From JinxLoader to Astolfo Loader: The Evolution of a Cyber Threat

Summary

JinxLoader is a relatively new Go-based malware loader typically distributed via phishing emails and designed to deploy additional malware such as next-stage payloads on compromised Windows and Linux systems. First observed in November 2023, it enables the management of multiple infected hosts from a centrally managed server panel. Common payloads dropped include the spyware Formbook and its successor XLoader.

JinxLoader operates as a Malware-as-a-Service (MaaS) operation, a popular business model that makes sophisticated malicious tools accessible to a broader range of wanna-be cybercriminals. Initially sold by a Hack Forums user known as @Rendnza, it is now operated by a second Hack Forums user with the handle @Delfin, who is re-selling the original Golang compiled version. A third user known as @AstolfoLoader recently rebranded it as Astolfo Loader (aka Jinx V3), opting to rewrite it in C++ presumably for performance and file-size reasons.

In this blog, we’ll take a closer look at the dual operation of JinxLoader and Astolfo Loader as a recent example of the ongoing evolution of MaaS operations.

Affected Operating Systems

Technical Analysis

What is JinxLoader?

JinxLoader was originally developed as a native Go-based executable, designed to facilitate the management of large malicious botnets by compromising Windows and L­­inux systems. The malware pays homage to League of Legends character Jinx, who “lives to wreak havoc without care for the consequences.” The fictional character is featured on its ad poster and also on its C2 login panel.

Initially advertised for sale by a user of the hacking website Hack Forums known as @Rendnza, JinxLoader’s first observed use in the wild occurred in late November 2023. Hack Forums is a public Internet (aka surface-net) forum dedicated to discussions related to hacker culture and computer security, and currently ranks as one of the top five websites in the "Hacking" category in terms of web-traffic.

The original JinxLoader tool was marketed on the forum as having the “capacity to drop, remove and run PowerShell,” with the malware authors claiming to prioritize stability and simplicity. The tool cost USD $60 and featured a user-friendly interface and a native backend. The malware author advertised its anti-analysis features via their user page on Hack Forums, noting the tool’s “ability to detect virtualized and datacenter networks,” and claiming that “JinxLoader is suited to fight against analysis and detection.”

Figure 1: User profile for @Rendnza on Hack Forums advertising the sale of JinxLoader V2.

However, recent developments indicate that the original JinxLoaderV2 code has been sold off to two separate buyers, and @Rendnza closed their Hack Forums account in early February 2024. Two new users operating under the aliases @Delfin and @AstolfoLoader appear to be the purchasers of JinxLoaderV2. While @Delfin claims to be selling JinxLoaderV2 unchanged, @AstolfoLoader opted to rebrand the malware and modify the stub to C++ (Jinx V3), instead of using the original Go-compiled binary.

Figure 2: User profile for @AstolfoLoader on Hack Forums advertising the sale of Astolfo Loader. (”Astolofo Loader” pink text shown on their user profile page above is likely a typo.)

Figure 3: Hack Forums post by @AstolfoLoader confirming @Delfin was the “other buyer.”

Named after “Astolfo,” a character from the Fate anime series, Astolfo Loader remains functionally similar to JinxLoader but benefits from the smaller size and improved performance, achieved by rewriting the loader client in C++. This change to C++ significantly reduces the file size from 5.5 MB to 120 KB for the x64 version, and 110 KB for the x86 version.

Figure 4: Hack Forums side-by-side features comparison of JinxLoaderV2 and Astolfo Loader.

The price of Astolfo Loader includes the entry price ($50) and the monthly hosting price ($100). While self-hosting options are not mentioned, @AstolfoLoader provided options to privately DM them for the pricing.

	JinxLoader (@Delfin)	Astolfo Loader (@AstolfoLoader)
Per Build	N/A	$50
1 Month	$60	$100
6 Months	$120	$600
Lifetime	$200	N/A
Self-Hosting	N/A	Option to message seller

Attack Vector

JinxLoader and Astolfo Loader, like many MaaS offerings, operate via a subscription/licensing model. The “as-a-service" model enables a wide array of initial access vectors to be used, allowing affiliates and operators who lease the malware to tailor their campaigns according to the specific characteristics and vulnerabilities of their intended targets.

Previously, JinxLoader has been observed being distributed through phishing emails containing a password-protected RAR file containing JinxLoader. RAR files are compressed files or data containers that can be created using WinRAR, a file archiver and extraction utility, and can contain both files and folders.

