T1059.007 - JavaScript
Sub-technique
Tactics:
Execution
Execution
Platforms:
Linux macOS Windows
Linux macOS Windows
Detection:
Not specified
Not specified
Description:
Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scripting language (compiled just-in-time at runtime) commonly associated with scripts in webpages, though JS can be executed in runtime environments outside the browser.(Citation: NodeJS)
JScript is the Microsoft implementation of the same scripting standard. JScript is interpreted via the Windows Script engine and thus integrated with many components of Windows such as the [Component Object Model](https://attack.mitre.org/techniques/T1559/001) and Internet Explorer HTML Application (HTA) pages.(Citation: JScrip May 2018)(Citation: Microsoft JScript 2007)(Citation: Microsoft Windows Scripts)
JavaScript for Automation (JXA) is a macOS scripting language based on JavaScript, included as part of Apple’s Open Scripting Architecture (OSA), that was introduced in OSX 10.10. Apple’s OSA provides scripting capabilities to control applications, interface with the operating system, and bridge access into the rest of Apple’s internal APIs. As of OSX 10.10, OSA only supports two languages, JXA and [AppleScript](https://attack.mitre.org/techniques/T1059/002). Scripts can be executed via the command line utility <code>osascript</code>, they can be compiled into applications or script files via <code>osacompile</code>, and they can be compiled and executed in memory of other programs by leveraging the OSAKit Framework.(Citation: Apple About Mac Scripting 2016)(Citation: SpecterOps JXA 2020)(Citation: SentinelOne macOS Red Team)(Citation: Red Canary Silver Sparrow Feb2021)(Citation: MDSec macOS JXA and VSCode)
Adversaries may abuse various implementations of JavaScript to execute various behaviors. Common uses include hosting malicious scripts on websites as part of a [Drive-by Compromise](https://attack.mitre.org/techniques/T1189) or downloading and executing these script files as secondary payloads. Since these payloads are text-based, it is also very common for adversaries to obfuscate their content as part of [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027).
JScript is the Microsoft implementation of the same scripting standard. JScript is interpreted via the Windows Script engine and thus integrated with many components of Windows such as the [Component Object Model](https://attack.mitre.org/techniques/T1559/001) and Internet Explorer HTML Application (HTA) pages.(Citation: JScrip May 2018)(Citation: Microsoft JScript 2007)(Citation: Microsoft Windows Scripts)
JavaScript for Automation (JXA) is a macOS scripting language based on JavaScript, included as part of Apple’s Open Scripting Architecture (OSA), that was introduced in OSX 10.10. Apple’s OSA provides scripting capabilities to control applications, interface with the operating system, and bridge access into the rest of Apple’s internal APIs. As of OSX 10.10, OSA only supports two languages, JXA and [AppleScript](https://attack.mitre.org/techniques/T1059/002). Scripts can be executed via the command line utility <code>osascript</code>, they can be compiled into applications or script files via <code>osacompile</code>, and they can be compiled and executed in memory of other programs by leveraging the OSAKit Framework.(Citation: Apple About Mac Scripting 2016)(Citation: SpecterOps JXA 2020)(Citation: SentinelOne macOS Red Team)(Citation: Red Canary Silver Sparrow Feb2021)(Citation: MDSec macOS JXA and VSCode)
Adversaries may abuse various implementations of JavaScript to execute various behaviors. Common uses include hosting malicious scripts on websites as part of a [Drive-by Compromise](https://attack.mitre.org/techniques/T1189) or downloading and executing these script files as secondary payloads. Since these payloads are text-based, it is also very common for adversaries to obfuscate their content as part of [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027).
Used by Actors (20)
Turla
Nation-state
Nation-state
FIN7
Criminal
Criminal
FIN6
Unknown
Unknown
Molerats
Nation-state
Nation-state
APT32
Nation-state
Nation-state
Kimsuky
Nation-state
Nation-state
MuddyWater
Nation-state
Nation-state
MUSTANG PANDA
Nation-state
Nation-state
INDRIK SPIDER
Unknown
Unknown
TA505
Unknown
Unknown
Higaisa
Nation-state
Nation-state
Evilnum
Unknown
Unknown
TA578
Unknown
Unknown
Earth Lusca
Unknown
Unknown
TA577
Unknown
Unknown
MoustachedBouncer
Nation-state
Nation-state
Winter Vivern
Unknown
Unknown
Silence
Unknown
Unknown
Leafminer
Unknown
Unknown
Cobalt Group
Unknown
Unknown
Malware (20)
GRIFFON other
KOPILUWAK other
AppleSeed other
EnvyScout other
Gootloader other
HexEval Loader other
InvisiMole other
Avaddon other
SocGholish other
SpicyOmelette other
BeaverTail other
DarkWatchman other
Xbash other
NanHaiShu other
Latrodectus other
Chaes other
Bundlore other
Metamorfo other
KONNI other
BlackByte Ransomware other
Metadata
| MITRE ID: | T1059.007 |
| STIX ID: | attack-pattern--0f4a0c76-ab2d-... |
| Platforms: | Linux, macOS, Windows |
| Created: | 13/01/2026 17:48 |
| Updated: | 06/03/2026 04:00 |