GachiLoader: Defeating Node.js Malware with API Tracing

Dec. 21, 2025, 7:35 p.m.

Description

A new malware distribution campaign utilizing compromised YouTube accounts to spread infostealers has been identified. The campaign employs GachiLoader, a heavily obfuscated Node.js loader, to deploy the Rhadamanthys infostealer. GachiLoader implements anti-analysis techniques and uses a novel PE injection method called Vectored Overloading. To aid analysis, researchers developed an open-source Node.js tracer tool. The campaign has affected over 100 videos with 220,000 views across 39 compromised accounts since December 2024. The malware evades detection, elevates privileges, and disables Windows Defender before retrieving its payload.

Date

  • Created: Dec. 17, 2025, 9:22 p.m.
  • Published: Dec. 17, 2025, 9:22 p.m.
  • Modified: Dec. 21, 2025, 7:35 p.m.

Indicators

  • ded68a8f5d0765740d469c08bd66270097f3474eab92ee1e65ddcdd6d15fca6e
  • 94.154.35.99
  • 178.16.52.231
  • 185.141.216.120
  • 180.178.189.34
  • 176.46.152.182
  • 62.60.226.233
  • 176.46.152.18
  • 78.16.53.193
  • 178.16.53.193

Additional Information

  • vault-360-nexus.com
  • wwpac3ey.q23nfcxbnqdytjgrxutmzawczv.cg