Your Shipment Notification Is Now a Malware Dropper


New research from cybersecurity experts at Forcepoint X-Labs reveals that businesses are facing a sharp rise in email attacks where criminals are hiding malicious software inside seemingly normal files. This report, shared with Hackread.com, points to a trend in the third quarter of 2025, citing a major increase in campaigns using JavaScript attachments to sneak malware past defences.

The Lure

Forcepoint Security Researcher Mayur Sewani notes that the attackers are “cloaking their lures in everyday business communications.” This means the malicious emails are carefully designed to look like average business communications, such as fake purchase orders, shipment notices, or quotes. They basically prey on the recipient’s trust, appearing as legitimate requests.

Malicious Email Sample (Source: Forcepoint X-Labs)

Some of the repeating subject lines the research team found include “RE: Payment Swift MT103” and “DHL Shipment Notification,” usually localised to the recipient’s language. The research notes that attackers use these lures in many different languages, such as Spanish (Solicitud de cotización), to target non-English speaking businesses.

Hiding in Plain Sight

The attack typically begins with a compressed archive file (ZIP, RAR, 7z, or TAR) containing a JavaScript file. This JavaScript is heavily obfuscated, meaning the code is purposefully scrambled to make it hard for security tools to read and stop.

Once a user is tricked into opening it, the script acts as a downloader and silently launches the next stage of the attack. It does so with legitimate Windows tools such as PowerShell and WMI (Windows Management Instrumentation), a ‘Living off the Land’ (LotL) approach that lets it execute its commands without showing a window.

Heavily Obfuscated JavaScript Attachment (Source: Forcepoint X-Labs)

The malware delivery chain uses a technique called steganography, which involves concealing one file, message, or information within another file. In these attacks, the malicious code is hidden inside a harmless-looking image file, such as a PNG file. The malicious payload is encoded in Base64 within the image’s data stream. The downloader script then extracts and decodes this Base64 data to reconstruct the final binary.
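The pattern described above can be checked for statically. The following is an added example, not code from Forcepoint or the article: it constructs a minimal PNG, appends a Base64 blob (an inert stub carrying only the MZ/PE magic bytes, not a real binary) to stand in for the hidden payload, and then scans the file for Base64 runs that decode to an MZ header and for data trailing the IEND chunk.

```python
import base64
import re
import struct
import zlib

# Constructed sample data: an inert stub that carries only the MZ/PE magic
# bytes, standing in for the DLL/EXE payload the article describes.
FAKE_PE_STUB = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 60

def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Length + type + data + CRC32 over type and data, as the PNG spec requires."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def build_sample_png(appended: bytes = b"") -> bytes:
    """Valid 1x1 RGB PNG; anything in `appended` is placed after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00\x00\x00")  # filter byte + one black pixel
    return (b"\x89PNG\r\n\x1a\n" + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b"") + appended)

def sample_stego_png() -> bytes:
    """The constructed 'image' with the Base64-encoded stub appended after IEND."""
    return build_sample_png(base64.b64encode(FAKE_PE_STUB))

def bytes_after_iend(png: bytes) -> int:
    """Count of trailing bytes after the IEND chunk; a clean PNG returns 0."""
    idx = png.find(b"IEND")
    return -1 if idx < 0 else len(png) - (idx + 4 + 4)  # skip chunk type and CRC

# Long runs of Base64 alphabet characters; compressed image data rarely yields them.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")

def find_embedded_pe(blob: bytes) -> list:
    """Return (offset, decoded_length) for each Base64 run that decodes to an MZ header."""
    hits = []
    for m in B64_RUN.finditer(blob):
        try:
            decoded = base64.b64decode(m.group(), validate=True)
        except ValueError:  # wrong length or padding: not a clean Base64 run
            continue
        if decoded.startswith(b"MZ"):
            hits.append((m.start(), len(decoded)))
    return hits

if __name__ == "__main__":
    sample = sample_stego_png()
    print("bytes after IEND:", bytes_after_iend(sample))
    print("Base64-encoded PE candidates (offset, size):", find_embedded_pe(sample))
```

Running the scan over a real attachment would flag any non-zero IEND trailer and any decodable run beginning with MZ, which is the artefact a downloader of this kind has to leave in the image.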

The Final Payloads

The question that remains is: what are they delivering? The final payloads are typically Remote Access Trojans (RATs) and information-stealing programs. Examples found during the investigation include DarkCloud, Remcos, Agent Tesla, and Formbook, all designed to steal critical data.

The final payload is either a DLL or EXE binary. After installation, these payloads initiate Command and Control (C2) communication to exfiltrate stolen credentials, banking information, and system data.

It is worth noting that these attacks are quite complex, using methods like process hollowing (where malicious code runs inside a trusted program like RegASM.exe to hide its activity) and checks designed to evade the virtual machines used for security analysis.

Sewani advises that organisations should “combine advanced email filtering, endpoint protection, and user awareness” to protect themselves from this threat.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.