type: entity
family: unclassified-js-dropper
confidence: medium
created: 2026-06-02
updated: 2026-06-07
tags: script, dropper, c2, anti-vm, anti-debug, evasion, defense-evasion, persistence

Unclassified JS Dropper Family

Placeholder entity for Brazilian Portuguese-language WScript droppers that stage themselves to C:\Users\Public\, emit obfuscated PowerShell via base64 string concatenation, check for debugger/sandbox processes, and download second-stage assemblies from HostGator reseller subdomains.

Capabilities

  • wscript-temp-downloads-relocation
  • public-path-persistence-staging
  • jscript-powershell-obfuscated-chain
  • base64-encoded-powershell-payload
  • process-name-sandbox-evasion
  • debugger-enumeration-restart
  • powershell-executionpolicy-bypass
  • http-download-hostgator-c2
  • reflectively-loaded-dotnet-assembly
  • msbuild-proxy-invocation

Build / RE

  • Language: JScript for Windows Script Host
  • Obfuscation: Manual — dead functions, Unicode garbage strings, semicolon noise, no commercial packer
  • Anti-analysis: Process-name enumeration (get-process handle, wireshark, any.run, etc.), connectivity check to www.google.com, Restart-Computer -Force on detection
  • Code quality: Low — verbose, repetitive dead code, no control-flow flattening

Deploy / ATT&CK

Tactic | Technique | Evidence
Execution | T1059.005 (Visual Basic / JScript) | WScript .js file ^[/intel/analyses/0e4141aac553fa9b2e3a224ad54ce65ba61ddbf9c1e856d363b59cad111ef0d4.html]
Execution | T1059.001 (PowerShell) | -ExecutionPolicy Bypass -File via ShellExecute ^[/intel/analyses/0e4141aac553fa9b2e3a224ad54ce65ba61ddbf9c1e856d363b59cad111ef0d4.html]
Defense Evasion | T1497 (Virtualization / Sandbox Evasion) | Process-name checks; restart on detection ^[/intel/analyses/0e4141aac553fa9b2e3a224ad54ce65ba61ddbf9c1e856d363b59cad111ef0d4.html]
Defense Evasion | T1218 (System Binary Proxy Execution) | wscript.exe proxy execution ^[/intel/analyses/0e4141aac553fa9b2e3a224ad54ce65ba61ddbf9c1e856d363b59cad111ef0d4.html]
Command & Control | T1071.001 (Web Protocols) | HTTPS to HostGator reseller subdomains ^[/intel/analyses/0e4141aac553fa9b2e3a224ad54ce65ba61ddbf9c1e856d363b59cad111ef0d4.html]
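Added example (not code from this report or the analysis it cites): the execution chain and sandbox-gate behaviour above turned into process-creation detection logic. The event records, field names, script names and paths are constructed for the example; only the indicators (wscript.exe parent, -ExecutionPolicy Bypass -File, C:\Users\Public\ staging, Restart-Computer -Force) come from the report.

```python
import ntpath
import re

# Indicators taken from the report; everything else here is constructed.
POWERSHELL = {"powershell.exe", "pwsh.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
BYPASS_RE = re.compile(r"-(?:ex|ep|executionpolicy)\s+bypass", re.IGNORECASE)
PUBLIC_RE = re.compile(r"c:\\users\\public\\", re.IGNORECASE)
RESTART_RE = re.compile(r"restart-computer\b.*-force", re.IGNORECASE)

# Constructed process-creation events (Sysmon Event ID 1 style, simplified).
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -ExecutionPolicy Bypass -File C:\Users\Public\stage.ps1"},
    {"parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -ExecutionPolicy Bypass -Command Restart-Computer -Force"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -File C:\Scripts\backup.ps1"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -ep bypass -File C:\Tools\setup.ps1"},
]


def _basename(path):
    # ntpath handles Windows separators regardless of the host OS.
    return ntpath.basename(path).lower()


def classify(event):
    """Return the report-derived indicators matched by a single event."""
    parent, image = _basename(event["parent_image"]), _basename(event["image"])
    cmd = event["command_line"]
    hits = []
    if parent in SCRIPT_HOSTS and image in POWERSHELL:
        hits.append("wscript-to-powershell")        # T1059.005 -> T1059.001 hand-off
    if image in POWERSHELL and BYPASS_RE.search(cmd):
        hits.append("executionpolicy-bypass")       # -ExecutionPolicy Bypass
    if PUBLIC_RE.search(cmd):
        hits.append("public-path-staging")          # C:\Users\Public\ staging
    if image in POWERSHELL and RESTART_RE.search(cmd):
        hits.append("forced-restart")               # sandbox-gate reaction (T1497)
    return hits


def detect(events, min_hits=2):
    """Return (index, hits) for events matching at least min_hits indicators.

    A lone bypass flag is common in admin tooling, so two indicators are
    required before an event is surfaced."""
    flagged = []
    for i, event in enumerate(events):
        hits = classify(event)
        if len(hits) >= min_hits:
            flagged.append((i, hits))
    return flagged
```

Running `detect(SAMPLE_EVENTS)` surfaces the two wscript-spawned events and leaves the explorer-launched scripts alone, including the one that only sets -ep bypass.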

Sibling Analyses

  • 0e4141aac553fa9b2e3a224ad54ce65ba61ddbf9c1e856d363b59cad111ef0d4 — WScript→PowerShell→.NET assembly loader with debugger/sandbox gate (see unclassified-js-dropper report)

Related

  • itegroup-sbs-dropper — Invoice-themed JS dropper using javascript-obfuscator with PowerShell C2 cradle (iteGroup.sbs)
  • spamita — Italian JS dropper family with three-stage obfuscation (JS→RC4-PS→XOR→.NET in-memory)
  • Similar build/chain: Troldesh / Xorist stealer clusters targeting Brazilian hosts