Javascript files loaded with RATs hits thousands of victims

Kaspersky found a new campaign, using malicious JavaScript to deploy RATs
The RATs are used to deploy two infostealers
Among the victims are people and businesses in Russia

Hackers are targeting people and businesses in Russia with malicious JavaScript, in order to install backdoors on their devices. This is according to a new report from cybersecurity researchers Kaspersky, who named the campaign “Horns&Hooves”.

As per the researchers, Horns&Hooves started in March last year, and has since infected roughly 1,000 endpoints.

The campaign starts with a phishing email, in which the attackers impersonate individuals and businesses, and send emails that mimic requests and bids from potential customers, or partners.

Actively developed campaign

The emails come with various attachments, among which is the JavaScript payload. This payload delivers two Remote Access Trojans (RAT): NetSupport RAT and BurnsRAT. In turn, these RATs are used to deploy the final payload: either Rhadamanthys, or Meduza.

These two are known infostealers. Since late 2022, Rhadamanthys is being offered on the dark web as a service, enabling crooks to steal a vast range of information from the target device, from system details, passwords, to browsing data. Rhadamanthys has specialized tools for stealing cryptocurrency credentials, with support for over 30 different wallets.

Meduza, on the other hand, is part of the growing threat landscape for personal and business cybersecurity. Like Rhadamanthys, it steals user credentials and other sensitive information, including login credentials for various services and applications. However, Meduza operates with a more focused scope, aiming to evade detection through various obfuscation and anti-analysis techniques.

Horns&Hooves is an actively developed campaign, the researchers are saying, stressing that the code was revamped and upgraded numerous times. While attribution proved difficult, there is reason to believe that TA569 is behind the attacks. This group, according to The Hacker News, is also called Mustard Tempest, or Gold Prelude) and is the one running the SocGholish malware.

The same publication also stated that TA569 was seen acting as an initial access broker for affiliates deploying the WastedLocker ransomware strain.

Via The Hacker News

The Destruction of a Notorious Myanmar Scam Compound Appears to Have Been ‘Performative’

Philips’ most affordable 2025 Ambilight OLED TV just got even cheaper thanks to this Black Friday deal

Samsung Galaxy S26 Ultra 5G mobile may finally get a bigger battery

Don't miss

The Destruction of a Notorious Myanmar Scam Compound Appears to Have Been ‘Performative’

Philips’ most affordable 2025 Ambilight OLED TV just got even cheaper thanks to this Black Friday deal

Samsung Galaxy S26 Ultra 5G mobile may finally get a bigger battery

Javascript files loaded with RATs hits thousands of victims

Related Posts

The Destruction of a Notorious Myanmar Scam Compound Appears to Have Been ‘Performative’

Philips’ most affordable 2025 Ambilight OLED TV just got even cheaper thanks to this Black Friday deal

Samsung Galaxy S26 Ultra 5G mobile may finally get a bigger battery

The Destruction of a Notorious Myanmar Scam Compound Appears to Have Been ‘Performative’

Philips’ most affordable 2025 Ambilight OLED TV just got even cheaper thanks to this Black Friday deal

Samsung Galaxy S26 Ultra 5G mobile may finally get a bigger battery