T1027

Obfuscated Files or Information

discovered 2025-09-16

The Wave 4 payload is an obfuscator.io-style single-line script of ~160 KB that uses a custom lowercase-first base64 alphabet (abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=) plus a per-string RC4 layer. A static base64 decode of the string table recovers only primitives such as charCodeAt/fromCharCode; the sensitive strings (C2, headers, file list) remain RC4-protected. This differs from Wave 3's WaCk/JScrambler string-array obfuscation.
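An analyst-side triage sketch for the two layers described above, added here as an example and not taken from the payload or from this entry's source: it decodes the lowercase-first alphabet, flags table entries that are still unreadable after base64 alone, and removes the RC4 layer once a per-string key is known. Assumptions: the layering order (base64, UTF-8 decode, then RC4 keyed by character codes), all function names, and the two-entry table, which is constructed from the published RC4 test vector (key "Key", plaintext "Plaintext").

```javascript
// Added example on constructed data; function names are hypothetical.
const CUSTOM = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/';
const STANDARD = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';

// Map characters between alphabets by index; '=' padding passes through unchanged.
function remap(s, from, to) {
  return [...s].map((c) => (from.includes(c) ? to[from.indexOf(c)] : c)).join('');
}
const customB64Decode = (s) => Buffer.from(remap(s, CUSTOM, STANDARD), 'base64');
const customB64Encode = (buf) => remap(buf.toString('base64'), STANDARD, CUSTOM);

// Textbook RC4 (KSA + PRGA); the same call encrypts and decrypts.
function rc4(data, key) {
  const S = Array.from({ length: 256 }, (_, i) => i);
  for (let i = 0, j = 0; i < 256; i++) {
    j = (j + S[i] + key[i % key.length]) & 0xff;
    [S[i], S[j]] = [S[j], S[i]];
  }
  const out = Buffer.alloc(data.length);
  for (let n = 0, i = 0, j = 0; n < data.length; n++) {
    i = (i + 1) & 0xff;
    j = (j + S[i]) & 0xff;
    [S[i], S[j]] = [S[j], S[i]];
    out[n] = data[n] ^ S[(S[i] + S[j]) & 0xff];
  }
  return out;
}

// Assumed layering: base64 -> UTF-8 text -> RC4 over character codes.
// Without a key, only the base64 layer is removed.
function decodeEntry(entry, key) {
  const text = customB64Decode(entry).toString('utf8');
  if (!key) return text;
  return rc4(Buffer.from(text, 'latin1'), Buffer.from(key, 'latin1')).toString('latin1');
}

// Inverse of decodeEntry, used only to build the constructed sample entries.
function encodeEntry(plain, key) {
  let bytes = Buffer.from(plain, 'latin1');
  if (key) bytes = Buffer.from(rc4(bytes, Buffer.from(key, 'latin1')).toString('latin1'), 'utf8');
  return customB64Encode(bytes);
}

// Triage: entries that are not plain ASCII after base64 alone still need a key.
const isPrintable = (s) => /^[\x20-\x7e]+$/.test(s);
const needsKey = (table) => table.filter((e) => !isPrintable(decodeEntry(e)));

const TABLE = [encodeEntry('charCodeAt'), encodeEntry('Plaintext', 'Key')]; // constructed
console.log(needsKey(TABLE).length, decodeEntry(TABLE[1], 'Key'));
```

Feeding the lowercase-first text to a stock base64 decoder without the alphabet remap yields garbage for every entry, because the two alphabets differ only in letter case.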
