Fake POs Deploy JS.MonoGlyphRAT to Target Hackers Purchase

Marcus Rodriguez
June 3, 2026

Several key warning signs indicate potential compromise. These include instances of wscript.exe executing JavaScript files from user directories and PowerShell processes launched with encoded command flags. Furthermore, new registry run keys often point to .js files, and HTTP POST traffic to unusual ports may exhibit distinct patterns such as a=iz&b=.

Detecting this threat early requires behavioral monitoring and sandbox-based analysis, not traditional signature matching.
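The warning signs listed above can be written as triage rules over endpoint and proxy telemetry. The following is an added example, not code from the original article; the event schema, field names, the set of "usual" HTTP ports and the sample events are assumptions constructed for illustration.

```python
import re

# Assumed normalized telemetry (hypothetical field names): dicts with "id",
# "kind" and kind-specific fields, e.g. from process, registry and proxy logs.
USER_JS = re.compile(r'[a-z]:\\users\\[^"]*\.js\b', re.I)   # .js under a user profile
JS_FILE = re.compile(r'\.js\b', re.I)                       # matches .js, not .json
RUN_KEY = re.compile(r'\\currentversion\\run(\\|$)', re.I)
USUAL_HTTP_PORTS = {80, 443, 8080}  # assumption: tune to your environment

def has_encoded_flag(cmdline):
    # PowerShell accepts -ec and any prefix of -EncodedCommand (-e, -enc, ...).
    return any(t == "-ec" or (len(t) > 1 and "-encodedcommand".startswith(t))
               for t in cmdline.lower().split())

def match(ev):
    """Return the name of the first warning sign an event matches, or None."""
    if ev["kind"] == "process":
        image = ev["image"].lower().rsplit("\\", 1)[-1]
        if image == "wscript.exe" and USER_JS.search(ev["cmdline"]):
            return "wscript_js_from_user_dir"
        if image in ("powershell.exe", "pwsh.exe") and has_encoded_flag(ev["cmdline"]):
            return "powershell_encoded_command"
    elif ev["kind"] == "registry":
        if RUN_KEY.search(ev["key"]) and JS_FILE.search(ev["data"]):
            return "run_key_points_to_js"
    elif ev["kind"] == "http":
        if (ev["method"] == "POST" and ev["port"] not in USUAL_HTTP_PORTS
                and ev["body"].startswith("a=iz&b=")):
            return "post_checkin_pattern"
    return None

def triage(events):
    return [(ev["id"], rule) for ev in events if (rule := match(ev))]

# Constructed sample events (not taken from a real host); 2, 4 and 7 are benign.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WS = r"C:\Windows\System32\wscript.exe"
SAMPLE = [
    {"id": 1, "kind": "process", "image": WS,
     "cmdline": r'wscript.exe "C:\Users\alice\Downloads\PURCHASE ORDER_12258.js"'},
    {"id": 2, "kind": "process", "image": WS,
     "cmdline": r'wscript.exe C:\Windows\System32\slmgr.vbs /dli'},
    {"id": 3, "kind": "process", "image": PS, "cmdline": "powershell.exe -NoP -enc <base64>"},
    {"id": 4, "kind": "process", "image": PS,
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"},
    {"id": 5, "kind": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "data": r'wscript.exe "C:\Users\alice\qzxw\kdpt.js"'},
    {"id": 6, "kind": "http", "method": "POST", "port": 34567, "body": "a=iz&b=AAAA"},
    {"id": 7, "kind": "http", "method": "POST", "port": 443, "body": "user=alice"},
]
```

Calling `triage(SAMPLE)` flags events 1, 3, 5 and 6 and leaves the three benign events alone.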

Indicators of Compromise (IoCs):

| Type | Indicator | Description |
|---|---|---|
| IP Address | 158.94.211.76 | Primary C2 server IP address |
| IP Address | 91.92.243.79 | Secondary C2 server IP address |
| URL | hxxp://158.94.211.76:34567/ceoznp | C2 beacon endpoint |
| URL | hxxp://158.94.211.76:34567/ceoznp?ia=GEZHOV8LBB7PY4KX&df= | C2 check-in URL with session parameter |
| URL | hxxp://158.94.211.76:34567/ceoznp?ia=UDP3HIP4P5SH3U5R&df= | C2 check-in URL with alternate session |
| Domain | aryamint.com | C2 infrastructure domain |
| Domain | scan.aryamint.com | C2 infrastructure subdomain |
| File Hash (SHA256) | 5446b24959c1c2707accfc257aaac61819c01d1ed65bca910a7e8be1787d20b | Obfuscated JS malware sample |
| File Name | PURCHASE ORDER_12258.js | Phishing lure filename |
| File Name | QUOTE_B2026.js | Phishing lure filename |
| File Name | CKML220066 – MSRS no. 812399.js | Phishing lure filename |
| File Name | QUOTATION2026115.js | Phishing lure filename |
| Registry Key | HKCU\Software\Microsoft\Windows\CurrentVersion\Run\<random> | Persistence registry key |
| File Path | %USERPROFILE%\<random letters>\<random letters>.js | Malware installation path |
| HTTP Header | X-A: | C2 command delivery header |
| HTTP Header | X-S: | C2 session ID header |
| HTTP Pattern | POST body: a=iz&b=<data> | C2 check-in POST body pattern |
| Query Parameter | ia=<session_id> | C2 session identifier parameter |
| Query Parameter | df=0 | C2 telemetry upload parameter |
| Query Parameter | ex=<token> | C2 file download parameter |
| Query Parameter | sb=<token> | C2 loader/stage parameter |
| Query Parameter | vc=<token> | C2 payload URL parameter |
| Crypto IV | sixteenbyteslong | Static AES initialization vector (plaintext) |
| Encoded IV | 76E6F6C63756479726E6565647879637 | AES IV in reversed hex encoding |
| Suricata Rule ID | 85006579 | Detection rule for C2 traffic |
| Suricata Rule ID | 85006580 | Detection rule for C2 traffic |
| Suricata Rule ID | 85006581 | Detection rule for C2 traffic |

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
