Malicious JScript Loader Jailbreaked to Uncover Xworm Payload Execution Flow

Cybersecurity researchers have uncovered a sophisticated multi-stage attack chain that uses JScript to deliver dangerous malware payloads. The attack, which employs a complex obfuscation technique, ultimately delivers either XWorm or Rhadamanthys malware depending on the victim's geographic location. Victims are targeted with an mshta.exe command that executes obfuscated JScript code, which in turn generates PowerShell commands; this technique lets attackers bypass traditional security measures by leveraging legitimate Windows components to execute malicious code. Upon execution, the JScript loader builds a PowerShell command by reassembling randomly ordered array elements into a coherent script, and the code fragment examined in the report shows how the malware then uses PowerShell reflection to dynamically load malicious components while evading detection. The loader thus operates through a carefully crafted execution flow that begins with JScript, transitions to PowerShell, and culminates in the delivery of fileless malware. The researchers noted that this location-based payload delivery represents an evolution in targeted malware distribution, allowing threat actors to tailor attacks to geographic considerations. The analysis highlights how modern malware distribution blends sophisticated obfuscation with targeted delivery mechanisms to maximize infection success while minimizing detection. Security professionals are advised to implement robust detection mechanisms focused on identifying suspicious PowerShell execution chains and fileless injection techniques.
The malware implements thorough anti-forensic measures, including terminating competing processes and removing potential evidence files from various system directories. Non-US victims are infected with Rhadamanthys, a sophisticated C++ info-stealer that employs AI-powered image recognition to identify cryptocurrency wallet seed phrases.
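The detection advice above can be exercised against constructed Sysmon-style process-creation events: flag PowerShell processes whose parent chain contains mshta.exe, or whose command line shows several of the loader's traits (reflective assembly loading, re-joining shuffled array slots, hidden/no-profile launch). This is an added example, not code from the report or from the loader; the event field names and sample command lines are assumptions.

```python
import re

# Constructed Sysmon-style process-creation events (assumed field names); not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": r"mshta.exe C:\Users\victim\AppData\Local\Temp\invoice.hta"},
    {"pid": 300, "ppid": 200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -w hidden -nop -c $s=-join $a[3,0,2,1];"
            "[System.Reflection.Assembly]::Load($b)"},
    {"pid": 400, "ppid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe -File C:\scripts\backup.ps1"},
]

# Command-line indicators drawn from the chain described in the report.
INDICATORS = {
    "reflective_load": re.compile(r"\[System\.Reflection\.Assembly\]::Load", re.I),
    "array_reassembly": re.compile(r"-join\s+\$\w+\[", re.I),   # joining shuffled array slots
    "hidden_noprofile": re.compile(r"-w\s+hidden|-nop\b", re.I),
}

def _basename(image):
    return image.lower().rsplit("\\", 1)[-1]

def ancestors(by_pid, pid, max_depth=5):
    """Return executable names of pid's parent chain, closest parent first."""
    chain, ev = [], by_pid.get(pid)
    while ev and len(chain) < max_depth:
        ev = by_pid.get(ev["ppid"])
        if ev:
            chain.append(_basename(ev["image"]))
    return chain

def detect_loader_chains(events):
    """Flag PowerShell launched under mshta.exe, or showing >= 2 loader indicators."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if _basename(e["image"]) not in ("powershell.exe", "pwsh.exe"):
            continue
        reasons = [k for k, rx in INDICATORS.items() if rx.search(e["cmd"])]
        parents = ancestors(by_pid, e["pid"])
        if "mshta.exe" in parents:
            reasons.insert(0, "spawned_by_mshta")
        if "spawned_by_mshta" in reasons or len(reasons) >= 2:
            findings.append({"pid": e["pid"], "parents": parents, "reasons": reasons})
    return findings
```

Requiring either the mshta.exe parent or at least two command-line indicators keeps an ordinary `powershell.exe -File` launch from explorer.exe out of the findings.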

This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 15 Apr 2025 14:40:14 +0000


