Threat actors misuse Node.js to deliver malware and other malicious payloads
April 16, 2025, 2:21 p.m.
Description
Since October 2024, threat actors have been using Node.js to deliver malware and other payloads aimed at information theft and data exfiltration. A recent malvertising campaign uses cryptocurrency-trading themes to lure users into downloading malicious installers. The attack chain covers initial access, persistence, defense evasion, data collection, and payload delivery: the malware gathers system information, creates scheduled tasks, and uses PowerShell for several malicious activities. Another emerging technique is inline JavaScript execution through Node.js. Recommended mitigations include educating users, monitoring Node.js execution, enforcing PowerShell logging, and deploying endpoint protection.
Tags
Date
- Created: April 15, 2025, 8:46 p.m.
- Published: April 15, 2025, 8:46 p.m.
- Modified: April 16, 2025, 2:21 p.m.