EXECUTIVE SUMMARY
An unidentified financially motivated threat actor is running a JavaScript‐based remote access Trojan that disguises itself as routine business documents. The campaign primarily targets organizations in the United States, with confirmed victims in the technology, managed‐security‐service, telecommunications, and education sectors; additional infections have been observed in Germany, Sweden, and Australia. The actor's objective is to gain a persistent foothold, steal sensitive data, and position the network for downstream ransomware or other payloads. By using familiar procurement language, the group increases the likelihood of user interaction and initial compromise.
The initial vector is a phishing email that carries a .js attachment labeled as a purchase order, quote, or request for proposal. When an employee opens the file, Windows Script Host launches the script, which immediately writes a copy into the user profile and registers a Run key under HKCU for persistence. The implant then contacts a remote server over HTTP, receives encrypted PowerShell commands, and can download additional modules or exfiltrate system information. Throughout the infection it maintains a beacon loop, allowing the adversary to issue remote shell commands, pivot laterally, and update the backdoor without leaving obvious footprints.
The campaign matters because its obfuscation defeats most signature‐based antivirus products, and the persistent backdoor provides a silent gateway for ransomware or data theft that can cripple operations. Detection is hampered by the use of legitimate scripting tools and low‐volume network traffic, making traditional alerts insufficient. Organizations should reinforce email hygiene, restrict execution of JavaScript files from user directories, and deploy behavioral monitoring for unusual wscript.exe or PowerShell activity. Regular backups and a segmented network design further reduce exposure and improve recovery if an infection occurs.
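As an added example (not code from the report or from the referenced vendors), the behavioral checks the paragraph above recommends, run over constructed Sysmon‐style events: script host executing a .js from a user profile, an HKCU Run value pointing at a script, and wscript.exe spawning PowerShell. Field names follow Sysmon conventions; the paths, SID and value name are invented.

```python
import re

# Constructed sample telemetry (Sysmon-style: id 1 = process create, id 13 = registry value set).
SAMPLE_EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\jdoe\Downloads\PO_48213.js"',
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
    {"id": 13, "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r'wscript.exe "C:\Users\jdoe\AppData\Roaming\update.js"'},
    {"id": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden -Command <redacted>",
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    # Benign: an inventory script under ProgramData launched by a service, not from a user profile.
    {"id": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe C:\ProgramData\Vendor\inventory.js",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
]

USER_DIR = re.compile(r"[A-Za-z]:\\Users\\[^\\]+\\", re.IGNORECASE)
JS_FILE = re.compile(r"\.jse?\b", re.IGNORECASE)            # .js or .jse
SCRIPT_HOST = re.compile(r"\\?[wc]script\.exe", re.IGNORECASE)
# Sysmon records HKCU as HKU\<user SID>; accept both spellings.
RUN_KEY = re.compile(r"^HK(CU|U\\S-1-5-21-[\d-]+)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
                     re.IGNORECASE)

def check_event(ev):
    """Return the rule names this event triggers (empty list when nothing matches)."""
    hits = []
    if ev["id"] == 1:
        cmd = ev["CommandLine"]
        if SCRIPT_HOST.search(ev["Image"]) and JS_FILE.search(cmd) and USER_DIR.search(cmd):
            hits.append("js_from_user_profile")
        if SCRIPT_HOST.search(ev["ParentImage"]) and "powershell" in ev["Image"].lower():
            hits.append("wscript_spawns_powershell")
    elif ev["id"] == 13:
        if RUN_KEY.search(ev["TargetObject"]) and (
                JS_FILE.search(ev["Details"]) or SCRIPT_HOST.search(ev["Details"])):
            hits.append("hkcu_run_key_script")
    return hits

def scan(events):
    """Return (index, rules) for every event that triggers at least one rule."""
    results = []
    for i, ev in enumerate(events):
        hits = check_event(ev)
        if hits:
            results.append((i, hits))
    return results

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(rules)}")
```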
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1566.001 | Phishing | Spearphishing Attachment |
| Execution | T1059.007 | Command and Scripting Interpreter | JavaScript |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| Defense Evasion | T1027.009 | Obfuscated Files or Information | Embedded Payloads |
| Discovery | T1082 | System Information Discovery | — |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | — |
| Impact | T1486 | Data Encrypted for Impact | — |
REFERENCES:
The following reports contain further technical details:
https://cybersecuritynews.com/hackers-use-fake-purchase-orders-to-deploy-js-monoglyphrat/
https://any.run/cybersecurity-blog/monoglyphrat-attacks-us-enterprise/?utm_source=csn&utm_medium=article&utm_campaign=monoglyphrat&utm_content=blog&utm_term=030626