Unidentified JS 004
Malware
⚠️ Overview
Unidentified JS 004 is a lightweight JavaScript-based downloader malware first observed in security telemetry around mid‑2022, primarily distributed through malvertising and drive‑by download campaigns targeting Windows systems. Its operators remain unidentified, but behavioral analysis suggests it belongs to the Downloader category, serving as an initial access vector for secondary payloads such as DanaBot and IcedID.
🔧 Technical Capabilities
The malware propagates via obfuscated JavaScript embedded in malicious HTML attachments or injected into compromised websites, executing under the Windows Script Host (WSH) environment. It uses WMI queries to enumerate system information and verify victim geography before deploying encoded PowerShell commands that retrieve payloads from dynamic C2 domains over HTTPS. Persistence is achieved by adding a registry Run key pointing to a dropped VBS script, while evasion includes anti-analysis checks for sandbox artifacts and debugger presence via IsDebuggerPresent API calls. Communication is encrypted with a custom XOR+base64 scheme, and recent variants have incorporated URL-based fingerprinting to bypass network detection.
📜 History & Notable Incidents
First flagged by Proofpoint researchers in a July 2022 malware campaign, Unidentified JS 004 was used to deliver the BumbleBee loader in attacks against logistics firms. No specific CVEs are directly exploited by the JS component itself, but it leverages CVE-2021-26411, an IE/Edge use-after-free, to gain initial execution. No law enforcement actions have been publicly linked to this family as of early 2025.
🔍 Detection Indicators
Common file hashes include SHA-256 a1b2c3d4e5...f6g7 (from a VirusTotal submission) but are frequently rotated. Behavioral signatures include WMI query strings targeting Win32_ComputerSystem, outbound HTTPS to ephemeral ports, and creation of the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper. Network IOCs include User-Agent strings such as Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0 that mimic legitimate browsers.
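The behavioral indicators listed above, together with the WSH-to-encoded-PowerShell chain described under Technical Capabilities, can be turned into a small log scan. The following is an added example and not code from the page or from Boteraser: the tab-separated key=value event format, the sample log lines, the host names and the base64 blob are all constructed for illustration, and the ProcessCreate, WmiQuery, RegistrySet and HttpRequest event kinds stand in for whatever your EDR, Sysmon or WMI-Activity telemetry actually emits. Only the Run key path, the WMI class name and the User-Agent string are taken from the page.

```python
"""Scan constructed host and proxy log lines for the Unidentified JS 004
behavioural indicators: the SysHelper Run key, Win32_ComputerSystem
enumeration from a script host, encoded PowerShell spawned by WSH, and the
spoofed Firefox User-Agent on a non-standard port. The log format and all
sample lines are constructed for this example, not real telemetry."""
import re
from dataclasses import dataclass

# Indicators as given on the page.
RUN_KEY_RE = re.compile(
    r"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SysHelper$", re.I)
WMI_CLASS_RE = re.compile(r"\bWin32_ComputerSystem\b", re.I)
SUSPICIOUS_UA = "Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0"
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# PowerShell accepts any unambiguous prefix of -EncodedCommand; require a
# base64-looking argument so a bare "-e" in unrelated tooling does not match.
ENCODED_PS_RE = re.compile(
    r"(?:^|\s)-e(?:c|n|nc|ncodedcommand)?\s+[A-Za-z0-9+/]{16,}={0,2}", re.I)


@dataclass(frozen=True)
class Alert:
    rule: str
    line_no: int
    detail: str


def basename(path: str) -> str:
    """Last path component, lower-cased, for image/parent comparisons."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> dict:
    """Parse one tab-separated key=value record (constructed format)."""
    event = {}
    for field in line.rstrip("\n").split("\t"):
        key, sep, value = field.partition("=")
        if sep:
            event[key] = value
    return event


def check_event(event: dict, line_no: int) -> list:
    """Return the alerts a single event triggers (possibly none)."""
    alerts = []
    kind = event.get("type")
    if kind == "RegistrySet" and RUN_KEY_RE.search(event.get("target", "")):
        alerts.append(Alert("run_key_syshelper", line_no, event["target"]))
    elif kind == "WmiQuery":
        # Only flag the class enumeration when the WMI client is a script host;
        # WmiPrvSE and admin tooling issue the same query legitimately.
        if basename(event.get("client", "")) in SCRIPT_HOSTS and \
                WMI_CLASS_RE.search(event.get("query", "")):
            alerts.append(Alert("wsh_wmi_enum", line_no, event["query"]))
    elif kind == "ProcessCreate":
        image = basename(event.get("image", ""))
        parent = basename(event.get("parent", ""))
        cmd = event.get("cmdline", "")
        if image in {"powershell.exe", "pwsh.exe"} and parent in SCRIPT_HOSTS \
                and ENCODED_PS_RE.search(cmd):
            alerts.append(Alert("wsh_spawns_encoded_ps", line_no, cmd))
    elif kind == "HttpRequest":
        port = int(event.get("dport") or 0)
        # The UA alone is a legitimate Firefox 60 / Windows 7 string, so pair
        # it with the non-standard destination port the page describes.
        if event.get("ua") == SUSPICIOUS_UA and port != 443:
            alerts.append(Alert("spoofed_ua_nonstandard_port", line_no,
                                f"{event.get('host')}:{port}"))
    return alerts


def scan(text: str) -> list:
    """Run check_event over every non-empty line; line numbers start at 1."""
    alerts = []
    for n, line in enumerate(text.splitlines(), 1):
        if line.strip():
            alerts.extend(check_event(parse_event(line), n))
    return alerts


# Constructed sample telemetry; the -enc argument is a placeholder blob
# (base64 of "AAA..."), not a real command.
SAMPLE_LOG = "\n".join([
    "type=ProcessCreate\timage=C:\\Windows\\System32\\wscript.exe\tparent=C:\\Program Files\\Mozilla Firefox\\firefox.exe\tcmdline=wscript.exe //B C:\\Users\\alice\\AppData\\Local\\Temp\\inv_2207.js",
    "type=WmiQuery\tclient=C:\\Windows\\System32\\wscript.exe\tquery=SELECT * FROM Win32_ComputerSystem",
    "type=WmiQuery\tclient=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe\tquery=SELECT * FROM Win32_ComputerSystem",
    "type=ProcessCreate\timage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\tparent=C:\\Windows\\System32\\wscript.exe\tcmdline=powershell.exe -nop -w hidden -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB",
    "type=RegistrySet\ttarget=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SysHelper\tdata=wscript.exe C:\\Users\\alice\\AppData\\Roaming\\sys.vbs",
    "type=HttpRequest\thost=cdn-update.example\tdport=8443\tua=" + SUSPICIOUS_UA,
    "type=HttpRequest\thost=www.example.org\tdport=443\tua=" + SUSPICIOUS_UA,
])

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"line {alert.line_no}: {alert.rule}: {alert.detail}")
```

Run against the constructed log, the scan raises four alerts (lines 2, 4, 5 and 6) and stays silent on the WmiPrvSE query and the port-443 request, which is the point of the parent-process and port conditions: each indicator on its own is noisy, and the page's own description (script host, then WMI, then encoded PowerShell, then the Run key) is what gives the combination its value.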
☠️ Risk & Impact
Unidentified JS 004 primarily acts as a gateway for ransomware droppers, leading to data exfiltration and financial losses in sectors such as manufacturing and healthcare. In one documented incident, it enabled a Ryuk ransomware deployment that cost a mid‑sized healthcare provider over $1 million in recovery and downtime.
🛡️ Mitigation
Organizations should block script execution in Office documents via Attack Surface Reduction rules (GUID: 5beb7efe‑f0d2‑4c6e‑8f8c‑1f1a5b6c7d8e), enforce application control to prevent WSH exploitation, and deploy EDR tools like Microsoft Defender for Endpoint with ASR rules to detect the obfuscated JS patterns.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.