More recently, BlackBerry researchers identified a HTML phishing lure used to deliver Astolfo Loader (JinxV3). These HTML files contained embedded JavaScript (JS) that extracts the victim’s email address from the URL and makes a POST request to a compromised website, which delivers the next stage of the execution chain — a heavily obfuscated JavaScript file that ultimately deploys Astolfo Loader onto the victim’s machine.

This embedded JavaScript employs various anti-analysis techniques, such as inserting debugger statements, infinite loops, and event listeners to obstruct inspection of the page contents. It also hijacks console methods, which disrupts normal logging and hampers debugging and analysis efforts made by “pesky researchers” (as @AstolfoLoader likes to call us).

Analysis

Both Astolfo Loader and JinxLoader share a fundamental purpose: the efficient delivery of additional malware. While both loaders can execute PowerShell commands and, in Astolfo Loader’s case, run commands from a command prompt, their primary goal is to remain lightweight and functional. They allow for the deployment of additional payloads either en-masse or to a single host via a web interface, providing a degree of flexibility for their operators.

Hashes (md5, sha-256)	5c466bf05800362a5e237ebc543c4f65 1b936178c97f935fd669773f5d627359bff2e45b3317422c314d1447696cabbe
Compilation Stamp	2024-09-04T14:09:19Z
File Type/ Signature	PE32 executable (GUI) Intel 80386
File Size	675000 bytes (675kb)
Compiler Name/Version	Microsoft Visual C++ Compiler

Astolfo Loader puts a strong focus on anti-analysis measures early in its execution to hinder reverse engineering and sandbox detection. These techniques are designed to disrupt both automated and manual analysis attempts, ensuring the loader can proceed to its core functionality without interference.

However, some of the anti-analysis/anti-virtual machine (VM) checks observed in the sample suggest ongoing refinement, hinting at a potential further evolution in the loader’s evasion strategies. Below is a list of some of the key anti-analysis checks employed by Astolfo Loader during its initial stages of execution:

Type	Details
Processes	processhacker, tcpview, autorun, filemon, procmon, regmon, procexp, idaq, idaq64, wireshark, dumpcap, hookexplorer, importrec, petools, lordpe, sysinspector, proc_analyzer, sysanalyzer, sniff_hit, joeboxcontrol, joeboxserver, resourcehacker, dbg, Fiddler, debugger, srvpost, 11db, strace, ltrace, gdb
Hard Disk	wmic diskdrive get model Looking for “QEMU HARDDISK” or “DADY HARDDISK”
WMI Port Connector	SELECT * FROM Win32_PortConnector via WMI through COM interfaces
WMI Video Controller	SELECT * FROM Win32_VideoController, looking for “vmware”, “virtualbox”, “virtual”, “qemu”, “vbox” but if “Microsoft Basic Display Adapter” return not a VM
Screen Size	Checks that the width of the screen is at least 800 pixels (px) and the height is at least 600 pixels: Display_width = GetSystemMetrics(0); Display_height = GetSystemMetrics(1); if (Display_width >= 800 && Display_height >= 600 ) return 0
Parallel Drivers	Checks for the presence of the Parallels drivers “prl_sf”, “prl_tg”, or “prl_eth” in the System32 directory.
Time Based Evasion	The function uses QueryPerformanceFrequency to check performance counters for timing discrepancies typical of virtual machines or sandboxes. It delays execution by sleeping for extended periods, evading short-lived analysis environments.

Astolfo Loader includes the ability to receive and execute specific "tasks" from its command-and-control (C2) server. These tasks can be seen in the table below:

Figure 5: Astolfo Loader “tasks” dropdown.

Command	Details
runp	Execute PowerShell via cmd.exe /c Cmd.exe /c powershell
install	Download other malware via PowerShell powershell -Command \"Invoke-WebRequest -Uri '' -OutFile $env:TEMP\\DllHelper.exe\"
installp	Install Persistence - CurrentVersion\Run Registry Value: “Registration form”
load	Create “uninstall.bat” which is used to terminate and remove the malware from the infected device: :loop taskkill /F /IM ".exe" >nul 2>&1 del ".exe" if exist ".exe goto loop del "%~f0"
remove	Execute uninstall.bat batch file cmd.exe /c uninstall.bat
cmd	Execute any command Cmd.exe /c

Network Infrastructure

Before establishing a connection to its C2 server, Astolfo Loader performs an HTTP GET request using Winhttp.dll functions to the legitimate IP information site ipinfo.io to retrieve the country code based on the intended victim’s IP address. This country code is then compared to Astolfo Loader’s predefined blacklist. If the country code matches one from the list below, the loader halts further execution, to avoid infecting systems in these countries.

