Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
14 distinct techniques documented for this family, organized by ATT&CK tactic.
When the recipient opens the shortcut file, named juicio-grunt-posting.pdf.lnk and dressed up with a PDF icon, it silently invokes PowerShell with the execution policy disabled and hidden mode enabled.
The final payload then hides itself as msedge_proxy.exe within Microsoft Edge’s user data folder — a calculated move to blend in with trusted system processes.
What makes it particularly concerning is its built-in cleanup capability — when operators are finished, a single command erases every trace of the malware, making post-incident forensics significantly harder.
6 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A Rust-built remote access trojan delivered through spear-phishing emails with fake court documents. It provides persistent control of infected systems, connects to a command-and-control server, supports file theft, credential harvesting, privilege escalation, encrypted file operations, persistent re-access, and includes anti-analysis and cleanup capabilities to erase traces after use.
A Rust-based remote access trojan delivered via spear-phishing ZIP archives containing a weaponized LNK, BAT loader, and PDF decoy. It downloads and executes a payload masquerading as msedge_proxy.exe, performs anti-VM/anti-sandbox/anti-debug checks, profiles the host, establishes C2 with IPv4/IPv6 fallback, supports persistence, file transfer, data harvesting, encryption/decryption, and privilege escalation, and can load additional credential-stealing and DLL-based ransomware modules.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.