CyberSecurityNews

Hackers Use Fake Purchase Orders to Deploy JS.MonoGlyphRAT Targeting US Enterprises


A stealthy new threat is quietly making its way through US businesses, and most traditional security tools are completely missing it.

Researchers have uncovered a previously unknown piece of malware that disguises itself as an everyday business document — a purchase order, a quote, or a request for proposal.

Once an unsuspecting employee opens the attached file, attackers silently gain persistent access to the entire company network.

The malware, named JS.MonoGlyphRAT, is delivered as an ordinary-looking JavaScript file attached to phishing emails.

It is actively targeting organizations across the United States, with confirmed victims in the technology sector, managed security service providers (MSSPs), telecommunications, and education.

Cases have also been spotted in Germany, Sweden, Australia, and several other countries, making this a growing concern well beyond US borders.

Analysts at ANY.RUN identified this malware cluster and published a detailed report shared with Cyber Security News (CSN).

The team named it after its signature obfuscation method, where variable and function names are constructed from repeated characters in mixed case — for example, IiIiIiIiiIII or KkkKKKkKkK — making the code extremely difficult to read and analyze with standard security tools.

The characteristic code obfuscation (Source – Any.Run)

What makes JS.MonoGlyphRAT especially dangerous is that it currently shows up as “Unknown malware” on major threat intelligence platforms like VirusTotal and ThreatFox.

Obfuscated JS file (Source - Any.Run)

Standard antivirus programs that rely on known signatures simply cannot detect it. The only reliable way to catch it is by watching for suspicious behavior on a system in real time rather than matching files against a known signature database.

The financial consequences of a successful infection can reach well into the millions. Organizations face risks including ransomware deployment, data theft, regulatory penalties, business email compromise, and extended operational downtime.

Since MonoGlyphRAT can download and deploy additional malicious payloads, even a single compromised machine can become the starting point of a far larger and costlier breach for the entire organization.

Hackers Use Fake Purchase Orders

The attack begins with a single email. Employees in procurement, sales, or finance receive a message containing a JavaScript file named something like PURCHASE ORDER_12258.js or QUOTE_B2026[.]js.

These filenames are designed to look like routine business documents that someone in a buying or selling role would open without a second thought.

C2 interaction in beacon loop mode (Source - Any.Run)

Once the file runs through Windows Script Host (WSH), it silently copies itself into a subfolder within the user’s profile directory and registers itself in the Windows registry.

This gives attackers a permanent foothold, as the malware starts automatically every time the computer reboots without showing any visible sign to the user.

The malware then reaches out to its command-and-control (C2) server over HTTP on non-standard ports to stay off the radar.

It collects key system details including the username, domain, operating system version, and hardware profile, then sends that data back to the attacker and enters a silent waiting state ready for further instructions.

How JS.MonoGlyphRAT Operates Under the Radar

Once the connection is established, attackers can download additional payloads, run encrypted PowerShell commands, load malicious code entirely in memory without leaving files on disk, and remotely update or remove the implant.

The malware can also patch Windows’ built-in security scanning to suppress detection attempts going forward.

All C2 communication runs through custom HTTP response headers — X-S carries the active session ID, and X-A delivers the command code.

Data exchanged between the infected machine and the attacker is encrypted using AES-128 and XOR encoding, with part of the key hardcoded directly into the malware. This layered approach makes forensic investigation significantly more difficult.

MonoGlyphRAT C2 protocol operation scheme (Source - Any.Run)

Security teams are strongly advised to monitor for behavioral signals rather than relying solely on antivirus signatures.

Key warning signs include wscript.exe executing JavaScript files from user directories, PowerShell processes launched with encoded command flags, new registry run keys pointing to .js files, and HTTP POST traffic to unusual ports with patterns like a=iz&b=.

Detecting this threat early requires behavioral monitoring and sandbox-based analysis, not traditional signature matching.
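The warning signs listed above, plus the plaintext and reversed-hex IV rows from the IoC table further down, turned into a small triage function. This is an added example written for this article, not ANY.RUN's or CSN's code; the event dictionary layout, the expected-port set, the three-identifier threshold and the sample events are assumptions constructed for illustration.

```python
import re
# Static AES IV from the article's IoC table. The sample also carries it as reversed hex,
# so that form is derived here rather than copied, which also checks the two IoC rows agree.
STATIC_IV = b"sixteenbyteslong"
def reversed_hex(data: bytes) -> str:
    """Hex-encode data, then reverse the character order (the sample's IV encoding)."""
    return data.hex().upper()[::-1]

def monoglyph_identifiers(script_text: str, min_len: int = 6) -> list:
    """Identifiers made of one letter repeated in mixed case, e.g. IiIiIiIiiIII."""
    toks = re.findall(r"[A-Za-z_]\w*", script_text)
    return [t for t in toks if len(t) >= min_len and t.isalpha() and len(set(t.lower())) == 1
            and not t.islower() and not t.isupper()]

IV_FORMS = (STATIC_IV.decode(), reversed_hex(STATIC_IV))
USER_DIR = re.compile(r"\\users\\[^\\]+\\", re.I)               # a path under C:\Users\<name>\
PS_ENC = re.compile(r"(?:^|\s)-e(?:c|n[a-z]*)?(?:\s|$)", re.I)   # -e, -ec, -enc, -encodedcommand
EXPECTED_PORTS = {80, 443, 8080}   # assumption: any other destination port counts as "unusual"

def classify(ev: dict) -> list:
    """Names of the warning signs a single normalised event matches (empty = nothing seen)."""
    hits = []
    if ev["type"] == "process":
        img, cmd = ev["image"].lower(), ev["cmdline"]
        if img.endswith(("wscript.exe", "cscript.exe")) and ".js" in cmd.lower() and USER_DIR.search(cmd):
            hits.append("wsh_runs_js_from_user_dir")
        if img.endswith("powershell.exe") and PS_ENC.search(cmd):
            hits.append("powershell_encoded_command")
    elif ev["type"] == "registry":
        if ev["key"].lower().endswith(r"\currentversion\run") and ev["value"].lower().endswith(".js"):
            hits.append("run_key_points_to_js")
    elif ev["type"] == "http":
        if ev["method"] == "POST" and ev["port"] not in EXPECTED_PORTS and ev["body"].startswith("a=iz&b="):
            hits.append("c2_checkin_post_pattern")
    elif ev["type"] == "script_content":
        if any(form in ev["text"] for form in IV_FORMS):
            hits.append("static_aes_iv_present")
        if len(monoglyph_identifiers(ev["text"])) >= 3:   # threshold is an assumption
            hits.append("monoglyph_obfuscation")
    return hits

SAMPLE_EVENTS = [   # constructed for illustration, not real telemetry; "image" is the process basename
    {"type": "process", "image": "wscript.exe", "cmdline": r'wscript.exe "C:\Users\alice\Downloads\PURCHASE ORDER_12258.js"'},
    {"type": "process", "image": "powershell.exe", "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAk"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": r"C:\Users\alice\AppData\Roaming\sysupd\upd.js"},
    {"type": "http", "method": "POST", "port": 34567, "body": "a=iz&b=QUxJQ0U"},
    {"type": "script_content", "text": "var IiIiIiIiiIII='76E6F6C63756479726E6565647879637';function KkkKKKkKkK(iIiIiI){}"},
    {"type": "process", "image": "wscript.exe", "cmdline": r'wscript.exe "C:\Program Files\Vendor\setup.js"'},  # benign: not a user profile
    {"type": "http", "method": "POST", "port": 443, "body": "q=status"},  # benign: expected port, no check-in pattern
]
```

Running `classify` over each entry of `SAMPLE_EVENTS` flags the first five and leaves the two benign events empty; in practice the same function would sit behind a Sysmon, EDR or proxy log normaliser.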

Indicators of Compromise (IoCs):

| Type | Indicator | Description |
| --- | --- | --- |
| IP Address | 158[.]94[.]211[.]76 | Primary C2 server IP address |
| IP Address | 91[.]92[.]243[.]79 | Secondary C2 server IP address |
| URL | hxxp://158[.]94[.]211[.]76:34567/ceoznp | C2 beacon endpoint |
| URL | hxxp://158[.]94[.]211[.]76:34567/ceoznp?ia=GEZHOV8LBB7PY4KX&df= | C2 check-in URL with session parameter |
| URL | hxxp://158[.]94[.]211[.]76:34567/ceoznp?ia=UDP3HIP4P5SH3U5R&df= | C2 check-in URL with alternate session |
| Domain | aryamint[.]com | C2 infrastructure domain |
| Domain | scan[.]aryamint[.]com | C2 infrastructure subdomain |
| File Hash (SHA256) | 5446b24959c1c2707accfc257aaac61819c01d1ed65bca910a7e8be1787d20b | Obfuscated JS malware sample |
| File Name | PURCHASE ORDER_12258.js | Phishing lure filename |
| File Name | QUOTE_B2026.js | Phishing lure filename |
| File Name | CKML220066 – MSRS no. 812399.js | Phishing lure filename |
| File Name | QUOTATION2026115.js | Phishing lure filename |
| Registry Key | HKCU\Software\Microsoft\Windows\CurrentVersion\Run | Persistence registry key |
| File Path | %USERPROFILE%.js | Malware installation path |
| HTTP Header | X-A: | C2 command delivery header |
| HTTP Header | X-S: | C2 session ID header |
| HTTP Pattern | POST body: a=iz&b= | C2 check-in POST body pattern |
| Query Parameter | ia= | C2 session identifier parameter |
| Query Parameter | df=0 | C2 telemetry upload parameter |
| Query Parameter | ex= | C2 file download parameter |
| Query Parameter | sb= | C2 loader/stage parameter |
| Query Parameter | vc= | C2 payload URL parameter |
| Crypto IV | sixteenbyteslong | Static AES initialization vector (plaintext) |
| Encoded IV | 76E6F6C63756479726E6565647879637 | AES IV in reversed hex encoding |
| Suricata Rule ID | 85006579 | Detection rule for C2 traffic |
| Suricata Rule ID | 85006580 | Detection rule for C2 traffic |
| Suricata Rule ID | 85006581 | Detection rule for C2 traffic |

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
