Yet Another NodeJS Backdoor (YaNB): A Modern Challenge

May 21, 2025, 8:57 p.m.

Description

A resurgence in malicious campaigns exploiting deceptive CAPTCHA verifications has been observed, tricking users into executing NodeJS-based backdoors that then deploy sophisticated Remote Access Trojans. The attack begins with a malicious NodeJS script connecting to attacker-controlled infrastructure, where it remains passive until further commands are received. An advanced NodeJS RAT variant was uncovered that is capable of tunneling malicious traffic through SOCKS5 proxies and uses XOR-based encryption for its communications. The campaign, known as KongTuke, uses compromised websites as initial access points. The malware employs anti-VM mechanisms, collects system information, and establishes persistence. It includes features for command execution, payload dropping, and covert communication; the RAT's capabilities extend to detailed system reconnaissance, remote command execution, and network traffic tunneling.

Date

  • Created: May 16, 2025, 8:51 a.m.
  • Published: May 16, 2025, 8:51 a.m.
  • Modified: May 21, 2025, 8:57 p.m.

Indicators

  • 64.94.84.217
  • https://rwanda-ventures-soil-trains.trycloudflare.com/cloudfla
  • https://rebecca-nylon-invention-ii.trycloudflare.com/cloudfll
  • https://lack-behind-came-verification.trycloudflare.com/cloudfla
  • https://compaq-hr-buyerswhere.trycloudflare.com/cloudfla
  • https://compaq-hr-buyers-where.trycloudflare.com/cloudfla
  • rwanda-ventures-soil-trains.trycloudflare.com
  • rebecca-nylon-invention-ii.trycloudflare.com
  • lack-behind-came-verification.trycloudflare.com
  • compaq-hr-buyerswhere.trycloudflare.com
  • compaq-hr-buyers-where.trycloudflare.com

Attack Patterns

  • NodeJS RAT
  • KongTuke