Microsoft has identified a malvertising campaign that employs Node.js to distribute malware disguised as cryptocurrency trading software. Detected in late 2024, this scheme convinces users to install a rogue installer from fraudulent sites. The malware embeds a dynamic-link library which collects system information and maintains persistence through scheduled tasks. PowerShell commands are used to download further malicious scripts while avoiding detection. Ultimately, the campaign collects extensive data and sends it to a command-and-control server, leveraging the Node.js runtime to siphon sensitive information from browsers.
The ongoing malvertising campaign uses Node.js to deliver malware disguised as cryptocurrency trading software, enabling information theft and data exfiltration.
The malicious installer masquerades as legitimate software, employing a dynamic-link library to harvest system information and set up persistence.