Intel Name: Nodeloader exposed: the node.js malware evading detection
Date of Scan: December 16, 2024
Impact: High
Summary: A malware campaign was identified that uses Node.js applications on Windows to deliver cryptocurrency miners and information stealers. Dubbed NodeLoader, this malware family uses Node.js-compiled executables to distribute second-stage payloads, including XMRig, Lumma, and Phemedrone Stealer. While Node.js is widely used for developing web-based services such as chat applications and online gaming platforms, it is less commonly employed for building native client-side applications for desktop systems. Consequently, antivirus solutions have limited signatures for Node.js-based malware. In this blog, we examine NodeLoader in detail and highlight the innovative techniques used by the threat actors.