Tag: node.js

21 Attack Reports | 0 Vulnerabilities

Attack reports

EtherRAT & SYS_INFO Module: C2 on Ethereum (EtherHiding), Target Selection, CDN-Like Beacons

EtherRAT, a Node.js-based backdoor linked to a North Korean APT group, was detected in a retail customer's environment. It allows arbitrary command execution, extensive system information gathering, and asset theft. The malware uses 'EtherHiding' to store C2 addresses in Ethereum smart contracts, m…
backdoor
node.js
ethereum
etherrat
etherhiding
2026-03-26
cdn-like beaconing
cis language check
host fingerprinting
it support scams
sys_info module
Published: March 26, 2026
Downloadable IOCs: 10

Developer-targeting campaign using malicious Next.js repositories

A coordinated campaign is targeting developers through malicious repositories disguised as legitimate Next.js projects and technical assessment materials. The attack uses multiple entry points that lead to runtime retrieval and local execution of attacker-controlled JavaScript, transitioning into s…
javascript
node.js
remote code execution
command-and-control
visual studio code
next.js
2026-02-24
developer-targeting
environment variable exfiltration
Published: February 24, 2026
Downloadable IOCs: 4

Threat Actors Expand Abuse of Microsoft Visual Studio Code

North Korean threat actors have evolved their techniques in the Contagious Interview campaign, now abusing Microsoft Visual Studio Code task configuration files. The infection chain begins when a victim opens a malicious Git repository, often disguised as part of a recruitment process. If trust is …
backdoor
macos
javascript
node.js
c2
github
contagious interview
visual studio code
2026-01-21
gitlab
Published: January 21, 2026
Downloadable IOCs: 8

GachiLoader: Defeating Node.js Malware with API Tracing

A new malware distribution campaign utilizing compromised YouTube accounts to spread infostealers has been identified. The campaign employs GachiLoader, a heavily obfuscated Node.js loader, to deploy the Rhadamanthys infostealer. GachiLoader implements anti-analysis techniques and uses a novel PE i…
malware
obfuscation
rhadamanthys
infostealer
anti-analysis
node.js
youtube
2025-12-17
api tracing
gachiloader
kidkadi
pe injection
Published: December 17, 2025
Downloadable IOCs: 10

Stories from the SOC: Mystery of the postponed proxyware install

A suspicious PowerShell alert led to the discovery of an attack chain aimed at installing proxyware on a compromised system. The infection originated from a disk-cleaning utility installed three days prior, which included malicious scripts and established a connection to a C2 server. The attack uti…
powershell
node.js
c2 server
in-memory execution
proxyware
2025-11-24
download cradle
unauthorized software
disk-cleaning utility
Published: November 24, 2025
Downloadable IOCs: 5

The Tsundere botnet uses the Ethereum blockchain to infect its targets

The Tsundere botnet, discovered in mid-2025, is an active threat targeting Windows users. It utilizes the Ethereum blockchain to retrieve C2 addresses and employs Node.js for its operations. The botnet spreads through MSI installers and PowerShell scripts, often disguised as popular games. It uses …
powershell
javascript
node.js
botnet
msi
ethereum
websocket
2025-11-20
123 stealer
aes-256
tsundere bot
koneko
tsundere
Published: November 20, 2025
Downloadable IOCs: 21

New Stealit Campaign Abuses Node.js Single Executable Application

A new Stealit malware campaign has been discovered that utilizes Node.js' Single Executable Application feature to distribute payloads. The campaign bundles malicious scripts into standalone binaries, allowing execution without requiring a pre-installed Node.js runtime. The malware is distributed a…
obfuscation
rat
cryptocurrency
anti-analysis
node.js
information theft
2025-10-11
single executable application
stealit
Published: October 11, 2025
Downloadable IOCs: 12

Fake Online Speedtest Application

An analysis of several Windows applications masquerading as legitimate utilities reveals a covert malware operation. These apps, including fake speed testers and AI search tools, install a Node.js runtime and execute obfuscated JavaScript via scheduled tasks. The malware communicates with a command…
node.js
scheduled tasks
evilai
fake applications
2025-09-25
javascript payload
Published: September 25, 2025
Downloadable IOCs: 170

NodeJS backdoors delivering proxyware and monetization schemes

This report details a campaign involving NodeJS backdoors used to distribute proxyware and monetization schemes. The attackers employ Inno setup installers to drop PowerShell scripts that download and execute NodeJS packages with malicious JavaScript. The backdoors collect system information, commu…
backdoor
powershell
proxyware
browser extension
nodejs
honeygain
infatica
2025-09-24
packetlab
monetization
Published: September 24, 2025
Downloadable IOCs: 0

AppSuite, OneStart & ManualFinder: The Nexus of Deception

This analysis reveals connections between three seemingly distinct malicious programs: AppSuite, OneStart, and ManualFinder. The investigation uncovers shared server infrastructure and similar installation patterns, indicating that these programs are likely created by the same threat actor. OneStar…
powershell
node.js
infrastructure
appsuite
manualfinder
2025-09-16
browser-extension
cloudfront
onestart
desktopbar
browserassistant
Published: September 16, 2025
Downloadable IOCs: 0

AI-Generated Code and Fake Apps Used for Far-Reaching Attacks

A new malware campaign called EvilAI is spreading globally by disguising itself as legitimate AI-enhanced productivity tools. The malware uses AI-generated code and professional interfaces to evade detection, targeting organizations across sectors like manufacturing, government, and healthcare. It …
obfuscation
persistence
node.js
trojan
credential theft
command and control
2025-09-12
ai-generated code
evilai
fake applications
Published: September 12, 2025
Downloadable IOCs: 14

