PhoneLink-Themed JScript Loader Using GitHub Raw Config and `.org/in.mp3` Second Stage
A JScript-based loader posing as “Phone Link” persists via Scheduled Tasks, fetches a config from GitHub raw, then downloads a second stage disguised as `in.mp3` to `%LOCALAPPDATA%\backup.bat`, and beacons to `breachsaver[.]com`. This alert provides enterprise‑grade detection, IOCs, and step‑by‑step remediation to contain and evict the threat.
Rudra Verma, Senior Security Architect & Researcher