Security Affairs
Adobe ColdFusion flaw CVE-2026-48282 now exploited in the wild|Hidden Web Prompts Trick AI Agents Into Sending Money|Seven Bugs in FatFs Put IoT and Embedded Devices at Risk|Bad Epoll Flaw Gives Attackers Root Access on Linux and Android|Medtronic Notifies 3.8 Million After ShinyHunters Data Breach|SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 104|Security Affairs newsletter Round 584 by Pierluigi Paganini – INTERNATIONAL EDITION|U.S. Government Agency Paid $1M to Data Extortion Group Kairos|FBI: TeamPCP Compromised Dev Tools to Steal Cloud Credentials|Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Adobe ColdFusion flaw CVE-2026-48282 now exploited in the wild|Hidden Web Prompts Trick AI Agents Into Sending Money|Seven Bugs in FatFs Put IoT and Embedded Devices at Risk|Bad Epoll Flaw Gives Attackers Root Access on Linux and Android|Medtronic Notifies 3.8 Million After ShinyHunters Data Breach|SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 104|Security Affairs newsletter Round 584 by Pierluigi Paganini – INTERNATIONAL EDITION|U.S. Government Agency Paid $1M to Data Extortion Group Kairos|FBI: TeamPCP Compromised Dev Tools to Steal Cloud Credentials|Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

The New Version of JsOutProx is Attacking Financial Institutions in APAC and MENA via Gitlab Abuse

Resecurity researchers warn that a new Version of JsOutProx is targeting financial institutions in APAC and MENA via Gitlab abuse. Resecurity has detected a new version of JSOutProx, which is targeting financial services and organizations in the APAC and MENA regions. JSOutProx is a sophisticated attack framework utilizing both JavaScript and .NET. It employs the […]

JsOutProx

Resecurity researchers warn that a new Version of JsOutProx is targeting financial institutions in APAC and MENA via Gitlab abuse.

Resecurity has detected a new version of JSOutProx, which is targeting financial services and organizations in the APAC and MENA regions. JSOutProx is a sophisticated attack framework utilizing both JavaScript and .NET. It employs the .NET (de)serialization feature to interact with a core JavaScript module running on the victim’s machine. Once executed, the malware enables the framework to load various plugins, which conduct additional malicious activities on the target. This malware was first identified in 2019 and was initially attributed to SOLAR SPIDER’s phishing campaigns, which delivered the JSOutProx RAT to financial institutions across Africa, the Middle East, South Asia, and Southeast Asia.

The spike in this activity was identified around February 8, 2024, when a major system integrator based in the Kingdom of Saudi Arabia reported an incident targeting customers of one of their major banks in the region. Resecurity assisted multiple victims in acquiring relevant malicious code artifacts as a result of Digital Forensics & Incident Response (DFIR) engagement and helped recover the payload. In the most recent episode on April 2, 2024, multiple banking customers were targeted through an impersonation attack. The actors employed a fake SWIFT payment notification (for enterprise customers) and a Moneygram template (for private customers), using misleading notifications to confuse victims and execute malicious code.

The discovery of the new version of JSOutProx, coupled with the exploitation of platforms like GitHub and GitLab, emphasizes the relentless efforts and sophisticated consistency of these malicious actors. Marking its 5-year anniversary, JSOutProx continues to be a significant and evolving threat, especially to customers of financial institutions. In a worrying expansion of scope, this year has seen these threat actors broaden their horizons to the MENA region, thereby intensifying their cybercriminal footprint. As these threats escalate in complexity and reach, Resecurity remains vigilant in its pursuit to track JSOutProx and safeguard financial institutions and their customers globally from such nefarious activities.

Additional technical details are available in the report published by Resecurity:

https://www.resecurity.com/blog/article/the-new-version-of-jsoutprox-is-attacking-financial-institutions-in-apac-and-mena-via-gitlab-abuse

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Linux)