type: entity
family: itegroup-sbs-dropper
confidence: medium
created: 2026-06-07
updated: 2026-06-07
tags: script, dropper, c2, obfuscation, evasion, defense-evasion, persistence

iteGroup SBS Dropper

Invoice-themed JavaScript dropper cluster using javascript-obfuscator self-defend obfuscation and a two-stage JS → PowerShell download chain. C2 stage is a single .ps1 payload hosted on an itegroup.sbs subdomain. Observed once; build pattern implies a commodity dropper-as-a-service or off-the-shelf obfuscation tooling.

Capabilities

  • javascript-obfuscator-self-defend-stringarray
  • rc4-like-string-array-decoder
  • control-flow-flattening-pipe-dispatch
  • wscript-powershell-cradle
  • powershell-executionpolicy-bypass
  • lnk-shortcut-persistence-startup
  • hidden-window-attribute
  • https-download-remote-script
  • anti-debug-regex-toString-trap

Build / RE

  • Language: JScript for Windows Script Host
  • Obfuscation: Commercial-grade javascript-obfuscator npm package with:
    • ~1019-element string array (B()) of base64-like segments ^[/intel/analyses/0bc60a0e11587e0a20fbd34f0fab12cc989abb6355bce40f5682608b5f5b60e7.html]
    • Custom decoder v(g,e) performing base64 decode + RC4-like XOR keyed by a salt string ^[/intel/analyses/0bc60a0e11587e0a20fbd34f0fab12cc989abb6355bce40f5682608b5f5b60e7.html]
    • Control-flow flattening via pipe-delimited numeric dispatch ('4|3|1|2|0') inside while(!![]) / switch blocks
    • Dead-code IIFE wrappers aliasing every meaningful call to randomly-named local functions (e3eg)
    • Anti-debug prototype-polluter trap inside v() that regex-tests .toString() of a decoy function
  • Code quality: Low — the whole script collapses to a downloader, an LNK dropper, and a PowerShell call once de-obfuscated.
  • Anti-analysis: The DuDuId self-defend trap is stock javascript-obfuscator and will fire if the de-obfuscator alters function .toString() expectations.
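
Analyst helpers for the two obfuscation layers listed above (string-array decoding and pipe-dispatch unflattening). This is an added example, not code from the sample or from javascript-obfuscator itself. It assumes the array entries are standard base64 and that the "RC4-like" decoder is plain RC4 keyed by the salt string; the real v(g, e) may use a custom base64 alphabet or a tweaked keystream, so diff its output against this before trusting it. The flattened snippet and the statements inside it are constructed stand-ins.

```python
"""De-obfuscation helpers: RC4 string-array entries and pipe-delimited dispatch order."""
import base64
import re


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Symmetric, so one routine both encodes and decodes."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decode_entry(entry: str, salt: str) -> str:
    """Reverse one string-array element: base64 decode, then RC4 with the salt as key.
    Assumption: plain RC4 and a standard alphabet (the sample's v() may differ)."""
    padded = entry + "=" * (-len(entry) % 4)   # obfuscator output often drops '=' padding
    return rc4(salt.encode(), base64.b64decode(padded)).decode("utf-8", "replace")


def encode_entry(plain: str, salt: str) -> str:
    """Inverse of decode_entry; only used to build constructed test data."""
    return base64.b64encode(rc4(salt.encode(), plain.encode())).decode().rstrip("=")


# A dispatch string is a quoted run of '|'-separated integers, e.g. '4|3|1|2|0'.
DISPATCH_RE = re.compile(r"'((?:\d+\|)+\d+)'")
CASE_RE = re.compile(r"case '(\d+)':\s*(.*?);\s*continue;")


def find_dispatch_orders(js_source: str) -> list[list[int]]:
    """Pull every pipe-delimited numeric dispatch string out of the source."""
    return [[int(n) for n in m.group(1).split("|")] for m in DISPATCH_RE.finditer(js_source)]


def case_bodies(js_source: str) -> dict[int, str]:
    """Map each case label to its statement (text up to the trailing 'continue;')."""
    return {int(m.group(1)): m.group(2).strip() for m in CASE_RE.finditer(js_source)}


def unflatten(order: list[int], cases: dict[int, str]) -> list[str]:
    """Lay the case bodies back out in the order the while(!![]) loop visits them."""
    return [cases[idx] for idx in order]


def recover_statements(js_source: str) -> list[str]:
    """Full pass over one flattened block: find its order string, then reorder its cases."""
    return unflatten(find_dispatch_orders(js_source)[0], case_bodies(js_source))


# Constructed stand-in for one flattened block; not the sample's code.
FLATTENED_SNIPPET = """
var o = '4|3|1|2|0'['split']('|'), k = 0;
while (!![]) { switch (o[k++]) {
  case '0': sh.Run(cmd, 0); continue;
  case '1': var lnk = sh.CreateShortcut(path); continue;
  case '2': lnk.Save(); continue;
  case '3': var sh = new ActiveXObject('WScript.Shell'); continue;
  case '4': var path = startup + '/x.lnk'; continue;
} break; }
"""

if __name__ == "__main__":
    print(decode_entry(encode_entry("WScript.Shell", "s4lt"), "s4lt"))
    for stmt in recover_statements(FLATTENED_SNIPPET):
        print(stmt)
```

Run the decoder over the full B() array with the salt recovered from v()'s call sites; if the output is mostly non-printable, the sample uses a custom alphabet or keystream and the assumption above needs adjusting rather than the tool.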

Deploy / ATT&CK

| Tactic | Technique | Evidence |
|---|---|---|
| Initial Access | T1204.002 | Invoice-themed filename (Order-June-ref225265496pdf.js) ^[/intel/analyses/0bc60a0e11587e0a20fbd34f0fab12cc989abb6355bce40f5682608b5f5b60e7.html] |
| Execution | T1059.005 | WScript/CScript .js execution as first stage |
| Execution | T1059.001 | PowerShell -nop -ep bypass -file invocation |
| Persistence | T1547.009 | .lnk creation with Hidden attribute and TargetPath set to staged payload |
| Defense Evasion | T1027 | Multi-layer javascript-obfuscator self-defend obfuscation |
| Command & Control | T1071.001 | HTTPS GET to https://itegroup.sbs/account/sat/update.ps1 |

Infrastructure

  • URL: https://itegroup.sbs/account/sat/update.ps1
  • TLD: .sbs (cheap, mass-registration TLD)
  • No observed backup domains / DGA / hardcoded IPs in single analysed sample.
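
Detection logic for the execution and persistence rows in the ATT&CK table: a script host spawning PowerShell with -ep bypass, and a script host writing a .lnk into a Startup folder. This is an added example, not the page's own tooling. The event classes mimic Sysmon process-create and file-create fields but the field names, paths and log lines are constructed; only the command-line switches and the Startup-folder LNK pattern come from the page.

```python
"""Telemetry triage for the WScript -> PowerShell -> Startup .lnk chain."""
import re
from dataclasses import dataclass


@dataclass
class ProcessCreate:           # constructed stand-in for a process-create event
    parent_image: str
    image: str
    command_line: str


@dataclass
class FileCreate:              # constructed stand-in for a file-create event
    image: str
    target_filename: str


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
EP_BYPASS = re.compile(r"(?i)(?:^|\s)-(?:ep|executionpolicy)\s+bypass\b")
NO_PROFILE = re.compile(r"(?i)(?:^|\s)-nop(?:rofile)?\b")
# Shortcut landing in a per-user Startup folder (T1547.009)
STARTUP_LNK = re.compile(r"(?i)\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$")
# Any one of these is enough to alert on; "noprofile" alone is only a weak signal.
STRONG = {"script-host-spawns-powershell", "executionpolicy-bypass", "startup-lnk-dropped-by-script-host"}


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def process_findings(ev: ProcessCreate) -> list[str]:
    """Tag a PowerShell process-create event with the chain features it matches."""
    hits = []
    if basename(ev.image) != "powershell.exe":
        return hits
    if basename(ev.parent_image) in SCRIPT_HOSTS:
        hits.append("script-host-spawns-powershell")   # T1059.005 handing off to T1059.001
    if EP_BYPASS.search(ev.command_line):
        hits.append("executionpolicy-bypass")
    if NO_PROFILE.search(ev.command_line):
        hits.append("noprofile")
    return hits


def file_findings(ev: FileCreate) -> list[str]:
    """Flag a Startup-folder .lnk written by a script host or PowerShell."""
    writers = SCRIPT_HOSTS | {"powershell.exe"}
    if basename(ev.image) in writers and STARTUP_LNK.search(ev.target_filename):
        return ["startup-lnk-dropped-by-script-host"]
    return []


def triage(events) -> list[tuple[str, list[str]]]:
    """Return (image, findings) for every event carrying at least one strong finding."""
    alerts = []
    for ev in events:
        hits = process_findings(ev) if isinstance(ev, ProcessCreate) else file_findings(ev)
        if STRONG & set(hits):
            alerts.append((basename(ev.image), hits))
    return alerts


# Constructed sample telemetry; user names, paths and file names are made up.
SAMPLE_EVENTS = [
    ProcessCreate(r"C:\Windows\System32\wscript.exe",
                  r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                  r'powershell.exe -nop -ep bypass -file "C:\Users\u\AppData\Local\Temp\update.ps1"'),
    ProcessCreate(r"C:\Windows\explorer.exe",
                  r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                  r"powershell.exe -nop -file C:\Scripts\nightly-backup.ps1"),
    FileCreate(r"C:\Windows\System32\wscript.exe",
               r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Order.lnk"),
    FileCreate(r"C:\Windows\explorer.exe",
               r"C:\Users\u\Desktop\Meeting notes.lnk"),
]

if __name__ == "__main__":
    for image, hits in triage(SAMPLE_EVENTS):
        print(image, hits)
```

The HTTPS fetch of update.ps1 happens before the -file invocation, so the URL will not appear on the PowerShell command line; pair these host rules with proxy or DNS logging for itegroup.sbs rather than expecting the C2 URL in process telemetry.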

Related

  • spamita — Italian three-stage JS→RC4-PS→XOR→.NET dropper with aspnet_compiler sandbox gate
  • unclassified-js-dropper — Portuguese-language WScript→PowerShell→.NET cluster (HostGator C2)
  • javascript-obfuscator — Concept page for the obfuscator tooling shared across JS dropper families