Monday, May 12, 2025

Stealthy New NodeJS Backdoor Infects Users Through CAPTCHA Verifications


Security researchers have uncovered a sophisticated malware campaign utilizing fake CAPTCHA verification screens to deploy a stealthy NodeJS backdoor.

The attack, part of the broader KongTuke campaign, leverages compromised websites to distribute malicious JavaScript that ultimately deploys advanced remote access trojans (RATs) capable of tunneling traffic through SOCKS5 proxies with XOR-based encryption.

SpiderLabs researchers note a significant increase in NodeJS-based backdoor deployments across multiple malware campaigns, highlighting their growing effectiveness as initial access vectors compared to traditional methods.


KongTuke Campaign Deploys Sophisticated Social Engineering

The attack chain begins when victims visit compromised websites, often reached through social media links. The websites contain injected malicious code that loads a JavaScript file following a specific naming pattern of alternating alphanumeric characters (e.g., “4r6t.js”).

This first-stage script performs environment checks and collects system information including operating system details, IP address, browser type, and geolocation data before communicating with command and control (C2) servers.

If conditions are met, the script delivers a fake CAPTCHA verification screen, a technique also known as “ClickFix.” When users interact with this deceptive interface, malicious PowerShell commands are silently copied to their clipboard.

When run, these commands either connect to a hardcoded IP address or use Cloudflare tunnels to retrieve and execute additional payloads, which helps the download stage evade detection.

“Given the effectiveness and high success rates of fake CAPTCHA techniques as an initial access vector compared to traditional methods, we anticipate continued growth and prevalence of these tactics,” researchers warned.

Advanced NodeJS RAT Evades Detection

The deployed NodeJS backdoor incorporates sophisticated anti-analysis mechanisms, terminating execution if it detects a virtual machine environment, insufficient memory, or a computer name containing “DESKTOP-”.

After bypassing these checks, it downloads and extracts a legitimate Node.js package to execute its malicious components.

The malware’s technical sophistication is evident in its data transmission protocol, which employs a custom encryption scheme: data is XOR-encrypted with a random 4-byte key, compressed with gzip, and appended with a checksum.

This custom framing keeps C2 traffic opaque to inspection and avoids the signatures that network detection tools rely on.
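To show how the framing described above can be handled by an analyst decoding captured traffic, here is an added example (not the malware's code and not from the SpiderLabs report); the field layout, key placed first and a big-endian CRC32 placed last, and the choice of CRC32 as the checksum are assumptions, since the article names neither.

```python
import gzip
import os
import struct
import zlib

# Constructed example: the page states outbound data is XOR-encrypted with a
# random 4-byte key, gzip-compressed, then suffixed with a checksum.
# Assumed frame layout: key(4 bytes) | gzip(xor(data, key)) | crc32(4 bytes, big-endian)


def xor4(data: bytes, key: bytes) -> bytes:
    """XOR every byte with the repeating 4-byte key (self-inverse)."""
    return bytes(b ^ key[i % 4] for i, b in enumerate(data))


def encode_frame(plaintext: bytes, key: bytes = b"") -> bytes:
    """Build a frame in the assumed layout; a random key is drawn if none given."""
    key = key or os.urandom(4)
    body = gzip.compress(xor4(plaintext, key))
    return key + body + struct.pack(">I", zlib.crc32(body))


def decode_frame(frame: bytes) -> bytes:
    """Reverse the encoding; raises ValueError on a short frame or bad checksum."""
    if len(frame) < 8:
        raise ValueError("frame too short")
    key, body = frame[:4], frame[4:-4]
    (crc,) = struct.unpack(">I", frame[-4:])
    if zlib.crc32(body) != crc:
        raise ValueError("checksum mismatch")
    return xor4(gzip.decompress(body), key)


if __name__ == "__main__":
    # Constructed beacon content, not real malware traffic.
    sample = encode_frame(b"beacon host=WIN-LAB01", key=b"\x01\x02\x03\x04")
    print(decode_frame(sample))
```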

For persistence, the backdoor creates registry entries masquerading as legitimate browser updaters.

When active, it awaits commands from the C2 infrastructure, capable of executing system commands, deploying additional payloads, and establishing SOCKS5 proxy tunnels that allow attackers to route malicious traffic through compromised systems.

Growing Trend of NodeJS-Based Malware

The KongTuke campaign has evolved significantly since its emergence in September 2024. Initially using script naming conventions with keywords like “metrics” and “analytics,” it shifted to the current alphanumeric pattern in November 2024.

Researchers have identified numerous compromised domains primarily hosted on AS 399629 (BL Networks) infrastructure.

This malware represents part of a larger trend, with SpiderLabs observing similar NodeJS-based backdoor deployments across multiple campaigns, including Mispadu and Lumma stealers.

Security experts recommend that organizations implement robust JavaScript monitoring capabilities, focusing in particular on suspicious connections to domains serving scripts that match the regular expression pattern “\d[a-z]\d[a-z].js” (names such as “4r6t.js”), and that they monitor for PowerShell execution with encoded commands.

Additionally, organizations should watch for unusual Node.js installation activity and registry modifications referencing browser updaters, as these may indicate compromise.
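The three indicators above (the script-name pattern, encoded PowerShell, and Run-key entries posing as browser updaters) can be turned into simple log-matching rules; this added example is not from the SpiderLabs report, the log lines are constructed, the dot in the page's regex is escaped here to match the literal “.js”, and the registry-key pattern is an assumption since the article does not name the key.

```python
import re

# Constructed detection logic applying the page's recommendations to sample logs.
# Page's pattern \d[a-z]\d[a-z].js with the dot escaped and word boundaries added.
SCRIPT_NAME = re.compile(r"(?<![a-z0-9])\d[a-z]\d[a-z]\.js(?=[?\s]|$)", re.IGNORECASE)
# PowerShell launched with an encoded command (-e/-ec/-enc/-EncodedCommand + base64).
ENCODED_PS = re.compile(
    r"powershell(?:\.exe)?\b.*?\s-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}",
    re.IGNORECASE,
)
# Assumed: a Run-key value whose name imitates a browser updater (key path is a guess).
BROWSER_UPDATER_KEY = re.compile(
    r"\\CurrentVersion\\Run\\.*(?:chrome|edge|firefox|browser)[ _-]?update", re.IGNORECASE
)

# Constructed sample telemetry, not real logs.
SAMPLE_LOGS = [
    "proxy 10.0.0.5 GET https://example-blog.test/wp-content/4r6t.js 200",
    "proxy 10.0.0.7 GET https://cdn.example.test/js/analytics.min.js 200",
    "ps CommandLine=powershell.exe -nop -w hidden -ec SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
    "ps CommandLine=powershell.exe -Command Get-Process",
    "reg SetValue HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ChromeUpdater",
]


def classify(line: str) -> list:
    """Return the list of indicator names that fire on one log line."""
    hits = []
    if SCRIPT_NAME.search(line):
        hits.append("kongtuke-script-name")
    if ENCODED_PS.search(line):
        hits.append("encoded-powershell")
    if BROWSER_UPDATER_KEY.search(line):
        hits.append("browser-updater-run-key")
    return hits


def scan(lines) -> dict:
    """Map each suspicious line to the indicators it matched; clean lines are dropped."""
    return {line: hits for line in lines if (hits := classify(line))}


if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LOGS).items():
        print(hits, line)
```

Each rule is deliberately narrow; in production the script-name rule would run over proxy or DNS logs and the other two over endpoint telemetry such as process-creation and registry events.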

As fake CAPTCHA techniques demonstrate higher success rates than traditional phishing methods, security teams should prioritize user awareness training specifically addressing these increasingly convincing social engineering tactics.


Kaaviya
Kaaviya is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space.
