Since October 2024, Microsoft has observed a concerning rise in the use of Node.js in malware campaigns, including a sharp increase in crypto-themed malvertising attacks as of April 2025. As cybercriminals adapt and innovate, they are leveraging the versatility and stealth of Node.js to circumvent security defenses and deploy more sophisticated attacks. This shift away from more familiar malware tooling, such as Python- or PHP-based payloads, highlights the evolving nature of cybersecurity threats and the need for continuous vigilance in the face of new tactics and tools.
Node.js, a cross-platform, open-source JavaScript runtime environment, has found its place in malware campaigns due to its ability to run JavaScript outside the confines of a web browser. While not as common in malicious campaigns as other scripting languages, Node.js is quickly becoming a significant part of the attack landscape.
A New Era of Malvertising Attacks
In April 2025, Microsoft reported a rise in malvertising attacks that utilize Node.js. These attacks typically involve luring victims to fake websites that offer malicious installers disguised as legitimate software. Once executed, the installer drops a malicious Dynamic Link Library (DLL) file named “CustomActions.dll.” This DLL file plays a crucial role in the attack, performing multiple functions to maintain persistence on the system and evade detection.
The DLL collects system data using Windows Management Instrumentation (WMI) and keeps the malicious software on the system by creating scheduled tasks. These tasks execute PowerShell commands designed to avoid detection by Microsoft Defender for Endpoint; this evasion step prevents subsequent PowerShell executions from being flagged, allowing the attack to continue undetected.
As the attack progresses, the malicious DLL opens a decoy by launching a browser window displaying a legitimate cryptocurrency trading site, tricking users into thinking everything is normal. The malware then uses obfuscated PowerShell scripts to communicate with a remote Command-and-Control (C2) server, sending back detailed system and BIOS information in JSON format.
Additionally, these attacks use Node.js to download further malicious code. In one instance, an attacker used a PowerShell command to install Node.js components and execute inline JavaScript directly through Node.js. This method enables attackers to conduct network reconnaissance, disguise their C2 traffic as legitimate Cloudflare activity, and achieve persistence by modifying the system’s registry keys.
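The process chain described above (scheduled task, hidden or encoded PowerShell, Node.js evaluating script text passed inline) gives defenders something concrete to hunt for in process-creation telemetry. The following is an added example written for this article, not code from Microsoft or from the campaign: it runs three simple rules over constructed events, and the "expected install directory" rule is an assumption that a production Node.js install lives under Program Files.

```python
import re

# Constructed process-creation events (not real telemetry), modelled on the chain
# described above: Task Scheduler -> hidden PowerShell -> Node.js running inline JavaScript.
SAMPLE_EVENTS = [
    {"id": 1, "parent_image": r"C:\Windows\System32\svchost.exe",
     "parent_cmdline": "svchost.exe -k netsvcs -p -s Schedule",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand SQBFAFgAIAAoAE4A"},
    {"id": 2, "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_cmdline": "powershell.exe -NoProfile -WindowStyle Hidden",
     "image": r"C:\Users\Public\node\node.exe",
     "cmdline": "node.exe -e \"const net=require('net'); /* inline script body */\""},
    {"id": 3, "parent_image": r"C:\Windows\explorer.exe", "parent_cmdline": "explorer.exe",
     "image": r"C:\Program Files\nodejs\node.exe", "cmdline": "node.exe server.js"},  # benign dev use
    {"id": 4, "parent_image": r"C:\Windows\explorer.exe", "parent_cmdline": "explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile Get-Process"},  # benign admin use
]

# Match on the executable basename so the rules hold for any install directory.
POWERSHELL = re.compile(r"(?:^|\\)(?:powershell|pwsh)\.exe$", re.I)
NODE = re.compile(r"(?:^|\\)node\.exe$", re.I)
SCHEDULER_SVC = re.compile(r"svchost\.exe.*\s-s\s+Schedule\b", re.I)
# Hidden window or an encoded payload (PowerShell accepts -e/-ec/-enc/-EncodedCommand).
HIDDEN_OR_ENCODED = re.compile(
    r"-(?:w(?:indowstyle)?\s+hidden|e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,})", re.I)
# Node.js evaluating script text from the command line instead of a file on disk.
NODE_INLINE = re.compile(r"\s(?:-e|--eval|-p|--print)\s", re.I)
# Assumption: a legitimate Node.js install lives under Program Files; anything else is suspicious.
NODE_EXPECTED_DIR = re.compile(r"^C:\\Program Files(?: \(x86\))?\\nodejs\\", re.I)


def classify(event):
    """Return the names of the detection rules an event triggers (empty list if none)."""
    hits = []
    if POWERSHELL.search(event["image"]):
        if SCHEDULER_SVC.search(event["parent_cmdline"]) and HIDDEN_OR_ENCODED.search(event["cmdline"]):
            hits.append("scheduled_task_spawns_hidden_or_encoded_powershell")
    if NODE.search(event["image"]):
        if POWERSHELL.search(event["parent_image"]) and NODE_INLINE.search(event["cmdline"]):
            hits.append("powershell_runs_inline_nodejs_script")
        if not NODE_EXPECTED_DIR.match(event["image"]):
            hits.append("nodejs_outside_expected_install_dir")
    return hits


def analyze(events):
    """Map event id -> triggered rules, keeping only events that fired at least one rule."""
    return {e["id"]: hits for e in events if (hits := classify(e))}
```

Events 1 and 2 fire; the benign developer and administrator events 3 and 4 stay silent, which is the false-positive check any such rule needs before it goes into production.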
What Undercode Says:
Node.js’s rise in malicious campaigns marks a significant shift in the tactics used by cybercriminals. Historically, scripting languages like Python and PHP have been the go-to tools for malware developers. However, Node.js provides a unique advantage, allowing attackers to hide malicious code within legitimate applications, bypass security software, and execute commands with greater stealth. Its cross-platform nature means that it can target a variety of systems, from Windows to Linux and macOS, making it an ideal tool for wide-reaching attacks.
The complexity of these attacks is also noteworthy. They often involve multiple layers of obfuscation, evasion techniques, and persistence strategies, making them harder to detect and mitigate. PowerShell’s involvement further complicates detection, as it is a legitimate system tool that administrators use for many routine tasks. Attackers can abuse PowerShell’s capabilities to execute commands without triggering security alarms.
Moreover, these Node.js-based campaigns also demonstrate a growing trend of social engineering tactics. The ClickFix example highlights how attackers manipulate users into running malicious scripts disguised as routine actions. By leveraging the trust users place in legitimate-looking software and websites, cybercriminals can bypass even the most robust security defenses.
The shift to Node.js and the use of malvertising are part of a broader trend in which attackers are adopting more sophisticated methods to evade detection and maximize the impact of their campaigns. As cybersecurity professionals continue to develop new defenses, threat actors will inevitably evolve their techniques to stay one step ahead.
Fact Checker Results:
- Node.js in Malware: Node.js has indeed become a tool for more advanced malware campaigns, offering unique advantages such as stealth and persistence.
- Crypto-Themed Malvertising: The reported crypto-themed malvertising campaigns involving Node.js are verified by Microsoft’s findings.
- PowerShell Evasion: The use of PowerShell to evade detection is a well-documented tactic, particularly in sophisticated malware campaigns.
References:
Reported By: securityaffairs.com