
Node.js Malware Campaign Exploits Fake Binance & TradingView Installers to Target Crypto Users


A dangerous Node.js malware campaign is actively targeting cryptocurrency users through deceptive installers disguised as popular platforms like Binance and TradingView, according to a warning issued by Microsoft.


🚨 How the Node.js Malware Attack Works

First observed in October 2024, this ongoing malvertising campaign uses fraudulent websites to distribute fake cryptocurrency trading applications. The installers are embedded with a malicious DLL file named CustomActions.dll that:


  • Harvests system details via Windows Management Instrumentation (WMI)

  • Establishes persistence through Windows Scheduled Tasks

  • Launches a legitimate-looking browser using msedge_proxy.exe to display official trading websites, maintaining the illusion of authenticity


🔍 Stealth Tactics to Evade Detection

The malware uses PowerShell to download additional scripts from a remote command-and-control (C2) server. These scripts:


  • Add Microsoft Defender exclusions for the current PowerShell process and directory

  • Run obfuscated PowerShell commands to collect extensive OS, BIOS, hardware, and software data

  • Encode the stolen data in JSON format and exfiltrate it via HTTPS POST requests



🛠 Node.js Used to Execute Malicious Scripts

In the next stage, the malware downloads a Node.js runtime binary along with a JavaScript Compiled (JSC) file from the C2 server. The Node.js binary executes the malicious script, which initiates network communications, likely targeting sensitive browser data and credentials.


🧪 Alternate Attack Chain: ClickFix Strategy

An alternate infection path involves the ClickFix technique, where the attackers:

  • Use inline JavaScript execution via malicious PowerShell

  • Deploy Node.js directly to run code without file-based scripts

  • Conduct network discovery and disguise traffic as legitimate Cloudflare activity

  • Modify Windows Registry run keys to maintain persistence


“Node.js is a trusted, open-source JavaScript runtime, but cybercriminals are exploiting it to camouflage malware, bypass security solutions, and embed within legitimate-looking applications,” Microsoft explained.


🧊 Related: Fake PDF Converter Site Spreads SectopRAT Malware

In a separate but related campaign, CloudSEK researchers uncovered a malicious site mimicking PDF Candy (candyxpdf[.]com and candyconverterpdf[.]com). Using the ClickFix trick, users were tricked into executing encoded PowerShell commands that deploy SectopRAT (ArechClient2), a notorious info-stealing malware capable of:


  • Hijacking sensitive browser and system data

  • Maintaining persistent access on compromised machines


“Threat actors cloned the user interface of the original PDF Candy and registered lookalike domains to mislead users,” said Varun Ajmera of CloudSEK.


🧑‍💼 HR-Themed Phishing Scams by 'Payroll Pirates'

Meanwhile, cybercriminals known as the Payroll Pirates have been running HR-themed phishing campaigns, leveraging:


  • Fake payroll portals

  • Sponsored search ads

  • Spoofed login pages


Their goal? To steal employee login credentials and 2FA codes, rerouting payroll funds to attacker-controlled bank accounts.


🔐 Final Thoughts: Stay Protected

This wave of attacks shows how malware developers are becoming increasingly creative, using Node.js, PowerShell, and social engineering to bypass traditional defenses.


Cyber hygiene tips:

  • Download software only from official websites

  • Beware of sponsored search results and unfamiliar URLs

  • Regularly update your endpoint protection tools

  • Monitor system activity for suspicious PowerShell or registry changes
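The last tip, applied to the tactics this article describes (Defender exclusions added from PowerShell, scheduled-task persistence, a Node.js binary running a JSC file from a user-writable folder, Run-key changes), as an added detection example that is not part of Microsoft's report or the original post; the event shape, the "image"/"cmdline" field names, and every path, task name and command line are constructed for illustration:

```python
import re

# Constructed process-creation events (hypothetical "image"/"cmdline" field names, not real
# Sysmon or EDR output). Events 0-3 mimic the chain described in the article; 4-5 are benign.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -c Add-MpPreference -ExclusionPath C:\Users\Public\tv"},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks.exe /Create /SC ONLOGON /TN UpdaterTV /TR C:\Users\Public\tv\node.exe"},
    {"image": r"C:\Users\Public\tv\node.exe",
     "cmdline": r"node.exe C:\Users\Public\tv\app.jsc"},
    {"image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v tv /d C:\Users\Public\tv\node.exe"},
    {"image": r"C:\Program Files\nodejs\node.exe", "cmdline": r"node.exe server.js"},
    {"image": r"C:\Program Files\Git\cmd\git.exe", "cmdline": r"git.exe pull"},
]

# Locations a legitimate installer has no reason to launch a persistent runtime from.
USER_WRITABLE = r"(?:\\Users\\Public\\|\\AppData\\|\\Temp\\)"

# Each rule: (name, regex on the image path, regex on the command line); both must match.
RULES = [
    ("defender_exclusion_added", r"\\powershell(?:_ise)?\.exe$",
     r"Add-MpPreference\s+-Exclusion(?:Path|Process|Extension)"),
    ("schtask_from_user_dir", r"\\schtasks\.exe$", r"/Create\b.*/TR\s+\S*" + USER_WRITABLE),
    ("node_runs_jsc_from_user_dir", USER_WRITABLE + r".*node\.exe$", r"\.jsc\b"),
    ("run_key_modified", r"\\reg\.exe$", r"\\CurrentVersion\\Run\b"),
]

def match_event(event):
    """Return the names of every rule this single event satisfies (case-insensitive)."""
    return [name for name, image_re, cmd_re in RULES
            if re.search(image_re, event["image"], re.I)
            and re.search(cmd_re, event["cmdline"], re.I)]

def detect(events):
    """Map each triggered rule name to the indices of the events that triggered it."""
    found = {}
    for idx, event in enumerate(events):
        for name in match_event(event):
            found.setdefault(name, []).append(idx)
    return found

def is_suspected_chain(events, min_rules=2):
    """Flag a host only when several distinct tactics (exclusion, persistence, Node/JSC)
    co-occur: any single rule alone is noisy, the combination is not."""
    return len(detect(events)) >= min_rules
```

Running `detect(SAMPLE_EVENTS)` flags events 0 through 3 under one rule each and leaves the benign Node.js and Git events untouched, so `is_suspected_chain` returns True for the full set and False for the benign tail alone.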