spamita
Italian-language spam dropper family delivering multi-stage payloads via obfuscated JavaScript. Identified by the OpenCTI label spam-ita and observed masquerading as invoice documents.
Overview
spamita samples are JavaScript droppers targeting Italian-speaking victims through business-themed lures (e.g. "Invio proforma", i.e. sending a proforma invoice). The JavaScript carries a base64-encoded, RC4-encrypted PowerShell stage; once decrypted, that stage XOR-decrypts an embedded .NET assembly and loads it reflectively in memory, so nothing after the initial script touches disk.
The family name derives from the spam-ita OpenCTI label and has no public industry alias as of 2026-05-30.
Build-Stack Typically Observed
- Obfuscated JavaScript (likely generated by the javascript-obfuscator npm package)
- RC4-encrypted PowerShell intermediate stage
- XOR-encrypted .NET assembly final payload
- In-memory reflective loading via System.Reflection.Assembly::Load
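Analyst-side decoder for the three-stage chain described in the overview and the build-stack list above, added here as an example; it is not code from the page, from the sample, or from any vendor tool. It assumes a stage-2 layout (a `$k = 0x..` XOR key followed by a `FromBase64String('...')` blob), the variable names in that layout, and the RC4/XOR keys it constructs itself; a real sample's names, key derivation and encoding will differ, so `STAGE2_RE` is the part to adapt.

```python
"""Decoder for a spamita-style JS -> RC4 PowerShell -> XOR .NET chain.

Added example. The stage-2 script layout, variable names and keys are
ASSUMPTIONS so that the decoder can run offline on a constructed sample;
adapt STAGE2_RE to the layout of a real sample.
"""
import base64
import re
import struct


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encrypting and decrypting are the same call."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the transform applied to the final .NET stage."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(blob: bytes) -> bool:
    """Cheap key-correctness check: MZ header and PE\\0\\0 at e_lfanew."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


# ASSUMED stage-2 layout: "$k = 0x<hex>;" then "FromBase64String('<b64>')".
STAGE2_RE = re.compile(
    r"\$k\s*=\s*0x([0-9A-Fa-f]+)\s*;.*?FromBase64String\('([A-Za-z0-9+/=]+)'\)",
    re.S,
)


def decode_chain(js_blob_b64: str, rc4_key: bytes) -> tuple[str, bytes]:
    """base64 from the JS -> RC4 -> PowerShell text -> XOR -> assembly bytes."""
    stage2 = rc4(rc4_key, base64.b64decode(js_blob_b64)).decode("ascii", "replace")
    m = STAGE2_RE.search(stage2)
    if not m:
        raise ValueError("stage 2 does not match the assumed layout (wrong RC4 key?)")
    xor_key = bytes.fromhex(m.group(1))
    assembly = xor_bytes(base64.b64decode(m.group(2)), xor_key)
    if not looks_like_pe(assembly):
        raise ValueError("decrypted stage is not a PE image (wrong XOR key?)")
    return stage2, assembly


def build_constructed_sample(rc4_key: bytes, xor_key: bytes) -> tuple[str, bytes]:
    """Build a fake chain for offline testing; the 'assembly' is only PE-shaped."""
    pe = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", pe, 0x3C, 0x40)  # e_lfanew -> offset 0x40
    pe += b"PE\x00\x00" + b"CONSTRUCTED STAGE, NOT A REAL .NET MODULE".ljust(64, b"\x00")
    pe = bytes(pe)
    enc_b64 = base64.b64encode(xor_bytes(pe, xor_key)).decode("ascii")
    stage2 = (
        f"$k = 0x{xor_key.hex().upper()};\n"
        f"$b = [Convert]::FromBase64String('{enc_b64}');\n"
        "$d = New-Object byte[] $b.Length; for($i=0;$i -lt $b.Length;$i++){$d[$i]=$b[$i] -bxor $k}\n"
        "[System.Reflection.Assembly]::Load($d)\n"
    )
    return base64.b64encode(rc4(rc4_key, stage2.encode("ascii"))).decode("ascii"), pe


if __name__ == "__main__":
    blob, original = build_constructed_sample(b"constructed-rc4-key", b"\x5a")
    script, asm = decode_chain(blob, b"constructed-rc4-key")
    print(script)
    print("recovered assembly matches:", asm == original)
```

The PE check is what makes the decoder usable on an unknown sample: with a wrong RC4 key the regex fails, with a wrong XOR key the MZ/PE markers fail, so a key brute-force loop can stop at the first candidate that passes `looks_like_pe` instead of relying on eyeballing the output.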
Deploy / TTPs Typically Observed
| Technique | Observation |
|---|---|
| Anti-analysis / sandbox evasion | Process name check for aspnet_compiler before payload execution ^[report.md] |
| Defense evasion | No disk writes after initial JS execution; fully in-memory payload chain |
| Execution | WScript.Shell → PowerShell → .NET assembly |
| Social engineering | Italian invoice-themed filenames |
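A detection sketch over constructed telemetry for the execution chain and the sandbox gate in the table above, added as an example; it is not the page's code or any product's rule. Event fields mirror what Sysmon EID 1 (process creation) and PowerShell 4104 (script block) records provide, but the events, pids, paths, user name and encoded commands are constructed. How the sample actually tests for aspnet_compiler is not documented on the page, so the gate rule (an aspnet_compiler reference alongside a process-enumeration idiom) is an assumption.

```python
"""Detection sketch for the spamita execution chain and sandbox gate.

Added example, not code from the page or from any product. Events are
CONSTRUCTED dicts shaped like Sysmon EID 1 (process) and PowerShell
4104 (scriptblock) records; the pids, paths, user name and encoded
commands below are invented for the example.
"""
import re

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
POWERSHELL = ("powershell.exe", "pwsh.exe")
ENCODED_FLAG = re.compile(r"(?i)\s-(e|ec|en|enc|encodedcommand)\b")
# ASSUMPTION: the page only says the sample checks for the aspnet_compiler
# process name, so the gate rule pairs that name with a process-enumeration idiom.
GATE_NAME = re.compile(r"(?i)aspnet_compiler")
PROC_ENUM = re.compile(r"(?i)Get-Process|\[System\.Diagnostics\.Process\]::GetProcess")
REFLECTIVE_LOAD = re.compile(r"(?i)\[(System\.)?Reflection\.Assembly\]::Load\b")


def basename(path: str) -> str:
    """Image name without directory, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid, severity) tuples for the spamita-style chain."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    alerts = []
    for e in events:
        if e["type"] == "process":
            parent = procs.get(e["ppid"])
            # Execution: WScript.Shell -> PowerShell (encoded command raises severity)
            if (parent and basename(e["image"]) in POWERSHELL
                    and basename(parent["image"]) in SCRIPT_HOSTS):
                sev = "high" if ENCODED_FLAG.search(e["cmdline"]) else "medium"
                alerts.append(("script-host-to-powershell", e["pid"], sev))
        elif e["type"] == "scriptblock":
            text = e["text"]
            gated = GATE_NAME.search(text) and PROC_ENUM.search(text)
            loads = REFLECTIVE_LOAD.search(text)
            if gated and loads:
                alerts.append(("aspnet-compiler-gate+reflective-load", e["pid"], "high"))
            elif loads:
                alerts.append(("reflective-assembly-load", e["pid"], "medium"))
    return alerts


def confirmed_chains(alerts):
    """PIDs that tripped both the parent-child rule and a scriptblock rule."""
    chain = {pid for rule, pid, _ in alerts if rule == "script-host-to-powershell"}
    block = {pid for rule, pid, _ in alerts if rule != "script-host-to-powershell"}
    return chain & block


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CONSTRUCTED_EVENTS = [
    {"type": "process", "pid": 4100, "ppid": 880, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"type": "process", "pid": 4212, "ppid": 4100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\user1\Downloads\Invio proforma.js"'},
    {"type": "process", "pid": 4230, "ppid": 4212, "image": PS,
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAkAHMA"},
    {"type": "scriptblock", "pid": 4230,
     "text": "if (-not (Get-Process -Name aspnet_compiler -ErrorAction SilentlyContinue)) { exit }\n"
             "$d = $null  # decrypted bytes would be built here\n"
             "[System.Reflection.Assembly]::Load($d)"},
    # benign control: encoded command, but launched from cmd.exe, not a script host
    {"type": "process", "pid": 5000, "ppid": 4100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe"},
    {"type": "process", "pid": 5010, "ppid": 5000, "image": PS,
     "cmdline": "powershell.exe -enc ZwBlAHQALQBkAGEAdABlAA=="},
]

if __name__ == "__main__":
    for alert in detect(CONSTRUCTED_EVENTS):
        print(alert)
    print("confirmed chains:", confirmed_chains(detect(CONSTRUCTED_EVENTS)))
```

The parent-child rule on its own is noisy in environments that legitimately run logon scripts, which is why the script-block rule is kept separate and `confirmed_chains` only reports a pid when both fire; the benign cmd.exe launch in the constructed data is there to show the first rule staying quiet.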
Capabilities
- javascript-obfuscator-string-array
- rc4-encrypted-powershell-stage
- xor-decrypt-dotnet-assembly
- reflective-dotnet-assembly-load
- aspnet-compiler-process-gate-sandbox-evasion
- invoice-themed-spam-delivery
Notable Analyses
- 129ef9250b91767463dc5d219be2db7f389a5bb7e72dc2d41cbd9fdbeca20941 (Invio proforma.js): three-stage JS→PS→.NET dropper ^[report.md]
Related
- javascript-obfuscator — obfuscation pattern observed
- rc4-encrypted-powershell — staging technique
- xored-dotnet-in-memory-assembly — payload loading technique
- aspnet-compiler-sandbox-evasion — anti-sandbox gate