JSGuLdr: Multi-Stage Loader Delivering PhantomStealer
#ANYRUN researchers identified #JSGuLdr, a multi-stage JavaScript-to-PowerShell loader used to deliver #PhantomStealer. A JScript file triggers PowerShell through an Explorer COM call, pulls the second stage from %APPDATA%\Registreri62, then uses Net.WebClient to fetch an encrypted payload from Google Drive into %APPDATA%\Autorise131[.]Tel. The payload is decoded in memory and loaded, with PhantomStealerinjected into msiexec.exe.
Execution chain: wscript.exe ➡️ explorer.exe (svchost.exe) ➡️ explorer.exe (COM) ➡️ powershell.exe ➡️ msiexec.exe
👉 See analysis session: https://app.any.run/tasks/7b295f6f-5f16-4a44-a02b-5d59fd4b1e8f?utm_source=tg_thehackernews&utm_medium=post&utm_campaign=techpost&utm_content=task&utm_term=201125
👉 Read full analysis: https://t.iss.one/anyrun_app/698
#ANYRUN researchers identified #JSGuLdr, a multi-stage JavaScript-to-PowerShell loader used to deliver #PhantomStealer. A JScript file triggers PowerShell through an Explorer COM call, pulls the second stage from %APPDATA%\Registreri62, then uses Net.WebClient to fetch an encrypted payload from Google Drive into %APPDATA%\Autorise131[.]Tel. The payload is decoded in memory and loaded, with PhantomStealerinjected into msiexec.exe.
Execution chain: wscript.exe ➡️ explorer.exe (svchost.exe) ➡️ explorer.exe (COM) ➡️ powershell.exe ➡️ msiexec.exe
👉 See analysis session: https://app.any.run/tasks/7b295f6f-5f16-4a44-a02b-5d59fd4b1e8f?utm_source=tg_thehackernews&utm_medium=post&utm_campaign=techpost&utm_content=task&utm_term=201125
👉 Read full analysis: https://t.iss.one/anyrun_app/698
⚡7👍3👏1