T1059.007 JavaScript in MITRE ATT&CK Explained
March 12, 2026
What Is T1059.007 JavaScript in MITRE ATT&CK?
T1059.007 JavaScript is a sub-technique of Command and Scripting Interpreter (T1059) in the MITRE ATT&CK framework, under the Execution tactic. It refers to the use of JavaScript-based scripting languages by adversaries to execute code across web browsers, operating systems, and application environments.
JavaScript is a high-level scripting language defined by the ECMAScript specification and is widely used to enable interactive behavior in web applications. Its flexibility and ubiquity across browsers and platforms make it a common execution mechanism in both client-side and application-level contexts.
This sub-technique also includes JScript, Microsoft’s implementation of the ECMAScript standard, which is integrated into Windows components such as the Windows Script Engine, Component Object Model (COM), and HTML Application (HTA) files. JScript is commonly used to provide scripting functionality within Windows-based environments.
On macOS systems, JavaScript for Automation (JXA) represents Apple’s JavaScript-based scripting language within the Open Scripting Architecture (OSA). Introduced in macOS 10.10, JXA enables interaction with applications, operating system services, and native APIs. JXA scripts can be executed using the osascript utility, compiled into applications or script files with osacompile, or executed in memory through frameworks such as OSAKit.
Adversary Use of T1059.007 JavaScript
Adversaries use T1059.007 JavaScript to execute malicious code across multiple environments by abusing widely supported scripting engines. Because JavaScript-based interpreters are embedded in browsers, operating systems, and application frameworks, their use can blend into legitimate activity and evade detection mechanisms focused on standalone executables.
In attack campaigns, JavaScript is commonly leveraged to deliver phishing payloads, execute scripts in browsers or HTA files, download and launch secondary malware, and interact with system components through COM or native APIs. On macOS, JXA is often used to control applications, execute system commands, and perform in-memory execution, while on Windows, JScript frequently appears in script-based loaders and installer-driven execution chains.
By abusing the cross-platform availability and trusted status of JavaScript interpreters, adversaries can achieve stealthy execution, payload delivery, and defense evasion across both Windows and macOS environments.
Procedure Examples Used by Adversaries in Red Report 2026
Adversaries leverage JavaScript for a variety of malicious purposes.
For instance, in June 2025 Unit 42 researchers reported a widespread website compromise campaign that injected heavily obfuscated JavaScript into legitimate pages [1]. The threat actors hid their intent with an obfuscation technique dubbed JSFireTruck, a variant of JSF*ck that rewrites the script using only a small set of symbol characters, and specifically targeted visitors arriving from search engines, both for traffic monetization and for malware delivery (malvertising).
The campaign's primary goal is to evade security analysis and silently redirect users to attacker-controlled domains by injecting a hidden, full-screen iFrame.
Stealthy Injection and Execution via IFrame
The injected JavaScript first decodes its hidden payload. It then checks the document.referrer property and proceeds only when the visitor arrived from a search engine. Because an analyst fetching the URL directly, or a scanner crawling it, arrives with no search-engine referrer, this check keeps the malicious branch dormant during most direct inspection. Only then does the script dynamically inject a malicious iFrame into the compromised HTML page.
The decoded snippet that follows uses the innerHTML property to inject the iFrame: the code locates an element on the page (ElementID) and replaces its content with the full-screen redirector [1].
```javascript
// Decoded JavaScript routine to inject the malicious iFrame
```
The CSS properties set on the iFrame (width: 100%, height: 100%, z-index: 30000, position: fixed) are what make the injection work. A fixed-position element sized to the viewport and stacked above everything else completely covers the legitimate site, so the visitor sees and interacts only with the attacker's content while the original URL remains in the address bar; in effect the page has been silently replaced.
Backup Payload Execution via URL Hash
If the visitor did not arrive from a search engine, the malicious JavaScript falls back to checking the URL fragment (the part after #) [1].
This lets the threat actor carry a second-stage payload directly in the URL for targeted or manual delivery. The script decodes the Base64 fragment with the browser's built-in atob() function before injecting the result into the DOM. Because the fragment is never sent to the web server, the payload leaves no trace in the compromised site's server logs and is visible only in client-side artifacts such as browser history.
```javascript
// Decoded JavaScript logic to extract and execute Base64 payload from URL hash
```
This dual-path execution demonstrates the actor's intent to maximize stealth (by checking the referrer) while maintaining flexibility for targeted payload delivery (via the URL hash).
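The following is an added example, not code from the Unit 42 write-up or from the campaign: a small Node.js triage script that inspects a decoded page script for the dual-path pattern described above (a document.referrer gate, an innerHTML write of a viewport-covering iframe, and a Base64 fallback read from location.hash) and that performs the same fragment decoding offline. The two sample scripts are constructed stand-ins, the z-index threshold is an arbitrary choice, and the regexes are heuristics rather than signatures for this campaign.

```javascript
// Added example (not code from the Unit 42 write-up): heuristic triage of a
// decoded page script for the dual-path injector pattern described above.
// Runs under Node.js and only inspects source text, so no DOM is required.

// Parse an inline style attribute ("prop: value; prop: value") into an object.
function parseStyle(styleText) {
  const style = {};
  for (const decl of styleText.split(';')) {
    const idx = decl.indexOf(':');
    if (idx === -1) continue;
    style[decl.slice(0, idx).trim().toLowerCase()] = decl.slice(idx + 1).trim().toLowerCase();
  }
  return style;
}

// A fixed-position iframe sized to the viewport and stacked high covers the page.
// The z-index threshold of 1000 is an assumption chosen for this example.
function isOverlayIframe(iframeTag) {
  const m = /style\s*=\s*["']([^"']*)["']/i.exec(iframeTag);
  if (!m) return false;
  const s = parseStyle(m[1]);
  const z = parseInt(s['z-index'] || '0', 10);
  return s.position === 'fixed' && s.width === '100%' && s.height === '100%' && z >= 1000;
}

// Flag the indicators the write-up describes: a referrer gate, an innerHTML
// write of an overlay iframe, and a Base64 fallback read from location.hash.
function analyzeScript(src) {
  const iframes = src.match(/<iframe\b[^>]*>/gi) || [];
  const result = {
    referrerGate: /document\.referrer/.test(src),
    innerHtmlWrite: /\.innerHTML\s*=/.test(src),
    overlayIframe: iframes.some(isOverlayIframe),
    hashFallback: /location\.hash/.test(src) && /\batob\s*\(/.test(src),
  };
  result.verdict =
    (result.referrerGate && result.overlayIframe) || result.hashFallback
      ? 'suspicious-injector'
      : 'no-match';
  return result;
}

// Same decoding the fallback path performs, done offline: strip '#', Base64-decode.
// Returns null for an ordinary anchor such as '#section-2' that is not Base64.
function decodeHashPayload(hash) {
  const b64 = hash.startsWith('#') ? hash.slice(1) : hash;
  if (!/^[A-Za-z0-9+/]+=*$/.test(b64)) return null;
  return Buffer.from(b64, 'base64').toString('utf8');
}

// Constructed stand-in for a decoded injector; it illustrates the shape only
// and is not the campaign's actual code. ElementID is a placeholder name.
const SAMPLE_INJECTOR = [
  "var ref = document.referrer;",
  "if (/google|bing|yahoo|duckduckgo/i.test(ref)) {",
  "  document.getElementById('ElementID').innerHTML = '<iframe src=\"https://redirector.invalid/\"",
  "    style=\"width:100%;height:100%;z-index:30000;position:fixed;top:0;left:0;border:0\"></iframe>';",
  "} else if (location.hash.length > 1) {",
  "  document.body.innerHTML += atob(location.hash.slice(1));",
  "}",
].join('\n');

// Constructed benign script: reads the referrer for analytics, injects nothing.
const SAMPLE_ANALYTICS =
  "navigator.sendBeacon('/collect', JSON.stringify({ ref: document.referrer }));";

console.log(analyzeScript(SAMPLE_INJECTOR));  // verdict: suspicious-injector
console.log(analyzeScript(SAMPLE_ANALYTICS)); // verdict: no-match
```

The referrer gate alone is not a signal, since analytics code reads document.referrer routinely; it becomes interesting only in combination with an overlay iframe or a fragment-decoded payload, which is why the verdict requires the pairing. When reproducing the campaign's behaviour in a browser, set the Referer header to a search-engine origin or the malicious branch will never fire.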
Procedure Examples Used by Adversaries in Red Report 2025
Downloading, Loading and Executing Malicious Payloads
In October 2024, Cisco Talos analyzed the WarmCookie malware family, also known as BadSpace, which emerged in April 2024 [2]. It was distributed through malspam and malvertising campaigns that led victims to obfuscated JavaScript downloaders hosted on compromised servers.
JavaScript sits at the start of WarmCookie's infection chain. Once a victim runs the downloader, the script deobfuscates and runs a PowerShell command that retrieves and executes the WarmCookie DLL payload. Using JavaScript this way bridges the delivery stage (a link or attachment the user opens) and the execution stage (the native payload), which is why script downloaders remain a staple of commodity loader campaigns.
In the Water Makara spear phishing campaign, reported by Trend Micro in October 2024, JavaScript is a core component of the attack chain for malware delivery and evasion [3]. The attackers embed heavily obfuscated JavaScript commands within LNK files and HTML attachments, using Base64 encoding and variable renaming to bypass security defenses. When a user opens the lure, the script is executed through the legitimate utility mshta.exe; it then decodes and reconstructs the malicious URLs or payloads dynamically, leading to the download and execution of the Astaroth information-stealing banking trojan.
The campaign also uses GetObject, a function available to JScript under the Windows Script Host and mshta.exe rather than in standard browser JavaScript, to retrieve and execute objects from attacker-controlled C&C servers. Running through trusted Windows utilities in this way lets the attackers blend in and evade detection, and the campaign proved effective against its Brazilian targets.
Procedure Examples Used by Adversaries in Red Report 2024
Drive-by Compromise (T1189)
When it comes to the Drive-by Compromise (T1189) technique, adversaries commonly rely on JavaScript.
For instance, as disclosed in October 2023, adversaries used JavaScript together with the Binance Smart Chain (BSC) in an attack method named 'EtherHiding' to distribute malicious code [4]. The attackers compromise WordPress sites and inject JavaScript that loads the ethers.js library and queries a BSC smart contract to fetch the next-stage script.
```javascript
// include <https://cdn.ethers.io/lib/ethers-5.2.umd.min.js>
```
Once a smart contract is deployed, its code cannot be removed from the chain and there is no hosting provider to serve a takedown request, which makes the attack resilient to takedown attempts. The data the contract stores, however, can be updated by the attacker with a single transaction, so the payload or command-and-control address can be swapped at any time at negligible cost, and victims' browsers retrieve it through ordinary read-only RPC queries. Visitors are typically unaware of these background requests; the compromised sites display fake browser update prompts that, if followed, download malicious executables.
Defense Evasion
In a web injection campaign reported in December 2023, attackers used a JavaScript code block to perform targeted injections that capture banking data [5]. The script first checks that the string 'adrum' does not appear in the page URL; 'adrum' is the marker used by the AppDynamics browser monitoring agent, so the check most likely keeps the injection from running where such monitoring, or a security tool using the same marker, is present. Execution then depends on the document's loading state: if the document has already loaded, the script invokes its obfuscated functions immediately; otherwise it defers them until the 'DOMContentLoaded' event.
```javascript
if ((document.location.href + '').indexOf('adrum') == -1) {
    // remainder of the obfuscated script elided in the source
}
```
The object history.hLizsIory, which features prominently in this code, appears to serve as a facade for the underlying malicious operations, with methods such as Loaded() and checks against a test_ property. These likely trigger the script's core functionality, which may include reporting load status back to a command-and-control server, manipulating the DOM to capture user input, or inserting additional scripts for further exploitation.
The script's design is adaptive: it performs checks to selectively trigger execution and avoids running in environments where it might be detected. By keying its behaviour to the browser's load state, handling exceptions quietly, and blending into the expected flow of browser events, it evades many traditional scans that look for more blatant or static forms of malicious activity.
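The following is an added example, not the campaign's code or the report's analysis: a reconstruction of the execution gating described above (the 'adrum' URL check followed by immediate or DOMContentLoaded-deferred execution) run against a constructed fake document object so that all three branches can be exercised offline under Node.js. The document shape, the scenario URLs, and the payload counter are assumptions made for the example.

```javascript
// Added example (not the campaign's code): a reconstruction of the execution
// gating described above, driven by a fake document so both branches and the
// evasion check can be exercised offline under Node.js.

// Mirrors the observed control flow: bail out if 'adrum' appears in the URL,
// run the payload now if the document has finished parsing, otherwise wait
// for DOMContentLoaded. Returns which branch was taken.
function gateAndSchedule(doc, payload) {
  if ((doc.location.href + '').indexOf('adrum') !== -1) {
    return 'skipped'; // evasion check tripped: monitoring marker present
  }
  if (doc.readyState !== 'loading') {
    payload();
    return 'ran-immediately';
  }
  doc.addEventListener('DOMContentLoaded', payload);
  return 'deferred';
}

// Minimal constructed stand-in for the parts of `document` the gate touches.
function makeFakeDocument(href, readyState) {
  const listeners = new Map();
  return {
    location: { href },
    readyState,
    addEventListener(type, fn) {
      if (!listeners.has(type)) listeners.set(type, []);
      listeners.get(type).push(fn);
    },
    // Simulate the browser finishing parsing and firing the event.
    fire(type) {
      this.readyState = 'interactive';
      for (const fn of listeners.get(type) || []) fn();
    },
  };
}

// Drive one scenario and report which branch ran and whether the payload fired.
function runScenario(href, readyState) {
  let payloadRuns = 0;
  const doc = makeFakeDocument(href, readyState);
  const outcome = gateAndSchedule(doc, () => { payloadRuns += 1; });
  doc.fire('DOMContentLoaded'); // harmless when nothing was registered
  return { outcome, payloadRuns };
}

// Defender's check: the same page URL with the marker appended should go silent,
// which is the behaviour an analyst can use to confirm the gate is in play.
function isSuppressedByMarker(href) {
  const sep = href.includes('?') ? '&' : '?';
  return runScenario(href + sep + 'adrum=1', 'complete').payloadRuns === 0;
}

console.log(runScenario('https://bank.example/login', 'loading'));        // deferred, 1 run
console.log(runScenario('https://bank.example/login?adrum=1', 'complete')); // skipped, 0 runs
```

When sandboxing an injection like this, make sure the test URL carries no 'adrum' substring (RUM-instrumented lab browsers or proxies that tag URLs can trip the gate), and treat the presence of such an anti-monitoring check in an otherwise innocuous-looking script as a hunting signal in its own right.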
References
[1] H. Shah, B. Duncan, and P. K. Chhaparwal, “JSFireTruck: Exploring Malicious JavaScript Using JSF*ck as an Obfuscation Technique,” Unit 42, Jun. 12, 2025. Available: https://unit42.paloaltonetworks.com/malicious-javascript-using-jsfiretruck-as-obfuscation/. [Accessed: Dec. 02, 2025]
[2] E. Brumaghin, “Threat Spotlight: WarmCookie/BadSpace,” Cisco Talos Blog, Oct. 23, 2024. Available: https://blog.talosintelligence.com/warmcookie-analysis/. [Accessed: Nov. 27, 2024]
[3] “Water Makara Uses Obfuscated JavaScript in Spear Phishing Campaign Targets Brazil With Astaroth Malware,” Trend Micro, Oct. 14, 2024. Available: https://www.trendmicro.com/en_in/research/24/j/water-makara-uses-obfuscated-javascript-in-spear-phishing-campai.html. [Accessed: Nov. 27, 2024]
[4] B. Toulas, “Hackers use Binance Smart Chain contracts to store malicious scripts,” BleepingComputer, Oct. 13, 2023. Available: https://www.bleepingcomputer.com/news/security/hackers-use-binance-smart-chain-contracts-to-store-malicious-scripts/. [Accessed: Dec. 21, 2023]
[5] B. Toulas, “New Web injections campaign steals banking data from 50,000 people,” BleepingComputer, Dec. 19, 2023. Available: https://www.bleepingcomputer.com/news/security/new-web-injections-campaign-steals-banking-data-from-50-000-people/. [Accessed: Dec. 21, 2023]
