Pulse Detail — Threat Intelligence

PULSE NAME

IOC - JS#SMUGGLER: Multi-Stage – Hidden iframes, Obfuscated JavaScript, Silent Redirectors & NetSupport RAT Delivery

WHITE celestre 2025-12-09 Modified: 2026-01-08

IOCs

MEDIUM VOLUME

The Securonix Threat Research team has analyzed a sophisticated web-based multi-stage malware campaign. The attack chain unfolds across three distinct stages: (1) an obfuscated JavaScript loader injected into a compromised website, (2) a stealthy HTA (HTML Application) that executes encrypted PowerShell stagers via mshta.exe, and (3) a final PowerShell payload that downloads, extracts, executes, and establishes persistence for a Windows-based remote access Trojan.

Indicators of Compromise (42)

All FileHash-MD5 FileHash-SHA1 FileHash-SHA256 domain

TYPE	INDICATOR	DESCRIPTION	CREATED
FileHash-MD5	112eee08cf7d32f1951029635057c5cc	MD5 of a89b471528737b91046fc42527bf84008b067908ccc1bf4318135476c290de61	2025-12-09
FileHash-MD5	17c3fdde57c7fb6255848d2158043c8d	MD5 of 4f0494cf85322d540e9cb87295af1247377bcb65b09254900b7ca29f6f46508f	2025-12-09
FileHash-MD5	1cea2adb3531f6fb9cf685c6a1dc7f87	MD5 of fe8400a81be3de95807396ffa1539e6818c8c586bd8a17d833a573aa5d7b433b	2025-12-09
FileHash-MD5	59faa421f1bccccf49b0f43da4f88cfb	MD5 of 55ad68ee73fa288698cd3b885196d0d02cdfd417563d247f617bca288243bf44	2025-12-09
FileHash-MD5	6a13e652738820594efa2be7e713085f	MD5 of 24a8660ebdf54094d8e787486f19b2823f3bc4382f5ace764429a6b7e48025ea	2025-12-09
FileHash-MD5	742486662fcc418ddedcb16a22363841	MD5 of 15a3cd9fc6f3e89fc4901be19b15069ccef0dcdd8071b4900448bf2ab374c002	2025-12-09
FileHash-MD5	b95ced94c6311ac617e93e948007b9e4	MD5 of 9ce88cc6fd2e3d298b97592d431c301d994f9c4ed7a7886c225e167bce29c046	2025-12-09
FileHash-MD5	dffe543f3e23f78edea68e1ca6e3a3d7	MD5 of 99744720b128c6ac678a1d6e0fad0e69f159c1606428e91e7d2b7695cc353a80	2025-12-09
FileHash-MD5	ee75b57b9300aab96530503bfae8a2f2	MD5 of 06a0a243811e9c4738a9d413597659ca8d07b00f640b74adc9cb351c179b3268	2025-12-09
FileHash-MD5	eee144ee0712d6274dd9d28b8d62a518	MD5 of fced9291b4339c4fe3a1abfe5878d210a500afa7e1fa4a3be8613a6791c02b8e	2025-12-09
FileHash-MD5	f938b983cfd5af66f8703ed28dcadbd5	MD5 of 246d7d74deaa27eaad25c97fa302d128a1c8d58058ce4cc95fd6055acbc9b959	2025-12-09
FileHash-SHA1	0f6f437ae4c017a9cb931db561b6526bf9360be2	SHA1 of a89b471528737b91046fc42527bf84008b067908ccc1bf4318135476c290de61	2025-12-09
FileHash-SHA1	1b1806bb20bdb2952933c6199cf334a08153c7bb	SHA1 of 4f0494cf85322d540e9cb87295af1247377bcb65b09254900b7ca29f6f46508f	2025-12-09
FileHash-SHA1	3aab2eeee1581e691d929d75cff803fb0eec817c	SHA1 of 15a3cd9fc6f3e89fc4901be19b15069ccef0dcdd8071b4900448bf2ab374c002	2025-12-09
