Keypoints
- Pronsis Loader uses NSIS installers that drop JPHP-compiled executables (.phb/.exe) into %Temp% and invoke them through an NSIS plug-in call (the `install` export of Nact.dll).
- JPHP .phb modules embed compiled Java classes, each starting with the 0xCAFEBABE class-file magic, so they can be carved and decompiled to identify the entry modules (launcher.conf → .bootstrap → appmodules).
- The loader downloads payload archives (e.g., todaydatabase.zip) to %Temp%, extracts them, and executes nested payloads such as Latrodectus and Lumma Stealer.
- Defense evasion: a base64-encoded PowerShell command is written into a batch file and run through cmd.exe; it executes Add-MpPreference -ExclusionPath $env:USERPROFILE, which removes the whole user profile tree (including %Temp% and %AppData%, where every later stage lands) from Windows Defender scanning. Note that Add-MpPreference only succeeds in an elevated context, so the exclusion takes effect only when the installer already runs with admin rights.
- Latrodectus deployment chain: todaydatabase.exe → drops todaydatabaseovlresig.exe → extracts a 7-Zip archive containing autorun.bat → copies the payload to %TEMP% and to %AppData%\Custom_update, creates a startup shortcut and a scheduled task (Updater) for persistence, and creates the mutex ‘runnung’ (sic).
- Lumma Stealer chain: an NSIS installer drops a JPHP executable (EducationGraduate_Setup.exe) that downloads individualcoordinatepro.zip from open directories, decodes an XOR-encrypted DLL (Zazkanqh.wav) with an embedded XOR routine, and launches the stealer; the associated C2 and hosting IPs were enumerated.
- Investigators used older 7‑Zip builds, which still reconstruct the [NSIS].nsi script from an installer (later releases dropped this), and located multiple open directories and IP addresses (e.g., 91.208.206.5, 193.233.203.37) hosting payloads and encrypted components.
MITRE Techniques
- [T1203] Execution – Exploitation for client execution as mapped in the article: ‘Exploitation of software vulnerabilities to execute code.’
- [T1053] Persistence – Scheduled Task/Job to maintain persistence: ‘Scheduled Task/Job to maintain persistence.’
- [T1562] Defense Evasion – Impairing defenses such as excluding paths from antivirus scans: ‘Impairing defenses, such as excluding paths from Windows Defender scans.’
- [T1071] Command and Control – Application layer protocol for C2 communications: ‘Application Layer Protocol for communication with C2 servers.’
- [T1081] Credential Access – Credentials from browser or application data: ‘Credentials from browser or application data.’ (T1081, Credentials in Files, is a retired ATT&CK ID that was folded into T1552.001; browser-credential theft by a stealer is normally mapped to T1555.003.)
- [T1041] Exfiltration – Exfiltration over C2 channel: ‘Exfiltration over Command and Control channel.’
Indicators of Compromise
- [File hash] Installer and payload hashes – FullWorker-Install_sib.xyz SHA256: fee966680f41a4e28497ebf9d6e10486b427efff21f88163462a6c19b7d2bdc0, FailWorker-Install.exe SHA256: 7e3ccfeb074c4666a4a34ae23c0606432f77c641e1cf62fc034a6575dd23abd1, and multiple additional JPHP-compiled file hashes.
- [File name] Dropped/executed files – todaydatabase.zip (downloaded to %Temp%), todaydatabase.exe / todaydatabaseovlresig.exe, EducationGraduate_Setup.exe (JPHP), and autorun.bat used during Latrodectus deployment.
- [Domain/URL] C2 and payload URLs – hxxps://restoreviner[.]com/test/, hxxps://peronikilinfer[.]com/test/, and hxxps://locatedblsoqp[.]shop/api (Lumma Stealer C2).
- [IP address] Hosting and repository hosts – 91[.]208[.]206[.]5 (hosting open directories for Lumma files), 193[.]233[.]203[.]37, and 16 other related IPs used to store payloads and archives.
- [Other artifacts] Persistence/mutex indicators – Scheduled Task name ‘Updater’ (runs every 10 minutes) and mutex ‘runnung’ used by Latrodectus.
Practical technical procedure (concise rewrite):
Researchers extracted the NSIS installer (FullWorker-Install_sib.xyz) with an older 7‑Zip build to recover the .nsi script, which mostly drops benign-looking files into %Temp% alongside a malicious JPHP-compiled executable (FailWorker-Install.exe). The installer calls an NSIS plug-in (the `install` export of Nact.dll) to execute the JPHP loader; inside the JPHP package, launcher.conf points to a .bootstrap entry under the appmodules/app directory, and the .phb modules, which carry 0xCAFEBABE class-file headers, are carved and decompiled into .class files to reveal the loader logic and payload URLs.
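The carving step above, as an added example that is not code from the report or from the Pronsis authors: it scans a blob for the 0xCAFEBABE magic, parses just enough of each class-file header (constant pool and this_class) to recover the class name, and returns the byte ranges to write out for a decompiler. The .phb container is assumed to embed class files back to back, which is what the magic scan relies on; a carved range runs to the next magic rather than the exact class end, so a stricter tool would walk fields, methods and attributes. The sample blob is constructed inline from two hand-built minimal classes (hypothetical names app/Bootstrap and app/forms/MainForm) plus a stray magic that must be rejected.

```python
"""Carve and name the Java classes embedded in a JPHP .phb module (added example)."""
import struct
from typing import Optional

MAGIC = b"\xca\xfe\xba\xbe"

# Byte width of the fixed-size constant-pool entries, keyed by tag (JVM spec 4.4).
_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
          12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def class_name(buf: bytes, off: int) -> Optional[str]:
    """Return the this_class name of the class file at buf[off], or None if the
    bytes after the magic do not parse as a class-file header (false positive)."""
    if buf[off:off + 4] != MAGIC:
        return None
    try:
        pos = off + 8                      # skip magic, minor_version, major_version
        (cp_count,) = struct.unpack_from(">H", buf, pos)
        pos += 2
        pool = {}                          # index -> str (Utf8) or int (Class name_index)
        idx = 1
        while idx < cp_count:
            tag = buf[pos]
            pos += 1
            if tag == 1:                   # CONSTANT_Utf8: u2 length + bytes
                (n,) = struct.unpack_from(">H", buf, pos)
                pool[idx] = buf[pos + 2:pos + 2 + n].decode("utf-8", "replace")
                pos += 2 + n
            elif tag == 7:                 # CONSTANT_Class: u2 name_index
                (pool[idx],) = struct.unpack_from(">H", buf, pos)
                pos += 2
            elif tag in _FIXED:
                pos += _FIXED[tag]
            else:
                return None
            idx += 2 if tag in (5, 6) else 1   # Long/Double occupy two slots
        (this_class,) = struct.unpack_from(">H", buf, pos + 2)  # after access_flags
    except (struct.error, IndexError):
        return None
    name_idx = pool.get(this_class)
    name = pool.get(name_idx) if isinstance(name_idx, int) else None
    return name if isinstance(name, str) else None


def carve_classes(blob: bytes) -> list:
    """Return (offset, length, class_name) for every parseable class in blob."""
    offsets = []
    pos = blob.find(MAGIC)
    while pos != -1:
        offsets.append(pos)
        pos = blob.find(MAGIC, pos + 4)
    found = []
    for i, off in enumerate(offsets):
        end = offsets[i + 1] if i + 1 < len(offsets) else len(blob)
        name = class_name(blob, off)
        if name is not None:               # drop magic hits that are not class files
            found.append((off, end - off, name))
    return found


def build_sample_class(name: str) -> bytes:
    """Constructed minimal class file: four constant-pool entries, no members."""
    cp = (b"\x01" + struct.pack(">H", len(name)) + name.encode()     # 1: Utf8 name
          + b"\x07" + struct.pack(">H", 1)                             # 2: Class -> #1
          + b"\x01" + struct.pack(">H", 16) + b"java/lang/Object"      # 3: Utf8
          + b"\x07" + struct.pack(">H", 3))                            # 4: Class -> #3
    body = struct.pack(">HHHH", 0x0021, 2, 4, 0)    # flags, this=#2, super=#4, 0 ifaces
    body += struct.pack(">HHH", 0, 0, 0)            # no fields, methods, attributes
    return MAGIC + struct.pack(">HHH", 0, 52, 5) + cp + body


# Constructed stand-in for a .phb: filler, two classes, then a stray magic.
SAMPLE_PHB = (b"PHB-FILLER\x00" + build_sample_class("app/Bootstrap") + b"\x00" * 7
              + build_sample_class("app/forms/MainForm") + MAGIC + b"\x00" * 12)

if __name__ == "__main__":
    for off, length, name in carve_classes(SAMPLE_PHB):
        print(f"0x{off:06x} {length:5d} {name}")   # write SAMPLE_PHB[off:off+length] to <name>.class
```
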
The loader downloads payload archives (e.g., todaydatabase.zip) to %Temp%, extracts them, and runs the nested executables (todaydatabase.exe → todaydatabaseovlresig.exe). Latrodectus is deployed by a chain that extracts a 7-Zip payload containing autorun.bat, copies the payload to %TEMP% and into %AppData%\Custom_update (randomized filename), creates a startup shortcut via PowerShell, registers a scheduled task named ‘Updater’ that runs every 10 minutes for persistence, and creates the mutex ‘runnung’. Defense evasion decodes a base64 string into a PowerShell command that runs Add-MpPreference -ExclusionPath $env:USERPROFILE from a .bat file executed through cmd.exe, excluding the whole user profile from Windows Defender scanning.
Lumma Stealer instances follow a similar installer-to-download flow: a Nullsoft/NSIS installer drops a JPHP executable into %Temp%, which downloads individualcoordinatepro.zip from open directories (notably on 91.208.206.5). The .NET executable individualcoordinate.exe decodes the encrypted DLL (Zazkanqh.wav) with its embedded XOR routine (the decode can be reproduced by hand once the key is known), loads the decoded DLL (the Lumma payload), and contacts the identified C2 (e.g., locatedblsoqp[.]shop). Analysts enumerated multiple open directories and IPs used as repositories for Lumma-related files to support detection and takedown efforts.
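A way to perform that manual XOR decode without first reversing the embedded routine, as an added example that is not code from the report or from the malware: the DOS header of a normal PE has 20 zero bytes at e_res2 (offsets 0x28..0x3B), and XOR against zero leaks the key stream, so the key is read straight off the ciphertext for each candidate period and the result is accepted only when it starts with MZ and has PE\0\0 at e_lfanew. It assumes the hidden DLL is an ordinary MSVC-style PE with an untouched DOS header and a repeating key of at most MAX_KEY_LEN bytes; the report only states that a XOR is used, so the key length and the sample (a hand-made PE stub encrypted with a constructed 3-byte key) are assumptions. If the author wiped the DOS header, recover_key returns None and a brute force over a longer crib is needed.

```python
"""Recover a repeating XOR key from an encrypted PE via the zeroed DOS header (added example)."""
import struct
from typing import Optional

MAX_KEY_LEN = 16
ZERO_RUN_START = 0x28        # e_res2: 20 zero bytes in a normal DOS header (0x28..0x3B)


def xor(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(buf: bytes) -> bool:
    """MZ at 0 and PE\\0\\0 at e_lfanew; both must hold for a decode to count."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", buf, 0x3C)
    return 0x40 <= e_lfanew <= len(buf) - 4 and buf[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_key(ct: bytes) -> Optional[bytes]:
    """For each period n, ct[0x28:0x28+n] is key[(0x28+i) % n]; realign and verify."""
    for n in range(1, MAX_KEY_LEN + 1):
        stream = ct[ZERO_RUN_START:ZERO_RUN_START + n]
        key = bytes(stream[(j - ZERO_RUN_START) % n] for j in range(n))
        if looks_like_pe(xor(ct, key)):
            return key
    return None


def build_sample_pe() -> bytes:
    """Constructed minimal PE: 64-byte DOS header, e_lfanew=0x40, then a COFF header."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<H", dos, 0x02, 0x90)       # e_cblp, non-zero like a real stub
    struct.pack_into("<I", dos, 0x3C, 0x40)       # e_lfanew -> PE signature right after
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)
    return bytes(dos) + coff + b"\x00" * 16 + b"hypothetical .text contents"


SAMPLE_KEY = b"\x4b\x7f\x13"                       # constructed, not the real key
SAMPLE_CT = xor(build_sample_pe(), SAMPLE_KEY)     # stands in for Zazkanqh.wav

if __name__ == "__main__":
    key = recover_key(SAMPLE_CT)
    print("key:", key.hex() if key else None)
    if key:
        print("decoded header:", xor(SAMPLE_CT, key)[:8])
```
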