Country Code	Country Name
RU	Russia
UA	Ukraine
BY	Belarus
KZ	Kazakhstan
GE	Georgia
AM	Armenia
AZ	Azerbaijan
EE	Estonia
LV	Latvia
LT	Lithuania
MD	Moldova
TM	Turkmenistan
UZ	Uzbekistan
KG	Kyrgyzstan
TJ	Tajikistan

In addition to this geolocation check, Astolfo Loader also decrypts 39 different blocked IP addresses. It then makes a second GET request to public IP address check site checkip.amazonaws.com/ to obtain the victim’s external IP address. This IP is then compared with the decrypted list, likely as an additional measure to identify if the process is being executed from specific datacenters blocked by the malware author, as mentioned in the original advertisement on the Hack Forums site.

Once the geolocation and IP address checks are completed, the loader proceeds to connect to the following malicious C2 servers:

Domain Name	Samples’ Hashes (MD5, SHA256)	First/Last Seen
hxxp://xscapezo[.]capetown:6171	5c466bf05800362a5e237ebc543c4f65,1b936178c97f935fd669773f5d627359bff2e45b3317422c314d1447696cabbe	2024-08-31/ 2024-09-22
hxxp://serverdops[.]ddns[.]net:6171	5c466bf05800362a5e237ebc543c4f65,1b936178c97f935fd669773f5d627359bff2e45b3317422c314d1447696cabbe	2024-08-15/ 2024-09-25

Conclusions

The explosion in popularity of MaaS operations has made it increasingly easy for cybercriminals to access and deploy complex malware without the need for deep technical expertise. Services like JinxLoader and its successor, Astolfo Loader (Jinx V3), exemplify how such tools can proliferate quickly and affordably and can be purchased via popular public hacking forums that are accessible to virtually anyone with an Internet connection.

Despite Astolfo Loader being a C++ adaptation, the original JinxLoader continues to operate under @Delfin as originally intended, offering additional flexibility and ease of use to its operators. This demonstrates how the proliferation of MaaS and the sites that foster such services facilitate the rapid spread of malware variants, making it simple for threat actors to acquire and deploy malicious software at scale.

The interconnected and constantly evolving nature of these threats necessitates a comprehensive and proactive cyber threat intelligence approach to safeguarding your digital assets.

How BlackBerry Can Help

BlackBerry has verified that its cybersecurity endpoint protection software, powered by Cylance® AI, protects our customers against the threats detailed in this blog.

Detecting and responding to increasingly evasive malware requires visibility across all security solutions. BlackBerry® cybersecurity solutions such as CylanceMDR™ provide automated, up-front protection against attacks, while also spotting indicators of compromise (IoCs) and delivering faster contextual understanding of alerts and events.

Get immediate, continuous resilience for your growing business without the overhead of an in-house Security Operations Center (SOC). Our expert team, armed with an advanced AI platform, integrates with your existing security environment to provide complete lifecycle defense. With our innovative AI and exceptional team of experts, you can trust us to help you stay a step ahead of potential threats such as JinxLoader and its variants.

APPENDIX 1 – Indicators of Compromise

Hashes (md5, sha-256),	5c466bf05800362a5e237ebc543c4f65 1b936178c97f935fd669773f5d627359bff2e45b3317422c314d1447696cabbe
PDB Path	N/A
Mutex in the System	Local\8ECDC8B3-D134-40A7-A8C1-32265D09AD3C
Network Indicators	hxxp://serverdops[.]ddns[.]net:6171 hxxp://xscapezo[.]capetown:6171

Hashes (md5, sha-256),	4501a538be3100c424f65e3642a434c3 f51f984211d289d1d611952855749a5fefea4bebec377073182bde8ce12af2a8
PDB Path	C:\Users\potca\source\repos\AstofloLoaderStub\Release\AstofloLoaderStub.pdb
Mutex in the System	Local\AD8C6F3C-8D19-4C2D-90BB-CD2FC2740A00
Network Indicators	hxxp://154[.]216[.]17[.]65/

