JSDropperLoader

JavaScript malware dropper with three layers of obfuscation: an outer XOR layer (XOR(20/142)), a custom AES-256 implementation with a modified S-box and RCON table, and an embedded PowerShell loader underneath. The loader injects its payload into MSBuild.exe via process hollowing and uses an assembly in the OmniCascade namespace (QuartzMediator, PhantomLinker). Embedded blobs are stored in a custom Base28 encoding and decoded with a ConvertFrom-Base28 routine. Execution is via WScript.Shell.Run() and ADODB.Stream. Consistent with XLoader/ModiLoader/I
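As an added triage example (not code from this page or from the sample itself), the script below scans a JS dropper for the static indicators listed in the profile (WScript.Shell.Run, ADODB.Stream, MSBuild.exe, the OmniCascade namespace, ConvertFrom-Base28), then brute-forces the outer XOR layer of an embedded hex blob and re-scans what comes out. The single-byte XOR key, the hex-literal storage of the blob and the sample script are assumptions made for the example: the page's XOR(20/142) notation, the modified AES-256 S-box/RCON values and the Base28 alphabet are not documented here, so those layers are not implemented and the XOR output is treated as the PowerShell layer purely for illustration.

```python
"""Triage helper for JS droppers like the one profiled above.

This is an added example, not code from the page or from the sample's
author. Assumptions not supported by the page: the outer XOR layer uses a
single-byte key and the blob sits in the script as a hex string literal.
The page's "XOR(20/142)" key notation, the custom AES-256 S-box/RCON and
the Base28 alphabet are not documented here, so those layers are not
implemented; the XOR output is treated as the PowerShell layer for
illustration only.
"""
import re
from typing import Dict, List, Optional, Tuple

# Static indicators taken from the family description on this page.
INDICATORS: Dict[str, str] = {
    "wscript_shell":   r"WScript\.Shell",
    "shell_run":       r"\.Run\s*\(",
    "adodb_stream":    r"ADODB\.Stream",
    "msbuild_target":  r"MSBuild\.exe",
    "omnicascade_ns":  r"\bOmniCascade\b|\bQuartzMediator\b|\bPhantomLinker\b",
    "base28_decoder":  r"ConvertFrom-Base28",
}

# Long hex string literals are treated as candidate encrypted blobs (assumption).
HEX_BLOB = re.compile(r"[\"']([0-9A-Fa-f]{64,})[\"']")

# Known-plaintext markers expected in a PowerShell loader layer.
PS_MARKERS = (b"powershell", b"Add-Type", b"[System.", b"Invoke-", b"IEX")


def find_indicators(text: str) -> List[str]:
    """Return the names of the page-listed indicators present in text."""
    return [name for name, pat in INDICATORS.items() if re.search(pat, text)]


def extract_hex_blobs(js: str) -> List[bytes]:
    """Pull even-length hex literals out of the script and decode them."""
    return [bytes.fromhex(m.group(1)) for m in HEX_BLOB.finditer(js)
            if len(m.group(1)) % 2 == 0]


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII, tab, CR or LF."""
    if not data:
        return 0.0
    return sum(32 <= b < 127 or b in (9, 10, 13) for b in data) / len(data)


def recover_xor_key(blob: bytes) -> Optional[Tuple[int, bytes]]:
    """Brute-force a single-byte XOR key (assumption, see module docstring).

    A candidate is accepted only if the result is almost entirely printable
    and contains at least one PowerShell marker; the key with the most
    marker hits wins. Key 0 is tried too, so an unencrypted blob is
    reported as key 0 rather than missed.
    """
    best: Optional[Tuple[int, int, bytes]] = None  # (hits, key, plaintext)
    for key in range(256):
        plain = bytes(b ^ key for b in blob)
        if printable_ratio(plain) < 0.95:
            continue
        hits = sum(marker in plain for marker in PS_MARKERS)
        if hits and (best is None or hits > best[0]):
            best = (hits, key, plain)
    return None if best is None else (best[1], best[2])


def triage(js: str) -> dict:
    """Scan the script for static indicators, peel the outer XOR layer from
    the first recoverable blob and scan the recovered layer as well."""
    report = {"outer_indicators": find_indicators(js), "xor_key": None,
              "decrypted": b"", "inner_indicators": []}
    for blob in extract_hex_blobs(js):
        hit = recover_xor_key(blob)
        if hit is not None:
            key, plain = hit
            report.update(xor_key=key, decrypted=plain,
                          inner_indicators=find_indicators(plain.decode("latin-1")))
            break
    return report


# Constructed sample (not a real dropper): a PowerShell loader stub XORed with
# 0x8E and embedded in a JS skeleton that uses the objects named on the page.
_PS_STUB = (b"powershell -nop -w hidden -c \"$src=[System.Text.Encoding]::UTF8."
            b"GetString($b); Add-Type -TypeDefinition $src; "
            b"[OmniCascade.QuartzMediator]::Start('MSBuild.exe')\"")
_KEY = 0x8E
SAMPLE_JS = (
    "var sh = new ActiveXObject('WScript.Shell');\n"
    "var st = new ActiveXObject('ADODB.Stream');\n"
    "var blob = '" + bytes(b ^ _KEY for b in _PS_STUB).hex() + "';\n"
    "sh.Run(decrypt(blob), 0, false);\n"
)

if __name__ == "__main__":
    for field, value in triage(SAMPLE_JS).items():
        print(f"{field}: {value}")
```

Running the module prints the outer indicators found in the JS skeleton, the recovered key, the decrypted layer and the indicators found inside it; on the constructed sample the MSBuild.exe and OmniCascade references only appear after the XOR layer is removed, which is the point of re-scanning each peeled layer rather than the outer script alone.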

Threat Profile
Type: Loader
Programming Language: JavaScript/PowerShell
C2 Protocol: HTTP/custom
First Seen: 2024
Targets: Global
Purpose / Capabilities:
  • Loader / Dropper / Process hollowing
No C2 servers have been identified for this family yet.

Research Reports (1)

Critical

JSDropper 06cd8dcf -- XOR, custom AES-256 with modified S-box, PowerShell, MSBuild hollowing, OmniCascade/QuartzMediator, WScript, ADODB, ConvertFrom-Base28, XLoader/ModiLoader | Critical

JSDropper 06cd8dcf, JavaScript, 804 KB. Three layers: XOR + custom AES-256 (modified S-box) + PowerShell loader. Process hollowing of MSBuild.exe. OmniCascade assembly. WScript.Shell.Run and ADODB.Stream.
