fosstodon.org is one of the many independent Mastodon servers you can use to participate in the fediverse.

#javascript

185 posts, 129 participants, 15 posts today

Does this #webdev pattern mean anything to you? Is it a #JavaScript framework's typical home page?

<!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander"}</script></head></html>

I'm seeing many different suspicious #spam domains use this as their home page HTML.
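One way to triage pages like the one quoted above at scale is to check whether a fetched home page renders nothing and only redirects. The following is an added example (not code from the post's author), a heuristic classifier with constructed sample pages; the regexes are illustrative and will not catch every obfuscated variant.

```javascript
// Added example (not from the original post): a heuristic that flags
// "empty shell" landing pages whose only job is a client-side redirect,
// which is the shape of the HTML quoted above. The sample pages below are
// constructed for this example; the regexes are illustrative and will not
// catch every obfuscated variant.

const JS_REDIRECT_RE =
  /(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*=\s*(['"])([^'"]*)\1/i;
const LOAD_HOOK_RE =
  /window\.onload\s*=|addEventListener\s*\(\s*['"](?:load|DOMContentLoaded)['"]/i;
const META_REFRESH_RE =
  /<meta[^>]+http-equiv\s*=\s*["']?refresh["']?[^>]*content\s*=\s*["'][^"']*url=([^"'>]+)/i;

// Text a visitor would actually see: drop script/style bodies, then tags.
function visibleText(html) {
  return html
    .replace(/<(script|style)[\s\S]*?<\/\1\s*>/gi, '')
    .replace(/<[^>]+>/g, ' ')
    .replace(/\s+/g, ' ')
    .trim();
}

function classifyLanding(html) {
  const text = visibleText(html);
  const js = html.match(JS_REDIRECT_RE);
  const meta = html.match(META_REFRESH_RE);
  const target = js ? js[2] : meta ? meta[1] : null;
  return {
    // A page that redirects and renders nothing is the suspicious shape.
    redirectOnly: target !== null && text.length === 0,
    target,
    viaOnload: LOAD_HOOK_RE.test(html),
    visibleChars: text.length,
  };
}

// Constructed samples: the quoted shell page, a normal page, a meta-refresh
// shell, and a single-page app that redirects but still renders content.
const SAMPLES = {
  shell: '<!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander"}</script></head></html>',
  legit: '<!DOCTYPE html><html><head><title>Acme</title></head><body><h1>Welcome to Acme</h1><p>We sell widgets.</p></body></html>',
  metaRefresh: '<html><head><meta http-equiv="refresh" content="0; url=https://example.test/go"></head><body></body></html>',
  spaRedirect: '<html><body><div id="app">Loading...</div><script>if(!window.app){location.href="/login"}</script></body></html>',
};

// Names of the samples that match the redirect-only shape.
function suspiciousSamples() {
  return Object.keys(SAMPLES).filter((k) => classifyLanding(SAMPLES[k]).redirectOnly);
}

for (const [name, html] of Object.entries(SAMPLES)) {
  console.log(name, classifyLanding(html));
}
```

Run it with node; only the shell page and the meta-refresh shell come back as redirect-only, while the app that redirects but still renders text does not, which is the distinction a framework's real home page usually survives.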

🚨 Control-Flow Flattening Obfuscated #JavaScript Drops #SnakeKeylogger.
The #malware uses layered obfuscation to hide execution logic and evade traditional detection.
⚠️ Our data shows banking is the most affected sector among our users, nearly matching all the other industries combined. As part of widespread #MaaS #phishing campaigns, Snake targets high-value industries including fintech, healthcare, and energy, making instant threat visibility and behavioral analysis essential.

🔗 Execution chain:
Obfuscated JS ➡️ ScriptRunner.exe ➡️ EXE ➡️ CMD ➡️ extrac32.exe ➡️ PING delay ➡️ Snake

The attack begins with a loader using control-flow flattening (#MITRE T1027.010) to obscure its logic behind nested while-loops and string shifts.

👾 The loader uses COM automation via WshShell3, avoiding direct #PowerShell or CMD calls and bypassing common detection rules.

❗️ Obfuscated CMD scripts include non-ASCII (Japanese) characters and environment variables like %…%, further complicating static and dynamic analysis.

Two CMD scripts are dropped into ProgramData to prepare the execution environment. This stage involves #LOLBAS abuse: legitimate DLLs are copied from SysWOW64 into “/Windows /” and Public directories. The operation is performed using extrac32.exe, a known #LOLBin, together with JS script functionality. This combination helps bypass detection by imitating trusted system behavior.

📌 Persistence is established by creating a Run registry key pointing to a .url file containing the execution path.
🐍 Snake is launched after a short delay using a PING, staggering execution.

👨‍💻 See execution on a live system and download an actionable report:
app.any.run/tasks/0d53bef9-c62

Explore #ANYRUN’s threat database to proactively hunt for similar threats and techniques and improve the precision and efficiency of your organization's security response:
🔹 intelligence.any.run/analysis/

#IOCs:
54fcf77b7b6ca66ea4a2719b3209f18409edea8e7e7514cf85dc6bcde0745403
ae53759b1047c267da1e068d1e14822d158e045c6a81e4bf114bd9981473abbd
efd8444c42d4388251d4bc477fb712986676bc1752f30c9ad89ded67462a59a0
dbe81bbd0c3f8cb44eb45cd4d3669bd72bf95003804328d8f02417c2df49c481
183e98cd972ec4e2ff66b9503559e188a040532464ee4f979f704aa5224f4976
reallyfreegeoip[.]org
104[.]21[.]96[.]1
https[:]//reallyfreegeoip[.]org/xml/78[.]88[.]249[.]143
registryValue: Iaakcppq.url

👨‍💻 Gain full visibility with #ANYRUN to make faster, smarter security decisions.
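The post names control-flow flattening and string shifts but does not show what they look like. The block below is an added example written for this page, not code from ANY.RUN or from the sample: it flattens a harmless function the way T1027.010 describes (switch cases driven by an order string inside an infinite loop, a rotated lookup table standing in for the string shift) and then scores source text for that shape. The regexes are a constructed starting point, not a detection signature.

```javascript
// Added example, not from the ANY.RUN report: what control-flow flattening
// (MITRE T1027.010) looks like in JavaScript, applied to a harmless function,
// followed by a small heuristic that scores a script for the dispatcher-loop
// shape. The loader's real code is not reproduced here.

// Plain version of the logic.
function greetPlain(name) {
  const parts = [];
  parts.push('hello');
  parts.push(name);
  return parts.join(' ');
}

// Lookup table plus a "string shift": the table is rotated at run time so the
// static text never shows which string is used where.
const TABLE = ['join', 'push', 'hello', ' '];
function rotate(arr, n) {
  const k = n % arr.length;
  return arr.slice(k).concat(arr.slice(0, k));
}

// Flattened version of greetPlain: the basic blocks become switch cases, the
// real order lives in the '3|0|1|2' string, and an infinite while loop keeps
// dispatching on the next state until the block that holds the result runs.
function greetFlat(name) {
  const t = rotate(TABLE, 2); // ['hello', ' ', 'join', 'push']
  const order = '3|0|1|2'.split('|');
  let i = 0;
  let parts;
  let out;
  while (true) {
    switch (order[i++]) {
      case '3': parts = []; continue;               // const parts = []
      case '0': parts[t[3]](t[0]); continue;        // parts.push('hello')
      case '1': parts[t[3]](name); continue;        // parts.push(name)
      case '2': out = parts[t[2]](t[1]); break;     // parts.join(' ')
    }
    break;
  }
  return out;
}

// Heuristic detector: each regex is one tell of the flattened shape. Real
// obfuscators vary the spelling (for(;;), !![], hex-escaped order strings),
// so treat this as a starting point, not a signature.
const FLATTENING_SIGNS = [
  /(?:while\s*\(\s*(?:true|1|!!\s*\[\s*\])\s*\)|for\s*\(\s*;\s*;\s*\))\s*\{\s*switch/, // dispatcher loop
  /['"]\d+(?:\|\d+)+['"]\s*\.\s*split\s*\(\s*['"]\|['"]\s*\)/,                       // order string
  /\[\s*\w+\s*\+\+\s*\]/,                                                               // order[i++]
];
function flatteningScore(src) {
  return FLATTENING_SIGNS.reduce((n, re) => n + (re.test(src) ? 1 : 0), 0);
}

console.log(greetPlain('world'), '|', greetFlat('world'));
console.log('plain score:', flatteningScore(greetPlain.toString()));
console.log('flat score:', flatteningScore(greetFlat.toString()));
```

Both functions return the same string, which is the point: flattening changes the shape of the code, not its behaviour, so behavioural analysis of what the script goes on to do (here, the ScriptRunner.exe and extrac32.exe chain) is what survives it. The score is only useful as a triage signal on a static sample.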

💡 TIL: A single `%` character can break a website

Was helping a friend debug her React app and discovered this fun URL fact:

The `%` symbol in URLs is special - it starts percent-encoding sequences (like `%20` for spaces). But if it's not followed by valid hex digits, browsers throw "URIError: malformed URI sequence" errors.

Wrote up the full explanation if you're curious about the technical details → shinglyu.com/web/2025/07/22/wh

shinglyu.com: Why the % Sign Breaks Your Website (And How to Fix It) | Shing's Blog
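The failure described in the post comes from decodeURIComponent, not from the URL parser itself. The block below is an added example written for this page (not code from the linked blog post or from React): it shows the throw, a decoder that degrades gracefully, a repair for bare `%` characters, and the encode-at-the-source fix. Sample inputs are constructed.

```javascript
// Added example, not from the linked blog post: how a bare "%" turns into a
// URIError, and how to decode, repair and build query strings without
// crashing on it. Sample inputs are constructed for this example.

// decodeURIComponent throws URIError when "%" is not followed by two hex
// digits; wrap it so a bad query string degrades instead of killing the app.
function decodeSafely(s) {
  try {
    return { ok: true, value: decodeURIComponent(s) };
  } catch (e) {
    if (!(e instanceof URIError)) throw e;
    return { ok: false, value: s, error: e.message };
  }
}

// Escape only the "%" characters that are not already part of a valid
// escape sequence, so "%20" stays "%20" but "100%" becomes "100%25".
function fixBarePercents(s) {
  return s.replace(/%(?![0-9A-Fa-f]{2})/g, '%25');
}

// Building the query with encodeURIComponent avoids the problem at the source.
function buildQuery(params) {
  return Object.entries(params)
    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`)
    .join('&');
}

// The WHATWG URL parser does not throw on a bare "%": URLSearchParams
// percent-decodes leniently and leaves an invalid escape as-is. Code that
// calls decodeURIComponent on the raw string is what breaks.
function readParam(urlString, name) {
  return new URL(urlString).searchParams.get(name);
}

console.log(decodeSafely('100%25'));
console.log(decodeSafely('100%'));
console.log(fixBarePercents('100% done %20 %zz'));
console.log(buildQuery({ q: '50% off' }));
console.log(readParam('https://example.test/?q=100%', 'q'));
```

The error message text differs between engines (Firefox says "malformed URI sequence", V8 says "URI malformed"), so catch on the URIError type rather than matching the message.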