{
	"id": "037ff810-3a16-4a23-a24d-0ddcb8577256",
	"created_at": "2026-04-06T00:20:16.728376Z",
	"updated_at": "2026-04-10T13:13:03.894901Z",
	"deleted_at": null,
	"sha1_hash": "afc26333bab8b0b151099beb9e167fd48f1e7745",
	"title": "Bring your own LOLBin: Multi-stage, fileless Nodersok campaign delivers rare Node.js-based malware | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1125301,
	"plain_text": "Bring your own LOLBin: Multi-stage, fileless Nodersok campaign\r\ndelivers rare Node.js-based malware | Microsoft Security Blog\r\nBy Microsoft Defender Security Research Team\r\nPublished: 2019-09-26 · Archived: 2026-04-05 19:58:20 UTC\r\nWe’ve discussed the challenges that fileless threats pose in security, and how Microsoft Defender Advanced\r\nThreat Protection (Microsoft Defender ATP) employs advanced strategies to defeat these sophisticated threats.\r\nPart of the slyness of fileless malware is its use of living-off-the-land techniques, which refer to the abuse of\r\nlegitimate tools, also called living-off-the-land binaries (LOLBins), that already exist on machines and through which\r\nmalware can persist, move laterally, or serve other purposes.\r\nBut what happens when attackers require functionality beyond what’s provided by standard LOLBins? A new\r\nmalware campaign we dubbed Nodersok decided to bring its own LOLBins—it delivered two very unusual,\r\nlegitimate tools to infected machines:\r\nNode.exe, the Windows implementation of the popular Node.js framework used by countless web\r\napplications\r\nWinDivert, a powerful network packet capture and manipulation utility\r\nLike any LOLBin, these tools are not malicious or vulnerable; they provide important capabilities for legitimate\r\nuse. It’s not uncommon for attackers to download legitimate third-party tools onto infected machines (for\r\nexample, PsExec is often abused to run other tools or commands). However, Nodersok went through a long chain\r\nof fileless techniques to install a pair of very peculiar tools with one final objective: turn infected machines into\r\nzombie proxies.\r\nWhile the file aspect of the attack was very tricky to detect, its behavior produced a visible footprint that stands\r\nout clearly for anyone who knows where to look. 
With its array of advanced defensive technologies, Microsoft\r\nDefender ATP defeated the threat at numerous points of dynamic detection throughout the attack chain.\r\nAttack overview\r\nThe Nodersok campaign has been pestering thousands of machines in the last several weeks, with most targets\r\nlocated in the United States and Europe. The majority of targets are consumers, but about 3% of encounters are\r\nobserved in organizations in sectors like education, professional services, healthcare, finance, and retail.\r\nhttps://www.microsoft.com/security/blog/2019/09/26/bring-your-own-lolbin-multi-stage-fileless-nodersok-campaign-delivers-rare-node-js-based-malware/\r\nPage 1 of 12\n\nFigure 1. Distribution of Nodersok’s enterprise targets by country and by sector\r\nThe campaign is particularly interesting not only because it employs advanced fileless techniques, but also\r\nbecause it relies on an elusive network infrastructure that causes the attack to fly under the radar. We uncovered\r\nthis campaign in mid-July, when suspicious patterns in the anomalous usage of MSHTA.exe emerged from\r\nMicrosoft Defender ATP telemetry. In the days that followed, more anomalies stood out, showing up to a ten-fold\r\nincrease in activity:\r\nFigure 2. Trending of Nodersok activity from August to September, 2019\r\nAfter a process of tracking and analysis, we pieced together the infection chain:\r\nFigure 3. Nodersok attack chain\r\nLike the Astaroth campaign, every step of the infection chain only runs legitimate LOLBins, either from the\r\nmachine itself (mshta.exe, powershell.exe) or downloaded third-party ones (node.exe, Windivert.dll/sys). 
All of the\r\nrelevant functionality resides in scripts and shellcode that almost always arrive encrypted, are then\r\ndecrypted, and run only in memory. No malicious executable is ever written to disk.\r\nThis infection chain was consistently observed on several machines attacked by the latest variant of Nodersok.\r\nOther campaigns (possibly earlier versions) with variants of this malware (whose main JavaScript payload was\r\nnamed 05sall.js or 04sall.js) were observed installing malicious encoded PowerShell commands in the registry\r\nthat would end up decoding and running the final binary executable payload.\r\nInitial access: Complex remote infrastructure\r\nThe attack begins when a user downloads and runs an HTML application (HTA) file named\r\nPlayer1566444384.hta. The digits in the file name differ in every attack. Analysis of Microsoft Defender ATP\r\ntelemetry points to compromised advertisements as the most likely infection vector for delivering the HTA files.\r\nThe mshta.exe tool (which runs when an HTA file runs) was launched with the -embedding command-line\r\nparameter, which typically indicates that the launch action was initiated by the browser.\r\nFurthermore, immediately prior to the execution of the HTA file, the telemetry always shows network activity\r\ntowards suspicious advertisement services (which may vary slightly across infections), and consistent access to\r\nthe legitimate content delivery service Cloudfront. 
