{
  "name": "Downloader Malware Written in JPHP Interpreter",
  "slug": "downloader-malware-written-in-jphp-interpreter",
  "description": "A newly discovered malware uses JPHP, a PHP interpreter that runs on the Java Virtual Machine, to implement a downloader. The malware is distributed in a ZIP file that bundles a Java Runtime Environment and the required libraries, so it can run without a separately installed Java environment. It communicates with a C2 server, disables Windows Defender's behavior monitoring, and uses Telegram for additional C2 connections. The malware can download and execute additional payloads, potentially including data-theft malware such as Strrat and Danabot. This case shows how threat actors abuse lesser-known technologies like JPHP for malware distribution, and underscores the importance of scrutinizing executable files and scripts from all sources.",
  "published": "2025-04-17T14:34:28+00:00",
  "created_at": "2025-04-17T14:34:28+00:00",
  "modified_at": "2025-04-17T17:39:39+00:00",
  "created_at_opencti": "2025-04-17T14:34:28+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-04-17",
    "danabot",
    "jphp",
    "php",
    "strrat"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "89.23.96.126"
      },
      {
        "id": "",
        "name": "e4d7f08ef085428cd9d32b325774cfbcaf44bec61e6ad37b5d82d09b1b92b065"
      },
      {
        "id": "",
        "name": "0997201124780f11a16662a0d718b1a3ef3202c5153191f93511d7ecd0de4d8d"
      },
      {
        "id": "",
        "name": "4b50e7fba5e33bac30b98494361d5ab725022c38271b3eb89b9c4aab457dca78"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:4f230dc1f190e6ec",
        "name": "Strrat",
        "slug": "strrat"
      },
      {
        "id": "legacy:malware:847c67cbde743e06",
        "name": "Danabot",
        "slug": "danabot"
      }
    ],
    "attack_patterns": [
      {
        "id": "9322d33b-00c1-4f99-9f1a-a33d93c0dac2",
        "name": "T1059.007"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "dc342445-1b78-48b4-aa06-89ed2ad7c28e",
        "name": "T1071"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      }
    ]
  },
  "external_refs": [
    "https://asec.ahnlab.com/en/86859",
    "https://otx.alienvault.com/pulse/68012d9425b7ccf942f5f065"
  ]
}