EXECUTIVE SUMMARY:
A new malicious JavaScript campaign, named JSFireTruck, was discovered using heavily obfuscated code to evade detection. This malware is delivered through phishing websites and is designed to steal credentials, exfiltrate sensitive information, or redirect victims to malicious domains. It avoids detection by transforming its code structure repeatedly, using automated rewriting techniques powered by large language models (LLMs). Each version of the script looks different but performs the same malicious actions, making it extremely difficult for signature-based or static analysis tools to detect. Security researchers observed that detection rates for these transformed scripts dropped significantly, with many variants bypassing nearly all antivirus engines. This campaign shows how threat actors are now using AI tools to increase the stealth and adaptability of their malware.
JSFireTruck’s obfuscation process involves automatically rewriting its code through a series of transformations. These include renaming variables, altering script flow, injecting non-functional or decoy code, and fragmenting strings—all while preserving the malware’s original behavior. The process is repeated in a loop, where each newly rewritten version is evaluated, and only the most evasive yet functional version is kept. This method allows threat actors to generate a high volume of unique, stealthy scripts that are difficult for static analysis tools to detect. Despite the visual and structural changes, the malware still carries out its intended actions—such as stealing credentials, redirecting users, or injecting harmful scripts—making it a persistent and adaptive threat.
The JSFireTruck malware represents a major shift in attacker tactics by using automated obfuscation techniques to evade modern detection systems. Instead of altering the core behavior, attackers repeatedly rewrite the JavaScript code’s structure—changing variable names, control flows, and adding decoy elements—while maintaining its malicious intent. This process generates countless unique variants that bypass both static and machine learning-based defenses. As a result, traditional detection methods struggle to keep up. To effectively counter such threats, defenders must prioritize behavior-based analysis, simulate obfuscated attack scenarios, and adopt proactive detection strategies that focus on what the script does, not just how it looks.
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-Technique |
| --- | --- | --- | --- |
| Initial Access | T1566.002 | Phishing | Spearphishing Link |
| Execution | T1059.007 | Command and Scripting Interpreter | JavaScript |
| Defense Evasion | T1027 | Obfuscated Files or Information | - |
| Defense Evasion | T1221 | Template Injection | - |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | - |
MBC MAPPING:
| Objective | Behaviour ID | Behaviour |
| --- | --- | --- |
| Anti-Static Analysis | B0032 | Executable Code Obfuscation |
| Defense Evasion | E1027 | Obfuscated Files or Information |
| Execution | E1204 | User Execution |
| Command and Control | B0030 | C2 Communication |
| Collection | E1056 | Input Capture |
| Credential Access | F0002 | Keylogging |
REFERENCES:
The following reports contain further technical details: