malware npm

forge-jsx4

discovered 2026-05-26

forge-jsx4 is the Wave 3 successor in the forge-jsx RAT campaign, published by rafael_silva after the forge-jsxy takedown. It poses as an Autodesk Forge SDK (description unchanged: 'Node.js integration layer for Autodesk Forge'). The C2 config was confirmed identical to all prior waves via AES-256-GCM decryption (same XOR-obfuscated key scheme): publicHost 204.10.194.247, relayPort 9877, apiPort 8765, defaultExplorerPassword 'secret'. The KEY_A and MASK_A byte arrays are exact matches to forge-jsxy. The full Phase 5 feature set is present: chromiumExtensionDbHarvest.js, the secretScan/ directory (secp256k1/solanaKeypair/bip39), forgeBulkDc.js/forgeRtcAgent.js (WebRTC), Discord screenshot exfil, Hugging Face uploads, and relayAgentAutoUpgrade.js. The durable directory is hardcoded as .forge-jsxy (a copy-paste OPSEC failure carried over from Wave 2). Version numbering starts at v1.0.122; the gap v1.0.92-v1.0.121 implies an unidentified intermediate package published between May 26 and June 21, 2026.

Threat types

rat credential_stealer data_exfiltration persistence c2_agent crypto_drainer

Malicious versions

  • 1.0.122
  • 1.0.123 · 6321dacc21675f81…
