type: technique | confidence: medium | created: 2026-06-07 | updated: 2026-06-07 | tags: script, dropper, persistence, execution, evasion, defense-evasion

WScript LNK PowerShell Cradle

A multi-stage execution chain observed in invoice-themed JavaScript droppers:

  1. The victim double-clicks a .js file. The file is usually given a double extension so it looks like a PDF (Explorer hides the trailing .js by default), and the default .js file association hands it to wscript.exe.
  2. The JScript stage, running inside wscript.exe, downloads a remote .ps1 payload with a WinHttpRequest or XMLHTTP COM object and stages it on disk.
  3. The script creates a .lnk shortcut, usually in the user's Startup folder resolved through WScript.Shell SpecialFolders("Startup"), with TargetPath pointing at the staged payload and the Hidden attribute set, so the payload is re-launched at every logon.
  4. The script spawns powershell.exe -nop -ep bypass -file <path> to execute the second-stage PowerShell payload immediately, without waiting for the next logon.

Obfuscation Layers

Samples in this category are typically heavily obfuscated with javascript-obfuscator with its selfDefending option enabled, so static de-obfuscation is a prerequisite for recovering the exact download URL and LNK target path. Self-defending output stops working once the source is reformatted, so do not run a beautifier on the original sample before the protecting wrapper has been removed; alternatively, recover the URL and shortcut fields dynamically by executing the sample in an instrumented sandbox that logs the WinHttp and WScript.Shell calls.

Defensive Notes

  • Block .js execution outside of corporate script paths (AppLocker script rules), disable Windows Script Host for users who do not need it (HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings, Enabled = 0), or change the default handler for .js/.jse to a text editor so that a double-click no longer executes the file.
  • Monitor powershell.exe spawned by wscript.exe / cscript.exe (Sysmon Event ID 1, ParentImage), and raise the severity when the child command line carries -nop, -ep bypass or -file.
  • Alert on .lnk creation (Sysmon Event ID 11) in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup, and in the all-users %PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\StartUp, by any process other than explorer.exe or a trusted installer.
  • Network connections from wscript.exe / cscript.exe (Sysmon Event ID 3) are unusual in most environments and expose stage 2 before the payload lands.
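The four stages of the chain map to four observable host events, and the notes above describe the rules that catch them. The following is an added example, not code from the original page, that runs those rules over a constructed sequence of Sysmon-style events (Event ID 1 process creation, 3 network connection, 11 file creation) and correlates the stages on the script host's ProcessGuid so that the complete chain fires as one higher-confidence alert. The sample events, GUIDs, file names, the 203.0.113.10 address and the allowlist of benign shortcut writers are all constructed assumptions.

```python
"""Detection for the WScript -> LNK -> PowerShell cradle over Sysmon-style
events. Added example, not code from the original note. Field names follow
Sysmon; the sample events and the allowlist below are constructed."""
import re
from collections import defaultdict

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Matches both %APPDATA% and the all-users %PROGRAMDATA% Startup folder.
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"
# Assumption: processes that legitimately write shortcuts into Startup.
BENIGN_LNK_WRITERS = {"explorer.exe", "msiexec.exe"}
# Document-looking name with a script extension hidden behind it.
DOUBLE_EXT_RE = re.compile(r"\.(?:pdf|docx?|xlsx?|txt)\.(?:js|jse|wsf|vbs|vbe)\b", re.I)
# PowerShell accepts any unambiguous prefix of a switch; these cover the
# spellings seen in the cradle, not every possible abbreviation.
CRADLE_FLAGS = {
    "noprofile": re.compile(r"(?<!\S)-nop(?:rofile)?\b", re.I),
    "bypass": re.compile(r"(?<!\S)-(?:ep|exec|executionpolicy)\s+bypass\b", re.I),
    "hidden": re.compile(r"(?<!\S)-w(?:indowstyle)?\s+hidden\b", re.I),
    "file": re.compile(r"(?<!\S)-f(?:ile)?\s", re.I),
}

PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed events: one full chain plus two benign look-alikes.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{A}", "ParentProcessGuid": "{EXP}",
     "Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Users\u\Downloads\Invoice_4471.pdf.js"'},
    {"EventID": 3, "ProcessGuid": "{A}", "Image": r"C:\Windows\System32\wscript.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 11, "ProcessGuid": "{A}", "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.lnk"},
    {"EventID": 1, "ProcessGuid": "{B}", "ParentProcessGuid": "{A}",
     "Image": PS_PATH, "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"powershell.exe -nop -ep bypass -file C:\Users\u\AppData\Roaming\update.ps1"},
    # Benign: the user pins a shortcut into Startup through Explorer.
    {"EventID": 11, "ProcessGuid": "{EXP}", "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote.lnk"},
    # Benign: an admin runs PowerShell from cmd.exe without bypass flags.
    {"EventID": 1, "ProcessGuid": "{C}", "ParentProcessGuid": "{D}",
     "Image": PS_PATH, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell.exe Get-Date"},
]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_startup_lnk(path):
    low = path.lower()
    return low.endswith(".lnk") and STARTUP_DIR in low


def detect(events):
    """Single pass: emit one alert per rule hit, then a chain alert for any
    script-host process that shows three or more of the four stages."""
    alerts = []
    stages = defaultdict(set)  # script-host ProcessGuid -> stages observed
    for ev in events:
        eid, guid = ev["EventID"], ev.get("ProcessGuid", "")
        image = basename(ev.get("Image", ""))
        if eid == 1:
            parent = basename(ev.get("ParentImage", ""))
            cmd = ev.get("CommandLine", "")
            if image in SCRIPT_HOSTS:                       # stage 1
                stages[guid].add("script_launch")
                if DOUBLE_EXT_RE.search(cmd):
                    alerts.append({"rule": "double_extension_script", "guid": guid, "detail": cmd})
            elif image in POWERSHELL and parent in SCRIPT_HOSTS:   # stage 4
                pguid = ev.get("ParentProcessGuid", "")
                flags = sorted(n for n, rx in CRADLE_FLAGS.items() if rx.search(cmd))
                stages[pguid].add("powershell_child")
                alerts.append({"rule": "wsh_spawns_powershell", "guid": pguid,
                               "detail": cmd, "flags": flags})
        elif eid == 3 and image in SCRIPT_HOSTS:            # stage 2
            stages[guid].add("network")
        elif eid == 11 and is_startup_lnk(ev.get("TargetFilename", "")):  # stage 3
            if image not in BENIGN_LNK_WRITERS:
                alerts.append({"rule": "startup_lnk_write", "guid": guid,
                               "detail": ev["TargetFilename"]})
            if image in SCRIPT_HOSTS:
                stages[guid].add("startup_lnk")
    for guid, seen in stages.items():
        if len(seen) >= 3:
            alerts.append({"rule": "wscript_lnk_powershell_cradle", "guid": guid,
                           "detail": ",".join(sorted(seen))})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a["rule"], a["guid"], a["detail"])
```

Correlating on the parent's ProcessGuid rather than on the image name alone is what keeps the benign cmd.exe launch of powershell.exe out of the chain rule, and the allowlist keeps a user pinning a shortcut into Startup through Explorer from paging anyone; both are environment-specific and need tuning.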

Related