Traps Beneath Fault Repair: Analysis of Recent Attacks Using ClickFix Technique

Lazarus, an APT group with suspected East Asian origins, has recently employed the ClickFix social engineering technique in their phishing attacks. The group, known for targeting financial institutions and cryptocurrency exchanges, now uses fake job opportunities to lure victims to interview websit…
phishing
social engineering
windows
macos
node.js
clickfix
beavertail
invisibleferret
2025-09-01
apt-q-1
Published: September 1, 2025
Downloadable IOCs: 18

Proxyware Malware Being Distributed on YouTube Video Download Site

A malicious campaign is targeting users through fake YouTube video download sites, distributing Proxyware malware. The attack involves a downloader disguised as WinMemoryCleaner, which installs NodeJS and runs malicious JavaScript. This script then installs various Proxyware programs, including Dig…
malware
javascript
youtube
downloader
c&c
digitalpulse
proxyware
task scheduler
nodejs
2025-08-22
honeygain
bandwidth
infatica
Published: August 22, 2025
Downloadable IOCs: 0

A Cereal Offender: Analyzing the CORNFLAKE.V3 Backdoor

This analysis details a campaign involving two threat groups, UNC5518 and UNC5774, deploying the CORNFLAKE.V3 backdoor. UNC5518 compromises legitimate websites to serve fake CAPTCHA pages, luring visitors to execute a downloader script. UNC5774 then uses this access to deploy CORNFLAKE.V3, a sophis…
backdoor
node.js
clickfix
php
2025-08-21
cornflake.v3
windytwist.sea
kerberoasting
Published: August 21, 2025
Downloadable IOCs: 0

MaaS Appeal: An Infostealer Rises From The Ashes

NOVABLIGHT is a NodeJS-based Malware-as-a-Service (MaaS) information stealer developed by a French-speaking threat group. It's sold as an educational tool but used for credential theft and cryptowallet compromise. The malware features heavy obfuscation, multiple anti-analysis techniques, and variou…
obfuscation
infostealer
anti-analysis
electron
credential theft
data exfiltration
maas
nodejs
2025-07-31
nova sentinel
malicord
novablight
Published: July 31, 2025
Downloadable IOCs: 8

Sealed Chain of Deception: Actors leveraging Node.JS to Launch JSCeal

A sophisticated malware campaign called JSCEAL is targeting cryptocurrency users through fake apps impersonating popular trading platforms. The attackers use malicious ads to lure victims into downloading installers that deploy a multi-stage infection chain. This includes PowerShell scripts for pro…
evasion
malvertising
powershell
cryptocurrency
stealer
node.js
multi-stage
fake apps
2025-07-31
jsceal
jsc
Published: July 31, 2025
Downloadable IOCs: 268

Yet Another NodeJS Backdoor (YaNB): A Modern Challenge

A resurgence in malicious campaigns exploiting deceptive CAPTCHA verifications has been observed, tricking users into executing NodeJS-based backdoors and deploying sophisticated Remote Access Trojans. The attack begins with a malicious NodeJS script connecting to attacker-controlled infrastructure…
backdoor
rat
persistence
captcha
anti-vm
xor encryption
system reconnaissance
2025-05-16
nodejs
socks5 proxy
nodejs rat
kongtuke
Published: May 16, 2025
Downloadable IOCs: 11

Threat actors misuse Node.js to deliver malware and other malicious payloads

Since October 2024, threat actors have been leveraging Node.js to deliver malware and payloads for information theft and data exfiltration. A recent malvertising campaign uses cryptocurrency trading themes to lure users into downloading malicious installers. The attack chain includes initial access…
node.js
remcos
latrodectus
stilachirat
ahkbot
2025-04-15
raccoono365
Published: April 15, 2025
Downloadable IOCs: 0

Malicious Packages Identified in the Wild: Insights and Trends from November 2024 Onward

FortiGuard Labs has analyzed malicious software packages detected from November 2024 to March 2025, revealing various attack techniques used to exploit system vulnerabilities. Key findings include 1,082 packages with low file counts, 1,052 packages with suspicious install scripts, and 1,043 package…
obfuscation
python
typosquatting
node.js
backdoors
data exfiltration
vulnerability exploitation
2025-03-10
install scripts
software packages
Published: March 10, 2025
Downloadable IOCs: 11

NodeLoader Exposed: The Node.js Malware Evading Detection

Zscaler ThreatLabz discovered a malware campaign using Node.js applications for Windows to distribute cryptocurrency miners and information stealers. Named NodeLoader, this malware family employs Node.js compiled executables to deliver second-stage payloads like XMRig, Lumma, and Phemedrone Stealer…
social engineering
node.js
lumma stealer
evasion techniques
information stealers
2024-12-13
game streaming
cryptocurrency miners
nodeloader
Published: December 13, 2024
Downloadable IOCs: 0

Distribution of Infostealer Made With Electron

AhnLab Security Intelligence Center (ASEC) has discovered an Infostealer malware strain developed using the Electron framework, which allows the creation of applications using JavaScript, HTML, and CSS. The malware is distributed through Nullsoft Scriptable Install System (NSIS) installer format. O…
infostealer
javascript
node.js
electron
Published: April 30, 2024
Downloadable IOCs: 1
Click here to see more Attack Reports