JS.MonoGlyphRAT: Stealthy New Malware Hidden in Fake Purchase Orders Targets US Enterprises

dark6 8 June 2026

Security researchers have uncovered a dangerous new piece of malware making its way through US businesses — and most traditional security tools are completely missing it. Dubbed JS.MonoGlyphRAT, this remote access trojan arrives disguised as an ordinary business document: a purchase order, a supplier quote, or a request for proposal. Once opened, attackers gain silent, persistent access to the victim’s entire corporate network.

The malware was identified and named by analysts at ANY.RUN, who documented it in a detailed threat report shared with Cyber Security News. It is actively targeting organizations across the United States, with confirmed victims in the technology sector, managed security service providers (MSSPs), telecommunications, and education. Cases have also been spotted in Germany, Sweden, Australia, and several other countries.

What Makes JS.MonoGlyphRAT Different

The malware takes its name from a signature obfuscation technique in which variable and function names are constructed from repeated characters in mixed case — for example, IiIiIiIiiIII or KkkKKKkKkK. This renders the code nearly unreadable to human analysts and defeats standard signature-based detection.

Crucially, JS.MonoGlyphRAT currently registers as “Unknown malware” on major threat intelligence platforms including VirusTotal and ThreatFox. Standard antivirus programs relying on known signatures simply cannot detect it. The only reliable detection method is behavioral monitoring in real time or sandbox-based analysis — watching what the code does rather than what it looks like.

The Attack Chain

The attack begins with a phishing email. Employees in procurement, sales, or finance receive a message containing a JavaScript file with a name like PURCHASE ORDER_12258.js or QUOTE_B2026.js — filenames crafted to look like routine business documents that a busy professional might open without hesitation.

When the victim opens the file, Windows Script Host (WSH) silently executes it. The malware:

  • Copies itself into a subfolder within the user’s profile directory
  • Creates a registry run key (HKCU\Software\Microsoft\Windows\CurrentVersion\Run) for persistence across reboots
  • Collects system information: username, domain, OS version, and hardware profile
  • Contacts its command-and-control (C2) server over HTTP on non-standard ports (e.g., port 34567) to stay off the radar

Command and Control Protocol

JS.MonoGlyphRAT communicates through custom HTTP response headers: the X-S header carries the active session ID, while X-A delivers the command code. All data exchanged is encrypted using AES-128 and XOR encoding, with part of the key hardcoded into the malware itself, making forensic analysis significantly harder.

Once the connection is established, attackers can download additional payloads, run encrypted PowerShell commands, load malicious code entirely in memory without leaving disk artifacts, and remotely update or remove the implant. The malware can even patch Windows’ built-in security scanning to suppress future detection attempts.

Confirmed Indicators of Compromise

Key IoCs include the C2 IP addresses 158.94.211.76 and 91.92.243.79, and the domain aryamint.com and its subdomain scan.aryamint.com. The SHA-256 hash of a confirmed sample is given as 5446b24959c1c2707accfc257aaac61819c01d1ed65bca910a7e8be1787d20b (note that the value as printed is 63 hexadecimal characters, one short of a full SHA-256, so check it against the original report before loading it into a blocklist).

Detection and Defense Recommendations

Security teams should look for the following behavioral signals rather than relying on signature-based tools:

  • wscript.exe executing JavaScript files from user directories (e.g., AppData, Documents)
  • PowerShell processes launched with encoded command flags (-EncodedCommand)
  • New registry run keys pointing to .js files
  • HTTP POST traffic to unusual ports with patterns like a=iz&b= in the body
  • Outbound connections to unknown IPs on ports 34567 or similar non-standard ports

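The signals above, turned into a small triage routine as an added example (this is not code from ANY.RUN or the report): it runs over a constructed batch of process, registry and HTTP events and names the signals each one matches. The event field names, the sample paths, the `EXPECTED_WEB_PORTS` set and the 198.51.100.x / 203.0.113.x addresses are assumptions chosen for the example.

```python
import re

# Constructed sample telemetry (not from the report): one dict per process,
# registry or network event, in the shape an EDR or SIEM might emit them.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\Downloads\PURCHASE ORDER_12258.js"'},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -EncodedCommand QQBCAEMA"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"wscript.exe C:\Users\alice\AppData\Roaming\svc\PURCHASE ORDER_12258.js"},
    {"type": "http", "method": "POST", "dst": "203.0.113.10", "port": 34567,
     "body": "a=iz&b=QmFzZTY0"},
    # Two events that should NOT fire: a .js outside any user profile, plain HTTPS.
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\ProgramData\Vendor\install.js"},
    {"type": "http", "method": "GET", "dst": "198.51.100.7", "port": 443, "body": ""},
]

# A .js path anywhere under C:\Users\<name>\ (AppData, Documents, Downloads ...).
USER_DIR_JS = re.compile(r"c:\\users\\[^\\]+\\.*\.js\b", re.I)
# powershell.exe accepts -e, -enc and -EncodedCommand as the same switch.
ENCODED_FLAG = re.compile(r"-e(nc(odedcommand)?)?\b", re.I)
EXPECTED_WEB_PORTS = {80, 443, 8080}  # assumption: what is normal in this environment

def classify(event):
    """Return the names of the behavioral signals an event matches ([] if none)."""
    hits = []
    kind = event["type"]
    if kind == "process":
        image, cmd = event["image"].lower(), event["cmdline"]
        if image.endswith(("wscript.exe", "cscript.exe")) and USER_DIR_JS.search(cmd):
            hits.append("wsh_js_from_user_dir")
        if image.endswith("powershell.exe") and ENCODED_FLAG.search(cmd):
            hits.append("powershell_encoded_command")
    elif kind == "registry":
        if "\\currentversion\\run" in event["key"].lower() and re.search(r"\.js\b", event["value"], re.I):
            hits.append("run_key_points_to_js")
    elif kind == "http":
        if event["method"] == "POST" and event["port"] not in EXPECTED_WEB_PORTS:
            hits.append("http_post_nonstandard_port")
            if "a=iz&b=" in event["body"]:  # body pattern reported for this family
                hits.append("monoglyph_c2_body_pattern")
    return hits

def scan(events):
    """Classify a stream of events; return (index, hits) for every event that fired."""
    scored = [(i, classify(e)) for i, e in enumerate(events)]
    return [(i, h) for i, h in scored if h]
```

In a real deployment the first three signals are cheap enough to alert on individually; the HTTP ones are better correlated with a preceding wscript.exe launch on the same host to keep false positives down.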
Organizations should deploy sandbox-based analysis solutions such as ANY.RUN for suspicious attachments, enforce email filtering to block .js attachments by default, and train employees — particularly in finance and procurement — to verify unexpected document requests through a secondary channel before opening any attachments.

Given its current evasion of major platforms and active spread across multiple countries and sectors, JS.MonoGlyphRAT represents an immediate and serious threat. Organizations operating in the US technology, telecom, and education sectors should treat this as a priority alert.
