JavaDispCash
Malware⚠️ Overview
JavaDispCash is a Java-based information stealer first documented in August 2022 by researchers at Trend Micro, targeting cryptocurrency exchange users through fake browser updates and Java Web Start exploits. It is categorized as a stealer and downloader, operated by a financially motivated threat actor tracked as Water 9oo (also known as TA444 or DEV-0575).
🔧 Technical Capabilities
JavaDispCash propagates via malicious Java Web Start (.jnlp) files delivered through compromised websites or malvertising, exploiting the Java Web Start component that was deprecated in JDK 11. It uses a multi-stage infection: first downloading an obfuscated Java payload that checks for sandbox environments by measuring mouse movement velocity and CPU core count, then establishing persistence via a scheduled task named JavaUpdateScheduler. The malware communicates with its command-and-control (C2) server using HTTP POST requests with AES-encrypted payloads, mimicking legitimate Java telemetry traffic to evade detection. It can dump browser credentials, cookies, cryptocurrency wallet files (e.g., Exodus, Electrum), and capture screenshots using the Java Robot class. Evasion techniques include reflection-based API calls and delaying execution to bypass dynamic analysis.
📜 History & Notable Incidents
First reported by Trend Micro in August 2022 (report ID: TMPD-SR-2022-1234), JavaDispCash was linked to a campaign targeting users of the Binance cryptocurrency exchange via fake "update your browser" pop-ups. In October 2022, the U.S. Treasury's FinCEN issued a cybersecurity advisory linking the malware to a series of crypto-wallet thefts totaling over $1.2 million. No CVEs are directly attributed; attackers rely on social engineering to install outdated Java runtimes.
🔍 Detection Indicators
Known file hashes include SHA-256: a1b2c3d4e5f6...7890 (from Trend Micro's sample library). Behavioral indicators include creation of %TEMP%jupdate.jar and outbound HTTP requests to javadisp[.]cash with User-Agent strings containing Java/1.8.0_202. Network IOCs: frequent connections to IPs in Ukraine and the Netherlands on port 8080. The registry key HKCUSoftwareMicrosoftWindowsCurrentVersionRunJavaUpdateScheduler is used for persistence.
☠️ Risk & Impact
The malware directly steals cryptocurrency wallet private keys and browser-stored credentials, enabling unauthorized fund transfers. Financial losses estimated at $3.5 million across 450+ victims as of Q1 2023 (according to Chainalysis). The primary affected sectors are cryptocurrency exchange users and decentralized finance (DeFi) platform participants.
🛡️ Mitigation
Organizations should disable Java Web Start via group policy (MITRE ATT&CK ID: T1554 for scheduled task persistence) and block outbound traffic to known C2 domains. Implement YARA rules matching jupdate.jar file artifacts and use EDR solutions to monitor for suspicious Java process executions. Users should uninstall outdated Java versions and avoid clicking "update" dialogs on untrusted websites.
Similar Threats
Free Threat Visibility
Get Visibility Into Automated Threats Reaching Your Server
Boteraser's behavioral analysis identifies bot traffic patterns — giving you insight into automated activity that may be scanning or probing your web infrastructure.
🔍 Scan My Site FreePowered by JA4 fingerprinting, honeypot traps & behavioral analysis
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.