NodeJS backdoors delivering proxyware and monetization schemes
Sept. 24, 2025, 12:33 p.m.
Description
This report details a campaign involving NodeJS backdoors used to distribute proxyware and monetization schemes. The attackers employ Inno Setup installers to drop PowerShell scripts that download and execute NodeJS packages containing malicious JavaScript. The backdoors collect system information, communicate with command-and-control servers, and can execute various commands, including PowerShell scripts and additional Node.js code. The campaign is associated with multiple proxyware applications such as Infatica, Honeygain, earnFM, and PacketLab. The attackers also use browser extensions to track user navigation and potentially redirect users to malicious URLs. The infrastructure involves numerous domains and cloud services used for hosting malware and for command and control.
Tags
Date
- Created: Sept. 24, 2025, 10:32 a.m.
- Published: Sept. 24, 2025, 10:32 a.m.
- Modified: Sept. 24, 2025, 12:33 p.m.