SWIFT COPY.JS: A 4MB JavaScript Dropper Uses Unicode Sushi to Smuggle AgentTesla
A BEC-themed JS file encodes a PE payload as Cherokee, Ethiopic, Ogham, and emoji Unicode characters mapped through CP437 -- achieving 72% AV evasion and exfiltrating via Telegram
Tags: AgentTesla, JavaScript, BEC, Unicode, obfuscation, Telegram, credential-theft, stealer
Open the file in a text editor and you will see Cherokee syllables, Ethiopic characters, Ogham letters, Runic symbols, and sushi emoji. All 1,650 lines of them. This is not a corrupted file. It is a PE binary encoded as Unicode characters from 103 different scripts, mapped through IBM Code Page 437 back to x86 machine code. The technique works: only 10 out of 36 AV engines detect it.
SWIFT COPY.JS appeared on MalwareBazaar on March 12, 2026, delivered as an email attachment using a SWIFT banking transfer lure. It drops AgentTesla -- the prolific keylogger/stealer -- and exfiltrates stolen credentials through a Telegram bot. The bot was already logged out by the time we investigated, suggesting the operator rotates tokens after sample exposure.
Key Findings
- 72% AV evasion: Only 10/36 engines detect the sample (ReversingLabs), classified as Win32.Trojan.Leonem
- Unicode/CP437 encoding: 103 unique Unicode characters from Cherokee, Ethiopic, Canadian Aboriginal, Ogham, Runic, Thai, Lao, Tibetan, Georgian, Armenian, and other scripts encode the PE payload
- Telegram C2: Bot ID 7954414643 with token AAFXkW1GI1wusrWmH9gD_yPwAhi75Z0wU-c -- already logged out at investigation time
- Geofencing: Checks HKCU\Control Panel\International\Geo\Nation before full execution
- Part of a wave: 50+ JS-tagged samples on MalwareBazaar from March 11-12 delivering AgentTesla, RemcosRAT, Formbook, XWorm, and PhantomStealer
The Encoding Scheme
The obfuscation is creative and effective:
Layer 1 -- 1,650 lines concatenate Unicode characters into a variable called EEQLUPLFNR (with up to 21 trailing R's for variant names). Characters span code points from U+00B1 to U+1F363 (that last one is the sushi emoji).
Layer 2 -- Line 826 is a single 3.87MB line containing the deobfuscation engine, ActiveX object creation, and PowerShell invocation. It uses obfuscator.io-style hex string tables with array rotation.
Layer 3 -- .Replace('EEQLUPLFN','') strips the marker strings, leaving pure Unicode payload. A complete Unicode-to-CP437 byte mapping table reconstructs the original PE binary bytes.
Layer 4 -- COM object names are split: "She99ll".split("99").join("") becomes "Shell". Variables like QQQQQWE, MNBYTUIOP, kittul, and awwwank carry critical values.
The result: wscript.exe processes the JS, spawns powershell.exe with an encoded command, drops two files disguised as images (Mands.png and Vile.png in C:\Users\PUBLIC\), and executes AgentTesla in memory via WriteProcessMemory.
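The decode chain of Layers 3 and 4 above, written from the analyst's side as an added example (not code from this write-up and not the dropper's own routine): it folds the split/join string construction, strips the marker string, maps each Unicode character back to a byte through a table, and validates the result as a PE by checking the MZ stub and e_lfanew. The six-entry byte table, the short constructed PE header and the line layout are assumptions built for the demo; a real sample's 256-entry table has to be lifted from the dropper's own decoder.

```python
"""Analyst-side decoder for the Unicode/CP437 scheme described above.

Added example, not code from the original write-up or from the dropper.
The byte table, marker string and sample blob are constructed for this demo;
a real sample's table has to be lifted from the dropper's own decoder routine.
"""
import re
import struct

MARKER = "EEQLUPLFN"  # the string the dropper strips with .Replace()

# Constructed table: one Unicode character per byte value. The real script
# covers all 256 CP437 byte values; only the bytes our sample PE uses are here.
BYTE_TO_CHAR = {
    0x00: "\u13A0",       # Cherokee letter A
    0x40: "\U0001F363",   # sushi emoji, the top of the U+00B1..U+1F363 range
    0x45: "\u0E01",       # Thai character KO KAI   ('E')
    0x4D: "\u1200",       # Ethiopic syllable HA     ('M')
    0x50: "\u16A0",       # Runic letter FEHU        ('P')
    0x5A: "\u1681",       # Ogham letter BEITH       ('Z')
}
CHAR_TO_BYTE = {c: b for b, c in BYTE_TO_CHAR.items()}

# Minimal constructed PE header: MZ stub, e_lfanew at 0x3C pointing at 'PE\0\0'.
SAMPLE_PE = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00"


def build_sample_blob(data: bytes, width: int = 16) -> str:
    """Test-fixture builder only: lay bytes out as marker-prefixed CRLF lines."""
    chars = [BYTE_TO_CHAR[b] for b in data]
    lines = [MARKER + "".join(chars[i:i + width]) for i in range(0, len(chars), width)]
    return "\r\n".join(lines)


def fold_split_join(js: str) -> str:
    """Fold the "She99ll".split("99").join("") trick back into a plain literal."""
    pattern = re.compile(r'"([^"]*)"\.split\("([^"]*)"\)\.join\(""\)')
    return pattern.sub(lambda m: '"' + m.group(1).replace(m.group(2), "") + '"', js)


def strip_markers(blob: str, marker: str = MARKER) -> str:
    """Layer 3: remove the marker strings, leaving only payload characters."""
    return blob.replace(marker, "")


def decode_payload(blob: str, table: dict) -> bytes:
    """Map each character back to its byte; fail loudly on an unmapped code point."""
    out = bytearray()
    for ch in blob:
        if ch in "\r\n":  # the sample is CRLF-delimited across 1,650 lines
            continue
        if ch not in table:
            raise ValueError(f"no byte mapping for U+{ord(ch):04X}")
        out.append(table[ch])
    return bytes(out)


def looks_like_pe(data: bytes) -> bool:
    """Validate the result: MZ stub and e_lfanew pointing at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage(js_text: str) -> dict:
    """Run the chain end to end and report what an analyst wants at a glance."""
    blob = strip_markers(fold_split_join(js_text))
    payload = decode_payload(blob, CHAR_TO_BYTE)
    return {
        "unique_codepoints": len(set(blob) - set("\r\n")),
        "payload_len": len(payload),
        "is_pe": looks_like_pe(payload),
    }


if __name__ == "__main__":
    print(triage(build_sample_blob(SAMPLE_PE)))
    print(fold_split_join('new ActiveXObject("WScript." + "She99ll".split("99").join(""))'))
```

The validation step is the part that matters during triage: if the reconstructed bytes do not start with MZ, or e_lfanew does not land on PE\0\0, the recovered mapping table is wrong or incomplete, which is what separates a working decoder from a guess at the table.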
Campaign Context
This sample is part of a broader wave. The reporter lowmal3 uploaded three BEC-themed JS droppers on the same day:
- SWIFT COPY.JS (this sample) -- banking transfer lure
- sefscibv.JS -- invoice lure
- NEW PO 513406997.JS -- purchase order lure
All three target financial and procurement personnel. Across MalwareBazaar, 50+ JavaScript droppers were uploaded March 11-12, delivering at least five different malware families through the same JS wrapper technique.
IOCs
Sample:
| Type | Value |
|---|---|
| SHA256 | b648c7224ac754c0c54788d8cd5b9ac2cc6ef73b66ba4ec16ecd0abdf7de19ec |
| MD5 | 474cc004796084314973979e8b9a217b |
| Size | 4,171,421 bytes (4.17 MB) |
| Type | JavaScript (UTF-8 with CRLF) |
C2:
hxxps://api[.]telegram[.]org/bot7954414643:AAFXkW1GI1wusrWmH9gD_yPwAhi75Z0wU-c/
Bot Status: LOGGED OUT (token revoked)
Dropped Files:
C:\Users\PUBLIC\Mands.png (136 KB, encoded payload)
C:\Users\PUBLIC\Vile.png (316 KB, encoded payload)
Behavioral:
| Indicator | Value |
|---|---|
| Obfuscation Marker | EEQLUPLFNR (36 variants) |
| Registry Check | HKCU\Control Panel\International\Geo\Nation |
| Process Chain | wscript.exe -> powershell.exe |
| Injection | WriteProcessMemory + SeDebugPrivilege |
| Telegram Bot ID | 7954414643 |
MITRE ATT&CK
| Technique | ID | Application |
|---|---|---|
| Spearphishing Attachment | T1566.001 | SWIFT COPY.JS via email |
| JavaScript | T1059.007 | WScript.exe executes JS dropper |
| PowerShell | T1059.001 | Encoded PowerShell command |
| Obfuscated Files | T1027 | Unicode/CP437 encoding |
| Process Injection | T1055 | WriteProcessMemory for in-memory execution |
| Keylogging | T1056.001 | AgentTesla keystroke capture |
| Credentials from Web Browsers | T1555.003 | Chrome, Firefox, Edge credential theft |
| System Location Discovery | T1614 | Geo\Nation registry check |
| Exfiltration Over C2 Channel | T1041 | Data sent via Telegram Bot API |
Conclusion
The Unicode/CP437 encoding technique is the standout here. It achieves 72% AV evasion not through runtime complexity but through encoding creativity -- the PE binary is hidden in plain sight as multilingual Unicode text that no string scanner knows how to interpret. The sushi emoji is the cherry on top. But the underlying payload is commodity AgentTesla, the C2 is a Telegram bot (already burned), and the delivery is a standard BEC email lure. The innovation is entirely in the wrapper. Defenders should flag oversized JS files (>1MB) in email attachments, disable Windows Script Host for non-admin users, and monitor for wscript.exe spawning powershell.exe -- that process chain is the kill switch regardless of how creative the encoding gets.
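The three controls in the paragraph above expressed as checks over process-creation events, as an added example that is not part of the original write-up: a script host spawning PowerShell, an encoded PowerShell command line, and an oversized script attachment. The events are constructed Sysmon-style records and their field names (image, parent_image, cmdline) are an assumption; the 1 MB threshold is the write-up's own figure.

```python
"""Detection checks for the delivery chain above: a script host spawning
PowerShell, an encoded PowerShell command line, and an oversized script
attachment. Added example, not from the original write-up; the event
dictionaries are constructed and their field names are an assumption."""
import ntpath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
SCRIPT_EXTS = {".js", ".jse"}
MAX_SCRIPT_ATTACHMENT = 1 * 1024 * 1024  # the write-up's >1 MB threshold

# Constructed process-creation events; the second one is the chain described above.
EVENTS = [
    {"image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'wscript.exe "C:\Users\user\Downloads\SWIFT COPY.JS"'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc <base64-placeholder>"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Date"},
]


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path, independent of the host OS."""
    return ntpath.basename(path).lower()


def is_script_host_to_powershell(event: dict) -> bool:
    """The wscript.exe -> powershell.exe chain the write-up calls the kill switch."""
    return _base(event["parent_image"]) in SCRIPT_HOSTS and _base(event["image"]) in POWERSHELL


def has_encoded_command(cmdline: str) -> bool:
    """Detect -EncodedCommand including PowerShell's accepted prefixes (-e, -enc, -ec)."""
    for tok in cmdline.split():
        if not tok.startswith(("-", "/")):
            continue
        flag = tok.lstrip("-/").lower()
        if flag and (flag == "ec" or "encodedcommand".startswith(flag)):
            return True
    return False


def flag_attachment(filename: str, size_bytes: int) -> bool:
    """Oversized script attachment: a JS file well past what a legitimate one needs."""
    ext = ntpath.splitext(filename)[1].lower()
    return ext in SCRIPT_EXTS and size_bytes > MAX_SCRIPT_ATTACHMENT


def evaluate(events: list) -> list:
    """Return (event index, reasons) for every event that trips at least one check."""
    alerts = []
    for i, ev in enumerate(events):
        reasons = []
        if is_script_host_to_powershell(ev):
            reasons.append("script host spawned PowerShell")
        if has_encoded_command(ev["cmdline"]):
            reasons.append("encoded PowerShell command")
        if reasons:
            alerts.append((i, reasons))
    return alerts


if __name__ == "__main__":
    print(evaluate(EVENTS))
    print(flag_attachment("SWIFT COPY.JS", 4171421))
```

The encoded-command check accepts PowerShell's abbreviated switches (-e, -en, -enc, -ec) rather than only the full -EncodedCommand, since the full name is rarely what appears on a real command line; -ExecutionPolicy and its abbreviations do not match because they are not prefixes of "encodedcommand".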