Since October 2024, Microsoft Defender Experts (DEX) has observed and helped multiple customers address campaigns that use Node.js to deliver malware and other payloads, ultimately leading to information theft and data exfiltration. While traditional scripting languages like Python, PHP, and AutoIT remain widely used in threats, threat actors are now also using compiled JavaScript, or running scripts directly from the command line with Node.js, to facilitate malicious activity. This shift in tactics, techniques, and procedures (TTPs) suggests that although Node.js-based malware is not yet as prevalent, it is quickly becoming part of the continuously evolving threat landscape.
Node.js is an open-source, cross-platform JavaScript runtime environment that allows JavaScript code to run outside of a web browser. It’s widely used and trusted by developers because it lets them build frontend and backend applications. However, threat actors are also leveraging these Node.js characteristics to try to blend malware with legitimate applications, bypass conventional security controls, and persist in target environments.
One of the most recent attacks we’ve observed using Node.js is a malvertising campaign with a cryptocurrency trading theme that attempts to lure users into downloading a malicious installer disguised as legitimate software. The campaign is still active as of April 2025. This blog details its attack chain, gives an example of the emerging inline script execution technique, and includes recommendations to help users and defenders reduce the impact of these attacks in their environments.
Malvertising has been one of the most prevalent techniques in Node.js attacks we’ve observed in customer environments. Attackers use malvertising campaigns to lure targets to fraudulent websites, where the targets then unknowingly download a malicious installer disguised as legitimate software. These fake websites often take advantage of popular themes such as financial services, software updates, and trending applications.
In this campaign, the downloaded installer contains a malicious DLL that gathers system information and sets up a scheduled task for persistence. This sets the stage for its other techniques and activities, such as defense evasion, data collection, and payload delivery and execution.
Figure 1. Overview of the malvertising campaign leveraging Node.js
Initial access and persistence
This campaign uses malicious ads with a cryptocurrency trading theme to lure the target into visiting a website and downloading a malicious installer disguised as a legitimate installer for cryptocurrency-trading platforms such as Binance or TradingView. The installer is a WiX-built package containing a malicious CustomActions.dll. When launched, the installer loads the DLL, which gathers basic system information through a Windows Management Instrumentation (WMI) query and creates a scheduled task that runs a PowerShell command, giving the attacker persistence. At the same time, the DLL opens a decoy msedge_proxy window that displays a legitimate cryptocurrency trading website.
Defense evasion
The scheduled task runs PowerShell commands that add Microsoft Defender Antivirus exclusions for both the PowerShell process and the current directory, so that neither is scanned. This keeps subsequent PowerShell executions, and anything dropped into that directory, from being flagged, allowing the attack to continue undisturbed. Exclusions added this way are visible in Get-MpPreference on the host, and the tamper protection and DisableLocalAdminMerge recommendations below address exactly this step.
Figure 2. Command line used for the exclusions
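The exclusion pattern above is straightforward to audit on a host. The following is an added example, not code from the original post or from any Microsoft product: a Python script that reads the JSON produced by Get-MpPreference | Select-Object ExclusionPath, ExclusionProcess, ExclusionExtension | ConvertTo-Json and flags exclusions matching what this campaign sets, namely a script host excluded by process name together with a path under a user-writable location. The sample input is constructed in that shape, not real host data, and the lists of risky processes, extensions and locations are this example's own assumptions about what is never legitimately excluded on an endpoint.

```python
"""Audit Microsoft Defender Antivirus exclusions for the pattern this campaign sets.

Added example; not code from the original post. Input is the JSON emitted by
  Get-MpPreference | Select-Object ExclusionPath, ExclusionProcess, ExclusionExtension | ConvertTo-Json
The risky-item lists are this example's own assumptions, not anything the post specifies.
"""
import json
import re

# Script hosts and LOLBins: excluding any of these by process name blinds AV to what they run.
RISKY_PROCESSES = {
    "powershell.exe", "pwsh.exe", "powershell_ise.exe", "cmd.exe", "node.exe",
    "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
    "msiexec.exe", "certutil.exe", "bitsadmin.exe", "python.exe",
}

# Extensions carried by the loaders and payloads described on this page.
RISKY_EXTENSIONS = {".ps1", ".js", ".jsc", ".vbs", ".hta", ".bat", ".cmd", ".dll", ".exe", ".zip"}

# Locations a standard user (or an installer running as that user) can write to.
USER_WRITABLE = [
    re.compile(r"^[a-z]:\\users\\", re.I),
    re.compile(r"^[a-z]:\\programdata\\", re.I),
    re.compile(r"^[a-z]:\\(windows\\)?temp\\", re.I),
    re.compile(r"^[a-z]:\\?$", re.I),                       # an entire drive excluded
    re.compile(r"%(temp|tmp|appdata|localappdata|userprofile)%", re.I),
]


def _as_list(value):
    """ConvertTo-Json emits null for no items, a bare string for one, a list for several."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def audit_exclusions(mp_preference_json: str) -> list:
    """Return one finding per exclusion that matches a risky pattern."""
    prefs = json.loads(mp_preference_json)
    findings = []
    for path in _as_list(prefs.get("ExclusionPath")):
        if any(p.search(path) for p in USER_WRITABLE):
            findings.append({"type": "path", "value": path,
                             "reason": "user-writable location excluded from scanning"})
    for proc in _as_list(prefs.get("ExclusionProcess")):
        # Process exclusions may be a bare image name or a full path; compare the image name.
        image = proc.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if image in RISKY_PROCESSES:
            findings.append({"type": "process", "value": proc,
                             "reason": "script host or LOLBin excluded by process name"})
    for ext in _as_list(prefs.get("ExclusionExtension")):
        if "." + ext.lstrip(".").lower() in RISKY_EXTENSIONS:
            findings.append({"type": "extension", "value": ext,
                             "reason": "script or executable extension excluded"})
    return findings


def matches_campaign_pattern(findings) -> bool:
    """True when a PowerShell host is excluded by process AND a user-writable path is excluded,
    which is the pair this campaign's scheduled task creates."""
    ps_excluded = any(
        f["type"] == "process"
        and f["value"].replace("/", "\\").rsplit("\\", 1)[-1].lower() in {"powershell.exe", "pwsh.exe"}
        for f in findings)
    path_excluded = any(f["type"] == "path" for f in findings)
    return ps_excluded and path_excluded


# Constructed sample in the shape of the Get-MpPreference JSON above; not real host data.
SAMPLE = json.dumps({
    "ExclusionPath": [r"C:\Users\alice\Downloads\TradingView",
                      r"C:\Program Files\Microsoft SQL Server\MSSQL16\MSSQL\DATA"],
    "ExclusionProcess": "powershell.exe",
    "ExclusionExtension": None,
})

if __name__ == "__main__":
    found = audit_exclusions(SAMPLE)
    for f in found:
        print(f"[{f['type']}] {f['value']}: {f['reason']}")
    print("campaign pattern present:", matches_campaign_pattern(found))
```

The SQL Server data directory in the sample is deliberately left unflagged: vendor-recommended exclusions under Program Files are common and are not the signal. What should page an analyst is a script host excluded by name, or a Downloads, AppData, ProgramData or Temp path, and above all both at once.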
Data collection and exfiltration
With the exclusions set, an obfuscated PowerShell command is then launched through scheduled tasks to continuously fetch and run scripts from remote URLs. These scripts gather detailed system information, including:
Windows information: Registered owner, system root, installed software, email addresses
BIOS information: Manufacturer, name, release date, version
System information: Name, domain, manufacturer, model, domain membership, memory, logical processors, graphics processing units (GPUs), processors, network adapters
Operating system information: Name, version, locale, user access control (UAC) settings, country, language, time zone, install date
All this information is structured into a nested hash table, converted into JSON format, and then sent using HTTP POST to the attacker’s command-and-control (C2) server.
Figure 3. Excerpts from the script that gathers and exfiltrates data
Payload delivery
After the data collection activity, another PowerShell script is launched to perform the following actions:
Download an archive file from the C2 and extract its contents, which typically include:
node.exe (Node.js runtime)
A JSC file (JavaScript compiled file)
Several supporting library files/modules
Turn off proxy settings in the Windows registry
Launch the JSC that starts the attack’s next stage
Figure 4. Excerpts from the script that downloads and launches the payload
Payload execution
The Node.js executable launches the downloaded JSC file, which then performs the following routines:
Load multiple library modules
Establish network connections
Add certificates to the device
Read and possibly exfiltrate sensitive browser information
These routines might indicate follow-on malicious activities such as credential theft, evasion, or secondary payload execution, which are commonly observed in other malware campaigns leveraging Node.js.
Figure 5. Command line used to launch the JSC file
Beyond executables: Inline script execution in Node.js
Another notable technique we’ve observed emerging from campaigns leveraging Node.js involves inline JavaScript execution. In this technique, malicious scripts are run directly through Node.js to facilitate the deployment of malware.
One observed instance of this method came through a ClickFix social engineering attack, which tricks the user into running a malicious PowerShell command. That command downloads and installs multiple components, including the Node.js binary (node.exe) and the modules it needs. Once the files are in place, the PowerShell script hands JavaScript code to Node.js directly on the command line (the form Node.js exposes through its -e/--eval switch) rather than running it from a file, so the script itself exists only in the process command line.
The JavaScript further conducts network discovery by executing commands to map the domain structure and identify high-value assets. It also disguises the command-and-control traffic as legitimate Cloudflare activity and gains persistence by modifying registry run keys.
Figure 6. Excerpts from the malicious script, highlighting hardcoded C2 servers
Figure 7. Excerpts from the malicious script, highlighting core HTTP functions
Recommendations
Organizations can follow these recommendations to mitigate threats associated with Node.js misuse:
Educate users. Warn them about the risks of downloading software from unverified sources.
Monitor Node.js execution. Flag node.exe processes outside approved developer tooling, especially ones launched by PowerShell, running from user-writable directories, or given a .jsc file or an inline script on the command line.
Enforce PowerShell logging. Turn on script block logging so that obfuscated commands are recorded in their de-obfuscated form at execution time.
Turn on endpoint protection. Ensure endpoint detection and response (EDR) or extended detection and response (XDR) solutions are actively monitoring script execution.
Microsoft also recommends the following mitigations to reduce the impact of this threat.
Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats.
Run EDR in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
Turn on automated investigation and remediation in full automated mode so that Microsoft Defender for Endpoint can take immediate action on alerts to resolve breaches, significantly reducing alert volume.
Understand and use PowerShell’s execution policies, which control how scripts are loaded and run. Set an appropriate execution policy based on your needs. Remember that execution policy alone is not foolproof; it can be bypassed.
Turn on and monitor PowerShell logging.
Turn on script block logging, module logging, and transcription. These logs provide a trail of activity and help identify malicious behavior.
Turn on tamper protection features to prevent attackers from stopping security services. Combine tamper protection with the DisableLocalAdminMerge setting to prevent attackers from using local administrator privileges to set antivirus exclusions.
Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog.
Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.
Microsoft Defender for Endpoint
The following alerts might indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity.
Suspicious PowerShell download or encoded command execution
Suspicious Task Scheduler activity
Suspicious behavior by powershell.exe was observed
Node binary loading suspicious combination of libraries
Activity that might lead to information stealer
Possible theft of passwords and other sensitive web browser information
Suspicious DPAPI Activity
Microsoft Security Copilot
Security Copilot customers can use the standalone experience to create their own prompts or run the following pre-built promptbooks to automate incident response or investigation tasks related to this threat:
Incident investigation
Microsoft User analysis
Threat Intelligence 360 report based on MDTI article
Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.
Threat intelligence reports
Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.
Microsoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal to get more information about this threat actor.
Hunting queries
Microsoft Defender XDR
Microsoft Defender XDR customers can run the following queries to find related activity in their networks:
Suspicious JSC file
// node.exe started with a compiled-JavaScript (.jsc) file, as in the payload execution stage above
DeviceProcessEvents
| where isnotempty(DeviceId)
| where ProcessVersionInfoOriginalFileName == 'node.exe'
| where (ProcessCommandLine has_all (".jsc", ".js") and ProcessCommandLine matches regex @"\\\w*.jsc")
Suspicious inline JavaScript execution
// Identify suspicious inline JavaScript: a script passed to node.exe on the command line that pulls in
// the HTTP, child-process, filesystem, path and compression modules together
DeviceProcessEvents
| where isnotempty(DeviceId)
| where ProcessVersionInfoOriginalFileName == 'node.exe'
| where ProcessCommandLine has_all ('http', 'execSync', 'spawn', 'fs', 'path', 'zlib')
Node.js-based infostealer activity
// Detect malicious access to sensitive credentials using Windows DPAPI: DPAPI activity (EtwEventId 16385)
// from a node.exe that PowerShell launched with a preloaded .js module (-r) and a .jsc payload
DeviceEvents
| where isnotempty(DeviceId)
| where EtwEventId == 16385
| where InitiatingProcessParentFileName endswith "powershell.exe"
| where InitiatingProcessFileName =~ "node.exe"
| where InitiatingProcessCommandLine has_all ("-r", ".js") and InitiatingProcessCommandLine endswith ".jsc"
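To see what these three hunts, and the inline-execution technique described earlier, actually match, here is an added example that is not code from the original post or from any Microsoft product: a Python re-implementation of the query logic run over constructed records shaped like DeviceProcessEvents and DeviceEvents rows. The field names follow the advanced-hunting schema; the values are invented, and the node.exe command lines are modelled on the -r <module>.js <file>.jsc form the third query looks for. KQL's has and has_all operators match whole terms rather than substrings, so the helper tokenises the same way; with a plain substring check the ".js" clause would be redundant, since ".jsc" contains it.

```python
"""Re-implementation of the three advanced-hunting queries above as plain Python.

Added example; not part of the original post or of any Microsoft product. The
records below are constructed to look like DeviceProcessEvents / DeviceEvents rows.
"""
import re


def has_all(text: str, *terms: str) -> bool:
    """Approximate KQL has_all: each term must appear as a whole token, case-insensitively.
    Tokens are alphanumeric runs, so '.js' matches 'x.js' but not 'x.jsc', and '-r' matches 'r'."""
    tokens = set(re.findall(r"[a-z0-9]+", text.lower()))
    return all(t.lower().strip(".-") in tokens for t in terms)


# Same pattern as the first query: a .jsc argument given with a backslash-separated path.
JSC_ARG = re.compile(r"\\\w*\.jsc", re.I)
INLINE_TERMS = ("http", "execSync", "spawn", "fs", "path", "zlib")
DPAPI_ETW_EVENT_ID = 16385   # the EtwEventId the third query keys on


def _is_node(e) -> bool:
    return e.get("ProcessVersionInfoOriginalFileName", "").lower() == "node.exe"


def rule_jsc_launch(e) -> bool:
    """Suspicious JSC file: node.exe started with a compiled-JavaScript file."""
    cl = e.get("ProcessCommandLine", "")
    return _is_node(e) and has_all(cl, ".jsc", ".js") and JSC_ARG.search(cl) is not None


def rule_inline_js(e) -> bool:
    """Suspicious inline JavaScript: the script is in the command line and pulls in the module
    set the hunt associates with the ClickFix loader."""
    return _is_node(e) and has_all(e.get("ProcessCommandLine", ""), *INLINE_TERMS)


def rule_dpapi_from_node(e) -> bool:
    """Node.js-based infostealer activity: DPAPI access from a node.exe that PowerShell launched."""
    cl = e.get("InitiatingProcessCommandLine", "")
    return (e.get("EtwEventId") == DPAPI_ETW_EVENT_ID
            and e.get("InitiatingProcessParentFileName", "").lower().endswith("powershell.exe")
            and e.get("InitiatingProcessFileName", "").lower() == "node.exe"
            and has_all(cl, "-r", ".js")
            and cl.lower().endswith(".jsc"))


RULES = {
    "Suspicious JSC file": rule_jsc_launch,
    "Suspicious inline JavaScript execution": rule_inline_js,
    "Node.js-based infostealer activity": rule_dpapi_from_node,
}


def triage(events):
    """Return (ReportId, rule name) for every record a rule matches."""
    return [(e["ReportId"], name) for e in events for name, rule in RULES.items() if rule(e)]


NODE = r"C:\Users\alice\AppData\Roaming\Binance\node.exe"   # assumed drop location, not from the post
# Constructed records; field names follow the advanced-hunting schema, values are invented.
SAMPLE_EVENTS = [
    {"ReportId": 1, "ProcessVersionInfoOriginalFileName": "node.exe",
     "ProcessCommandLine": f'"{NODE}" -r .\\lib\\bootstrap.js .\\app\\main.jsc'},
    {"ReportId": 2, "ProcessVersionInfoOriginalFileName": "node.exe",
     "ProcessCommandLine": ("node.exe -e \"const http=require('http'),{execSync,spawn}=require('child_process'),"
                            "fs=require('fs'),path=require('path'),zlib=require('zlib');\"")},
    {"ReportId": 3, "ProcessVersionInfoOriginalFileName": "node.exe",
     "ProcessCommandLine": r"node.exe .\build\index.js --port 3000"},        # ordinary developer use
    {"ReportId": 4, "EtwEventId": 16385, "InitiatingProcessFileName": "node.exe",
     "InitiatingProcessParentFileName": "powershell.exe",
     "InitiatingProcessCommandLine": f'"{NODE}" -r .\\lib\\bootstrap.js .\\app\\main.jsc'},
    {"ReportId": 5, "EtwEventId": 16385, "InitiatingProcessFileName": "chrome.exe",
     "InitiatingProcessParentFileName": "explorer.exe",
     "InitiatingProcessCommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe"'},  # benign DPAPI use
]

if __name__ == "__main__":
    for report_id, rule_name in triage(SAMPLE_EVENTS):
        print(f"ReportId {report_id}: {rule_name}")
```

Records 3 and 5 are the negatives worth keeping in mind when tuning: a developer running a .js entry point, and a browser performing its own DPAPI calls, both fall through every rule. The third rule is narrow by design; if you loosen the -r or .jsc conditions, expect to see legitimate Electron and Node tooling spawned from PowerShell profiles.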
Microsoft Sentinel
Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.
Detect network indicators of compromise communication to C2 servers:
let selectedTimestamp = datetime(2025-04-15T00:00:00.0000000Z);
let ip = dynamic(['216.245.184.181', '212.237.217.182', '168.119.96.41']);
let url = dynamic(['sublime-forecasts-pale-scored.trycloudflare.com', 'washing-cartridges-watts-flags.trycloudflare.com', 'investigators-boxing-trademark-threatened.trycloudflare.com', 'fotos-phillips-princess-baker.trycloudflare.com', 'casting-advisors-older-invitations.trycloudflare.com', 'complement-parliamentary-chairs-hc.trycloudflare.com']);
search in (AlertEvidence,BehaviorEntities,CommonSecurityLog,DeviceInfo,DeviceNetworkEvents,DeviceNetworkInfo,DnsEvents,SecurityEvent,VMConnection,WindowsFirewall)
TimeGenerated between ((selectedTimestamp - 1m) .. (selectedTimestamp + 90d)) // from April 15th runs the search for last 90 days, change the above selectedTimestamp or 90d accordingly.
and
(RemoteIP in (ip) or DestinationIP in (ip) or DeviceCustomIPv6Address1 in (ip) or DeviceCustomIPv6Address2 in (ip) or DeviceCustomIPv6Address3 in (ip) or DeviceCustomIPv6Address4 in (ip) or
MaliciousIP in (ip) or SourceIP in (ip) or PublicIP in (ip) or LocalIPType in (ip) or RemoteIPType in (ip) or IPAddresses in (ip) or IPv4Dhcp in (ip) or IPv6Dhcp in (ip) or IpAddress in (ip) or
NASIPv4Address in (ip) or NASIPv6Address in (ip) or RemoteIpAddress in (ip) or RemoteUrl in (url))
MITRE ATT&CK tactics and techniques observed
Tactic | Technique | Description
Initial Access | T1189 Drive-by Compromise | Malware is downloaded from malicious websites, such as fake cryptocurrency trading websites
Persistence | T1053.005 Scheduled Task/Job: Scheduled Task | Ensures persistence by scheduling tasks or modifying registry settings
Defense Evasion | T1564.001 Hide Artifacts: Hidden Files and Directories; T1027 Obfuscated Files or Information; T1497.003 Virtualization/Sandbox Evasion: Time Based Evasion | Bypasses security controls using hidden files, obfuscation, and sandbox detection
Discovery | T1082 System Information Discovery | Gathers detailed system information, including hardware and software data
Credential Access | T1003 OS Credential Dumping | Extracts system credentials and browser data
Collection | T1005 Data from Local System; T1082 System Information Discovery | Captures system details, installed software, emails, BIOS data, running tasks, and network information
Command and Control | T1071.001 Application Layer Protocol: Web Protocols; T1105 Ingress Tool Transfer | Periodically connects to remote servers (for example, Cloudflare tunnels) to send stolen data and receive commands
Exfiltration | T1041 Exfiltration Over C2 Channel | Sends collected data to a remote server through HTTP POST
Learn more
To know how Microsoft can help your team stop similar threats and prevent future compromise with human-led managed services, check out Microsoft Defender Experts for XDR.
For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.