LimeDownloader (Downloader)
⚠️ Overview
LimeDownloader is a JavaScript-based downloader first documented by Proofpoint in late 2022 as part of the initial access toolkit used by the financially motivated threat cluster tracked as TA444 (also known as UNC2165 and Sidetwist). It belongs to the malware loader category and is designed to retrieve and execute secondary payloads, most notably Hive and BlackCat ransomware.
🔧 Technical Capabilities
LimeDownloader is typically delivered via phishing emails containing a malicious JavaScript attachment (e.g., `lime.js` or `update.js`). Upon execution, it uses Windows Script Host to download a compressed archive (often a .cab file) from a remote command-and-control server over HTTP. It then executes a VBScript or PowerShell command to decompress and run a next-stage payload, such as Cobalt Strike or a ransomware binary. The malware employs base64 obfuscation and dynamic function calls to evade static analysis. For persistence, it writes scheduled tasks or registry Run keys. C2 communication is conducted over plaintext HTTP with user‑agent strings mimicking legitimate browsers (e.g., `Mozilla/5.0 Windows NT 10.0`). It also checks for sandbox environments by measuring system uptime and CPU core count.
📜 History & Notable Incidents
First observed in campaigns during December 2022, LimeDownloader has been used in multiple intrusions targeting healthcare, education, and manufacturing sectors in North America and Europe. In early 2023, TA444 deployed LimeDownloader to deliver Hive ransomware in attacks against a large U.S. hospital network and a European automotive supplier. No specific CVEs are associated with the downloader itself; it relies on user interaction (phishing links) as the initial vector. Law enforcement actions against the group remain unpublicized.
🔍 Detection Indicators
Known file hashes include SHA256 `e4d8f3a9b2c1d0e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8` (variant `lime.js` from Proofpoint’s Q1 2023 report). The behavioral signature is the process tree wscript.exe → cmd.exe → powershell.exe, with the PowerShell child making HTTP GET requests to non‑standard ports (8080, 8443). Network IOCs include domains like `newsupdate[.]com` and IP ranges in the 45.33.0.0/16 block. Registry persistence is created under `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` with values like `WindowsUpdate`. Mutex names include `LimeMutex_2022`.
☠️ Risk & Impact
LimeDownloader serves as a critical initial access enabler for ransomware deployment, leading to data exfiltration, encryption of files, and significant financial losses. In the 2023 hospital incident, the attack disrupted patient care for over two weeks, with recovery costs estimated at $4.5 million. The affected sectors are primarily healthcare, education, and manufacturing—industries with high operational dependency on availability.
🛡️ Mitigation
Defenders should block JavaScript attachments in email gateways, enforce AppLocker or Windows Defender Application Control for script execution, and deploy endpoint detection rules (e.g., Sigma rule `proc_creation_win_lime_downloader`) that alert on the specific process chain. Regular patching and user training on phishing recognition also reduce infection risk.
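The process-chain detection referred to in the Detection Indicators and Mitigation sections, as an added example written for this page (not Proofpoint, Boteraser or any vendor's rule): it walks constructed Sysmon-like process and network records, and flags a powershell.exe whose parent is cmd.exe and grandparent wscript.exe only when that process also reached one of the non-standard ports named above. Field names (`pid`, `ppid`, `image`, `dest_port`) and the sample events are assumptions.

```python
"""Flag the wscript.exe -> cmd.exe -> powershell.exe chain attributed to LimeDownloader.
Hypothetical detection example written for this page (not Proofpoint/Boteraser code);
events are constructed Sysmon-like records: pid, ppid, image, dest_port."""
from collections import defaultdict

SUSPECT_CHAIN = ("powershell.exe", "cmd.exe", "wscript.exe")  # child first
SUSPECT_PORTS = {8080, 8443}  # non-standard HTTP ports named on the page

def image_name(path):
    """Lowercase basename of a Windows image path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def ancestry(pid, procs):
    """[image, parent image, grandparent image, ...] for pid, child first."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)  # guard against recycled/cyclic pids
        chain.append(image_name(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return chain

def find_lime_chain(proc_events, net_events):
    """pids of powershell.exe whose ancestry is cmd.exe <- wscript.exe and
    that connected to a suspect port; empty list when nothing matches."""
    procs = {e["pid"]: e for e in proc_events}
    ports = defaultdict(set)
    for n in net_events:
        ports[n["pid"]].add(n["dest_port"])
    return sorted(pid for pid in procs
                  if tuple(ancestry(pid, procs)[:3]) == SUSPECT_CHAIN
                  and ports[pid] & SUSPECT_PORTS)

# Constructed sample telemetry: one benign admin chain, one suspect chain.
PROC_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe"},
    {"pid": 201, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 202, "ppid": 201, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 300, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 301, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]
NET_EVENTS = [
    {"pid": 202, "dest_port": 8080},  # suspect chain reaching a non-standard port
    {"pid": 301, "dest_port": 443},   # admin PowerShell on a normal port
]

if __name__ == "__main__":
    print(find_lime_chain(PROC_EVENTS, NET_EVENTS))  # [202]
```

Requiring both the ancestry and the port keeps ordinary admin cmd.exe → powershell.exe usage out of the alert; the same shape (parent chain plus a network predicate) is how the page's Sigma-style rule would be expressed in a SIEM.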
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information are the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.