April 17, 2025 By Pierluigi Paganini
Microsoft warns of a malvertising campaign using Node.js to deliver info-stealing malware via fake crypto trading sites like Binance and TradingView.
Microsoft has observed Node.js increasingly used in malware campaigns since October 2024, including an ongoing crypto-themed malvertising attack as of April 2025.
Threat actors are increasingly using Node.js to deploy malware, shifting from traditional scripts like Python or PHP. Node.js allows attackers to blend malicious code with legitimate apps, bypass security tools, and persist in systems. Node.js is an open-source, cross-platform JavaScript runtime environment that allows JavaScript code to run outside of a web browser. Though less common today, Node.js-based threats are becoming a notable part of the evolving attack landscape.
In April Node.js attacks, threat actors use malvertising to lure users to fake sites offering malicious installers disguised as legitimate software. Once executed, the installer drops a malicious DLL (“CustomActions.dll”) that collects system data via WMI, ensures persistence via scheduled tasks, and uses PowerShell commands for defense evasion and further payload delivery.
