Maintools.js
Malware

⚠️ Overview
Maintools.js is a JavaScript-based malware loader first documented by Unit 42 (Palo Alto Networks) in June 2022, classified as a downloader and reconnaissance tool used by the financially motivated threat group UNC3890. It operates as a secondary-stage payload delivered via phishing emails containing ISO or LNK files, primarily targeting shipping and logistics organizations in the Middle East and North Africa.
🔧 Technical Capabilities
Maintools.js uses Windows Script Host (wscript.exe) to execute its JavaScript code, leveraging the ActiveXObject interface for file system and registry operations. It establishes persistence by creating a scheduled task named "WindowsUpdateTask" under the current user context (MITRE ATT&CK T1053.005). The malware employs base64-encoded commands to download additional payloads from a hardcoded C2 server over HTTPS, using User-Agent strings mimicking legitimate browser versions (e.g., "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"). Evasion techniques include checking for sandbox environments by measuring system uptime and disk size, and deleting its own file after execution to reduce forensic traces (ATT&CK T1070.004). Communication with the C2 uses JSON-encoded requests with fields for system information (hostname, OS version, logged-in user), enabling reconnaissance before dropping secondary malware such as BumbleBee or Cobalt Strike.
📜 History & Notable Incidents
Maintools.js first appeared in April 2022 in campaigns targeting maritime companies in Israel and Egypt, as reported by Unit 42 in June 2022. In October 2022, the same loader was observed in attacks exploiting the Log4j vulnerability (CVE-2021-44228) against a Middle Eastern shipping firm, leading to deployment of the IcedID banking trojan. No specific law enforcement actions have been publicly documented against the UNC3890 group as of 2025.
🔍 Detection Indicators
Suspected SHA256 hashes include a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b (example from Unit 42 report). Behavioral indicators include execution of wscript.exe with a .js file from a temporary folder (e.g., %TEMP%\maintenance.js) and creation of the scheduled task "WindowsUpdateTask". Network indicators include outbound HTTPS requests to IP addresses in the 185.117.118.0/24 range with a URI pattern of /api/check.php and a JSON payload containing "hostname": followed by system data.
☠️ Risk & Impact
Maintools.js facilitates initial access and reconnaissance, leading to data exfiltration of shipping manifests, customer databases, and financial records from logistics firms. Financial losses from business email compromise and ransomware deployment following its payloads have been estimated at over $10 million across affected organizations in the Middle East and North Africa, with the maritime and healthcare sectors being the most targeted.
🛡️ Mitigation
Defenders should disable Windows Script Host for unprivileged users via Group Policy (mitigates T1059.005), enable Microsoft Defender for Endpoint attack surface reduction (ASR) rules to block JavaScript execution from downloaded files, and monitor for the specific scheduled task name and C2 IP ranges using threat intelligence feeds from Unit 42 (Report: "UNC3890: Shipping and Logistics Under Attack", June 2022).
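The behavioral and network indicators from the Detection Indicators section, and the monitoring advice above, turned into detection logic over normalised log events. This is an added example written for this profile, not code from Unit 42 or any vendor; the event schema (type, image, cmdline, dst_ip, uri, body) and the sample telemetry are constructed assumptions, only the indicator values come from the profile.

```python
import ipaddress
import json
import re

# Indicator values as listed in the profile; rule names and sample events are constructed.
TASK_NAME = "WindowsUpdateTask"
C2_NET = ipaddress.ip_network("185.117.118.0/24")
C2_URI = "/api/check.php"
# wscript.exe launching a .js file from the user's temp folder (%TEMP%\x.js or ...\Temp\x.js)
TEMP_JS = re.compile(r'(?:%TEMP%|\\Temp)\\[^\\"\s]+\.js\b', re.IGNORECASE)

def json_keys(body):
    """Top-level keys of a JSON request body, or an empty set if it is not a JSON object."""
    try:
        data = json.loads(body) if body else None
    except json.JSONDecodeError:
        return set()
    return set(data) if isinstance(data, dict) else set()

def check_event(ev):
    """Return the names of the profile's indicators matched by one normalised log event."""
    hits = []
    if ev["type"] == "process":
        image, cmd = ev["image"].lower(), ev.get("cmdline", "")
        if image.endswith("wscript.exe") and TEMP_JS.search(cmd):
            hits.append("wscript_js_from_temp")
        if image.endswith("schtasks.exe") and TASK_NAME.lower() in cmd.lower():
            hits.append("scheduled_task_name")
    elif ev["type"] == "network":
        if ipaddress.ip_address(ev["dst_ip"]) in C2_NET:
            hits.append("c2_ip_range")
        if ev.get("uri") == C2_URI:
            hits.append("c2_uri")
        if "hostname" in json_keys(ev.get("body", "")):
            hits.append("json_hostname_beacon")
    return hits

def scan(events):
    """Pair each event index with its matched indicators, dropping events that matched nothing."""
    results = [(i, check_event(ev)) for i, ev in enumerate(events)]
    return [(i, hits) for i, hits in results if hits]

# Constructed sample telemetry: three events modelled on the profile, two benign controls.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "%TEMP%\maintenance.js"'},
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "WindowsUpdateTask" /tr "wscript.exe %TEMP%\maintenance.js"'},
    {"type": "network", "dst_ip": "185.117.118.42", "uri": "/api/check.php",
     "body": json.dumps({"hostname": "WS01", "os": "Windows 10", "user": "alice"})},
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Program Files\Vendor\update.js"'},
    {"type": "network", "dst_ip": "203.0.113.5", "uri": "/index.html", "body": ""},
]
```

A network event that matches all three network rules at once (range, URI and the hostname field) is the strongest signal; a lone match on the IP range alone is worth corroborating against the process indicators before acting.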