S0648: JSS Loader
JSS Loader is a Remote Access Trojan (RAT) with .NET and C++ variants that has been used by FIN7 since at least 2020.[1][2]
Analyst context for executives and security teams
JSS Loader matters because it represents a Windows remote access trojan associated in ATT&CK with FIN7 and with common intrusion paths such as spearphishing attachments, malicious file execution, scripting, scheduled tasks, and tool transfer. For leaders, the value is not the malware name alone; it is a check on whether the organization can see and respond to a Windows phishing-to-persistence chain before it becomes a broader incident.
Executive priority
Prioritize this as a readiness and control-validation issue for Windows endpoint defense, email security, SOC monitoring, and incident response. The ATT&CK object has no official detection guidance, so executives should ask whether teams can produce evidence for: malicious attachment handling, user-driven file execution, suspicious PowerShell/Visual Basic/JavaScript activity, scheduled task creation or modification, and external file transfer into the environment. Industries should not infer exposure solely from this object, but the FIN7 relationship makes it relevant to organizations that track financially motivated intrusion risk.
Technical view
Validate coverage around the related ATT&CK techniques: T1566.001 Spearphishing Attachment, T1204.002 Malicious File, T1059.001 PowerShell, T1059.005 Visual Basic, T1059.007 JavaScript, T1053.005 Scheduled Task, and T1105 Ingress Tool Transfer. Because the malware platform is Windows and official detection text is not provided, SOC teams should focus on behavior-based visibility rather than a single signature: script interpreter launches, suspicious parent-child process chains from user-opened files, creation or modification of scheduled tasks, downloaded payloads or tools, and network activity consistent with external file retrieval or remote access behavior.
Likely telemetry
- Email security logs for attachments, delivery, detonation, user interaction, and quarantine decisions
- Windows endpoint process creation telemetry, including parent-child process relationships
- PowerShell logging and command-line telemetry where enabled
- Windows Script Host, Visual Basic, JScript, or JavaScript execution telemetry
- Scheduled task creation, modification, and execution events
Detection direction
- Do not rely on an ATT&CK-provided analytic for this object; none is supplied in the official fields.
- Tune detections for suspicious execution chains from email attachments or user-opened files into script interpreters, PowerShell, or dropped binaries.
- Validate scheduled task monitoring for both command-line and GUI/API-created tasks, since scheduled tasks are associated with execution, persistence, and privilege escalation.
- Correlate email events, endpoint execution, script logs, file writes, and outbound network activity to reduce false positives from legitimate administration or software deployment.
- Treat PowerShell, Visual Basic, and JavaScript detections carefully: these tools have legitimate business and administrative use, so context such as initiating user, parent process, file origin, and destination should drive triage.
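The behavior-based visibility called for in the Technical view and the correlation points listed under Detection direction can be reduced to one concrete check: walk process-creation telemetry and flag any script host or scheduled-task creation whose ancestry leads back to a user-opened Office document. The following is an added example written for this page, not Glexia's or MITRE's code; the event fields (pid, ppid, image, cmdline, user) are assumed to mirror typical EDR or Sysmon process-creation records, and the sample events are constructed, with one phishing-style chain and one benign deployment chain that should not fire.

```python
"""Flag process chains that run from a user-opened Office document into a
script host (T1059.001/.005/.007) or scheduled-task creation (T1053.005).

Added example, not Glexia's or MITRE's code. Event field names are assumed
to mirror common EDR/Sysmon process-creation telemetry; the sample events
below are constructed for this demonstration.
"""
import json

# Process names that indicate a user-opened document (T1204.002 context).
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Script interpreters the page's techniques cover.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
# Command-line task creation; GUI/API-created tasks need the Task Scheduler
# operational log and are not covered by this process-chain check.
TASK_TOOLS = {"schtasks.exe"}
# Path fragments suggesting the document arrived from outside the host.
EXTERNAL_ORIGIN_HINTS = ("\\downloads\\", "\\temp\\", "\\inetcache\\", "\\outlook\\")

# Constructed sample telemetry (newline-delimited JSON, one event per line).
SAMPLE_EVENTS = r"""
{"pid": 100, "ppid": 1,   "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe", "user": "CORP\\jdoe"}
{"pid": 200, "ppid": 100, "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "cmdline": "EXCEL.EXE C:\\Users\\jdoe\\Downloads\\complaint.xlsm", "user": "CORP\\jdoe"}
{"pid": 300, "ppid": 200, "image": "C:\\Windows\\System32\\wscript.exe", "cmdline": "wscript.exe C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.js", "user": "CORP\\jdoe"}
{"pid": 400, "ppid": 300, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -File C:\\Users\\jdoe\\AppData\\Local\\Temp\\stage.ps1", "user": "CORP\\jdoe"}
{"pid": 500, "ppid": 400, "image": "C:\\Windows\\System32\\schtasks.exe", "cmdline": "schtasks.exe /Create /SC ONLOGON /TN Updater /TR C:\\Users\\jdoe\\AppData\\Local\\Temp\\stage.ps1", "user": "CORP\\jdoe"}
{"pid": 600, "ppid": 100, "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe", "user": "CORP\\svc-deploy"}
{"pid": 700, "ppid": 600, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -File C:\\Deploy\\install.ps1", "user": "CORP\\svc-deploy"}
{"pid": 800, "ppid": 600, "image": "C:\\Windows\\System32\\schtasks.exe", "cmdline": "schtasks.exe /Create /SC DAILY /TN Backup /TR C:\\Deploy\\backup.ps1", "user": "CORP\\svc-deploy"}
"""


def _basename(path: str) -> str:
    """Last component of a Windows path (image fields are full paths)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def parse_events(text: str) -> list[dict]:
    """Parse newline-delimited JSON process-creation events."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def ancestry(event: dict, by_pid: dict) -> list[dict]:
    """Walk ppid links up to the root; returns oldest ancestor first."""
    chain, seen, cur = [], set(), event
    while cur["ppid"] in by_pid and cur["ppid"] not in seen:
        seen.add(cur["ppid"])  # guards against pid-reuse loops
        cur = by_pid[cur["ppid"]]
        chain.append(cur)
    return list(reversed(chain))


def find_suspicious_chains(events: list[dict]) -> list[dict]:
    """One finding per script host or task-creation process whose ancestry
    contains an Office application, i.e. a user-opened document."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for ev in events:
        name = _basename(ev["image"]).lower()
        if name in SCRIPT_HOSTS:
            kind = "office_to_script_host"
        elif name in TASK_TOOLS:
            kind = "office_to_scheduled_task"
        else:
            continue
        parents = ancestry(ev, by_pid)
        office = [p for p in parents if _basename(p["image"]).lower() in OFFICE_APPS]
        if not office:
            continue  # no user-opened document in the chain: leave to other rules
        doc_cmd = office[-1]["cmdline"]
        findings.append({
            "pid": ev["pid"],
            "kind": kind,
            "user": ev["user"],
            "chain": " > ".join(_basename(p["image"]) for p in parents + [ev]),
            "document": doc_cmd.split(" ", 1)[-1],
            "external_origin": any(h in doc_cmd.lower() for h in EXTERNAL_ORIGIN_HINTS),
            "cmdline": ev["cmdline"],
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_chains(parse_events(SAMPLE_EVENTS)):
        print(f"[{f['kind']}] {f['user']}: {f['chain']}  <- {f['document']}")
```

Run against the sample, the three processes descending from the Excel document fire (wscript, PowerShell, then the schtasks creation), while the service account's PowerShell and task creation under cmd.exe do not, which is the parent-process and file-origin context the triage guidance above asks for. In production the finding would be joined with email gateway records for the document name and with the Task Scheduler operational log to cover API-created tasks.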
Mitigation priorities
- Strengthen phishing attachment controls and user-reporting workflows before endpoint execution occurs.
- Ensure Windows endpoints have sufficient logging and EDR coverage for process creation, script execution, scheduled task changes, file creation, and outbound network activity.
- Harden scripting and task-scheduling abuse paths according to organizational policy, balancing administrative requirements with least privilege and monitoring.
- Prepare IR playbooks that connect email investigation, endpoint containment, credential review, and scheduled task cleanup for suspected loader activity.
- Use threat intelligence and malware references to inform hunting, but require local telemetry before making exposure or attribution decisions.
Analyst notes and limits
The object identifies JSS Loader as a RAT with .NET and C++ variants used by FIN7 since at least 2020. The relationship set provides the most useful defensive context: phishing attachment and malicious file execution for initial execution, scripting for execution, scheduled tasks for execution/persistence/privilege escalation, and ingress tool transfer for bringing files into the environment.
Official ATT&CK detection content is not provided for this malware object, and tactics are not specified on the malware itself. This take is therefore based on the supplied description, Windows platform field, external references, and stated ATT&CK relationships. Local environment telemetry is required to determine actual detection coverage, exposure, or incident relevance.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1053.005 | Scheduled Task | JSS Loader has the ability to launch scheduled tasks to establish persistence. [2] |
| Enterprise | T1059.005 | Visual Basic | JSS Loader can download and execute VBScript files. [2] |
| Enterprise | T1059.007 | JavaScript | JSS Loader can download and execute JavaScript files. [2] |
| Enterprise | T1566.001 | Spearphishing Attachment | JSS Loader has been delivered by phishing emails containing malicious Microsoft Excel attachments. [1] |
| Enterprise | T1105 | Ingress Tool Transfer | JSS Loader has the ability to download malicious executables to a compromised host. [2] |
| Enterprise | T1204.002 | Malicious File | JSS Loader has been executed through malicious attachments contained in spearphishing emails. [1] |
| Enterprise | T1059.001 | PowerShell | JSS Loader has the ability to download and execute PowerShell scripts. [2] |
Groups, software, and campaigns
G0046: FIN7
FIN7 is a financially-motivated threat group that has been active since 2013. FIN7 has targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, pharmaceutical, and utilities industries in the United States. A portion of FIN7 was operated out of a front company called Combi Security and often used point-of-sale malware for targeting efforts. Since 2020, FIN7 shifted operations to big game hunting (BGH), including use of REvil ransomware and their own Ransomware-as-a-Service (RaaS), Darkside. FIN7 may be linked to the Carbanak Group, but multiple threat groups have been observed using Carbanak, leading these groups to be tracked separately.[1][2][3][4][5][6][7]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 33af31fc562f… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] eSentire FIN7 July 2021: eSentire. (2021, July 21). Notorious Cybercrime Gang, FIN7, Lands Malware in Law Firm Using Fake Legal Complaint Against Jack Daniels' Owner, Brown-Forman Inc. Retrieved September 20, 2021.
- [2] CrowdStrike Carbon Spider August 2021: Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.
- [3] mitre-attack S0648
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.