JSSLoader
JSSLoader is a remote access trojan (RAT) associated with the Russian financially motivated threat group FIN7, also tracked as ELBRUS and Sangria Tempest. The content states that ELBRUS/FIN7 developed and distributed JSSLoader as one of its custom malware families used for persistence, alongside Griffon. Since at least 2019, Microsoft observed Storm-0324 (also referenced as TA543/Sagrid) primarily distributing JSSLoader and handing off resulting access to Sangria Tempest/FIN7, with infections frequently preceding ransomware activity.
Observed delivery vectors in the content include spear phishing and other email-based infection chains, as well as Microsoft Teams phishing beginning in 2023. One documented chain uses malicious Microsoft Excel add-in files (.xll) delivered by email. When opened, Excel loads an unsigned add-in, performs DNS lookups to delivery domains including physiciansofficenews.com, thechinastyle.com, and divorceradio.com, and downloads and executes JSSLoader from the user %TEMP% directory as a DNA-prefixed .tmp file. The content notes this use of a .tmp extension as an evasion measure. Another Microsoft-described chain uses SharePoint-hosted ZIP archives containing JavaScript, WSF, VBScript, Office documents, or Ekipa publisher files exploiting CVE-2023-21715; execution drops a JSSLoader variant DLL.
Behavior and follow-on activity described in the content indicate JSSLoader functions as an access-enabling implant for later FIN7/Sangria Tempest operations. FIN7-related artifacts involving JSSLoader have been observed downloading additional malware including Cobalt Strike and ransomware. Splunk content referenced in the source also describes JSSLoader-related activity generating SACL events while accessing a browser SQL database for collection of data to exfiltrate, indicating data theft capability or supporting collection behavior.
Targeting and victimology in the content are tied primarily to FIN7 operations, which are described as historically targeting U.S. retail, restaurant, and hospitality organizations. Storm-0324 campaigns distributing JSSLoader are described as using invoice- and payment-themed lures and as part of financially motivated initial-access operations that often culminate in ransomware deployment.
High-confidence indicators and artifacts directly mentioned in the content include the delivery domains physiciansofficenews.com, thechinastyle.com, and divorceradio.com; an example DNS resolution of physiciansofficenews.com to 209.99.64.51; execution by EXCEL.EXE of a DNA-prefixed temporary payload such as C:\Users\chris\AppData\Local\Temp\DNAxxx.tmp; an example malicious XLL SHA256 of 8783EB00ACB3196A270C9BE1E06D4841BF1686C7F7FC6E009D6172DAF0172FC6; and an example JSSLoader payload SHA256 of 45FA7A26A0DBA954080147CAAB78453E7935DC4916418150A37F09B2BA263B41. Microsoft Defender detections referenced in the content include TrojanSpy:MSIL/JSSLoader.
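The indicators above (delivery domains, the resolved IP, the DNA-prefixed .tmp executed by EXCEL.EXE, and the two SHA256 values) can be turned into a simple host-level hunt. The following Python sketch is an added example, not Mallory's or any vendor's detection content: it walks a constructed list of telemetry events (the field names `host`, `type`, `process`, `query`, `answer`, `path`, `image`, `parent`, `sha256` are assumed, not a real product schema), tags each matching event with the stage of the XLL chain it corresponds to, and escalates a host when two or more distinct stages appear together.

```python
import re
from collections import defaultdict

# Indicators taken from the page summary above (not constructed).
DELIVERY_DOMAINS = {"physiciansofficenews.com", "thechinastyle.com", "divorceradio.com"}
DELIVERY_IPS = {"209.99.64.51"}
KNOWN_SHA256 = {
    "8783EB00ACB3196A270C9BE1E06D4841BF1686C7F7FC6E009D6172DAF0172FC6": "malicious XLL add-in",
    "45FA7A26A0DBA954080147CAAB78453E7935DC4916418150A37F09B2BA263B41": "JSSLoader payload",
}
# %TEMP% resolves to <profile>\AppData\Local\Temp; the dropped payload is DNA<...>.tmp
DNA_TMP_RE = re.compile(r"\\AppData\\Local\\Temp\\DNA[^\\]*\.tmp$", re.IGNORECASE)


def check_event(ev):
    """Return (stage, reason) tuples for one telemetry event; an empty list means clean."""
    hits = []
    proc = ev.get("process", "").lower()
    if ev.get("type") == "dns":
        q = ev.get("query", "").lower().rstrip(".")
        if q in DELIVERY_DOMAINS or ev.get("answer") in DELIVERY_IPS:
            who = "EXCEL.EXE" if proc == "excel.exe" else (proc or "unknown process")
            hits.append(("c2_lookup", f"{who} resolved JSSLoader delivery domain {q}"))
    elif ev.get("type") == "file" and proc == "excel.exe":
        if DNA_TMP_RE.search(ev.get("path", "")):
            hits.append(("drop", f"EXCEL.EXE wrote DNA-prefixed .tmp {ev['path']}"))
    elif ev.get("type") == "process":
        image = ev.get("image", "")
        if DNA_TMP_RE.search(image):
            # A .tmp run as an executable is the masquerade the page describes;
            # Excel as the parent ties it to the XLL delivery chain.
            parent = ev.get("parent", "").lower()
            who = "EXCEL.EXE" if parent == "excel.exe" else (parent or "unknown parent")
            hits.append(("execute", f"{who} launched .tmp payload {image}"))
    # Hash matching applies to any event type that carries a SHA256.
    sha = ev.get("sha256", "").upper()
    if sha in KNOWN_SHA256:
        hits.append(("hash", f"SHA256 matches known {KNOWN_SHA256[sha]}"))
    return hits


def hunt(events):
    """Group hits per host; a host showing two or more distinct stages is escalated."""
    per_host = defaultdict(list)
    for ev in events:
        for stage, reason in check_event(ev):
            per_host[ev.get("host", "?")].append((stage, reason))
    verdicts = {}
    for host, hits in per_host.items():
        stages = {s for s, _ in hits}
        verdicts[host] = {
            "stages": sorted(stages),
            "reasons": [r for _, r in hits],
            "verdict": "likely JSSLoader XLL chain" if len(stages) >= 2 else "single indicator",
        }
    return verdicts


# Constructed sample telemetry: WS01 reproduces the chain from the summary,
# WS02 shows benign activity that must not fire (hostnames, user "dana",
# the example.com lookup and its 192.0.2.10 answer are made up).
SAMPLE_EVENTS = [
    {"host": "WS01", "type": "dns", "process": "EXCEL.EXE",
     "query": "physiciansofficenews.com", "answer": "209.99.64.51"},
    {"host": "WS01", "type": "file", "process": "EXCEL.EXE",
     "path": r"C:\Users\chris\AppData\Local\Temp\DNAxxx.tmp",
     "sha256": "45fa7a26a0dba954080147caab78453e7935dc4916418150a37f09b2ba263b41"},
    {"host": "WS01", "type": "process", "parent": "EXCEL.EXE",
     "image": r"C:\Users\chris\AppData\Local\Temp\DNAxxx.tmp"},
    {"host": "WS02", "type": "dns", "process": "chrome.exe",
     "query": "example.com", "answer": "192.0.2.10"},
    {"host": "WS02", "type": "file", "process": "EXCEL.EXE",
     "path": r"C:\Users\dana\AppData\Local\Temp\report.tmp"},
]

if __name__ == "__main__":
    for host, v in hunt(SAMPLE_EVENTS).items():
        print(host, v["verdict"], v["stages"])
        for r in v["reasons"]:
            print("   ", r)
```

The per-stage tagging matters more than any single match: a lone DNS lookup of a delivery domain could be a researcher or a sandbox, but the same host also writing and then executing a DNA-prefixed .tmp from Excel is the full chain the summary describes. Hash matches are kept as a separate stage because a repacked payload will miss the hash while still tripping the behavioral stages.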
Vulnerabilities exploited
2 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
Storm-0324 has used a variety of files to host the JavaScript code, including WSF and Ekipa publisher files exploiting the CVE-2023-21715 local security feature bypass vulnerability.
The actor is known to distribute the JSSLoader malware, which facilitates access for the ransomware-as-a-service (RaaS) actor Sangria Tempest.
ELBRUS is responsible for developing and distributing multiple custom malware families used for persistence, including JSSLoader and Griffon.
Groups observed using it
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
ELBRUS is responsible for developing and distributing multiple custom malware families used for persistence, including JSSLoader and Griffon.
The actor is known to distribute the JSSLoader malware, which facilitates access for the ransomware-as-a-service (RaaS) actor Sangria Tempest.
Techniques & procedures
17 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
4 techniques
Storm-0324 manages a malware distribution chain and has used exploit kit and email-based vectors to deliver malware payloads.
ELBRUS is very active in compromising organizations via phishing campaigns that lead to their JSSLoader and Griffon malware.
Storm-0324’s delivery chain begins with phishing emails referencing invoices or payments and containing a link to a SharePoint site that hosts a ZIP archive.
In July 2023, Storm-0324 began using phishing lures sent over Teams with malicious links leading to a malicious SharePoint-hosted file. For this activity, Storm-0324 most likely relies on a publicly available tool called TeamsPhisher.
Execution
4 techniques
Storm-0324 has used many file formats to launch the malicious JavaScript including Microsoft Office documents, Windows Script File (WSF), and VBScript, among others.
The ZIP archive contains a file with embedded JavaScript code... When the JavaScript launches, it drops a JSSLoader variant DLL.
The password also serves as an effective anti-analysis measure because it requires user interaction after launch.
Once the file is downloaded and opened, the malicious code in the file is loaded and executed by Excel.
Persistence
1 technique
These infections have been utilizing Microsoft Excel add-in files (XLL files) to drop the JSSLoader trojan to victim machines.
Stealth
3 techniques
In some cases, Storm-0324 uses protected documents for additional social engineering... The password also serves as an effective anti-analysis measure because it requires user interaction after launch.
The XLL file downloads a .tmp file with the DNA prefix in the %TEMP% directory of the user, then executes this temporary file... The use of the .tmp extension is to bypass malware scanners and monitoring tools... The temporary file created can still be executed and is just a way of masquerading.
Storm-0324 has used a variety of files to host the JavaScript code, including WSF and Ekipa publisher files exploiting the CVE-2023-21715 local security feature bypass vulnerability.
Discovery
1 technique
Windows System Discovery Using ldap Nslookup
Collection
3 techniques
...including looking for Image Loading of ldap and wmi modules, associated with its payload, data collection and script execution.
FIN7 JSSLoader SACL event accessing browser SQL DB for collection of data to exfiltrate.
Users are ultimately redirected to a SharePoint-hosted compressed file containing JavaScript that downloads the malicious DLL payload.
Command and Control
1 technique
From the execution logs, we see a DNS query for physiciansofficenews[.]com by Excel to retrieve the JSSLoader trojan.
IOCs tracked for this family
2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
Recent activity
7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A first-stage malware/loader distributed by Storm-0324 that facilitates access for Sangria Tempest and is followed by additional tooling, often as part of ransomware-linked intrusion chains.
A FIN7-associated remote access trojan delivered via malicious Microsoft Excel XLL add-in files. The XLL dropper causes Excel to load unsigned add-ins, performs DNS lookups to malicious domains, downloads the payload as a temporary file with a DNA prefix in %TEMP%, and executes it to establish infection.
Custom malware used for persistence by ELBRUS/FIN7; used in phishing-led intrusions and associated with ransomware/extortion activity.
Custom malware family used by ELBRUS for persistence and ongoing compromise activity.