JavaScript Loader RATDispenser Infects Windows PCs with RATs

RATDispenser, a new and stealthy JavaScript loader, is being used in phishing campaigns to infect devices with a range of Remote Access Trojans (RATs).

The new loader quickly formed distribution agreements with at least eight malware families, all of which were developed to steal data and give attackers control over victim machines.

As explained by BleepingComputer, in 94% of the cases investigated by security researchers at HP Threat, the JavaScript loader does not communicate with a server controlled by the attacker and is only utilized as a first-stage malware dropper.

Rather than using Microsoft Office documents to deliver payloads, RATDispenser employs JavaScript attachments. According to the researchers, these attachments have a low detection rate.

RATDispenser M.O.

The attack starts with a phishing email message that includes a malicious JavaScript attachment with the double-extension ‘.TXT.js’.

Because Windows hides extensions by default, if the potential target saves the malicious file on their machine, it will appear to be a harmless text file.
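A defender-side check for the double-extension trick described above, as an added example that is not part of the original article: it parses a mail message, flags attachments whose real extension is a script type sitting behind a document-looking one, and reports the name Explorer would display with extensions hidden. The extension lists, function names and sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage
from pathlib import PureWindowsPath

# Assumed list: extensions Windows runs as script on double-click.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}
# Assumed list: extensions a user reads as a harmless document.
DECOY_EXTS = {".txt", ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png"}

def is_double_extension(filename):
    """True when a script extension hides behind a document-looking one."""
    # Windows drops trailing dots and spaces when the file is saved.
    name = PureWindowsPath(filename.strip().rstrip(". ")).name
    suffixes = [s.lower().strip() for s in PureWindowsPath(name).suffixes]
    return (len(suffixes) >= 2
            and suffixes[-1] in SCRIPT_EXTS
            and suffixes[-2] in DECOY_EXTS)

def shown_name(filename):
    """Name Explorer displays when known extensions are hidden."""
    return PureWindowsPath(filename.strip().rstrip(". ")).stem

def flag_attachments(raw_message):
    """Return (real_name, displayed_name) for each suspicious attachment."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        fname = part.get_filename()  # decodes RFC 2231 encoded names
        if fname and is_double_extension(fname):
            hits.append((fname, shown_name(fname)))
    return hits

def build_sample():
    """Constructed test message; attachment bodies are inert placeholders."""
    m = EmailMessage()
    m["From"], m["To"] = "billing@example.com", "user@example.org"
    m["Subject"] = "Order details"
    m.set_content("Please see the attached order.")
    for fname in ("Order_details.TXT.js", "jquery.min.js", "readme.txt"):
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=fname)
    return m.as_bytes()

if __name__ == "__main__":
    for real, shown in flag_attachments(build_sample()):
        print(f"suspicious attachment: {real!r} is displayed as {shown!r}")
```

Checking the extension before the final one keeps ordinary multi-dot script names such as `jquery.min.js` out of the results.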


This file has been heavily obfuscated to evade detection by security programs, and it is decrypted when the user clicks on it and opens it. When the loader is launched, it creates a VBScript file in the TEMP

