A new stealthy JavaScript loader named RATDispenser is being used to infect devices with remote access trojans in phishing attacks. The loader uses JavaScript attachments, which HP found to have low detection rates. The infection begins with a phishing email containing a malicious JavaScript attachment named with a.TXT.js’ double-extension. As Windows hides extensions by default, if a recipient saves the file to their computer, it will appear as a harmless text file. In 94% of cases analyzed by the HP Threat Research team, the loader does not communicate with an actor-controlled server and is solely used as a first-stage.”]