NodeJS backdoors delivering proxyware and monetization schemes
TLP:WHITE | Author: AlienVault | Created: 2025-09-24 | Modified: 2025-09-24
51 IOCs
This report details a campaign in which Node.js backdoors are used to distribute proxyware and other monetization schemes. The attackers use Inno Setup installers to drop PowerShell scripts that download and execute Node.js packages containing malicious JavaScript. The backdoors collect system information, communicate with command-and-control servers, and can execute a range of commands, including PowerShell scripts and additional Node.js code. The campaign is associated with several proxyware applications, including Infatica, Honeygain, earnFM, and PacketLab. The attackers also deploy browser extensions that track user navigation and can redirect the browser to malicious URLs. The supporting infrastructure spans numerous domains and cloud services used to host malware and command-and-control endpoints.
MITRE ATT&CK & Malware Families
ATT&CK techniques: none listed in this pulse
Malware families: Infatica, Honeygain, earnFM, PacketLab
Indicators of Compromise (51)