Stealers.

APPENDIX 1

MITRE ATT&CK Matrix

IOCs