Cryxos is identified in the underlying reports as a trojan with infostealer capabilities, covered by detections such as JS:Trojan.Cryxos. The reports link Cryxos-tagged activity to JavaScript/JScript malware used as a dropper and to samples associated with the Formbook/AgentTesla credential-theft families.

One analyzed sample, "RFQ No 600002389875 RG724.JS" (SHA256: 6721891351a9aadcd1be105bbeacf147d9f1ceff2c26eb5f275cdcc946b03205), was distributed by spear-phishing as an RFQ-themed attachment and executed through Windows Script Host (wscript.exe). It used heavy obfuscation, decoded embedded payloads, dropped PE files disguised as PNG images to C:\Users\Public\Vile.png and C:\Users\Public\Libraries\Mands.png, invoked PowerShell with a base64-decoded IEX command for in-memory execution, and established persistence via HKCU\Software\Microsoft\Windows\CurrentVersion\Run. The script used ADODB.Stream to write binaries, Microsoft.XMLDOM for base64 decoding, WScript.Shell for execution and registry writes, and Scripting.FileSystemObject for file operations. Static analysis did not recover a hardcoded C2 address from that sample, but the final payload was assessed as AgentTesla, which the reports describe as commonly used for credential theft, with exfiltration likely over SMTP, FTP/FTPS, or HTTP/HTTPS.

A second sample, "ottercookie-socketScript-module-3.js" (SHA256: f44c2169250f86c8b42ec74616eacb08310ccc81ca9612eb68d23dc8715d7370), is explicitly described as a Cryxos trojan with infostealer capabilities. That sample contains logic to detect Windows Subsystem for Linux (WSL) by checking WSL-related environment variables and /proc/version, to retrieve the Windows username via cmd.exe or by enumerating /mnt/c/Users, to locate Windows browser profile paths, and to prioritize /mnt for access to host drives. The campaign context described in the reports is consistent with credential-theft operations that use RFQ-themed lures and target manufacturing, logistics, and procurement staff.
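The dropper chain described above (wscript.exe launching PowerShell with an encoded IEX command, PE files written under C:\Users\Public with a .png extension, and a Run-key write by the script host) maps cleanly onto three endpoint telemetry rules that can be correlated per host. The following is an added example written for this page; it is not code from Mallory or from any of the cited reports. The event records, field names and the hypothetical Run-key value name are constructed to resemble Sysmon-style process, file-create and registry events, and a real deployment would read them from the SIEM instead.

```python
"""Host-level correlation of the Cryxos-style JScript dropper behaviours.

Added example, not from the original page. SAMPLE_EVENTS is constructed
telemetry modelled on the reported chain plus benign noise on a second host.
"""
import base64
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
IMAGE_EXTS = (".png", ".jpg", ".jpeg", ".gif", ".bmp")
# Longest alternative first so "-enc" is not cut short at "-e".
ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]{20,})", re.I)

def _encode_ps(script: str) -> str:
    """PowerShell -EncodedCommand expects base64 of UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16le")).decode()

# Constructed sample events (not real logs). WS01 shows the reported chain.
SAMPLE_EVENTS = [
    {"type": "process", "host": "WS01",
     "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -enc "
                + _encode_ps("IEX ([IO.File]::ReadAllText('C:\\Users\\Public\\Vile.png'))")},
    {"type": "file", "host": "WS01", "image": r"C:\Windows\System32\wscript.exe",
     "path": r"C:\Users\Public\Vile.png", "magic": b"MZ\x90\x00"},
    {"type": "registry", "host": "WS01", "image": r"C:\Windows\System32\wscript.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",  # value name is hypothetical
     "value": r"wscript.exe C:\Users\Public\Libraries\Mands.js"},
    # Benign noise on WS02: a real PNG and an interactive PowerShell session.
    {"type": "file", "host": "WS02", "image": r"C:\Windows\System32\mspaint.exe",
     "path": r"C:\Users\alice\Pictures\cat.png", "magic": b"\x89PNG\r\n"},
    {"type": "process", "host": "WS02", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell Get-Date"},
]

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if absent/invalid."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def check_event(ev: dict) -> list:
    """Apply the three behavioural rules to one event; return (rule, detail) hits."""
    hits = []
    if ev["type"] == "process":
        if basename(ev["parent"]) in SCRIPT_HOSTS and basename(ev["image"]) == "powershell.exe":
            decoded = decode_encoded_command(ev["cmdline"])
            if decoded and re.search(r"\bIEX\b|Invoke-Expression", decoded, re.I):
                hits.append(("script_host_spawns_encoded_iex", decoded))
            else:
                hits.append(("script_host_spawns_powershell", ev["cmdline"]))
    elif ev["type"] == "file":
        # Image extension but PE magic: the Vile.png / Mands.png masquerade.
        if ev["path"].lower().endswith(IMAGE_EXTS) and ev["magic"].startswith(b"MZ"):
            hits.append(("pe_disguised_as_image", ev["path"]))
    elif ev["type"] == "registry":
        if "\\currentversion\\run\\" in ev["key"].lower() and basename(ev["image"]) in SCRIPT_HOSTS:
            hits.append(("run_key_written_by_script_host", ev["value"]))
    return hits

def scan(events: list) -> dict:
    """Group hits per host; two or more distinct rules on one host flag a chain."""
    per_host = {}
    for ev in events:
        for rule, detail in check_event(ev):
            per_host.setdefault(ev["host"], []).append((rule, detail))
    alerts = {}
    for host, hits in per_host.items():
        rules = sorted({r for r, _ in hits})
        alerts[host] = {"rules": rules, "chain": len(rules) >= 2, "hits": hits}
    return alerts

if __name__ == "__main__":
    for host, result in scan(SAMPLE_EVENTS).items():
        print(host, "CHAIN" if result["chain"] else "single", result["rules"])
```

Each rule on its own is noisy in some environments (administrators do run encoded PowerShell, and script hosts do write Run keys during legitimate provisioning), which is why the correlation step requires at least two distinct behaviours on the same host before raising the chain alert; the decoded command is kept in the hit so an analyst can see the in-memory loader without re-decoding it by hand.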
8 distinct techniques documented for this family, organized by ATT&CK tactic.
The script decodes multiple layers of obfuscation... 5-layer string obfuscation, Unicode obfuscation
3 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
An obfuscated JScript crypter/dropper family used to deliver credential-theft payloads such as AgentTesla, employing heavy string obfuscation, payload inflation, PowerShell execution, dropped binaries disguised as .png files, and Run-key persistence.
JavaScript-based Cryxos trojan with infostealer capabilities that checks whether it is running under WSL, enumerates the Windows username, and (when in WSL) prioritizes harvesting from Windows-mounted paths (e.g., /mnt and Windows browser paths).