FileHash-SHA1	44629dd05b93224df833465a2907949fdcb89ad1	SHA1 of 9ce88cc6fd2e3d298b97592d431c301d994f9c4ed7a7886c225e167bce29c046	2025-12-09
FileHash-SHA1	662a485008fb706f7c7413785d0f85bfe1a0bf77	SHA1 of fced9291b4339c4fe3a1abfe5878d210a500afa7e1fa4a3be8613a6791c02b8e	2025-12-09
FileHash-SHA1	833fbc9b65892ead441abd6327c5c0d0a5ce0180	SHA1 of fe8400a81be3de95807396ffa1539e6818c8c586bd8a17d833a573aa5d7b433b	2025-12-09
FileHash-SHA1	953cee08af7a2625d5705ae3019cefdf71fd2ba9	SHA1 of 246d7d74deaa27eaad25c97fa302d128a1c8d58058ce4cc95fd6055acbc9b959	2025-12-09
FileHash-SHA1	98dd757e1c1fa8b5605bda892aa0b82ebefa1f07	SHA1 of 06a0a243811e9c4738a9d413597659ca8d07b00f640b74adc9cb351c179b3268	2025-12-09
FileHash-SHA1	d737f7243618ddbc35bdd601b38901762bb009c4	SHA1 of 99744720b128c6ac678a1d6e0fad0e69f159c1606428e91e7d2b7695cc353a80	2025-12-09
FileHash-SHA1	eef11f913715068bee5c20c0bb347a86682db533	SHA1 of 55ad68ee73fa288698cd3b885196d0d02cdfd417563d247f617bca288243bf44	2025-12-09
FileHash-SHA1	fd0c27748d66a66de03041f81e35c04ed2de1ecf	SHA1 of 24a8660ebdf54094d8e787486f19b2823f3bc4382f5ace764429a6b7e48025ea	2025-12-09
FileHash-SHA256	06a0a243811e9c4738a9d413597659ca8d07b00f640b74adc9cb351c179b3268	—	2025-12-09
FileHash-SHA256	15a3cd9fc6f3e89fc4901be19b15069ccef0dcdd8071b4900448bf2ab374c002	—	2025-12-09
FileHash-SHA256	246d7d74deaa27eaad25c97fa302d128a1c8d58058ce4cc95fd6055acbc9b959	—	2025-12-09
FileHash-SHA256	24a8660ebdf54094d8e787486f19b2823f3bc4382f5ace764429a6b7e48025ea	—	2025-12-09
FileHash-SHA256	4f0494cf85322d540e9cb87295af1247377bcb65b09254900b7ca29f6f46508f	—	2025-12-09
FileHash-SHA256	55ad68ee73fa288698cd3b885196d0d02cdfd417563d247f617bca288243bf44	—	2025-12-09
FileHash-SHA256	99744720b128c6ac678a1d6e0fad0e69f159c1606428e91e7d2b7695cc353a80	—	2025-12-09
FileHash-SHA256	9ce88cc6fd2e3d298b97592d431c301d994f9c4ed7a7886c225e167bce29c046	—	2025-12-09
FileHash-SHA256	a89b471528737b91046fc42527bf84008b067908ccc1bf4318135476c290de61	—	2025-12-09
FileHash-SHA256	fced9291b4339c4fe3a1abfe5878d210a500afa7e1fa4a3be8613a6791c02b8e	—	2025-12-09
FileHash-SHA256	fe8400a81be3de95807396ffa1539e6818c8c586bd8a17d833a573aa5d7b433b	—	2025-12-09
domain	boriver.com	—	2025-12-09
domain	byspotikfy.com	—	2025-12-09
domain	centaurustermas.com	—	2025-12-09
domain	cpajoliette.com	—	2025-12-09
domain	emoteragoddess.com	—	2025-12-09
domain	frostshiledr.com	—	2025-12-09
domain	kindstki.com	—	2025-12-09
domain	srimedhasoft.com	—	2025-12-09
domain	stoneandjon.com	—	2025-12-09

References (1)

↗ https://www.securonix.com/blog/jssmuggler-multi-stage-hidden-iframes-obfuscated-javascript-silent-redirectors-netsupport-rat-delivery/