A new and insidious threat is emerging within the realm of cybersecurity, one that is eluding the grasp of conventional security measures. Researchers have identified a novel piece of malware, dubbed JS.MonoGlyphRAT, which camouflages itself as a mundane business document—such as a purchase order, quote, or request for proposal. This clever disguise allows attackers to infiltrate corporate networks with alarming stealth.
Upon an unsuspecting employee opening the seemingly innocuous attachment, the malware establishes a persistent foothold within the company’s network. JS.MonoGlyphRAT is primarily disseminated through phishing emails, targeting a variety of sectors across the United States, including technology firms, managed security service providers (MSSPs), telecommunications, and educational institutions. Its reach, however, extends beyond U.S. borders, with confirmed incidents reported in countries such as Germany, Sweden, and Australia, highlighting a growing international concern.
Analysts at ANY.RUN have meticulously documented this malware cluster in a comprehensive report shared with Cyber Security News (CSN). The name MonoGlyphRAT is derived from its distinctive obfuscation technique, where variable and function names are crafted from repetitive characters in mixed case, rendering the code exceedingly difficult to decipher using standard security tools.
What sets JS.MonoGlyphRAT apart is its classification as “Unknown malware” on major threat intelligence platforms like VirusTotal and ThreatFox. Traditional antivirus solutions, which rely on known signatures, are ineffective against this threat. Instead, real-time monitoring for suspicious behavior is essential for detection.
The financial ramifications of a successful infection can be staggering, potentially reaching millions of dollars. Organizations face a myriad of risks, including ransomware deployment, data theft, regulatory penalties, business email compromise, and prolonged operational downtime. The malware’s ability to download and deploy additional malicious payloads means that even a single compromised machine can serve as a gateway to a much larger and costlier breach.
Hackers Use Fake Purchase Orders
The attack typically begins with a solitary email. Employees in procurement, sales, or finance receive a message containing a JavaScript file named something innocuous, such as PURCHASE ORDER_12258.js or QUOTE_B2026.js. These filenames are intentionally crafted to resemble routine business documents, prompting recipients to open them without hesitation.
Once executed via Windows Script Host (WSH), the malware quietly replicates itself within a subfolder of the user’s profile directory and registers itself in the Windows registry. This action ensures that the malware activates automatically with each reboot, all while remaining undetected by the user.
Following this, the malware establishes communication with its command-and-control (C2) server over HTTP using non-standard ports, further evading detection. It gathers critical system information, including the username, domain, operating system version, and hardware profile, subsequently relaying this data back to the attacker before entering a dormant state, poised for further instructions.
How JS.MonoGlyphRAT Operates Under the Radar
Once a connection is established, attackers gain the capability to download additional payloads, execute encrypted PowerShell commands, and load malicious code entirely in memory, leaving no trace on disk. The malware can even patch Windows’ built-in security measures to thwart future detection attempts.
All communications with the C2 server utilize custom HTTP response headers—where X-S carries the active session ID and X-A delivers the command code. The data exchanged is encrypted using AES-128 and XOR encoding, with part of the key hardcoded into the malware, complicating forensic investigations.
Utilizing an Interactive Sandbox, analysts can execute suspicious JavaScript attachments safely, allowing for immediate observation of malicious behaviors associated with MonoGlyphRAT, such as the execution of wscript.exe, spawning of PowerShell processes, registry persistence, C2 communications, and attempts to deliver payloads.
Security teams are strongly encouraged to focus on behavioral signals rather than relying solely on antivirus signatures. Key indicators of compromise include:
- wscript.exe executing JavaScript files from user directories
- PowerShell processes launched with encoded command flags
- New registry run keys pointing to .js files
- HTTP POST traffic to unusual ports with patterns like a=iz&b=.
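Detection logic for the four behavioural indicators just listed, run over constructed telemetry records, as an added example (not ANY.RUN's own rules): the event schema, user name, file paths and session value are assumed; only the indicator strings (wscript.exe, encoded PowerShell, Run key to .js, `a=iz&b=`, `X-S`/`X-A`) come from the article.

```python
import re

# Constructed event records in a simplified Sysmon/proxy style; none are real logs.
USER_DIR = re.compile(r"[A-Za-z]:\\Users\\[^\\]+\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", re.IGNORECASE)
ENCODED_FLAG = re.compile(r"\s-(?:e|ec|en|enc|encodedcommand)\b", re.IGNORECASE)  # common spellings
COMMON_WEB_PORTS = {80, 443, 8080, 8443}

def classify(event):
    """Return the indicator names an event matches (empty list if it looks benign)."""
    hits = []
    if event.get("type") == "process":
        image = event.get("image", "").lower()
        cmd = event.get("cmdline", "")
        # Indicator 1: wscript.exe running a .js file from a user profile directory
        if image.endswith("wscript.exe") and ".js" in cmd.lower() and USER_DIR.search(cmd):
            hits.append("wscript_js_from_user_dir")
        # Indicator 2: PowerShell launched with an encoded-command flag
        if image.endswith("powershell.exe") and ENCODED_FLAG.search(cmd):
            hits.append("powershell_encoded_command")
    elif event.get("type") == "registry":
        # Indicator 3: a Run key whose value launches a .js file
        if RUN_KEY.search(event.get("key", "")) and ".js" in event.get("value", "").lower():
            hits.append("run_key_points_to_js")
    elif event.get("type") == "http":
        # Indicator 4: POST check-in to a non-standard port carrying the a=iz&b= body pattern
        if (event.get("method") == "POST" and event.get("dst_port") not in COMMON_WEB_PORTS
                and event.get("body", "").startswith("a=iz&b=")):
            hits.append("c2_checkin_post")
        # The C2 answers with custom X-S (session) and X-A (command) response headers
        if {"x-s", "x-a"} & {h.lower() for h in event.get("resp_headers", {})}:
            hits.append("c2_custom_headers")
    return hits

def scan(events):
    """Map event id -> matched indicators, keeping only events that matched something."""
    return {e["id"]: classify(e) for e in events if classify(e)}

# Constructed sample telemetry (user name, paths, encoded blob and session value are made up)
EVENTS = [
    {"id": "p1", "type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\jdoe\Downloads\PURCHASE ORDER_12258.js"'},
    {"id": "p2", "type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -enc SQBFAFgA"},
    {"id": "r1", "type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": r'wscript.exe "C:\Users\jdoe\AppData\Roaming\QUOTE_B2026.js"'},
    {"id": "h1", "type": "http", "method": "POST", "dst_port": 34567, "body": "a=iz&b=EXAMPLE",
     "resp_headers": {"X-S": "SESSIONID", "X-A": "0"}},
    {"id": "h2", "type": "http", "method": "POST", "dst_port": 443, "body": "q=search", "resp_headers": {}},
]
```

Calling `scan(EVENTS)` flags p1, p2, r1 and h1 and leaves the ordinary HTTPS POST h2 unflagged; in a SIEM the same checks would be expressed as rules over the corresponding process, registry and proxy event fields.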
Early detection of this threat necessitates behavioral monitoring and sandbox-based analysis, moving away from traditional signature matching methods. Implementing ANY.RUN can significantly enhance proactive defense strategies.
Indicators of Compromise (IoCs):
| Type | Indicator | Description |
|---|---|---|
| IP Address | 158.94.211[.]76 | Primary C2 server IP address |
| IP Address | 91.92.243[.]79 | Secondary C2 server IP address |
| URL | hxxp://158.94.211[.]76:34567/ceoznp | C2 beacon endpoint |
| URL | hxxp://158.94.211[.]76:34567/ceoznp?ia=GEZHOV8LBB7PY4KX&df= | C2 check-in URL with session parameter |
| URL | hxxp://158.94.211[.]76:34567/ceoznp?ia=UDP3HIP4P5SH3U5R&df= | C2 check-in URL with alternate session |
| Domain | aryamint[.]com | C2 infrastructure domain |
| Domain | scan.aryamint[.]com | C2 infrastructure subdomain |
| File Hash (SHA256) | 5446b24959c1c2707accfc257aaac61819c01d1ed65bca910a7e8be1787d20b | Obfuscated JS malware sample |
| File Name | PURCHASE ORDER_12258.js | Phishing lure filename |
| File Name | QUOTE_B2026.js | Phishing lure filename |
| File Name | CKML220066 – MSRS no. 812399.js | Phishing lure filename |
| File Name | QUOTATION2026115.js | Phishing lure filename |
| Registry Key | HKCU\Software\Microsoft\Windows\CurrentVersion\Run | Persistence registry key |
| File Path | %USERPROFILE%.js | Malware installation path |
| HTTP Header | X-A: | C2 command delivery header |
| HTTP Header | X-S: | C2 session ID header |
| HTTP Pattern | POST body: a=iz&b= | C2 check-in POST body pattern |
| Query Parameter | ia=<sessionid> | C2 session identifier parameter |
| Query Parameter | df=0 | C2 telemetry upload parameter |
| Query Parameter | ex= | C2 file download parameter |
| Query Parameter | sb= | C2 loader/stage parameter |
| Query Parameter | vc= | C2 payload URL parameter |
| Crypto IV | sixteenbyteslong | Static AES initialization vector (plaintext) |
| Encoded IV | 76E6F6C63756479726E6565647879637 | AES IV in reversed hex encoding |
| Suricata Rule ID | 85006579 | Detection rule for C2 traffic |
| Suricata Rule ID | 85006580 | Detection rule for C2 traffic |
| Suricata Rule ID | 85006581 | Detection rule for C2 traffic |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.