APPENDIX 2 – Applied Countermeasures

Yara Rules

import "pe" rule cybercrime_AstlofloLoader : JinxV2 CPP { meta: description = "Detects Astolfo Loader samples (JinxV3) C++ samples" author = "The BlackBerry Threat Research and Intelligence Team" distribution = "TLP:AMBER+STRICT" version = "1.0" last_modified = "2024-09-30" hash1_md5 = "5c466bf05800362a5e237ebc543c4f65" hash1_sha256 = "1b936178c97f935fd669773f5d627359bff2e45b3317422c314d1447696cabbe" strings: $s1 = "Win32_VideoController" $s2 = "Microsoft Basic Display Adapter" $s3 = "vmware" $s4 = "virtualbox" $s5 = "virtual" $s6 = "qemu" $s7 = "vbox" $s8 = "prl_sf" $s9 = "prl_tg" $s10 = "prl_eth" $s11 = "Win32_PortConnector" wide $s12 = "wmic diskdrive get model" $s13 = "QEMU HARDDISK" $s14 = "DADY HARDDISK" $s15 = "svchost.exe" $s16 = "cmd.exe" $s17 = "runp" $s18 = "powershell" $s19 = "installp" $s20 = "taskkill /F /IM" $s21 = "powershell -Command \"Invoke-WebRequest -Uri" $s22 = "Content-Type:" $s23 = "User-Agent:" $s24 = "Content-Length:" $s25 = "Win32_Processor" $s26 = "SELECT * FROM Win32_OperatingSystem" $s27 = "https://checkip.amazonaws.com/" $s28 = "https://ipinfo.io/country" condition: uint16(0) == 0x5a4d and all of ($s*) }

Suricata Rules

Enterprise cybersecurity company Proofpoint has already released a Suricata rule to detect JinxLoaderV2 based on its User-Agent string. This rule remains applicable to Astolfo Loader, as the malware continues to use the same encoded hex string in its User-Agent.

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Encoded JinxV2DEV User-Agent Observed (4a696e785632444556)"; flow:established,to_server; http.user_agent; content:"4a696e785632444556"; bsize:18; reference:md5,d4d464e22776e552d215e5fe39373280; classtype:trojan-activity; sid:2049659; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2023_12_12, deployment Perimeter, confidence High, signature_severity Critical, updated_at 2023_12_12;) Credit: https://rules.emergingthreats.net/open/suricata/rules/emerging-malware.rules

APPENDIX 3 – Detailed MITRE ATT&CK® Mapping

Tactic	Technique: Sub-Technique	Context
Resource Development	Acquire Infrastructure: Botnet T1583.005	A compromised machine will act as a bot and listen for commands for download, creation, installation, and execution.
Initial Access	Phishing: Spearphishing Attachment T1566.001	Astolfo Loader was delivered as the final stage of a phishing lure.
Execution	Command and Scripting Interpreter: JavaScript T1059.007	Astolfo was embedded within heavily obfuscated JavaScript.
Defense Evasion Discovery	Debugger Evasion T1622	Astolfo Loader calls tasklist and checks the list of running processes against a list of analysis tools including debuggers.
Defense Evasion	Obfuscated Files or Information: Encrypted/Encoded File T1027.013	The Astolfo Loader payload was embedded within obfuscated JavaScript.
Defense Evasion	Deobfuscate/Decode Files or Information T1140	Astolfo Loader decodes embedded XOR strings.
Defense Evasion Discovery	Virtualization/Sandbox Evasion T1497	Astolfo Loader determines whether it is in a virtual environment by checking for the following items: Hard Disk WMI Port Connector WMI Video Controller Screen Size Virtual Machine Artefacts
Defense Evasion Discovery	Virtualization/Sandbox Evasion: Time Based Evasion T1497.003	Astolfo Loader uses performance counter checks to detect timing discrepancies typical of virtual machines or sandboxes. It delays execution by sleeping for extended periods, bypassing short-lived analysis environments.
Discovery	Process Discovery T1057	Astolfo Loader calls tasklist and compares the output with a list of decoded analysis process names.
Command-and-Control	Non-Standard Port T1571	The Astolfo loader connects back to its C2 via port 6171.

Further Reading:

• Threat Analysis Insight: RisePro Information Stealer
• Lynx on the Prowl: Targeting SMBs with Double-Extortion Tactics
• Transparent Tribe Targets Indian Government, Defense, and Aerospace Sectors

Back