{"id":21343,"date":"2026-06-02T10:34:41","date_gmt":"2026-06-02T10:34:41","guid":{"rendered":"https:\/\/any.run\/cybersecurity-blog\/?p=21343"},"modified":"2026-06-02T12:58:01","modified_gmt":"2026-06-02T12:58:01","slug":"monoglyphrat-attacks-us-enterprise","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/monoglyphrat-attacks-us-enterprise\/","title":{"rendered":"From\u00a0Fake\u00a0Purchase\u00a0Orders\u00a0to\u00a0Remote Access:\u00a0Analyzing\u00a0the\u00a0JS.MonoGlyphRAT\u00a0Threat\u00a0to\u00a0US Enterprises"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">A previously unidentified cyberattack is quietly spreading through US businesses \u2014 and most security tools are not catching it. Researchers at <a href=\"http:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=monoglyphrat-attacks-us-enterprise&amp;utm_term=020626&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a> have identified a new backdoor called JS.MonoGlyphRAT, an advanced piece of malware delivered as an ordinary-looking JavaScript file disguised as a purchase order, quote, or business proposal. Once an employee opens the file, the attacker gains silent, persistent access to the company\u2019s systems.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This threat is currently active and primarily targeting organizations in the United States, with victims confirmed across the technology sector, managed security service providers (MSSPs), telecommunications, and education. It has also been observed in Germany, Sweden, Australia, and several other countries.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The financial consequences can quickly escalate beyond incident response costs. Organizations may face operational downtime, regulatory penalties, contractual liabilities, lost business opportunities, reputational damage, and increased cyber insurance expenses. 
Because MonoGlyphRAT functions as a loader capable of delivering additional malware, even a seemingly minor infection can become the first step toward a large-scale breach with significant business impact.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Key Takeaways<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>It is actively targeting US businesses.<\/strong> JS.MonoGlyphRAT is an operational threat, with confirmed victims in the US technology, MSSP, and telecom sectors, delivered via convincing sales-themed phishing lures.<\/li>\n\n\n\n<li><strong>Most security tools are blind to it.<\/strong> The malware is currently classified as \u2018Unknown malware\u2019 on VirusTotal and ThreatFox. Standard signature-based antivirus provides little to no protection.<\/li>\n\n\n\n<li><strong>It is designed for persistence and deep access. <\/strong>The RAT establishes a permanent foothold via the Windows registry, runs silently in the background, and can pivot to download ransomware, exfiltrate data, or deploy further stages.<\/li>\n\n\n\n<li><strong>The attack begins with a single click.<\/strong> Employees in procurement, sales, and finance are the primary targets. A .js file disguised as a purchase order or quote is all it takes to compromise a machine.<\/li>\n\n\n\n<li><strong>The financial exposure is real and immediate.<\/strong> From ransomware deployment to data breach fines and incident response costs, a successful compromise can cost a mid-sized US business millions of dollars \u2014 plus reputational damage that is harder to quantify.<\/li>\n\n\n\n<li><strong>Behavioral detection is the key defense.<\/strong> The malware\u2019s most reliable detection artifacts are behavioral: unusual wscript.exe activity, PowerShell chains launched from a user directory, suspicious registry writes, and HTTP beaconing to non-standard ports. 
Hunt for these patterns actively.<\/li>\n\n\n\n<li><strong>ANY.RUN detects and analyzes this threat in real time.<\/strong> ANY.RUN\u2019s <a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=monoglyphrat-attacks-us-enterprise&amp;utm_term=020626&amp;utm_content=linktosandboxlanding\" target=\"_blank\" rel=\"noreferrer noopener\">Interactive Sandbox<\/a> first identified and documented JS.MonoGlyphRAT, providing full behavioral analysis, C2 traffic capture, and MITRE ATT&amp;CK mapping. The ANY.RUN <a href=\"https:\/\/intelligence.any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=monoglyphrat-attacks-us-enterprise&amp;utm_term=020626&amp;utm_content=linktoti\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence suite<\/a> allows defenders to query related IOCs \u2014 including C2 IPs, domains, URI patterns, and Suricata rule IDs \u2014 to proactively hunt for this threat across their environments. Organizations using ANY.RUN can analyze suspicious .js files in seconds before they reach endpoints, dramatically reducing the window of exposure.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">What This Attack Means for Your Business<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">JS.MonoGlyphRAT is not a smash-and-grab attack. It is designed for persistence \u2014 staying hidden on infected machines for as long as possible while giving attackers full remote control. 
The financial consequences for affected organizations can be severe and varied:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Ransomware deployment:<\/strong> The malware can silently download and execute ransomware or other destructive payloads, potentially locking businesses out of critical systems and demanding seven-figure ransoms.<\/li>\n\n\n\n<li><strong>Data theft and regulatory fines<\/strong>: Attackers can exfiltrate sensitive data \u2014 customer records, financial information, intellectual property \u2014 triggering GDPR, HIPAA, or SEC disclosure obligations and associated penalties.<\/li>\n\n\n\n<li><strong>Business email compromise (BEC) and fraud:<\/strong> With full access to an employee\u2019s machine, attackers can pivot to email systems and initiate fraudulent wire transfers or supplier fraud.<\/li>\n\n\n\n<li><strong>Operational disruption:<\/strong> A compromised endpoint in a network operations center or a managed service provider can cascade into downtime for dozens of downstream clients.<\/li>\n\n\n\n<li><strong>Incident response costs:<\/strong> The average cost of a data breach in the US exceeded $9.4 million in 2024. Detection, containment, forensics, legal counsel, and notification alone typically run into hundreds of thousands of dollars.<\/li>\n\n\n\n<li><strong>Reputational damage:<\/strong> Clients who learn their MSSP or technology vendor was compromised often terminate contracts, compounding the financial blow.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Because this malware cluster is currently unattributed in public threat intelligence feeds (flagged only as \u2018Unknown malware\u2019 on VirusTotal and ThreatFox), standard signature-based antivirus provides little protection. 
Behavioral detection and sandbox analysis are essential to identify and stop it.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Technical Analysis of a WSH\/JScript Backdoor with Monoglyph Obfuscation and PowerShell Stagers<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">During analysis of Generic clusters of tracked activity, researchers identified an obfuscated JScript sample executed via Windows Script Host (WSH).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The 
malware uses a distinctive monoglyph obfuscation technique for identifiers: variable and function names are constructed from repeated characters in mixed case (e.g., IiIiIiIiiIII, KkkKKKkKkK, and so on), making the code difficult to read and hampering static analysis.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"866\" height=\"370\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_d4bdf6a9.png\" alt=\"\" class=\"wp-image-21353\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_d4bdf6a9.png 866w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_d4bdf6a9-300x128.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_d4bdf6a9-768x328.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_d4bdf6a9-370x158.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_d4bdf6a9-270x115.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_d4bdf6a9-740x316.png 740w\" sizes=\"auto, (max-width: 866px) 100vw, 866px\" \/><figcaption class=\"wp-element-caption\">Obfuscated JS file<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">This cluster has not been publicly identified. 
In open threat intelligence sources, related samples are classified as unknown malware: <a href=\"https:\/\/threatfox.abuse.ch\/ioc\/1761698\/\" target=\"_blank\" rel=\"noreferrer noopener\">ThreatFox marks<\/a> one of the C2 addresses as \u2018Unknown malware\u2019 with threat type \u2018payload delivery\u2019, while <a href=\"https:\/\/www.virustotal.com\/gui\/file\/aa5b97546a5cb1e62fbacc5f8521a7fc593ed37b11604966a87b464b9bcc1eb2\/detection\" target=\"_blank\" rel=\"noreferrer noopener\">VirusTotal shows<\/a> Malicious activity (29\/59 detections) but no specific family name.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">For tracking purposes, ANY.RUN researchers have designated this cluster JS.MonoGlyphRAT, named after the monoglyph identifier obfuscation method (IiiIIii\u2026, KkkKkKk\u2026, etc.).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The malware implements persistent RAT\/loader functionality running on the JS\/WScript platform. It achieves persistence via the HKCU Run registry key, collects system and process information via WMI, communicates with its C2 server over HTTP, receives commands through control headers, launches AES-encrypted PowerShell stagers, and supports file execution, remote shell access, payload download, and self-update.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"706\" height=\"638\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_e3d4a2e1.png\" alt=\"\" class=\"wp-image-21355\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_e3d4a2e1.png 706w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_e3d4a2e1-300x271.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_e3d4a2e1-370x334.png 370w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_e3d4a2e1-270x244.png 270w\" sizes=\"auto, (max-width: 706px) 100vw, 706px\" \/><figcaption class=\"wp-element-caption\">Malware activity in the system<\/figcaption><\/figure>\n<\/div>\n\n\n<h3 class=\"wp-block-heading\">Delivery Vector &amp; Victimology<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Based on filenames submitted to the sandbox, the presumed delivery vector is social engineering (phishing with malicious JS attachments) using sales-themed lures: purchase orders, requests for proposals (RFPs), requests for quotations (RFQs), and similar documents.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Sample filenames observed:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>PURCHASE ORDER_12258.js (Analysis session: <a href=\"https:\/\/app.any.run\/tasks\/e39d92e9-a8c3-4c71-8009-2087847fb669\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=monoglyphrat-attacks-us-enterprise&amp;utm_term=020626&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/app.any.run\/tasks\/e39d92e9-a8c3-4c71-8009-2087847fb669\/<\/a>)<\/li>\n\n\n\n<li>QUOTE_B2026.js (Analysis session: <a href=\"https:\/\/app.any.run\/tasks\/0bd61201-efaf-4b40-ae7b-4af1042a3d17\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=monoglyphrat-attacks-us-enterprise&amp;utm_term=020626&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/app.any.run\/tasks\/0bd61201-efaf-4b40-ae7b-4af1042a3d17\/<\/a>)<\/li>\n\n\n\n<li>CKML220066 &#8211; MSRS no. 
812399.js (Analysis session: <a href=\"https:\/\/app.any.run\/tasks\/8b78c1a7-119b-4980-8639-7756e9bc3edc\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=monoglyphrat-attacks-us-enterprise&amp;utm_term=020626&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/app.any.run\/tasks\/8b78c1a7-119b-4980-8639-7756e9bc3edc\/<\/a>)<\/li>\n\n\n\n<li>QUOTATION2026115.js (Analysis session: <a href=\"https:\/\/app.any.run\/tasks\/040bddbf-3952-4b6d-afa4-56fefa0c3741\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=monoglyphrat-attacks-us-enterprise&amp;utm_term=020626&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/app.any.run\/tasks\/040bddbf-3952-4b6d-afa4-56fefa0c3741\/<\/a>)<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Industries affected:<\/strong> Technology sector, MSSPs, Education, Telecommunications.<br><strong>Geographic distribution of victims:<\/strong> primarily the United States, Germany, and Sweden; to a lesser extent Australia, Costa Rica, Greece, Poland, and Turkey.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Execution Chain<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The following analysis is based on sandbox session: <a href=\"https:\/\/app.any.run\/tasks\/e39d92e9-a8c3-4c71-8009-2087847fb669\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=monoglyphrat-attacks-us-enterprise&amp;utm_term=020626&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/app.any.run\/tasks\/e39d92e9-a8c3-4c71-8009-2087847fb669\/<\/a><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"533\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/sandbox-1024x533.png\" alt=\"\" class=\"wp-image-21368\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/sandbox-1024x533.png 1024w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/sandbox-300x156.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/sandbox-768x400.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/sandbox-1536x799.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/sandbox-370x193.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/sandbox-270x140.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/sandbox-740x385.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/sandbox.png 1845w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Malicious JS detonated in the sandbox<\/figcaption><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\">Initialization<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">The analyzed sample is a heavily obfuscated JS script (SHA256: 5446b24959c1c2707accfc257aaac61819c01d1ed65bca910a7e8be1787d200f).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The defining characteristic is the repeating pattern of object and function names in the code: sequences of the same letter in alternating case \u2014 for example, \u2018function iiiiiiiiiiiiii()\u2019, \u2018var IiIiiiiiiIiIIi\u2019, \u2018function Iiiiiiiiiiiiii(iIiiiiiiiiiiii, IIiiiiiiiiiiii)\u2019, and so on.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"472\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_97d5a418-1024x472.png\" alt=\"\" class=\"wp-image-21369\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_97d5a418-1024x472.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_97d5a418-300x138.png 300w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_97d5a418-768x354.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_97d5a418-370x171.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_97d5a418-270x124.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_97d5a418-740x341.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_97d5a418.png 1382w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">The characteristic code obfuscation<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">In the sandbox, the script runs under the wscript.exe process. Shortly after execution, a series of behavioral signatures fire with Malicious and Suspicious severity levels.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"614\" height=\"668\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_b3b5cb6e.png\" alt=\"\" class=\"wp-image-21370\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_b3b5cb6e.png 614w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_b3b5cb6e-276x300.png 276w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_b3b5cb6e-370x403.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_b3b5cb6e-270x294.png 270w\" sizes=\"auto, (max-width: 614px) 100vw, 614px\" \/><figcaption class=\"wp-element-caption\">Malicious behavior detected in the sandbox<\/figcaption><\/figure>\n<\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" 
decoding=\"async\" width=\"614\" height=\"668\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_9b348bc2.png\" alt=\"\" class=\"wp-image-21373\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_9b348bc2.png 614w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_9b348bc2-276x300.png 276w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_9b348bc2-370x403.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_9b348bc2-270x294.png 270w\" sizes=\"auto, (max-width: 614px) 100vw, 614px\" \/><figcaption class=\"wp-element-caption\">Malware behavioral signatures<\/figcaption><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">Network activity is also visible: the script sends HTTP requests to an unknown IP address.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"190\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_3f7a2b66-1024x190.png\" alt=\"\" class=\"wp-image-21374\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_3f7a2b66-1024x190.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_3f7a2b66-300x56.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_3f7a2b66-768x143.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_3f7a2b66-370x69.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_3f7a2b66-270x50.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_3f7a2b66-740x138.png 740w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_3f7a2b66.png 1113w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Network Block HTTP requests<\/figcaption><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"846\" height=\"646\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_bb57096c.png\" alt=\"\" class=\"wp-image-21375\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_bb57096c.png 846w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_bb57096c-300x229.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_bb57096c-768x586.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_bb57096c-370x283.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_bb57096c-270x206.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_bb57096c-740x565.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_bb57096c-80x60.png 80w\" sizes=\"auto, (max-width: 846px) 100vw, 846px\" \/><figcaption class=\"wp-element-caption\">One of the malware&#8217;s HTTP requests<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><br>Observed URLs:<\/p>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li>hxxp[:\/\/]158[.]94[.]211[.]76:34567\/ceoznp<\/li>\n\n\n\n<li>hxxp[:\/\/]158[.]94[.]211[.]76:34567\/ceoznp?ia=GEZHOV8LBB7PY4KX&amp;df=0<\/li>\n\n\n\n<li>hxxp[:\/\/]158[.]94[.]211[.]76:34567\/ceoznp?ia=GEZHOV8LBB7PY4KX<\/li>\n\n\n\n<li>hxxp[:\/\/]158[.]94[.]211[.]76:34567\/ceoznp?ia=UDP3HIP4P5SH3U5R&amp;df=0<\/li>\n\n\n\n<li>hxxp[:\/\/]158[.]94[.]211[.]76:34567\/ceoznp?ia=UDP3HIP4P5SH3U5R<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">WSH Bindings<\/h4>\n\n\n\n<p 
class=\"wp-block-paragraph\">The malware creates wrapper objects for interacting with WScript and WMI. <\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1234\" height=\"254\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/1-1024x211.png\" alt=\"\" class=\"wp-image-21376\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/1-1024x211.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/1-300x62.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/1-768x158.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/1-370x76.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/1-270x56.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/1-740x152.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/1.png 1234w\" sizes=\"auto, (max-width: 1234px) 100vw, 1234px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"294\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/2-1024x294.png\" alt=\"\" class=\"wp-image-21377\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/2-1024x294.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/2-300x86.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/2-768x220.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/2-370x106.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/2-270x77.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/2-740x212.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/2.png 1071w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" 
\/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"753\" height=\"80\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/3.png\" alt=\"\" class=\"wp-image-21378\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/3.png 753w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/3-300x32.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/3-370x39.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/3-270x29.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/3-740x79.png 740w\" sizes=\"auto, (max-width: 753px) 100vw, 753px\" \/><figcaption class=\"wp-element-caption\">Wrappers for working with WinHost API, WScript, and ActiveX\/COM<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">These provide the following capabilities:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Process execution;<\/li>\n\n\n\n<li>PowerShell payload execution;<\/li>\n\n\n\n<li>WMI data collection;<\/li>\n\n\n\n<li>File system operations;<\/li>\n\n\n\n<li>C2 HTTP communication;<\/li>\n\n\n\n<li>Registry value writing;<\/li>\n\n\n\n<li>Persistence mechanisms and self-copying to the installation path.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Installation and Persistence<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">On the first run, the script copies itself into a subdirectory of %USERPROFILE%. 
After a successful C2 exchange, it adds itself to the Windows autorun mechanism by writing to the registry:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"357\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_225920d9-1024x357.png\" alt=\"\" class=\"wp-image-21381\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_225920d9-1024x357.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_225920d9-300x105.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_225920d9-768x268.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_225920d9-370x129.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_225920d9-270x94.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_225920d9-740x258.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_225920d9.png 1187w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Persistence mechanisms<\/figcaption><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"326\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_90685c1e-1024x326.png\" alt=\"\" class=\"wp-image-21382\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_90685c1e-1024x326.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_90685c1e-300x95.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_90685c1e-768x244.png 
768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_90685c1e-370x118.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_90685c1e-270x86.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_90685c1e-740x235.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_90685c1e.png 1233w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Changing Windows Registry for persistence<\/figcaption><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\">C2 Implementation and Capabilities<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">C2 connection parameters are defined in a static configuration within the main RAT class.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"446\" height=\"54\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_3af869dc.png\" alt=\"\" class=\"wp-image-21385\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_3af869dc.png 446w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_3af869dc-300x36.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_3af869dc-370x45.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_3af869dc-270x33.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_3af869dc-435x54.png 435w\" sizes=\"auto, (max-width: 446px) 100vw, 446px\" \/><figcaption class=\"wp-element-caption\">C2 connection parameters in the malware config<\/figcaption><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">HTTP C2 addresses are hardcoded; the connectionMode parameter 
determines the communication scheme: header C2 mode (commands delivered via HTTP response headers) or legacy mode.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"170\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_ef5b15d3-1024x170.png\" alt=\"\" class=\"wp-image-21386\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_ef5b15d3-1024x170.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_ef5b15d3-300x50.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_ef5b15d3-768x127.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_ef5b15d3-370x61.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_ef5b15d3-270x45.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_ef5b15d3-740x123.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_ef5b15d3.png 1135w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">C2 address and communication mode selection<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">On initial connection, the client collects basic host telemetry:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>USERDOMAIN<\/li>\n\n\n\n<li>USERNAME<\/li>\n\n\n\n<li>Win32_SystemEnclosure.SerialNumber (via WMI)<\/li>\n\n\n\n<li>Win32_OperatingSystem.Caption (via WMI)<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"179\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_ef365b82-1024x179.png\" alt=\"\" class=\"wp-image-21387\" 
srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_ef365b82-1024x179.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_ef365b82-300x53.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_ef365b82-768x135.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_ef365b82-370x65.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_ef365b82-270x47.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_ef365b82-740x130.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_ef365b82.png 1204w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Basic telemetry collection<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">This data is sent to the C2 in an HTTP POST request.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"834\" height=\"713\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_94486d31.png\" alt=\"\" class=\"wp-image-21388\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_94486d31.png 834w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_94486d31-300x256.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_94486d31-768x657.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_94486d31-370x316.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_94486d31-270x231.png 270w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_94486d31-740x633.png 740w\" sizes=\"auto, (max-width: 834px) 100vw, 834px\" \/><figcaption class=\"wp-element-caption\">HTTP C2 Check-in<\/figcaption><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"836\" height=\"375\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_2b504c04.png\" alt=\"\" class=\"wp-image-21389\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_2b504c04.png 836w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_2b504c04-300x135.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_2b504c04-768x344.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_2b504c04-370x166.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_2b504c04-270x121.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_2b504c04-740x332.png 740w\" sizes=\"auto, (max-width: 836px) 100vw, 836px\" \/><figcaption class=\"wp-element-caption\">POST-request example<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">The server responds with two control headers:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>X-S: &lt;session ID&gt;<\/li>\n\n\n\n<li>X-A: &lt;command_id&gt;<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">If the response status code is not 200, or if the X-S header is absent, the RAT client considers the connection failed and enters a shutdown state.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"439\" height=\"246\" 
src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_be7480ff.png\" alt=\"\" class=\"wp-image-21394\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_be7480ff.png 439w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_be7480ff-300x168.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_be7480ff-370x207.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_be7480ff-270x151.png 270w\" sizes=\"auto, (max-width: 439px) 100vw, 439px\" \/><figcaption class=\"wp-element-caption\">HTTP C2 check-in response w\/ control headers (X-S, X-A)<\/figcaption><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">After successful registration, MonoGlyphRAT enters a beacon loop.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"795\" height=\"643\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_9e90411d.png\" alt=\"\" class=\"wp-image-21397\" style=\"aspect-ratio:1.236427703523694;width:795px;height:auto\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_9e90411d.png 795w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_9e90411d-300x243.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_9e90411d-768x621.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_9e90411d-370x299.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_9e90411d-270x218.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_9e90411d-740x599.png 740w\" 
sizes=\"auto, (max-width: 795px) 100vw, 795px\" \/><figcaption class=\"wp-element-caption\">C2 interaction in beacon loop mode<\/figcaption><\/figure>\n<\/div>\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"839\" height=\"358\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_20330d99.png\" alt=\"\" class=\"wp-image-21400\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_20330d99.png 839w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_20330d99-300x128.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_20330d99-768x328.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_20330d99-370x158.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_20330d99-270x115.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_20330d99-740x316.png 740w\" sizes=\"auto, (max-width: 839px) 100vw, 839px\" \/><figcaption class=\"wp-element-caption\">HTTP beacon-request example<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">The beacon URL format is: <br>http:\/\/&lt;c2_host&gt;\/&lt;endpoint&gt;?ia=&lt;session_id&gt;[&amp;&lt;param&gt;=&lt;value&gt;]<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">If the response status is below 300, the response is passed to the command dispatcher. Otherwise, the connection is considered broken and the client attempts to reconnect.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The command dispatcher reads the command code from the \u2018X-A\u2019 header. 
Supported commands:<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-332\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"2\"\n           data-rows=\"10\"\n           data-wpID=\"332\"\n           data-responsive=\"0\"\n           data-has-header=\"1\">\n\n                    <thead>        <tr class=\"wpdt-cell-row \" >\n                                <th class=\"wpdt-cell wpdt-bold wpdt-fs-000015 wpdt-bc-2196F3\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:18.913857677903%;                    padding:10px;\n                    \"\n                    >\n                                        \t\t\tCommand\t\t\tID                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-bold wpdt-fs-000015 wpdt-bc-2196F3\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:81.086142322097%;                    padding:10px;\n                    \"\n                    >\n                                        \t\t\tDescription                    <\/th>\n                                        <\/tr>\n                    <tbody>        <tr class=\"wpdt-cell-row odd\" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000013\"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        
\t\t\t-7                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000013\"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\tReceive\t\t\tMonoGlyphRAT client update from C2                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row even\" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000013\"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t-6                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000013\"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\tUninstall\t\t\t\u2014 remove self from host                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row odd\" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000013\"\n                                            data-cell-id=\"A4\"\n                    data-col-index=\"0\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n       
                                 \t\t\t-5                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000013\"\n                                            data-cell-id=\"B4\"\n                    data-col-index=\"1\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\tTerminate\t\t\tclient process                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row even\" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000013\"\n                                            data-cell-id=\"A5\"\n                    data-col-index=\"0\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t-4                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000013\"\n                                            data-cell-id=\"B5\"\n                    data-col-index=\"1\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\tRestart\t\t\tclient                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row odd\" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000013\"\n                                            data-cell-id=\"A6\"\n                    data-col-index=\"0\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                
                        \t\t\t-3\t\t\t\u2026 0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000013\"\n                                            data-cell-id=\"B6\"\n                    data-col-index=\"1\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\tC2\t\t\tconnection management: disconnect \/ reconnect \/ sleep \/ wake                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row even\" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000013\"\n                                            data-cell-id=\"A7\"\n                    data-col-index=\"0\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t1                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000013\"\n                                            data-cell-id=\"B7\"\n                    data-col-index=\"1\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\tDownload,\t\t\tdecrypt, and execute payload from C2                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row odd\" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000013\"\n                                            data-cell-id=\"A8\"\n                    data-col-index=\"0\"\n                    data-row-index=\"7\"\n                    style=\"                    
padding:10px;\n                    \"\n                    >\n                                        \t\t\t2                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000013\"\n                                            data-cell-id=\"B8\"\n                    data-col-index=\"1\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\tDecrypt\t\t\tand execute PowerShell command                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row even\" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000013\"\n                                            data-cell-id=\"A9\"\n                    data-col-index=\"0\"\n                    data-row-index=\"8\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t3                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000013\"\n                                            data-cell-id=\"B9\"\n                    data-col-index=\"1\"\n                    data-row-index=\"8\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\tDownload\t\t\tencrypted stage and execute in-memory                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row odd\" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000013\"\n                                            data-cell-id=\"A10\"\n                    data-col-index=\"0\"\n                    data-row-index=\"9\"\n            
        style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t4                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000013\"\n                                            data-cell-id=\"B10\"\n                    data-col-index=\"1\"\n                    data-row-index=\"9\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\tCollect\t\t\tand send host telemetry to C2                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-332'>\ntable#wpdtSimpleTable-332{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-332 td, table.wpdtSimpleTable332 th { white-space: normal !important; }\n.wpdt-fs-000015 { font-size: 15px !important;}\n.wpdt-bc-2196F3 { background-color: #2196F3 !important;}\n.wpdt-fs-000013 { font-size: 13px !important;}\n<\/style>\n\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"571\" height=\"806\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_3faf0192.png\" alt=\"\" class=\"wp-image-21403\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_3faf0192.png 571w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_3faf0192-213x300.png 213w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_3faf0192-370x522.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_3faf0192-270x381.png 270w\" sizes=\"auto, (max-width: 571px) 100vw, 571px\" \/><figcaption class=\"wp-element-caption\">Switch-case on C2 command number in 
X-A<\/figcaption><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">The following POST-requests from the client also add parameters to the URL (along with \u2018?ia=&lt;session_id&gt;\u2019):<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u201c&amp;ex=&lt;token&gt;\u201d: file download<\/li>\n\n\n\n<li>\u201c&amp;sb=&lt;token&gt;\u201d: loader\/stage<\/li>\n\n\n\n<li>\u201c&amp;vc=&lt;token&gt;\u201d: payload URL for stage<\/li>\n\n\n\n<li>\u201c&amp;df=0\u201d: host telemetry upload<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">X-A: -7 \u201cUpdate client\u201d<\/h4>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"272\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_b19b9f8b-1024x272.png\" alt=\"\" class=\"wp-image-21404\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_b19b9f8b-1024x272.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_b19b9f8b-300x80.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_b19b9f8b-768x204.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_b19b9f8b-370x98.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_b19b9f8b-270x72.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_b19b9f8b-740x196.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_b19b9f8b.png 1052w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Deobfuscated implementation code for the \u2018Update client\u2019 command (X-A: -7)<\/figcaption><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\">X-A: 1 \u201cExecute file\u201d<\/h4>\n\n\n\n<figure 
class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1019\" height=\"326\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_5228e28f.png\" alt=\"\" class=\"wp-image-21407\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_5228e28f.png 1019w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_5228e28f-300x96.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_5228e28f-768x246.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_5228e28f-370x118.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_5228e28f-270x86.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_5228e28f-740x237.png 740w\" sizes=\"auto, (max-width: 1019px) 100vw, 1019px\" \/><figcaption class=\"wp-element-caption\">Deobfuscated implementation code for the \u2018Execute file\u2019 command (X-A:1)<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">C2 response body format:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>[0:12] \u2014 file token<\/li>\n\n\n\n<li>[12:44] \u2014 AES encryption key<\/li>\n\n\n\n<li>[44:] \u2014 hex-encoded file extension<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">The extracted parameters are passed to SystemUtilities.DownloadAesEncryptedFile, which interpolates them into a PowerShell command executed via the WSH\/WMI wrapper objects.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"328\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_1d6403bc-1024x328.png\" alt=\"\" class=\"wp-image-21406\" 
srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_1d6403bc-1024x328.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_1d6403bc-300x96.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_1d6403bc-768x246.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_1d6403bc-370x119.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_1d6403bc-270x86.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_1d6403bc-740x237.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_1d6403bc.png 1227w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Preparation of the PS command to execute the C2 file payload<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Encryption parameters used:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Mode: AES-128-CBC<\/li>\n\n\n\n<li>Padding: PKCS #7<\/li>\n\n\n\n<li>Key: 16 bytes, supplied per-task in the C2 response body<\/li>\n\n\n\n<li>IV: \u2018sixteenbyteslong\u2019 \u2014 static across samples, stored as reverse-hex<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">X-A: 2 \u201cExecute shell\u201d<\/h4>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"904\" height=\"211\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_bc4d4381.png\" alt=\"\" class=\"wp-image-21405\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_bc4d4381.png 904w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_bc4d4381-300x70.png 300w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_bc4d4381-768x179.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_bc4d4381-370x86.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_bc4d4381-270x63.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_bc4d4381-740x173.png 740w\" sizes=\"auto, (max-width: 904px) 100vw, 904px\" \/><figcaption class=\"wp-element-caption\">Deobfuscated implementation code for the \u2018Execute shell\u2019 command (X-A:2)<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">C2 response body format:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>[0:32] \u2014 AES encryption key<\/li>\n\n\n\n<li>[32:] \u2014 hex-encoded encrypted PowerShell command<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Parameters are passed to SystemUtilities.RunEncryptedPowerShellCommand, which constructs and executes a PowerShell command in the same manner as the Execute File handler.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"255\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_c4f725d8-1024x255.png\" alt=\"\" class=\"wp-image-21408\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_c4f725d8-1024x255.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_c4f725d8-300x75.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_c4f725d8-768x191.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_c4f725d8-370x92.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_c4f725d8-270x67.png 270w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_c4f725d8-740x184.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_c4f725d8.png 1232w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Preparation of the PS command to execute the C2 shell payload<\/figcaption><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\">X-A: 3 \u2014 In-Memory .NET Execution<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">This is the most sophisticated C2 handler. C2 response body format:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>[0:12] \u2014 loader token<\/li>\n\n\n\n<li>[12:44] \u2014 loader AES encryption key<\/li>\n\n\n\n<li>[44:] \u2014 loader host \/ argument encrypted blob (hex-encoded)<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">The handler builds two URLs (loaderUrl and payloadUrl), encodes them as reversed hex, then downloads and executes an additional payload in memory within a newly created .NET process.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"345\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_ffdf55c0-1024x345.png\" alt=\"\" class=\"wp-image-21410\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_ffdf55c0-1024x345.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_ffdf55c0-300x101.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_ffdf55c0-768x259.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_ffdf55c0-370x125.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_ffdf55c0-270x91.png 270w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_ffdf55c0-740x249.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_ffdf55c0.png 1105w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Deobfuscated implementation code for the \u2018in-memory execution\u2019 command (X-A:3)<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">The PowerShell command used for execution:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Reconstructs loaderUrl from its obfuscated form<\/li>\n\n\n\n<li>Downloads the additional payload<\/li>\n\n\n\n<li>Decrypts the payload<\/li>\n\n\n\n<li>Patches AmsiScanBuffer to bypass AMSI<\/li>\n\n\n\n<li>Assembles the decrypted bytes into a memory buffer<\/li>\n\n\n\n<li>Reflectively loads a .NET Assembly via [System.Reflection.Assembly]::Load()<\/li>\n\n\n\n<li>Transfers execution to the entry point: [Software.Program].GetMethod(\u2018Main\u2019).Invoke()<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">AMSI patching is implemented using LoadLibrary(\u2018amsi.dll\u2019), GetProcAddress(\u2018AmsiScanBuffer\u2019), VirtualProtect(), and Marshal.Copy().<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"583\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_8e362a5c-1024x583.png\" alt=\"\" class=\"wp-image-21411\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_8e362a5c-1024x583.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_8e362a5c-300x171.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_8e362a5c-768x437.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_8e362a5c-370x211.png 370w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_8e362a5c-270x154.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_8e362a5c-740x421.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_8e362a5c.png 1298w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Preparation for .NET in-memory payload execution<\/figcaption><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"311\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_65215582-1024x311.png\" alt=\"\" class=\"wp-image-21413\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_65215582-1024x311.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_65215582-300x91.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_65215582-768x234.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_65215582-370x113.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_65215582-270x82.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_65215582-740x225.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_65215582.png 1151w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><br>AMSI patching<\/figcaption><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"956\" height=\"113\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_295e541d.png\" alt=\"\" 
class=\"wp-image-21414\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_295e541d.png 956w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_295e541d-300x35.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_295e541d-768x91.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_295e541d-370x44.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_295e541d-270x32.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_295e541d-740x87.png 740w\" sizes=\"auto, (max-width: 956px) 100vw, 956px\" \/><figcaption class=\"wp-element-caption\"><br>.NET reflective loading<\/figcaption><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"147\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_eada54b-1024x147.png\" alt=\"\" class=\"wp-image-21415\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_eada54b-1024x147.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_eada54b-300x43.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_eada54b-768x110.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_eada54b-370x53.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_eada54b-270x39.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_eada54b-740x106.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_eada54b.png 1174w\" sizes=\"auto, (max-width: 
1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Handler function code LoadAesEncryptedDotNetStage<\/figcaption><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\">X-A: 4 \u201cHost telemetry\u201d<\/h4>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"953\" height=\"460\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_2089c6ee.png\" alt=\"\" class=\"wp-image-21416\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_2089c6ee.png 953w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_2089c6ee-300x145.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_2089c6ee-768x371.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_2089c6ee-370x179.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_2089c6ee-270x130.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_2089c6ee-740x357.png 740w\" sizes=\"auto, (max-width: 953px) 100vw, 953px\" \/><figcaption class=\"wp-element-caption\">Deobfuscated implementation code for the \u2018get host telemetry&#8217; command (X-A:4)<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">C2 response body format:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>[0:32] \u2014 XOR key from server<\/li>\n\n\n\n<li>[32] \u2014 extended telemetry flag<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"499\" height=\"393\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_8bb29d42.png\" alt=\"\" class=\"wp-image-21417\" 
srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_8bb29d42.png 499w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_8bb29d42-300x236.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_8bb29d42-370x291.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_8bb29d42-270x213.png 270w\" sizes=\"auto, (max-width: 499px) 100vw, 499px\" \/><figcaption class=\"wp-element-caption\">C2 request-response with command ID = 4<\/figcaption><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">In the C2 response (X-A header and body):<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u201cX-A: 4\u201d \u2014 \u201cGet host telemetry\u201d command<\/li>\n\n\n\n<li>\u201c766BBAE98154B60B381CE91BFB5473ED\u201d \u2014 XOR key (32 hex characters, i.e. 16 bytes)<\/li>\n\n\n\n<li>\u201c1\u201d \u2014 get extended info flag<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">When the flag is set to \u20181\u2019, the client collects an extended host profile:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"295\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_8d959dfc-1024x295.png\" alt=\"\" class=\"wp-image-21418\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_8d959dfc-1024x295.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_8d959dfc-300x86.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_8d959dfc-768x221.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_8d959dfc-370x107.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_8d959dfc-270x78.png 270w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_8d959dfc-740x213.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_8d959dfc.png 1204w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Host telemetry collection code<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">The data collected:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>USERDOMAIN \/ USERNAME<\/li>\n\n\n\n<li>Win32_SystemEnclosure.SerialNumber<\/li>\n\n\n\n<li>Win32_OperatingSystem.Caption<\/li>\n\n\n\n<li>Win32_ComputerSystem.TotalPhysicalMemory<\/li>\n\n\n\n<li>Win32_ComputerSystem.Model<\/li>\n\n\n\n<li>Win32_Processor.Name<\/li>\n\n\n\n<li>Win32_VideoController.Name<\/li>\n\n\n\n<li>Win32_Process.Name (unique entries, collected via a separate WMI call)<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">The collected data is XOR-encoded and sent as a JSON payload via POST:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>{\n    &quot;b&quot;: &quot;&lt;xored_host_info&gt;&quot;,\n    &quot;c&quot;: &quot;&lt;xored_process_list&gt;&quot;\n}<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">The POST request:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>POST \/&lt;endpoint&gt;?ia=&lt;session_id&gt;&amp;df=0\nContent-Type: application\/json\n&lt;JSON host info payload in request body&gt;<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"653\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_9364bb4c-1024x653.png\" alt=\"\" class=\"wp-image-21419\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_9364bb4c-1024x653.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_9364bb4c-300x191.png 300w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_9364bb4c-768x489.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_9364bb4c-370x236.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_9364bb4c-270x172.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_9364bb4c-740x472.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_9364bb4c.png 1384w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">POST request with collected host info<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">MonoGlyphRAT C2 protocol operation scheme:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"539\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_8906b5c4-1024x539.png\" alt=\"\" class=\"wp-image-21420\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_8906b5c4-1024x539.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_8906b5c4-300x158.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_8906b5c4-768x405.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_8906b5c4-1536x809.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_8906b5c4-370x195.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_8906b5c4-270x142.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_8906b5c4-740x390.png 740w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_8906b5c4.png 1568w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">MonoGlyphRAT C2 protocol operation scheme:<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">The RAT client configuration is set statically in the JS script code:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"899\" height=\"492\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_2a754f0a.png\" alt=\"\" class=\"wp-image-21421\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_2a754f0a.png 899w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_2a754f0a-300x164.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_2a754f0a-768x420.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_2a754f0a-370x202.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_2a754f0a-270x148.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/JS.MonoGlyphRAT_html_2a754f0a-740x405.png 740w\" sizes=\"auto, (max-width: 899px) 100vw, 899px\" \/><figcaption class=\"wp-element-caption\">MonoGlyphRAT configuration example<\/figcaption><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Threat Landscape<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Based on available sources, JS.MonoGlyphRAT is supported by a stable infrastructure cluster \u2014 IP addresses, C2 domains, and non-standard URI paths \u2014 that remains without attribution (classified as Unknown RAT\/malware in public feeds).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">ANY.RUN TI related samples query:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a 
href=\"https:\/\/intelligence.any.run\/analysis\/lookup#%7B%2522query%2522:%2522destinationIP:%255C%2522158.94.211.76%255C%2522%2520or%2520url:%255C%2522%255C%255C?ia=*&amp;df=*%255C%2522%2520or%2520domainName:%255C%2522aryamint.com$%255C%2522%2520or%2520destinationIP:%255C%252291.92.243.79%255C%2522%2520or%2520url:%255C%2522\/gATIjh%255C%2522%2520or%2520url:%255C%2522\/ceoznp%255C%2522%2520or%2520suricataID:%255C%252285006579%255C%2522%2520or%2520suricataID:%255C%252285006580%255C%2522%2520or%2520suricataID:%255C%252285006581%255C%2522%2522,%2522dateRange%2522:180%7D\" target=\"_blank\" rel=\"noreferrer noopener\">destinationIP:&#8221;158.94.211.76&#8243; or url:&#8221;\\?ia=<em>&amp;df=<\/em>&#8221; or domainName:&#8221;aryamint.com$&#8221; or destinationIP:&#8221;91.92.243.79&#8243; or url:&#8221;\/gATIjh&#8221; or url:&#8221;\/ceoznp&#8221; or suricataID:&#8221;85006579&#8243; or suricataID:&#8221;85006580&#8243; or suricataID:&#8221;85006581&#8243;<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Within the kill chain, MonoGlyphRAT occupies the role of a first- or mid-stage RAT\/loader: it establishes persistence on the victim host, sets up a persistent C2 session, and can download and execute additional stage payloads (files, shell commands, in-memory .NET execution).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Attribution to a specific campaign or threat actor cannot be confirmed on the current dataset. 
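<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The X-A:4 host telemetry exchange described above, worked through as an added example. This is editor-supplied Python, not code from the ANY.RUN report and not the malware\u2019s own JScript: one side parses the C2 task body into the 16-byte XOR key and the extended flag, builds the XOR-encoded JSON body and the POST line in the layout the page gives, and the other side decodes a captured POST body back into the host fields and the process list. The sample task body reuses the key and flag shown in the figure; the host profile, process list, session id and the \/example endpoint are constructed. How the hex key is applied, what is sent when the extended flag is not set, how fields and process names are delimited, and how the XOR output is encoded inside the JSON strings are not stated on the page and are assumptions here.<\/p>\n\n\n\n
```python
import json
from itertools import cycle

# Constructed X-A:4 task body, assembled from the values in the page's figure:
# 32 hex characters of XOR key followed by the extended-telemetry flag "1".
SAMPLE_TASK_BODY = "766BBAE98154B60B381CE91BFB5473ED" + "1"

# Constructed host profile (a lab VM, not real data), in the field order the
# page lists for the telemetry command.
SAMPLE_HOST_INFO = {
    "USERDOMAIN": "LAB",
    "USERNAME": "analyst",
    "Win32_SystemEnclosure.SerialNumber": "VMW-0000",
    "Win32_OperatingSystem.Caption": "Microsoft Windows 10 Pro",
    "Win32_ComputerSystem.TotalPhysicalMemory": "8589934592",
    "Win32_ComputerSystem.Model": "VMware Virtual Platform",
    "Win32_Processor.Name": "Intel(R) Xeon(R) CPU",
    "Win32_VideoController.Name": "VMware SVGA 3D",
}
# Constructed Win32_Process.Name output; the duplicate is deliberate, since the
# client sends unique names only.
SAMPLE_PROCESSES = ["explorer.exe", "wscript.exe", "powershell.exe", "wscript.exe"]


def parse_telemetry_task(body: str) -> tuple[bytes, bool]:
    """Split an X-A:4 response body: [0:32] hex XOR key, [32] extended flag.
    ASSUMPTION: the 32 hex characters are decoded to 16 raw key bytes."""
    if len(body) < 33:
        raise ValueError("X-A:4 body needs 32 hex characters plus a flag")
    return bytes.fromhex(body[:32]), body[32] == "1"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so the same call encodes and decodes."""
    if not key:
        raise ValueError("empty XOR key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def build_telemetry_post(endpoint: str, session_id: str, host_info: dict,
                         processes: list[str], key: bytes, extended: bool):
    """Client side: (request line, headers, JSON body) for the telemetry upload.
    ASSUMPTIONS: without the extended flag only USERDOMAIN/USERNAME are sent,
    fields are joined with '|', process names with newlines, and the XOR
    output is hex-encoded inside the JSON strings."""
    fields = list(host_info.values())
    if not extended:
        fields = fields[:2]
    host_blob = "|".join(fields).encode()
    proc_blob = "\n".join(dict.fromkeys(processes)).encode()  # de-duplicated, order kept
    body = json.dumps({"b": xor_bytes(host_blob, key).hex(),
                       "c": xor_bytes(proc_blob, key).hex()})
    return (f"POST {endpoint}?ia={session_id}&df=0",
            {"Content-Type": "application/json"},
            body)


def decode_telemetry_post(body: str, key: bytes) -> tuple[list[str], list[str]]:
    """Analyst side: recover host fields and process list from a captured POST
    body, using the key taken from the preceding X-A:4 response."""
    msg = json.loads(body)
    host = xor_bytes(bytes.fromhex(msg["b"]), key).decode().split("|")
    procs = xor_bytes(bytes.fromhex(msg["c"]), key).decode().split("\n")
    return host, procs


if __name__ == "__main__":
    key, extended = parse_telemetry_task(SAMPLE_TASK_BODY)
    line, headers, body = build_telemetry_post(
        "/example", "sess01", SAMPLE_HOST_INFO, SAMPLE_PROCESSES, key, extended)
    print(line, headers, body, sep="\n")
    print(decode_telemetry_post(body, key))
```
\n\n\n\n<p class=\"wp-block-paragraph\">Because the key is issued by the server per task, a decoder working from a capture has to be fed the key from the X-A:4 response that preceded each POST; the page\u2019s figure shows both halves of that pair together, which is what makes the telemetry recoverable from traffic.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">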
While there are consistent infrastructure artifacts, network traffic patterns, and a shared execution chain, these are insufficient for reliable actor attribution.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">MITRE ATT&amp;CK Mapping<\/h3>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-333\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"3\"\n           data-rows=\"19\"\n           data-wpID=\"333\"\n           data-responsive=\"0\"\n           data-has-header=\"1\">\n\n                    <thead>        <tr class=\"wpdt-cell-row \" >\n                                <th class=\"wpdt-cell wpdt-fs-000014 wpdt-bold\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:9.070958302853%;                    padding:10px;\n                    \"\n                    >\n                                        \t\t\tTactic                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-fs-000014 wpdt-bold\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:23.70153621068%;                    padding:10px;\n                    \"\n                    >\n                                        \t\t\tTechnique                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-fs-000014 wpdt-bold\"\n                                            data-cell-id=\"C1\"\n                    data-col-index=\"2\"\n                    data-row-index=\"0\"\n                    style=\" width:67.227505486467%;                    padding:10px;\n     
               \"\n                    >\n                                        \t\t\tProcedure                    <\/th>\n                                        <\/tr>\n                    <tbody>        <tr class=\"wpdt-cell-row odd\" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000013\"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\tInitial\t\t\tAccess                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000013\"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\tT1204.002\t\t\t\u2013 User Execution: Malicious File                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000013\"\n                                            data-cell-id=\"C2\"\n                    data-col-index=\"2\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\tUser\t\t\texecutes a JS script disguised as a business document                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row even\" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000013\"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    
data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\tExecution                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000013\"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\tT1059.007\t\t\t\u2013 JavaScript                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000013\"\n                                            data-cell-id=\"C3\"\n                    data-col-index=\"2\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\tCore\t\t\timplant written in JavaScript, executed via wscript.exe                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row odd\" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000013\"\n                                            data-cell-id=\"A4\"\n                    data-col-index=\"0\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\tExecution                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000013\"\n                                            data-cell-id=\"B4\"\n                    data-col-index=\"1\"\n                    data-row-index=\"3\"\n                    
style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\tT1059.001\t\t\t\u2013 PowerShell                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000013\"\n                                            data-cell-id=\"C4\"\n                    data-col-index=\"2\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\tScript\t\t\tgenerates PowerShell wrappers, launched via powershell -nop -enc;\t\t\tused for download, AES decryption, command execution, and staging                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row even\" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000013\"\n                                            data-cell-id=\"A5\"\n                    data-col-index=\"0\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\tExecution                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000013\"\n                                            data-cell-id=\"B5\"\n                    data-col-index=\"1\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\tT1620\t\t\t\u2013 Reflective Code Loading                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000013\"\n                                            data-cell-id=\"C5\"\n                    
data-col-index=\"2\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\tDecrypted\t\t\t.NET assembly loaded into memory via reflection; payload never\t\t\twritten to disk                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row odd\" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000013\"\n                                            data-cell-id=\"A6\"\n                    data-col-index=\"0\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\tPersistence                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000013\"\n                                            data-cell-id=\"B6\"\n                    data-col-index=\"1\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\tT1547.001\t\t\t\u2013 Registry Run Keys                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000013\"\n                                            data-cell-id=\"C6\"\n                    data-col-index=\"2\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\tScript\t\t\tcopies itself to %USERPROFILE% and registers via HKCU\\...\\Run                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row even\" >\n           
                     <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000013\"\n                                            data-cell-id=\"A7\"\n                    data-col-index=\"0\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\tDiscovery                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000013\"\n                                            data-cell-id=\"B7\"\n                    data-col-index=\"1\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\tT1082\t\t\t\u2013 System Information Discovery                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000013\"\n                                            data-cell-id=\"C7\"\n                    data-col-index=\"2\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\tClient\t\t\tcollects host fingerprint: domain, username, serial number, OS,\t\t\tRAM, model, CPU, GPU, OS architecture                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row odd\" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000013\"\n                                            data-cell-id=\"A8\"\n                    data-col-index=\"0\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\tDiscovery                    <\/td>\n  
                                              <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000013\"\n                                            data-cell-id=\"B8\"\n                    data-col-index=\"1\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\tT1057\t\t\t\u2013 Process Discovery                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000013\"\n                                            data-cell-id=\"C8\"\n                    data-col-index=\"2\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\tRunning\t\t\tprocess list collected via WMI Win32_Process.Name on C2 command                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row even\" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000013\"\n                                            data-cell-id=\"A9\"\n                    data-col-index=\"0\"\n                    data-row-index=\"8\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\tC&C                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000013\"\n                                            data-cell-id=\"B9\"\n                    data-col-index=\"1\"\n                    data-row-index=\"8\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\tT1071.001\t\t\t\u2013 Web Protocols                    <\/td>\n         
                                       <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000013\"\n                                            data-cell-id=\"C9\"\n                    data-col-index=\"2\"\n                    data-row-index=\"8\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\tC2\t\t\tover HTTP: check-in, beacon loop, tasking, telemetry upload,\t\t\tpayload delivery; control via X-S \/ X-A headers                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row odd\" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000013\"\n                                            data-cell-id=\"A10\"\n                    data-col-index=\"0\"\n                    data-row-index=\"9\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\tC&C                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000013\"\n                                            data-cell-id=\"B10\"\n                    data-col-index=\"1\"\n                    data-row-index=\"9\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\tT1571\t\t\t\u2013 Non-Standard Port                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000013\"\n                                            data-cell-id=\"C10\"\n                    data-col-index=\"2\"\n                    data-row-index=\"9\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\tC2\t\t\tendpoints served on 
non-standard HTTP ports<\/td>\n<\/tr>\n
<tr><td>C&C<\/td><td>T1105 \u2013 Ingress Tool Transfer<\/td><td>Malware downloads additional files and stages from C2 in encrypted form; decrypted and executed locally<\/td><\/tr>\n
<tr><td>C&C<\/td><td>T1132.002 \u2013 Non-Standard Data Encoding<\/td><td>XOR for telemetry, reversed hex for strings\/URLs, hex-encoded keys, AES-encrypted task bodies<\/td><\/tr>\n
<tr><td>Exfiltration<\/td><td>T1041 \u2013 Exfiltration Over C2<\/td><td>Collected telemetry sent over the same HTTP C2 channel used for commands<\/td><\/tr>\n
<tr><td>Defense Evasion<\/td><td>T1027 \u2013 Obfuscated Files or Information<\/td><td>Monoglyph identifier obfuscation, encoded strings, AES\/XOR, hidden PowerShell stagers<\/td><\/tr>\n
<tr><td>Defense Evasion<\/td><td>T1027.010 \u2013 Command Obfuscation<\/td><td>PowerShell commands built dynamically, launched via -enc (Base64 UTF-16LE); parameters\/URLs additionally obscured via hex\/reverse-encoding<\/td><\/tr>\n
<tr><td>Defense Evasion<\/td><td>T1027.013 \u2013 Encrypted\/Encoded File<\/td><td>Payloads and stages transferred AES-encrypted; key from C2 body, static IV \u2018sixteenbyteslong\u2019<\/td><\/tr>\n
<tr><td>Defense Evasion<\/td><td>T1140 \u2013 Deobfuscate\/Decode Files or Information<\/td><td>During execution: hex\/Base64 decode, reversed string restoration, XOR, AES-CBC decryption<\/td><\/tr>\n
<tr><td>Defense Evasion<\/td><td>T1562.001 \u2013 Disable or Modify Tools<\/td><td>Stage loader implements AMSI bypass by patching AmsiScanBuffer, reducing detection likelihood for subsequent .NET payloads<\/td><\/tr>\n
<tr><td>Defense Evasion<\/td><td>T1070.004 \u2013 File Deletion<\/td><td>On uninstall\/update, malware deletes installed JS copy, temp files, or older client version<\/td><\/tr>\n
<\/table>\n<\/div>\n\n\n\n\n<h2 class=\"wp-block-heading\">How ANY.RUN Helps Defend Against JS.MonoGlyphRAT<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Defending against threats like JS.MonoGlyphRAT requires visibility across the entire attack chain, from the initial phishing attachment to command-and-control communications and follow-on payload delivery. ANY.RUN&#8217;s security solutions help organizations identify and stop such activity at multiple stages.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Using <a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=monoglyphrat-attacks-us-enterprise&amp;utm_term=020626&amp;utm_content=linktosandboxlanding\" target=\"_blank\" rel=\"noreferrer noopener\">Interactive Sandbox<\/a>, analysts can safely execute suspicious JavaScript attachments and immediately observe malicious behaviors associated with MonoGlyphRAT, including the execution of wscript.exe, PowerShell spawning, registry-based persistence, C2 communications, and payload delivery attempts.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">AI Summary in the Sandbox analysis results automatically highlights key malicious actions, helping analysts understand the attack chain faster and reducing investigation time. 
In addition, AI Recommendations provide actionable guidance for further analysis, threat hunting, and incident response, helping teams move from detection to remediation more efficiently.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/any.run\/cybersecurity-blog\/soc-ready-reporting\/\">Tier 1 Reports<\/a> provide ready-made analysis summaries that explain malware behavior, attack techniques, indicators of compromise, and detection opportunities in a structured, easy-to-consume format. This enables teams to quickly understand threats without requiring extensive reverse engineering expertise.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"827\" height=\"1024\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/report-827x1024.png\" alt=\"\" class=\"wp-image-21436\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/report-827x1024.png 827w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/report-242x300.png 242w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/report-768x951.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/report-370x458.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/report-270x334.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/report-740x916.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/06\/report.png 850w\" sizes=\"auto, (max-width: 827px) 100vw, 827px\" \/><figcaption class=\"wp-element-caption\">Tier 1 report (part) example<\/figcaption><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/any.run\/threat-intelligence-lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=monoglyphrat-attacks-us-enterprise&amp;utm_term=020626&amp;utm_content=linktotilookuplanding\" target=\"_blank\" 
rel=\"noreferrer noopener\">Threat Intelligence Lookup<\/a> enables defenders to investigate indicators associated with the malware cluster, including IP addresses, domains, URLs, process chains, Suricata detections, and behavioral artifacts. Analysts can quickly determine whether their organization has encountered related infrastructure or attack patterns and pivot across connected indicators to uncover broader malicious activity.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">For proactive defense, <a href=\"https:\/\/any.run\/threat-intelligence-feeds\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=monoglyphrat-attacks-us-enterprise&amp;utm_term=020626&amp;utm_content=linktotifeedslanding\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence Feeds<\/a> help security teams enrich SIEM, EDR, XDR, SOAR, and other security controls with continuously updated threat data. By automatically incorporating fresh indicators linked to emerging malware campaigns, organizations can improve detection coverage and block malicious infrastructure before attackers establish persistence.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Together, ANY.RUN&#8217;s Sandbox, Threat Intelligence Lookup, and Threat Intelligence Feeds provide security teams with the visibility needed to detect, investigate, and respond to MonoGlyphRAT infections early, reducing the likelihood of costly incidents, operational disruption, and follow-on attacks such as ransomware deployment.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusions<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">JS.MonoGlyphRAT is a fully featured persistent RAT\/loader built around Windows Script Host, PowerShell, and a custom HTTP C2 protocol. 
Its purpose is to establish persistence on the victim host, register with the C2, receive operator commands, and download additional payloads and stages.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The defining characteristic of this cluster is monoglyph obfuscation of JavaScript identifiers: class and variable names are constructed from repeated characters in mixed case, making the code difficult to read and hampering manual analysis.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">C2 communication is conducted via HTTP headers X-S and X-A, where X-S carries the session identifier and X-A acts as a command selector. The C2 response body contains task parameters: tokens, encryption keys, and encrypted PowerShell or stager payloads.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Functionally, MonoGlyphRAT supports a broad capability set: host telemetry collection, active process enumeration, HKCU Run persistence, AES-encrypted payload download and execution, PowerShell task execution, in-memory .NET code execution, client self-update, and installed copy removal. The implant can also serve as an intermediate platform for delivering subsequent payloads.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">From a Threat Intelligence perspective, a distinct code\/infrastructure cluster is consistently observed; public TI sources currently classify related IOCs as \u2018Unknown malware\u2019, so attribution to a known group or family remains unconfirmed. 
The working designation JS.MonoGlyphRAT is proposed for analysis and indicator-sharing purposes.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In defensive practice, the most valuable detection artifacts are behavioral:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>wscript.exe executing JS files from user-writable directories<\/li>\n\n\n\n<li>Registry write to HKCU Run pointing to a .js file<\/li>\n\n\n\n<li>Process chain: wscript.exe \u2192 powershell.exe -nop -enc \u2026<\/li>\n\n\n\n<li>HTTP POST requests to non-standard ports<\/li>\n\n\n\n<li>Presence of query parameters ia=, df=, ex=, sb=, vc= and HTTP response headers X-S: and X-A:<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Indicators of Compromise (IOCs)<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Network Artifacts:<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">hxxp[:\/\/]158[.]94[.]211[.]76:34567\/ceoznp<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">158[.]94[.]211[.]76<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">91[.]92[.]243[.]79<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">scan[.]aryamint[.]com<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">aryamint[.]com<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>HTTP \/ C2 protocol Artifacts:<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">HTTP Header: \u2018X-A:\u2019<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">HTTP Header: \u2018X-S:\u2019<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">POST body pattern: \u2018a=iz&amp;b=&lt;data&gt;\u2019<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Query parameter: \u2018ia=&lt;session_id&gt;\u2019<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Query parameter: \u2018ex=&lt;token&gt;\u2019<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Query parameter: \u2018sb=&lt;token&gt;\u2019<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Query parameter: \u2018vc=&lt;token&gt;\u2019<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Query parameter: \u2018df=0\u2019 or \u2018df=&lt;token&gt;\u2019<\/p>\n\n\n\n<p 
class=\"wp-block-paragraph\">Query parameter: \u2018kp=&lt;token&gt;\u2019<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Query parameter: \u2018tw=&lt;token&gt;\u2019<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Query parameter: \u2018fp=1\u2019<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Host-based Artifacts:<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">File path: %USERPROFILE%\\&lt;random letters&gt;\\&lt;random letters&gt;.js<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Registry key: HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\&lt;random letters&gt;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Crypto IV:<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Static string: \u2018sixteenbyteslong\u2019<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Encoded IV: \u201876E6F6C63756479726E6565647879637\u2019 (reversed hex)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Detection patterns:<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Process tree: \u2018wscript.exe -&gt; powershell.exe -nop -enc &#8230;&#8217;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Registry key record: \u2018HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*\u2019, value contains: \u2018wscript.exe | .js\u2019<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">HTTP POST body: \u2018a=iz&amp;b=&#8230;\u2019<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">HTTP response headers: \u2018X-S:\u2019 + \u2018X-A:\u2019<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">HTTP query parameters:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u2018?ia=&lt;session_id&gt;&amp;ex=\u2019<\/li>\n\n\n\n<li>\u2018?ia=&lt;session_id&gt;&amp;sb=\u2019<\/li>\n\n\n\n<li>\u2018?ia=&lt;session_id&gt;&amp;vc=\u2019<\/li>\n\n\n\n<li>\u2018?ia=&lt;session_id&gt;&amp;df=\u2019<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">JavaScript strings:<\/p>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li>MSXML2.XMLHTTP<\/li>\n\n\n\n<li>Scripting.FileSystemObject<\/li>\n\n\n\n<li>Wscript.Shell<\/li>\n\n\n\n<li>winmgmts:{impersonationLevel=impersonate}!\\\\.\\root\\cimv2<\/li>\n\n\n\n<li>powershell<\/li>\n\n\n\n<li>-nop<\/li>\n\n\n\n<li>-enc<\/li>\n\n\n\n<li>76E6F6C63756479726E6565647879637<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">About ANY.RUN &nbsp;<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Trusted by over 600,000 cybersecurity professionals and 15,000+ organizations in finance, healthcare, manufacturing, and other critical industries, ANY.RUN helps security teams investigate threats faster and with greater accuracy. &nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Our <a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=monoglyphrat-attacks-us-enterprise&amp;utm_term=020626&amp;utm_content=linktosandboxlanding\" target=\"_blank\" rel=\"noreferrer noopener\">Interactive Sandbox<\/a> accelerates incident response by allowing you to analyze suspicious files in real time, watch behavior as it unfolds, and make confident, well-informed decisions. &nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Our <a href=\"https:\/\/any.run\/threat-intelligence-lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=monoglyphrat-attacks-us-enterprise&amp;utm_term=020626&amp;utm_content=linktotilookuplanding\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence Lookup<\/a> and <a href=\"https:\/\/any.run\/threat-intelligence-feeds\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=monoglyphrat-attacks-us-enterprise&amp;utm_term=020626&amp;utm_content=linktotifeedslanding\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence Feeds<\/a> strengthen detection by providing the context your team needs to anticipate and stop today\u2019s most advanced attacks. 
ANY.RUN is&nbsp;<a href=\"https:\/\/any.run\/compliance\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=monoglyphrat-attacks-us-enterprise&amp;utm_term=020626&amp;utm_content=linktocompliance\" target=\"_blank\" rel=\"noreferrer noopener\">SOC 2 Type II<\/a>&nbsp;attested, reflecting strong security controls and a commitment to protecting customer data.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/any.run\/enterprise\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=monoglyphrat-attacks-us-enterprise&amp;utm_term=020626&amp;utm_content=linktoenterprise#contact-sales\" target=\"_blank\" rel=\"noreferrer noopener\">Try ANY.RUN to strengthen your proactive defense<\/a>&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">FAQ<\/h2>\n\n\n\n<div class=\"schema-faq wp-block-yoast-faq-block\"><div class=\"schema-faq-section\" id=\"faq-question-1780390594353\"><strong class=\"schema-faq-question\"><br><strong>What is JS.MonoGlyphRAT?<\/strong><\/strong> <p class=\"schema-faq-answer\"><br>JS.MonoGlyphRAT is a newly identified backdoor and loader malware written in JavaScript and executed via Windows Script Host. It was named by ANY.RUN researchers after its signature obfuscation technique \u2014 using repeating characters in mixed case for all variable and function names. The malware gives attackers persistent remote access to infected machines and can download additional malicious payloads.<\/p> <\/div> <div class=\"schema-faq-section\" id=\"faq-question-1780390613633\"><strong class=\"schema-faq-question\"><br><strong>Who is being targeted?<\/strong><\/strong> <p class=\"schema-faq-answer\"><br>Current victims are concentrated in the United States, Germany, and Sweden. The hardest-hit industries are technology companies, managed security service providers (MSSPs), telecommunications firms, and educational institutions. 
Other affected countries include Australia, Costa Rica, Greece, Poland, and Turkey.<\/p> <\/div> <div class=\"schema-faq-section\" id=\"faq-question-1780390623962\"><strong class=\"schema-faq-question\"><br><strong>How does the infection start?<\/strong><\/strong> <p class=\"schema-faq-answer\"><br>The malware is delivered via phishing emails with malicious JavaScript file attachments. The files are disguised as business documents \u2014 purchase orders, quotes, and RFPs \u2014 to trick employees in procurement, sales, and finance roles into opening them.<\/p> <\/div> <div class=\"schema-faq-section\" id=\"faq-question-1780390640664\"><strong class=\"schema-faq-question\"><br><strong>Why aren\u2019t antivirus tools catching it?<\/strong><\/strong> <p class=\"schema-faq-answer\"><br>As of the time of research, JS.MonoGlyphRAT is classified as \u2018Unknown malware\u2019 in public threat intelligence platforms including VirusTotal and ThreatFox. Signature-based antivirus tools cannot detect threats they have no signatures for. Detection requires behavioral analysis \u2014 monitoring what the file actually does when executed, rather than matching it against a database of known bad files.<\/p> <\/div> <div class=\"schema-faq-section\" id=\"faq-question-1780390648280\"><strong class=\"schema-faq-question\"><br><strong>What can attackers do once they are inside?<\/strong><\/strong> <p class=\"schema-faq-answer\"><br>Once installed, the attacker has extensive control: they can collect detailed system information, monitor running processes, execute arbitrary commands via PowerShell, download and run additional malware (including ransomware), run code entirely in memory to avoid leaving files on disk, and update or remove the implant remotely. 
The malware is specifically designed to maintain access for extended periods without being detected.<\/p> <\/div> <div class=\"schema-faq-section\" id=\"faq-question-1780390662279\"><strong class=\"schema-faq-question\"><br><strong>What are the most important indicators of compromise (IOCs) to watch for?<\/strong><\/strong> <p class=\"schema-faq-answer\"><br>Key detection signals include: JavaScript files executing via wscript.exe from user directories; a process chain of wscript.exe spawning powershell.exe with -nop and -enc flags; new registry Run keys pointing to .js files under %USERPROFILE%; HTTP POST traffic to non-standard ports containing the pattern a=iz&amp;b=; and HTTP responses containing the headers X-S: and X-A:.<\/p> <\/div> <div class=\"schema-faq-section\" id=\"faq-question-1780390678176\"><strong class=\"schema-faq-question\"><br><strong>Is there a known threat actor behind this campaign?<\/strong><\/strong> <p class=\"schema-faq-answer\"><br>At this time, attribution to a specific threat actor or nation-state group has not been confirmed. Researchers have identified a consistent infrastructure cluster \u2014 recurring IP addresses, C2 domains, URI patterns, and code artifacts \u2014 but the available data is insufficient for reliable attribution. ANY.RUN is continuing to track the cluster and will update the community as new intelligence emerges.<\/p> <\/div> <\/div>\n","protected":false},"excerpt":{"rendered":"<p>A previously unidentified cyberattack is quietly spreading through US businesses \u2014 and most security tools are not catching it. Researchers at ANY.RUN have identified a new backdoor called JS.MonoGlyphRAT, an advanced piece of malware delivered as an ordinary-looking JavaScript file disguised as a purchase order, quote, or business proposal. 
Once an employee opens the file, [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":21428,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[8],"tags":[57,10,34,40,51,102],"class_list":["post-21343","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware-analysis","tag-anyrun","tag-cybersecurity","tag-malware-analysis","tag-malware-behavior","tag-rat","tag-usa"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.7 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>JS.MonoGlyphRAT Analysis: Financial Risks for Businesses<\/title>\n<meta name=\"description\" content=\"Learn how JS.MonoGlyphRAT targets organizations, enables remote access, and creates costly security risks.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/monoglyphrat-attacks-us-enterprise\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"raptur3\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"23 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/monoglyphrat-attacks-us-enterprise\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/monoglyphrat-attacks-us-enterprise\\\/\"},\"author\":{\"name\":\"raptur3\",\"@id\":\"https:\\\/\\\/any.run\\\/\"},\"headline\":\"From\u00a0Fake\u00a0Purchase\u00a0Orders\u00a0to\u00a0Remote Access:\u00a0Analyzing\u00a0the\u00a0JS.MonoGlyphRAT\u00a0Threat\u00a0to\u00a0US Enterprises\",\"datePublished\":\"2026-06-02T10:34:41+00:00\",\"dateModified\":\"2026-06-02T12:58:01+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/monoglyphrat-attacks-us-enterprise\\\/\"},\"wordCount\":3594,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/any.run\\\/\"},\"image\":{\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/monoglyphrat-attacks-us-enterprise\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/wp-content\\\/uploads\\\/2026\\\/06\\\/Global-Alert-scaled.png\",\"keywords\":[\"ANYRUN\",\"cybersecurity\",\"malware analysis\",\"malware behavior\",\"RAT\",\"USA\"],\"articleSection\":[\"Malware Analysis\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/monoglyphrat-attacks-us-enterprise\\\/#respond\"]}]},{\"@type\":[\"WebPage\",\"FAQPage\"],\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/monoglyphrat-attacks-us-enterprise\\\/\",\"url\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/monoglyphrat-attacks-us-enterprise\\\/\",\"name\":\"JS.MonoGlyphRAT Analysis: Financial Risks for 
Businesses\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/any.run\\\/\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/monoglyphrat-attacks-us-enterprise\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/monoglyphrat-attacks-us-enterprise\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/wp-content\\\/uploads\\\/2026\\\/06\\\/Global-Alert-scaled.png\",\"datePublished\":\"2026-06-02T10:34:41+00:00\",\"dateModified\":\"2026-06-02T12:58:01+00:00\",\"description\":\"Learn how JS.MonoGlyphRAT targets organizations, enables remote access, and creates costly security risks.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/monoglyphrat-attacks-us-enterprise\\\/#breadcrumb\"},\"mainEntity\":[{\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/monoglyphrat-attacks-us-enterprise\\\/#faq-question-1780390594353\"},{\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/monoglyphrat-attacks-us-enterprise\\\/#faq-question-1780390613633\"},{\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/monoglyphrat-attacks-us-enterprise\\\/#faq-question-1780390623962\"},{\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/monoglyphrat-attacks-us-enterprise\\\/#faq-question-1780390640664\"},{\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/monoglyphrat-attacks-us-enterprise\\\/#faq-question-1780390648280\"},{\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/monoglyphrat-attacks-us-enterprise\\\/#faq-question-1780390662279\"},{\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/monoglyphrat-attacks-us-enterprise\\\/#faq-question-1780390678176\"}],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/monoglyphrat-attacks-us-enterprise\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/mon
oglyphrat-attacks-us-enterprise\\\/#primaryimage\",\"url\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/wp-content\\\/uploads\\\/2026\\\/06\\\/Global-Alert-scaled.png\",\"contentUrl\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/wp-content\\\/uploads\\\/2026\\\/06\\\/Global-Alert-scaled.png\",\"width\":2560,\"height\":1243,\"caption\":\"JS.MonoGlyphRAT attacks US business\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/monoglyphrat-attacks-us-enterprise\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Malware Analysis\",\"item\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/category\\\/malware-analysis\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"From\u00a0Fake\u00a0Purchase\u00a0Orders\u00a0to\u00a0Remote Access:\u00a0Analyzing\u00a0the\u00a0JS.MonoGlyphRAT\u00a0Threat\u00a0to\u00a0US Enterprises\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/any.run\\\/\",\"url\":\"https:\\\/\\\/any.run\\\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to 
it.\",\"publisher\":{\"@id\":\"https:\\\/\\\/any.run\\\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/any.run\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/any.run\\\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\\\/\\\/any.run\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/any.run\\\/\",\"url\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/wp-content\\\/uploads\\\/2020\\\/08\\\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/wp-content\\\/uploads\\\/2020\\\/08\\\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\\\/\\\/any.run\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/www.any.run\\\/\",\"https:\\\/\\\/x.com\\\/anyrun_app\",\"https:\\\/\\\/www.linkedin.com\\\/company\\\/30692044\",\"https:\\\/\\\/www.youtube.com\\\/channel\\\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/any.run\\\/\",\"name\":\"raptur3\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/rapture3.png\",\"url\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/rapture3.png\",\"contentUrl\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/rapture3.png\",\"caption\":\"raptur3\"},\"description\":\"Network Analyst at ANY.RUN. Keen to become a 'cybersec Swiss Army knife' man. 
Enjoys reading and writing deep-dive tech research.\",\"url\":\"#molongui-disabled-link\"},{\"@type\":\"Question\",\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/monoglyphrat-attacks-us-enterprise\\\/#faq-question-1780390594353\",\"position\":1,\"url\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/monoglyphrat-attacks-us-enterprise\\\/#faq-question-1780390594353\",\"name\":\"What is JS.MonoGlyphRAT?\",\"answerCount\":1,\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"<br>JS.MonoGlyphRAT is a newly identified backdoor and loader malware written in JavaScript and executed via Windows Script Host. It was named by ANY.RUN researchers after its signature obfuscation technique \u2014 using repeating characters in mixed case for all variable and function names. The malware gives attackers persistent remote access to infected machines and can download additional malicious payloads.\",\"inLanguage\":\"en-US\"},\"inLanguage\":\"en-US\"},{\"@type\":\"Question\",\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/monoglyphrat-attacks-us-enterprise\\\/#faq-question-1780390613633\",\"position\":2,\"url\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/monoglyphrat-attacks-us-enterprise\\\/#faq-question-1780390613633\",\"name\":\"Who is being targeted?\",\"answerCount\":1,\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"<br>Current victims are concentrated in the United States, Germany, and Sweden. The hardest-hit industries are technology companies, managed security service providers (MSSPs), telecommunications firms, and educational institutions. 
Other affected countries include Australia, Costa Rica, Greece, Poland, and Turkey.\",\"inLanguage\":\"en-US\"},\"inLanguage\":\"en-US\"},{\"@type\":\"Question\",\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/monoglyphrat-attacks-us-enterprise\\\/#faq-question-1780390623962\",\"position\":3,\"url\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/monoglyphrat-attacks-us-enterprise\\\/#faq-question-1780390623962\",\"name\":\"How does the infection start?\",\"answerCount\":1,\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"<br>The malware is delivered via phishing emails with malicious JavaScript file attachments. The files are disguised as business documents \u2014 purchase orders, quotes, and RFPs \u2014 to trick employees in procurement, sales, and finance roles into opening them.\",\"inLanguage\":\"en-US\"},\"inLanguage\":\"en-US\"},{\"@type\":\"Question\",\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/monoglyphrat-attacks-us-enterprise\\\/#faq-question-1780390640664\",\"position\":4,\"url\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/monoglyphrat-attacks-us-enterprise\\\/#faq-question-1780390640664\",\"name\":\"Why aren\u2019t antivirus tools catching it?\",\"answerCount\":1,\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"<br>As of the time of research, JS.MonoGlyphRAT is classified as \u2018Unknown malware\u2019 in public threat intelligence platforms including VirusTotal and ThreatFox. Signature-based antivirus tools cannot detect threats they have no signatures for. 
Detection requires behavioral analysis \u2014 monitoring what the file actually does when executed, rather than matching it against a database of known bad files.\",\"inLanguage\":\"en-US\"},\"inLanguage\":\"en-US\"},{\"@type\":\"Question\",\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/monoglyphrat-attacks-us-enterprise\\\/#faq-question-1780390648280\",\"position\":5,\"url\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/monoglyphrat-attacks-us-enterprise\\\/#faq-question-1780390648280\",\"name\":\"What can attackers do once they are inside?\",\"answerCount\":1,\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"<br>Once installed, the attacker has extensive control: they can collect detailed system information, monitor running processes, execute arbitrary commands via PowerShell, download and run additional malware (including ransomware), run code entirely in memory to avoid leaving files on disk, and update or remove the implant remotely. The malware is specifically designed to maintain access for extended periods without being detected.\",\"inLanguage\":\"en-US\"},\"inLanguage\":\"en-US\"},{\"@type\":\"Question\",\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/monoglyphrat-attacks-us-enterprise\\\/#faq-question-1780390662279\",\"position\":6,\"url\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/monoglyphrat-attacks-us-enterprise\\\/#faq-question-1780390662279\",\"name\":\"What are the most important indicators of compromise (IOCs) to watch for?\",\"answerCount\":1,\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"<br>Key detection signals include: JavaScript files executing via wscript.exe from user directories; a process chain of wscript.exe spawning powershell.exe with -nop and -enc flags; new registry Run keys pointing to .js files under %USERPROFILE%; HTTP POST traffic to non-standard ports containing the pattern a=iz&amp;b=; and HTTP responses containing the headers X-S: and 
X-A:.\",\"inLanguage\":\"en-US\"},\"inLanguage\":\"en-US\"},{\"@type\":\"Question\",\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/monoglyphrat-attacks-us-enterprise\\\/#faq-question-1780390678176\",\"position\":7,\"url\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/monoglyphrat-attacks-us-enterprise\\\/#faq-question-1780390678176\",\"name\":\"7. Is there a known threat actor behind this campaign?\",\"answerCount\":1,\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"<br>At this time, attribution to a specific threat actor or nation-state group has not been confirmed. Researchers have identified a consistent infrastructure cluster \u2014 recurring IP addresses, C2 domains, URI patterns, and code artifacts \u2014 but the available data is insufficient for reliable attribution. ANY.RUN is continuing to track the cluster and will update the community as new intelligence emerges.\",\"inLanguage\":\"en-US\"},\"inLanguage\":\"en-US\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/21343","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=21343"}],"version-history":[{"count":31,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/21343\/revisions"}],"predecessor-version":[{"id":21438,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/21343\/revisions\/21438"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/21428"}],"wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=21343"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\
/wp-json\/wp\/v2\/categories?post=21343"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=21343"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}