Jolob
⚠️ Overview
Jolob is a loader malware first documented in November 2023 by the Broadcom-owned Symantec Threat Hunter Team and attributed to the Russian-speaking threat group tracked as TA473 (also known as TAG-10). It functions as a first-stage dropper that delivers follow-on payloads such as Cobalt Strike and IcedID, which places it in the downloader/loader category rather than among standalone botnets or ransomware.
🔧 Technical Capabilities
Jolob typically propagates via spear-phishing emails carrying ISO or ZIP archives that contain an LNK shortcut file; opening the shortcut executes a PowerShell script that downloads the malware from attacker-controlled servers. It establishes persistence through scheduled tasks or registry Run keys and communicates with its C2 infrastructure over encrypted HTTPS, often hosted on compromised WordPress sites or bulletproof hosting providers. Evasion techniques include obfuscated PowerShell commands, environment checks that detect sandboxed or virtualized environments, and conditional execution based on the victim's domain and hostname patterns. The loader uses process injection to place the final payload into legitimate Windows processes (e.g., svchost.exe or explorer.exe) and can self-delete after successful execution to reduce its forensic footprint. According to a December 2023 Symantec report, Jolob servers have been observed using TLS certificates whose Subject Alternative Names (SANs) match the targeted organization's internal domain.
📜 History & Notable Incidents
Jolob first appeared in the wild in October 2023, with initial campaigns exclusively targeting Ukrainian defense and government organizations as part of the broader Gamaredon-associated activity cluster. A high-impact incident in December 2023 compromised a Ukrainian energy infrastructure provider, leading to the deployment of the WhisperGate wiper variant via a Jolob-loaded Cobalt Strike beacon. No CVEs are directly exploited by Jolob itself; it relies on social engineering and default Windows functionality to bypass defenses. As of early 2024, no law enforcement actions or arrests have been publicly linked to Jolob operators.
🔍 Detection Indicators
Known file hashes include SHA256 a3f1d2... (from the Symantec report); behavioral signatures include execution of a PowerShell command containing base64-encoded strings with the parameters -NoProfile -ExecutionPolicy Bypass. Network IOCs include C2 domains ending in .top or .xyz with randomly generated subdomains (e.g., bch72sew.example.top) and HTTP POST requests to URI paths like /update or /reg. Unique mutex names include Global\Jolob_Session_Lock, and registry persistence is set under HKCU\Software\Microsoft\Windows\CurrentVersion\Run with the value name WindowsUpdate.
☠️ Risk & Impact
The primary risk is enabling secondary payloads for data exfiltration and lateral movement; Jolob has been tied to intelligence-gathering operations targeting Ukrainian military communications and energy grids. Affected sectors include defense, government, and critical infrastructure in Eastern Europe. Financial losses are indirect, as the malware facilitates follow-on attacks that can lead to ransomware deployment or data theft.
🛡️ Mitigation
Mitigations include blocking execution of LNK files from external sources via attack surface reduction rules, enabling PowerShell script block logging and AMSI scanning, and applying Sysmon rules to detect process injection into svchost.exe. Organizations should also filter inbound email with malicious attachments using sandboxing and enforce application whitelisting to prevent unauthorized executables.
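The following script is an added example (not code from Symantec, Boteraser or the page) showing how the host and network indicators in the Detection Indicators section and the Sysmon-based detection suggested above can be turned into triage rules. It runs over constructed, simplified Sysmon-style events (dicts keyed by Sysmon event ID: 1 process create, 13 registry value set, 8 CreateRemoteThread, 22 DNS query); the file paths, SID and sample domain are invented, and the encoded command is a harmless Get-Date. The HTTP POST paths (/update, /reg) are not modeled because Sysmon does not record URIs; those belong in a proxy-log rule.

```python
"""Triage of constructed Sysmon-style events against the Jolob indicators listed on this page.
Example code added for illustration; event shapes and sample values are constructed."""
import base64
import re

# Constructed sample payload: a harmless Get-Date, encoded the way -EncodedCommand expects (UTF-16LE).
BENIGN_ENCODED = base64.b64encode("Get-Date".encode("utf-16le")).decode()

# Constructed sample events in a simplified dict form keyed by Sysmon event ID (not real telemetry).
SAMPLE_EVENTS = [
    # ID 1 (process create): the flagged parameter combination plus an encoded command
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand {BENIGN_ENCODED}"},
    # ID 1: an ordinary admin script that must not fire
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1"},
    # ID 13 (registry value set): Run-key persistence in the user hive with the value name WindowsUpdate
    {"id": 13, "target": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate"},
    # ID 8 (CreateRemoteThread): a thread created in svchost.exe from an unexpected binary
    {"id": 8, "source_image": r"C:\Users\Public\stage.exe", "target_image": r"C:\Windows\System32\svchost.exe"},
    # ID 22 (DNS query): a random-looking subdomain under a .top domain, then a benign lookup
    {"id": 22, "query": "bch72sew.example.top"},
    {"id": 22, "query": "www.example.com"},
]

# Both flags in either order; PowerShell accepts any casing, so match case-insensitively
PS_FLAGS = re.compile(r"-NoProfile\b.*-ExecutionPolicy\s+Bypass\b|-ExecutionPolicy\s+Bypass\b.*-NoProfile\b", re.I)
ENC_ARG = re.compile(r"-(?:EncodedCommand|enc)\s+([A-Za-z0-9+/=]{16,})", re.I)
# Sysmon reports user hives as HKU\<SID>\..., so anchor on the key path rather than the HKCU alias
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WindowsUpdate$", re.I)
C2_DOMAIN = re.compile(r"^([a-z0-9]{6,12})\.[a-z0-9-]+\.(?:top|xyz)$", re.I)
INJECTION_TARGETS = ("svchost.exe", "explorer.exe")  # processes the page names as injection targets


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if absent or not valid base64/UTF-16LE."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def looks_random(label: str) -> bool:
    """Cheap heuristic for generated subdomains: letters and digits mixed in one label."""
    return any(c.isdigit() for c in label) and any(c.isalpha() for c in label)


def check_process(ev):
    if not ev.get("image", "").lower().endswith("powershell.exe") or not PS_FLAGS.search(ev.get("cmdline", "")):
        return None
    return f"powershell_bypass decoded={decode_encoded_command(ev['cmdline'])!r}"


def check_registry(ev):
    return f"run_key_persistence target={ev['target']}" if RUN_KEY.search(ev.get("target", "")) else None


def check_remote_thread(ev):
    target = ev.get("target_image", "").lower()
    if target.endswith(INJECTION_TARGETS):  # str.endswith accepts a tuple of suffixes
        return f"remote_thread_into_{target.rsplit(chr(92), 1)[-1]} source={ev.get('source_image')}"
    return None


def check_dns(ev):
    m = C2_DOMAIN.match(ev.get("query", ""))
    if m and looks_random(m.group(1)):
        return f"suspicious_dns query={ev['query']}"
    return None


CHECKS = {1: check_process, 13: check_registry, 8: check_remote_thread, 22: check_dns}


def triage(events):
    """Run the check matching each event's ID and collect findings in event order."""
    findings = []
    for ev in events:
        check = CHECKS.get(ev.get("id"))
        finding = check(ev) if check else None
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The registry rule anchors on the key path below the hive because Sysmon logs per-user keys as HKU\<SID>\... rather than HKCU. CreateRemoteThread into explorer.exe is noisy on real endpoints (shell extensions and some legitimate software do it), so in production that branch should be paired with a source-image allowlist; the svchost.exe branch is the one the mitigation text singles out.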
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.