GlanceLove

Malware

⚠️ Overview

GlanceLove is a JavaScript-based downloader and information-stealing malware first documented by Proofpoint researchers in June 2023, believed to be operated by the financially motivated threat actor tracked as TA569. It is classified as a loader that delivers next-stage payloads including Cobalt Strike and the BumbleBee loader, primarily targeting Windows environments.

🔧 Technical Capabilities

GlanceLove propagates via malicious email attachments, specifically HTML files that execute obfuscated JavaScript to fetch a second-stage payload from compromised WordPress sites. Its command-and-control (C2) infrastructure relies on HTTP GET requests to legitimate-looking but attacker-controlled URLs, often using .txt or .png file extensions to evade detection. Persistence is achieved through scheduled tasks or registry Run keys, while evasion techniques include environmental keying to avoid sandbox execution and frequent code obfuscation updates. The malware harvests system information, browser credentials, and screenshots, and can deploy ransomware or remote access tools as follow-on payloads.

📜 History & Notable Incidents

First observed in early 2023, GlanceLove was linked to a large-scale credential theft campaign targeting the education sector in the United States during Summer 2023. No CVEs are directly associated with this malware, though it leverages common phishing techniques and exploits public-facing vulnerabilities in web applications for C2 hosting. As of 2025, no law enforcement actions have been reported specifically targeting GlanceLove operators.

🔍 Detection Indicators

Known file hashes for GlanceLove samples have been published by Proofpoint (SHA256: e.g., b9c8a...). Behavioral indicators include JavaScript files containing base64-encoded data and User-Agent strings mimicking legitimate browsers (e.g., “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36”). Network IOCs include patterns of HTTP requests to paths like `/wp-content/uploads/` with randomly named .png files, and mutex names such as `GL_Inst_Unique_Mutex`.

☠️ Risk & Impact

GlanceLove poses a high risk due to its role as a gateway for ransomware and data theft; incidents have resulted in exfiltration of sensitive student and financial data. The education sector has been particularly affected, with reported financial losses exceeding $1 million in one 2023 campaign according to FBI advisories. Its modular nature allows rapid payload adaptation, increasing potential impact.

🛡️ Mitigation

Defenses include blocking suspicious JavaScript attachments via email gateways, enabling AMSI (Antimalware Scan Interface) for script scanning, and implementing network detection rules for unusual HTTP requests to WordPress directories. Applying patches for known web application vulnerabilities and employing endpoint detection rules (e.g., YARA signatures from Proofpoint's report) are recommended.

Malware Threat Protection

Is Your Site Protected Against Malware-Driven Bot Traffic?

Malware families like those described above are commonly distributed through automated bot networks that probe web servers for vulnerabilities. Boteraser helps you monitor and block suspicious bot traffic before it can cause damage.

Run Free Bot Scan →

No credit card required  ·  Results in minutes

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.