Pierluigi Paganini April 17, 2025

Microsoft warns of a malvertising campaign using Node.js to deliver info-stealing malware via fake crypto trading sites like Binance and TradingView.

Microsoft has observed Node.js increasingly used in malware campaigns since October 2024, including an ongoing crypto-themed malvertising attack as of April 2025.

Threat actors are increasingly using Node.js to deploy malware, shifting from traditional scripts like Python or PHP. Node.js allows attackers to blend malicious code with legitimate apps, bypass security tools, and persist in systems. Node.js is an open-source, cross-platform JavaScript runtime environment that allows JavaScript code to run outside of a web browser. Though less common today, Node.js-based threats are becoming a notable part of the evolving attack landscape.

In April Node.js attacks, threat actors use malvertising to lure users to fake sites offering malicious installers disguised as legitimate software. Once executed, the installer drops a malicious DLL (“CustomActions.dll”) that collects system data via WMI, ensures persistence via scheduled tasks, and uses PowerShell commands for defense evasion and further payload delivery.

Then the DLL launches a decoy by opening an msedge_proxy window that displays a legitimate cryptocurrency trading website.

“The created scheduled task runs PowerShell commands designed to exclude both the PowerShell process and the current directory from being scanned by Microsoft Defender for Endpoint.” reads the report published by Microsoft. “This action prevents subsequent PowerShell executions from being flagged, allowing the attack to continue undisturbed.”

This attack uses obfuscated PowerShell scripts to fetch code from remote URLs, gather detailed system and BIOS info, package it as JSON, and send it to the attacker’s C2 server.

In this attack phase, a PowerShell script downloads an archive from the command-and-control server containing the Node.js runtime and a compiled JavaScript file. The Node.js executable runs the script, which establishes network connections and likely extracts sensitive browser data.

Another notable technique observed by researchers in recent campaign employs inline JavaScript execution via Node.js to deploy malicious payloads. In a documented instance, attackers used a ClickFix social engineering tactic to trick users into running a PowerShell command that downloads and installs Node.js components. The script then executes JavaScript directly through Node.js, enabling network reconnaissance, disguising command-and-control traffic as legitimate Cloudflare activity, and achieving persistence by modifying registry run keys.

Microsoft also provided a set of recommendations to mitigate threats associated with Node.js misuse.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, newsletter)