@thehackernews · Post #7938 · 20.11.2025 г., 13:05
JSGuLdr: Multi-Stage Loader Delivering PhantomStealer #ANYRUN researchers identified #JSGuLdr, a multi-stage JavaScript-to-PowerShell loader used to deliver #PhantomStealer. A JScript file triggers PowerShell through an Explorer COM call, pulls the second stage from %APPDATA%\Registreri62, then uses Net.WebClient to fetch an encrypted payload from Google Drive into %APPDATA%\Autorise131[.]Tel. The payload is decoded in memory and loaded, with PhantomStealerinjected into msiexec.exe. Execution chain: wscript.exe ➡️ explorer.exe (svchost.exe) ➡️ explorer.exe (COM) ➡️ powershell.exe ➡️ msiexec.exe 👉 See analysis session: https://app.any.run/tasks/7b295f6f-5f16-4a44-a02b-5d59fd4b1e8f?utm_source=tg_thehackernews&utm_medium=post&utm_campaign=techpost&utm_content=task&utm_term=201125 👉 Read full analysis: https://t.me/anyrun_app/698
Hashtags