JsOutProx
JsOutProx is a fully functional JavaScript remote access trojan (RAT) first reported in December 2019. It has been delivered in spearphishing campaigns targeting government, monetary, and financial-sector organizations in Asia, and has also been reported in phishing campaigns against financial institutions across Africa, the Middle East, South Asia, and Southeast Asia. Reported lures impersonated government entities and an Asian central bank and used anti-money laundering/compliance themes. Victims were prompted to open compressed attachments containing malicious Microsoft HTA files that executed heavily obfuscated JavaScript to install and run the malware.
JsOutProx can run as a JavaScript file from the command line or as an HTA via mshta.exe. When executed in a window, it attempts to hide by resizing the window to 0x0 pixels and moving it off-screen. Reported functionality includes remote access capabilities, modular plugin support, and an updated command, "rmz," that modifies the Zone Identifier in NTFS alternate data streams to improve execution of downloaded files across Windows security zones. FortiGuard also described a PowerShell-related screen/remote-control capability able to capture screenshots and provide virtual keyboard and mouse control; the related plugin can execute either HTA files or Java JAR files.
Observed delivery and infrastructure details include the HTA files "Pilipina_Anti-Money_Laundering_Council_Resolution_pdf.hta" (SHA-256: c10ea9b5aade9e98b7c87a6926fed6356d903440a17590c519aec7a54e1e5165) and "Information_on_Compliance_officer_xlsx.hta" (SHA-256: f1027d6f01718030a66872a82134418984c2de82e1aff32cb7cc106bf8d3375a). Reported C2 endpoints include myabiggeojs.myftp[.]biz:9895 resolving to 185.195.79[.]210, afghphae.gotdns[.]ch:9060 resolving to 185.19.85[.]156, and posssdhm.ddns[.]net:9060 resolving to 151.106.14[.]155. Additional related DDNS domains resolving to 185.19.85[.]156 included dirhaeednotrtup.hopto[.]org:9097 and bushaka009.duckdns[.]org. Infrastructure overlap with other malware campaigns has been noted, but attribution remains uncertain.
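The indicators above are defanged (`[.]`) so they cannot be clicked; to use them for hunting they must be refanged and matched against DNS, proxy and EDR telemetry. The following is an added example, not code from the original page or from any vendor, that refangs this page's reported domains, IPs and SHA-256 hashes and scans constructed sample log lines for them (the log format and the SAMPLE lines are assumptions).

```python
import re

# Indicators as reported on this page, still defanged; refanged below before matching.
DEFANGED_DOMAINS = {
    "myabiggeojs.myftp[.]biz": 9895,
    "afghphae.gotdns[.]ch": 9060,
    "posssdhm.ddns[.]net": 9060,
    "dirhaeednotrtup.hopto[.]org": 9097,
    "bushaka009.duckdns[.]org": None,   # no port reported
}
DEFANGED_IPS = {"185.195.79[.]210", "185.19.85[.]156", "151.106.14[.]155"}
HASHES = {
    "c10ea9b5aade9e98b7c87a6926fed6356d903440a17590c519aec7a54e1e5165",
    "f1027d6f01718030a66872a82134418984c2de82e1aff32cb7cc106bf8d3375a",
}

def refang(ioc: str) -> str:
    """Turn a defanged indicator such as 185.19.85[.]156 back into a matchable value."""
    return ioc.replace("[.]", ".").lower()

DOMAINS = {refang(d): port for d, port in DEFANGED_DOMAINS.items()}
IPS = {refang(ip) for ip in DEFANGED_IPS}

# Tokens worth checking: 64-hex SHA-256, dotted-quad IPv4, or a hostname.
TOKEN_RE = re.compile(r"[0-9a-f]{64}|\d{1,3}(?:\.\d{1,3}){3}|[a-z0-9.-]+\.[a-z]{2,}", re.I)

def match_line(line: str) -> list:
    """Return (indicator, kind) tuples for every page indicator present in one log line."""
    hits = []
    for tok in TOKEN_RE.findall(line):
        t = tok.lower()
        if t in HASHES:
            hits.append((t, "sha256"))
        elif t in IPS:
            hits.append((t, "ip"))
        elif t in DOMAINS:
            port = DOMAINS[t]
            # A destination port that matches the reported C2 port strengthens the hit.
            kind = "domain+port" if port and re.search(rf"\b{port}\b", line) else "domain"
            hits.append((t, kind))
    return hits

def scan(lines) -> list:
    """Return (line_number, (indicator, kind)) for every hit across the given lines."""
    return [(n, h) for n, ln in enumerate(lines, 1) for h in match_line(ln)]

# Constructed sample telemetry for the demo; not real traffic or real hosts.
SAMPLE = [
    "2024-01-10 dns query afghphae.gotdns.ch -> 185.19.85.156",
    "2024-01-10 proxy CONNECT posssdhm.ddns.net:9060 user=j.doe",
    "2024-01-10 edr file_write C:\\Users\\j.doe\\AppData\\Local\\Temp\\Information_on_Compliance_officer_xlsx.hta sha256=f1027d6f01718030a66872a82134418984c2de82e1aff32cb7cc106bf8d3375a",
    "2024-01-10 dns query update.example.com -> 93.184.216.34",
]

if __name__ == "__main__":
    for n, (ioc, kind) in scan(SAMPLE):
        print(f"line {n}: {kind} {ioc}")
```

Because these are dynamic DNS hostnames, a resolved-IP hit should be weighted lower than a hostname or hash hit, since the same address may be reused by unrelated tenants over time.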
The malware has been associated in reporting with SOLAR SPIDER phishing activity.
"SOLAR SPIDER’s phishing campaigns deliver the JSOutProx RAT to financial institutions across Africa, the Middle East, South Asia and Southeast Asia."
A JavaScript-based remote access trojan delivered via spearphishing attachments (compressed archives containing malicious .HTA). It uses heavily obfuscated JavaScript, communicates with C2 over DDNS domains, supports modular plugins, and can execute code (JavaScript/VB/.NET), manage files/processes, capture screenshots, and provide remote control via virtual keyboard/mouse. It includes evasion such as hiding the mshta window and modifying Zone Identifier ADS (rmz) to ease execution of downloaded files.
Remote access trojan delivered via phishing, targeting financial institutions across multiple regions (Africa, Middle East, South Asia, Southeast Asia).