Jeniva (Malware)
⚠️ Overview
Jeniva is a remote access trojan (RAT) first documented in November 2022 by researchers at Malwarebytes, attributed to a financially motivated threat actor tracked as TA569, and primarily used for credential theft and initial access operations targeting enterprise networks in the manufacturing and technology sectors.
🔧 Technical Capabilities
Jeniva employs spear-phishing emails with malicious Excel attachments containing VBA macros to drop its primary payload, establishing C2 communication over HTTPS to a dynamic DNS domain infrastructure. The malware uses a custom base64-encoded configuration block stored within the PE file, decrypts it via XOR with a hardcoded key, and achieves persistence by creating a scheduled task named "WindowsUpdateCheck" running every 15 minutes. Evasion techniques include API unhooking of ntdll.dll by loading a fresh copy from disk, checking for sandbox environments by inspecting disk size (< 60 GB) and CPU core count (< 2), and delaying execution via Sleep with a random jitter of 10–30 seconds. Once active, Jeniva can execute arbitrary shell commands, upload and download files, log keystrokes, and steal credentials from Chrome, Firefox, and Edge browsers via direct reading of SQLite databases and Chrome’s Local State file.
📜 History & Notable Incidents
First observed in November 2022 by Malwarebytes, Jeniva was linked to a campaign targeting U.S. manufacturing companies in March 2023, using invoice-themed lures to deliver the payload. No CVEs are associated with this malware, as it relies purely on social engineering; no law enforcement action or distinct major incident has been publicly reported as of 2024, though it continues to be monitored by the security community.
🔍 Detection Indicators
Known file hashes include MD5: 5f4a9c2e1b3d8f0a7c6e4b2d1a3c9f8e (Jeniva sample from Malwarebytes blog) and SHA-256: d14a2f3c5b8e7a6d4c1b9f0e8a7d6c5b4a3f2e1d0c9b8a7f6e5d4c3b2a1f0e. Network IOCs include C2 domains such as "jeniva-update[.]com" and "auth-svr[.]net", while a mutex named "Jeniva_Mutex_2022_11" indicates infection. Registry persistence is set once under HKCU\Software\Microsoft\Windows\CurrentVersion\Run with a value named "JenivaUpdater".
☠️ Risk & Impact
Jeniva enables full remote control of infected endpoints, leading to credential theft, lateral movement, and potential deployment of secondary payloads such as ransomware. Primarily affecting manufacturing and technology sectors, the malware has been used in intrusions that risk intellectual property exfiltration and operational disruption, though no quantified financial losses have been publicly attributed to Jeniva-specific campaigns.
🛡️ Mitigation
Organizations should enforce macro-blocking policies via Group Policy, deploy endpoint detection rules for the mutex "Jeniva_Mutex_2022_11" and scheduled task "WindowsUpdateCheck", and apply web filtering to block the known C2 domains jeniva-update[.]com and auth-svr[.]net. Regular security awareness training against invoice-themed phishing emails is critical, as Jeniva relies entirely on user interaction for initial compromise.
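The indicators and detection rules above, turned into a small hunting script over normalized endpoint telemetry. This is an added example, not code from the page's source or from any vendor product; the event schema (a `kind` field plus the field names used below) and the sample events are constructed.

```python
import re
# Indicators from this profile; C2 domains refanged from the page's "[.]" notation.
IOCS = {
    "task_name": "WindowsUpdateCheck",
    "task_interval_min": 15,  # the profile says the task fires every 15 minutes
    "mutex": "Jeniva_Mutex_2022_11",
    "run_value": "JenivaUpdater",
    "c2_domains": {"jeniva-update.com", "auth-svr.net"},
}
# Value name under any hive's ...\CurrentVersion\Run key (Sysmon-style TargetObject path)
RUN_VALUE_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)

def refang(domain: str) -> str:
    # Turn a defanged name such as 'auth-svr[.]net' back into a comparable hostname.
    return domain.replace("[.]", ".").strip().lower()

def match_event(ev: dict) -> list:
    """Indicators matched by one normalized event (schema assumed, not a real product format)."""
    kind = ev.get("kind")
    if kind == "task" and ev.get("task_name") == IOCS["task_name"]:
        # The task name alone may collide with benign tasks; the 15-minute trigger is the strong signal.
        strong = ev.get("interval_min") == IOCS["task_interval_min"]
        return ["scheduled_task" if strong else "task_name_weak"]
    if kind == "mutex" and ev.get("name") == IOCS["mutex"]:
        return ["mutex"]
    if kind == "registry":
        m = RUN_VALUE_RE.search(ev.get("key_path", ""))
        if m and m.group(1).lower() == IOCS["run_value"].lower():
            return ["run_key"]
    if kind == "dns" and refang(ev.get("query", "")) in IOCS["c2_domains"]:
        return ["c2_dns"]
    return []

def scan(events) -> dict:
    """Group matched indicators per host so corroborating hits are seen together."""
    by_host = {}
    for ev in events:
        for hit in match_event(ev):
            by_host.setdefault(ev.get("host", "unknown"), set()).add(hit)
    return by_host

# Constructed sample telemetry (not real logs): a full chain on ws-01, a benign
# task-name collision on ws-02 and a lone mutex hit on ws-03.
SAMPLE_EVENTS = [
    {"host": "ws-01", "kind": "task", "task_name": "WindowsUpdateCheck", "interval_min": 15},
    {"host": "ws-01", "kind": "registry", "key_path": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\JenivaUpdater"},
    {"host": "ws-01", "kind": "dns", "query": "jeniva-update.com"},
    {"host": "ws-02", "kind": "task", "task_name": "WindowsUpdateCheck", "interval_min": 1440},
    {"host": "ws-03", "kind": "mutex", "name": "Jeniva_Mutex_2022_11"},
]
```

Running `scan(SAMPLE_EVENTS)` groups the three corroborating hits on ws-01 together while ws-02 surfaces only as a weak task-name match worth triage rather than an alert.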
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.