From Fake Purchase Orders to Remote Access: Analyzing the JS.MonoGlyphRAT Threat to US Enterprises
ID: bbf56866-8075-5f91-bb3e-9f9b5e6782d9
STIX ID: report--bbf56866-8075-5f91-bb3e-9f9b5e6782d9
Feed Name: ANY.RUN's Cybersecurity Blog
JS.MonoGlyphRAT is an actively observed JavaScript-based RAT/loader that uses monoglyph identifier obfuscation and Windows Script Host to gain persistence and remote control after users open seemingly benign purchase-order/quote .js attachments. It communicates with its C2 over HTTP using custom headers (X-S/X-A) and supports AES-encrypted payload delivery, PowerShell stagers, and in-memory .NET execution with AMSI bypass. It has confirmed victims across US technology, MSSPs, telecoms and education. ANY.RUN provides sandbox analysis and IOCs to help detect and hunt the infection.
