Malvertising Campaign Deploys Node.js Malware

Microsoft has identified a new malvertising campaign that uses cryptocurrency-themed ads as a lure to deliver Node.js-based malware to victims. The malware uses a scheduled task to maintain persistence and can exfiltrate data and deliver additional payloads.
Why it Matters: The campaign is a typical malvertising scheme in which the attackers use a series of malicious ads to lure victims to a malicious website. The ads use various crypto themes as lures and eventually entice the victims to download what appears to be a legitimate software package. The package is malicious, of course, and delivers malware built on Node.js, the popular JavaScript runtime environment. Node.js malware is becoming an increasingly popular attack technique.
Key Details
Microsoft identified the campaign in October and said it is still active as of April 2025.
“In this campaign, the downloaded installer contains a malicious DLL that gathers system information and sets up a scheduled task for persistence. This sets the stage for its other techniques and activities, such as defense evasion, data collection, and payload delivery and execution,” Microsoft’s researchers said.
“When launched, the installer loads the DLL, which then gathers basic system information through a Windows Management Instrumentation (WMI) query and creates a scheduled task to ensure persistence of a PowerShell command. Simultaneously, the DLL launches a decoy by opening an msedge_proxy window that displays a legitimate cryptocurrency trading website,” the researchers said.
The malware uses some PowerShell commands to prevent Microsoft Defender from detecting its operations.
The malware collects various information from the infected machine, including Windows information, BIOS data, system information, and OS information.
The malware also downloads a second-stage file that adds certificates to the device and can read and potentially steal browser data.
Microsoft said it has also observed attackers using malicious scripts run directly through Node.js to run malware.
“One observed instance of this method was through a ClickFix social engineering attack, which attempts to deceive users into executing a malicious PowerShell command. This command initiates the download and installation of multiple components, including the Node.js binary (node.exe) and additional required modules. Once all the files are in place, the PowerShell script uses the Node.js environment to execute JavaScript code directly in the command, rather than running it from a file,” Microsoft said.
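The behaviours described above (a scheduled task that persists a PowerShell command, PowerShell used to blind Defender, and node.exe executing JavaScript passed on the command line rather than from a file) all show up in process-creation telemetry. The following is an added detection example written for this post; it is not Microsoft's code or detection logic and is not taken from the campaign. The event records, file paths and command lines are constructed for illustration, and the assumption that the Defender evasion step is an `Add-MpPreference -Exclusion*` call is ours, since the post does not say which PowerShell commands the malware uses.

```python
"""Flag the process-level behaviours from the Node.js malvertising write-up
over constructed process-creation events (e.g. Sysmon Event ID 1 fields)."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str   # image of the process that spawned this one
    image: str          # image of the created process
    command_line: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_scheduled_task_running_powershell(e: ProcessEvent) -> bool:
    # schtasks /create ... /tr "<powershell command>": persistence of a PowerShell command
    if _basename(e.image) != "schtasks.exe":
        return False
    cl = e.command_line.lower()
    return "/create" in cl and re.search(r'/tr\s+"?[^"]*powershell', cl) is not None


def is_defender_exclusion_added(e: ProcessEvent) -> bool:
    # Assumption (not stated in the post): Defender is blinded via Add-MpPreference -Exclusion*
    if _basename(e.image) not in ("powershell.exe", "pwsh.exe"):
        return False
    return re.search(r"add-mppreference\b.*-exclusion", e.command_line, re.I) is not None


def is_node_inline_javascript(e: ProcessEvent) -> bool:
    # node.exe -e / --eval "<code>": JavaScript supplied on the command line, not from a file
    if _basename(e.image) != "node.exe":
        return False
    return re.search(r"(^|\s)(-e|--eval)(\s|$)", e.command_line) is not None


def is_node_spawned_by_powershell(e: ProcessEvent) -> bool:
    # Weak on its own (developers do this); useful as a correlation signal with the rule above
    return _basename(e.image) == "node.exe" and \
        _basename(e.parent_image) in ("powershell.exe", "pwsh.exe")


RULES: Dict[str, Callable[[ProcessEvent], bool]] = {
    "scheduled_task_runs_powershell": is_scheduled_task_running_powershell,
    "defender_exclusion_added": is_defender_exclusion_added,
    "node_inline_javascript": is_node_inline_javascript,
    "node_spawned_by_powershell": is_node_spawned_by_powershell,
}


def classify(e: ProcessEvent) -> List[str]:
    """Names of every rule the event matches, in RULES order."""
    return [name for name, rule in RULES.items() if rule(e)]


def scan(events: List[ProcessEvent]) -> Dict[str, List[str]]:
    """Map each rule name to the command lines that triggered it."""
    hits: Dict[str, List[str]] = {name: [] for name in RULES}
    for e in events:
        for name in classify(e):
            hits[name].append(e.command_line)
    return hits


# Constructed sample telemetry; paths and task names are placeholders, not campaign IoCs.
SAMPLE_EVENTS = [
    ProcessEvent("installer.exe", r"C:\Windows\System32\schtasks.exe",
                 r'schtasks.exe /create /tn "SystemUpdate" /tr "powershell.exe -WindowStyle Hidden '
                 r'-File C:\Users\Public\update.ps1" /sc onlogon'),
    ProcessEvent("powershell.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -Command Add-MpPreference -ExclusionPath C:\Users\Public"),
    ProcessEvent("powershell.exe", r"C:\Users\Public\node\node.exe",
                 'node.exe -e "console.log(process.version)"'),
    ProcessEvent("cmd.exe", r"C:\Program Files\nodejs\node.exe", "node.exe server.js"),   # benign
    ProcessEvent("explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -Command Get-MpPreference"),                             # benign
]

if __name__ == "__main__":
    for rule_name, cmds in scan(SAMPLE_EVENTS).items():
        print(f"{rule_name}: {len(cmds)} hit(s)")
        for cmd in cmds:
            print(f"    {cmd}")
```

The node-spawned-by-PowerShell rule is deliberately kept separate from the inline-JavaScript rule: on a developer workstation the former fires constantly, but the two together on a machine that also just added a Defender exclusion and a logon-triggered scheduled task is the chain the post describes.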