Threat actors misuse Node.js to deliver malware and other malicious payloads

Severity: Medium
Published: Tue Apr 15 2025 (04/15/2025, 20:46:36 UTC)
Source: AlienVault OTX

Description

Since October 2024, threat actors have been leveraging Node.js to deliver malware and payloads for information theft and data exfiltration. A recent malvertising campaign uses cryptocurrency trading themes to lure users into downloading malicious installers. The attack chain includes initial access, persistence, defense evasion, data collection, and payload delivery. The malware gathers system information, sets up scheduled tasks, and uses PowerShell for various malicious activities. Another emerging technique involves inline JavaScript execution through Node.js. Recommendations include educating users, monitoring Node.js execution, enforcing PowerShell logging, and implementing endpoint protection.

AI-Powered Analysis

Last updated: 06/19/2025, 18:02:57 UTC

Technical Analysis

Since October 2024, threat actors have been abusing the Node.js runtime as a vehicle to deliver malware and other payloads aimed at information theft and data exfiltration. The campaign uses malvertising themed around cryptocurrency trading to lure users into downloading malicious installers. The attack chain is multi-staged: initial access through social engineering and the malicious download, persistence through scheduled tasks, then PowerShell scripts for defense evasion, system reconnaissance, data collection, and delivery of further payloads. A more recent technique is inline JavaScript execution through Node.js, where the code is handed to the runtime directly (on the command line or via standard input) rather than written to a script file, which leaves fewer artifacts on disk and sidesteps controls that only inspect script files. The families associated with this activity include ahkbot, remcos, latrodectus, stilachirat, and raccoono365, indicating a diverse toolkit rather than a single strain. The listed indicators of compromise are six hostnames under trycloudflare.com, the domain Cloudflare assigns to its free, on-demand quick tunnels; the hostnames are generated per tunnel and are therefore short-lived, and the attackers use them as command-and-control or payload distribution points. No Node.js vulnerability is exploited: the risk comes from abuse of legitimate Node.js functionality and PowerShell scripting, so patching alone does not address it, and the presence of a node.exe process is not by itself an indicator. The number of stages and the stealth of each make detection difficult without focused monitoring of script interpreters and behavioral endpoint protection.
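The inline-execution pattern described above can be turned into a concrete host-side check. The following PowerShell is an added example, not code from the Microsoft or AlienVault material: it classifies process command lines in which node.exe is given JavaScript directly (the -e/--eval and -p/--print flags, or a script read from stdin) rather than a script file, and reports the reasons. The sample command lines are constructed for illustration; the Sysmon query at the end applies the same function to live process-creation telemetry on hosts where Sysmon is installed.

```powershell
# Added example, not code from the Microsoft or AlienVault material. Flags process
# command lines in which node.exe runs inline JavaScript instead of a script file,
# which is the technique the analysis above describes. The sample command lines are
# constructed for illustration; the Sysmon query at the end is the live variant.

function Test-NodeInlineExecution {
    param([Parameter(Mandatory)][string]$CommandLine)

    # Only look at the Node.js runtime itself, wherever it was dropped on disk.
    if ($CommandLine -notmatch '(^|[\\/"\s])node(\.exe)?("|\s|$)') { return }

    $reasons = @()
    # -e/--eval and -p/--print take JavaScript source directly from the command line.
    if ($CommandLine -match '\s(-e|--eval|-p|--print)(\s|=)') { $reasons += 'inline eval flag' }
    # "node -" reads the script from stdin, which keeps the payload out of the command line.
    if ($CommandLine -match '(^|\s)node(\.exe)?"?\s+-\s*$') { $reasons += 'script read from stdin' }
    # Inline code that hands off to a shell or to PowerShell.
    if ($CommandLine -match 'child_process|execSync|spawn|powershell|Invoke-Expression|\bIEX\b') { $reasons += 'spawns shell or PowerShell' }
    # A runtime executed from a user-writable path instead of a managed install location.
    if ($CommandLine -match '\\(AppData|Temp|Downloads|ProgramData|Public)\\') { $reasons += 'runtime in user-writable path' }

    [pscustomobject]@{
        Suspicious  = ($reasons.Count -gt 0)
        Reasons     = ($reasons -join '; ')
        CommandLine = $CommandLine
    }
}

# Constructed samples: one benign developer invocation, two matching the campaign pattern,
# and one unrelated process that the function ignores.
$samples = @(
    '"C:\Program Files\nodejs\node.exe" C:\dev\app\server.js',
    'C:\Users\alice\AppData\Local\Temp\node.exe -e "require(''child_process'').execSync(''powershell -enc SQBFAFgA'')"',
    'node.exe -',
    'C:\Windows\System32\notepad.exe'
)
$samples | ForEach-Object { Test-NodeInlineExecution -CommandLine $_ } | Format-Table -AutoSize

# Live variant (hosts with Sysmon installed): process-creation events, Event ID 1.
# The CommandLine field is read from the event XML so the code does not depend on
# the property order of a particular Sysmon version.
if (Get-WinEvent -ListLog 'Microsoft-Windows-Sysmon/Operational' -ErrorAction SilentlyContinue) {
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -MaxEvents 5000 -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = ([xml]$_.ToXml()).Event.EventData.Data
            $cmd  = ($data | Where-Object { $_.Name -eq 'CommandLine' }).'#text'
            if ($cmd) { Test-NodeInlineExecution -CommandLine $cmd }
        } |
        Where-Object Suspicious |
        Format-Table -AutoSize
}
```

The benign sample returns Suspicious = False, the Temp-path sample matches three reasons, and the bare "node.exe -" invocation is caught by the stdin rule even though its command line contains no JavaScript at all. The same logic maps directly onto Windows Security Event ID 4688 if command-line auditing is enabled, or onto an EDR process-creation query.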

Potential Impact

European organizations face meaningful risk because Node.js is widely and legitimately used in web applications, development environments, and automation tooling across finance, technology, and manufacturing, so a node.exe process rarely stands out and its abuse blends in with normal activity. The cryptocurrency trading theme targets financial institutions and fintech companies, which are well represented in Europe. A successful compromise can lead to theft of sensitive data and intellectual property, and data exfiltration can trigger regulatory penalties under GDPR. The persistence and defense evasion techniques increase dwell time and complicate incident response, raising the risk of operational disruption and reputational damage. Footholds obtained through PowerShell and Node.js can also be used for lateral movement, potentially reaching critical infrastructure and broader enterprise environments. Organizations without comprehensive monitoring of scripting environments or advanced endpoint protection are the most exposed. Although the threat is rated medium severity, its sophistication and stealth warrant heightened vigilance to prevent significant confidentiality, integrity, and availability impacts.

Mitigation Recommendations

European organizations should implement the following targeted measures:

1) Enforce application control policies (AppLocker or WDAC) that restrict Node.js execution to approved binaries, scripts, and directories, so that a node.exe dropped into a user-writable location, or node.exe invoked with inline JavaScript, is blocked or at least logged.

2) Enhance network monitoring and DNS filtering to detect and block traffic to the identified malicious domains (the listed trycloudflare.com subdomains), leveraging threat intelligence feeds. Because these hostnames are generated per tunnel and rotate, also consider alerting on any resolution of *.trycloudflare.com from hosts that have no business need for Cloudflare quick tunnels.

3) Configure PowerShell constrained language mode and enable script block logging, module logging, and transcription to capture suspicious activity. Note that constrained language mode is only robust when enforced by an AppLocker or WDAC policy; setting it through an environment variable alone is trivially bypassed.

4) Deploy behavioral endpoint detection and response (EDR) capable of identifying anomalous Node.js and PowerShell behavior, including unusual process spawning (node.exe launching powershell.exe or cmd.exe) and scheduled task creation.

5) Conduct focused user awareness training on recognizing malvertising and social engineering, especially lures built around cryptocurrency trading.

6) Regularly audit scheduled tasks and startup items for unauthorized persistence, paying particular attention to actions that run interpreters with inline or encoded commands.

7) Apply multi-factor authentication and least privilege to limit the impact of credentials stolen during the attack chain.

These measures address the abuse of Node.js and PowerShell in this campaign and leverage its specific indicators and attack patterns to improve detection and response.
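Items 3) and 6) above can be applied and checked on a single host directly. The PowerShell below is an added example, not code from the Microsoft or AlienVault material: it enables PowerShell script block, module, and transcription logging through the same policy registry keys that Group Policy writes (at scale a GPO or Intune profile is the right vehicle), audits scheduled tasks whose actions match the campaign pattern, and checks the local DNS client cache for Cloudflare quick-tunnel hostnames. It must run from an elevated session. The transcript directory C:\PSTranscripts is an assumed location; pick one that non-administrators cannot read or delete.

```powershell
# Added example, not code from the Microsoft or AlienVault material. Implements items
# 3) and 6) above on a single Windows host. Run from an elevated PowerShell session.
# C:\PSTranscripts is an assumed transcript location; choose one that ordinary users
# cannot read or delete.

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Sub-key name -> value name -> value. Integers are written as DWORD, strings as REG_SZ.
$logging = @{
    'ScriptBlockLogging' = @{ EnableScriptBlockLogging = 1; EnableScriptBlockInvocationLogging = 1 }
    'ModuleLogging'      = @{ EnableModuleLogging = 1 }
    'Transcription'      = @{ EnableTranscripting = 1; EnableInvocationHeader = 1; OutputDirectory = 'C:\PSTranscripts' }
}

foreach ($subKey in $logging.Keys) {
    $path = Join-Path $policyRoot $subKey
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    foreach ($name in $logging[$subKey].Keys) {
        $value = $logging[$subKey][$name]
        $type  = if ($value -is [int]) { 'DWord' } else { 'String' }
        New-ItemProperty -Path $path -Name $name -Value $value -PropertyType $type -Force | Out-Null
    }
}
# Module logging also needs the list of modules to log; '*' covers all of them.
$moduleNames = Join-Path $policyRoot 'ModuleLogging\ModuleNames'
if (-not (Test-Path $moduleNames)) { New-Item -Path $moduleNames -Force | Out-Null }
New-ItemProperty -Path $moduleNames -Name '*' -Value '*' -PropertyType String -Force | Out-Null
# Script blocks are then recorded in Microsoft-Windows-PowerShell/Operational as Event ID 4104.

# Scheduled-task audit: actions that run node.exe with inline code, PowerShell with an
# encoded command, or any binary from a user-writable directory.
function Find-SuspiciousScheduledTask {
    $pattern = '(node(\.exe)?"?\s+(-e|--eval|-p|--print|-)(\s|$)|powershell.*\s-(e|ec|enc|encodedcommand)\s|\\(AppData|Temp|Downloads|ProgramData|Public)\\)'
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # Only Exec actions carry Execute/Arguments; COM-handler actions are skipped.
            if (-not $action.Execute) { continue }
            $command = "$($action.Execute) $($action.Arguments)".Trim()
            if ($command -match $pattern) {
                [pscustomobject]@{
                    TaskPath = $task.TaskPath
                    TaskName = $task.TaskName
                    Author   = $task.Author
                    State    = $task.State
                    Command  = $command
                }
            }
        }
    }
}
Find-SuspiciousScheduledTask | Format-Table -AutoSize

# Recent resolution of Cloudflare quick-tunnel hostnames (all listed IoCs are
# *.trycloudflare.com) still present in the local DNS client cache.
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $_.Entry -like '*.trycloudflare.com' } |
    Select-Object Entry, Data, TimeToLive
```

Treat any task reported by Find-SuspiciousScheduledTask as a lead rather than a verdict: legitimate software occasionally schedules PowerShell with encoded commands, so verify the Author, the binary's signature, and the task's creation time against the other artifacts of the chain. The DNS cache check only covers names resolved since the last cache flush or reboot; DNS server or resolver logs give the durable record.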

Technical Details

Author: AlienVault
TLP: WHITE
References:
https://www.microsoft.com/en-us/security/blog/2025/04/15/threat-actors-misuse-node-js-to-deliver-malware-and-other-malicious-payloads
Adversary: not specified
Indicators of Compromise

Domains (all Cloudflare quick-tunnel hostnames under trycloudflare.com):

casting-advisors-older-invitations.trycloudflare.com
complement-parliamentary-chairs-hc.trycloudflare.com
fotos-phillips-princess-baker.trycloudflare.com
investigators-boxing-trademark-threatened.trycloudflare.com
sublime-forecasts-pale-scored.trycloudflare.com
washing-cartridges-watts-flags.trycloudflare.com

Threat ID: 682c992c7960f6956616a891

Added to database: 5/20/2025, 3:01:00 PM

Last enriched: 6/19/2025, 6:02:57 PM

Last updated: 8/11/2025, 11:36:43 AM
