In a recent wave of cyberattacks observed since October 2024, Microsoft Defender Experts (DEX) have reported an uptick in the use of Node.js—a popular JavaScript runtime environment—by threat actors to deliver sophisticated malware payloads, particularly targeting cryptocurrency enthusiasts and traders.
These campaigns, still active as of April 2025, highlight a notable shift in attacker tactics, leveraging both compiled JavaScript and direct command-line execution to evade traditional security measures and exfiltrate sensitive data.
Node.js: From Development Staple to Cyber Threat Vector
Node.js, known for its versatility in building both front-end and back-end applications, is now being exploited by cybercriminals to blend malicious code with legitimate software.
This approach allows malware to bypass conventional endpoint security controls, persist within target environments, and execute complex attack chains with minimal detection.
Malvertising and Initial Access
The primary attack vector identified involves malvertising—malicious advertisements that redirect users to fraudulent websites.

These sites, often themed around cryptocurrency trading platforms like Binance or TradingView, entice users to download installers masquerading as legitimate software.
Unbeknownst to victims, these installers are typically built using WiX and contain a malicious DLL (CustomActions.dll) that initiates the infection process.
Upon execution, the DLL gathers system information via Windows Management Instrumentation (WMI) queries and establishes persistence by creating a scheduled task to run PowerShell commands.
To maintain the illusion of legitimacy, a decoy window is launched, displaying the actual trading platform’s website.
Defense Evasion and Persistence
The scheduled task executes PowerShell commands that exclude both the PowerShell process and the current working directory from Microsoft Defender for Endpoint scans.
This maneuver allows subsequent malicious scripts to run undetected.
Attackers further utilize obfuscated PowerShell commands to fetch and execute additional scripts from remote command-and-control (C2) servers, enhancing their ability to evade detection.
Data Collection and Exfiltration
Once established, the malware collects a comprehensive set of system, BIOS, OS, and user data—including registered owner, installed software, email addresses, hardware specifications, and network details.
This information is structured into nested hash tables, converted to JSON, and sent via HTTP POST to the attacker’s C2 infrastructure.
Payload Delivery and Execution
The next stage involves downloading an archive from the C2 server containing the Node.js runtime (node.exe), a compiled JavaScript file (.jsc), and supporting modules.
Proxy settings are disabled in the Windows registry to facilitate outbound connections.
The Node.js executable then launches the malicious .jsc file, which loads additional libraries, establishes network connections, and may exfiltrate sensitive browser data—potentially enabling credential theft and further compromise.
Emerging Techniques: Inline Script Execution
A noteworthy evolution in these campaigns is the use of inline JavaScript execution.
Attackers deploy PowerShell scripts to download Node.js binaries and required modules, then execute JavaScript code directly via Node.js, bypassing the need for physical script files.
This technique aids in network discovery, disguises C2 traffic as legitimate Cloudflare activity, and achieves persistence through registry modifications.
Detection, Mitigation, and Recommendations
Microsoft Defender XDR and Microsoft Sentinel provide advanced detection capabilities, including hunting queries for suspicious Node.js activity, PowerShell task scheduling, and anomalous network communications.
Key MITRE ATT&CK techniques observed include T1189 (Drive-by Compromise), T1053.005 (Scheduled Task), T1027 (Obfuscated Files), and T1041 (Exfiltration Over C2 Channel).
Recommended actions for organizations include:
- Educating users about the risks of downloading software from unverified sources
- Monitoring unauthorized Node.js execution
- Enforcing comprehensive PowerShell logging
- Implementing endpoint detection and response (EDR/XDR) solutions
- Restricting outbound C2 communications via firewall rules
- Enabling cloud-delivered protection and tamper protection features in antivirus solutions
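As an added example (not code from the report or from Microsoft), the following Python triage function turns the hunting ideas above into checks run over a few constructed process-creation events: Defender exclusions added from PowerShell, a scheduled task that launches PowerShell, and node.exe executed from a user-writable directory, spawned by PowerShell, or given an inline script. The event fields, the regular expressions and the approved Node.js install directory are assumptions, not values published with the report.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    """One process-creation record (fields modelled on a typical EDR event)."""
    host: str
    parent: str   # image name of the parent process
    image: str    # full path of the new process
    cmdline: str

# Heuristics drawn from the chain described above. The patterns are assumptions
# about what the command lines look like, not signatures taken from the report.
EXCLUSION_RE = re.compile(r"Add-MpPreference\b.*-Exclusion(Path|Process|Extension)", re.I)
SCHTASK_PS_RE = re.compile(r"schtasks(\.exe)?\s+/create\b.*powershell", re.I)
INLINE_NODE_RE = re.compile(r"\s(-e|--eval|-p|--print)\s")   # node's inline-script flags
NODE_INSTALL_DIR = "c:\\program files\\nodejs\\"              # assumed approved location

def classify(ev):
    """Return finding tags for one event; an empty list means nothing notable."""
    tags = []
    img = ev.image.lower()
    if img.endswith("powershell.exe") and EXCLUSION_RE.search(ev.cmdline):
        tags.append("defender-exclusion-from-powershell")
    if SCHTASK_PS_RE.search(ev.cmdline):
        tags.append("scheduled-task-runs-powershell")
    if img.endswith("node.exe"):
        if not img.startswith(NODE_INSTALL_DIR):
            tags.append("node-outside-install-dir")
        if INLINE_NODE_RE.search(" " + ev.cmdline + " "):
            tags.append("node-inline-script")
        if ev.parent.lower().endswith("powershell.exe"):
            tags.append("node-spawned-by-powershell")
    return tags

def triage(events):
    """Keep only events with at least one finding, for an analyst to review."""
    return [(ev.host, ev.image, t) for ev in events if (t := classify(ev))]

# Constructed sample events: three stages of the described chain plus a benign baseline.
SAMPLE_EVENTS = [
    ProcEvent("ws01", "svchost.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -NoP -W Hidden -c "Add-MpPreference -ExclusionProcess powershell.exe; Add-MpPreference -ExclusionPath C:\Users\u\AppData\Local\Temp\tv"'),
    ProcEvent("ws01", "msiexec.exe", r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /sc onlogon /tn TVUpdate /tr "powershell.exe -w hidden -f C:\Users\u\AppData\Local\Temp\tv\u.ps1"'),
    ProcEvent("ws01", "powershell.exe", r"C:\Users\u\AppData\Local\Temp\tv\node.exe",
              'node.exe -e "require(\'os\').networkInterfaces()"'),
    ProcEvent("ws02", "explorer.exe", r"C:\Program Files\nodejs\node.exe", "node.exe server.js"),
]
```

Calling `triage(SAMPLE_EVENTS)` returns the three suspicious events with their tags and drops the benign baseline.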
As Node.js-based malware campaigns become increasingly sophisticated, organizations must adapt their security postures to detect and mitigate these emerging threats, ensuring robust protection for users and critical data assets.