Cloudfront is not a malicious entity or service, and it was likely\r\nused by the attackers exactly for that reason: because it’s not a malicious domain, it won’t likely raise alarms.\r\nExamples of such domains were observed in several campaigns.\r\nIt’s possible that these domains were abused to deliver the HTA files without alerting the browser. Another content\r\ndelivery service abused later on in the attack chain is Cdn77. Some examples of observed URLs include:\r\nhxxps://1292172017[.]rsc[.]cdn77[.]org/images/trpl[.]png\r\nhxxps://1292172017[.]rsc[.]cdn77[.]org/imtrack/strkp[.]png\r\nThis same strategy was also used by the Astaroth campaign, where the malware authors hosted their malware on\r\nthe legitimate storage.googleapis.com service.\r\nFirst-stage JavaScript\r\nWhen the HTA file runs, it tries to reach out to a randomly named domain to download additional JavaScript code.\r\nThe domains used in this first stage are short-lived: they are registered and brought online and, after a day or two\r\n(the span of a typical campaign), they are dropped and their related DNS entries are removed. This can make it\r\nmore difficult to investigate and retrieve the components that were delivered to victims. 
Examples of domains\r\nobserved include:\r\nDu0ohrealgeek[.]org – active from August 12 to 14\r\nHi5urautopapyrus[.]org – active from April 21 to 22\r\nEx9ohiamistanbul[.]net – active from August 1 to 2\r\nEek6omyfilmbiznetwork[.]org – active from July 23 to 24\r\nThis stage is just a downloader: it tries to retrieve either a JavaScript or an Extensible Stylesheet Language (XSL) file\r\nfrom the command-and-control (C\u0026C) domain. These files have semi-random names like 1566444384.js and\r\n1566444384.xsl, where the digits are different in every download. After this file is downloaded and runs, it\r\ncontacts the remote C\u0026C domain to download an RC4-encrypted file named 1566444384.mp4 and a decryption\r\nkey from a file named 1566444384.flv. When decrypted, the MP4 file is an additional JavaScript snippet that starts\r\nPowerShell:\r\nInterestingly, it hides the malicious PowerShell script in an environment variable named “deadbeef” (first line),\r\nthen it launches PowerShell with an encoded command (second line) that simply runs the contents of the\r\n“deadbeef” variable. This trick, which is used several times during the infection chain, is usually employed to hide\r\nthe real malicious script so that it does not appear in the command line of a PowerShell process.\r\nSecond-stage PowerShell\r\nNodersok’s infection continues by launching several instances of PowerShell to download and run additional\r\nmalicious modules. All the modules are hosted on the C\u0026C servers in RC4-encrypted form and are decrypted on\r\nthe fly before they run on the device. 
The following steps are performed by the various instances of PowerShell:\r\nDownload module.avi, a module that attempts to:\r\nDisable Windows Defender Antivirus\r\nDisable Windows updates\r\nRun binary shellcode that attempts elevation of privilege by using an auto-elevated COM interface\r\nDownload additional modules trpl.png and strkp.png hosted on a Cdn77 service\r\nDownload the legitimate node.exe tool from the official nodejs.org website\r\nDrop the WinDivert packet capture library components WinDivert.dll, WinDivert32.sys, and\r\nWinDivert64.sys\r\nExecute a shellcode that uses WinDivert to filter and modify certain outgoing packets\r\nFinally, drop the JavaScript payload along with some Node.js modules and libraries required by it, and run\r\nit via node.exe\r\nThis last JavaScript is the actual final payload written for the Node.js framework that turns the device into a proxy.\r\nThis concludes the infection, at the end of which the network packet filter is active and the machine is working as\r\na potential proxy zombie. When a machine turns into a proxy, it can be used by attackers as a relay to access other\r\nnetwork entities (websites, C\u0026C servers, compromised machines, etc.), which can allow them to perform stealthy\r\nmalicious activities.\r\nNode.js-based proxy engine\r\nThis is not the first threat to abuse Node.js. Some cases have been observed in the past (for example, this\r\nransomware from early 2016). However, using Node.js is a peculiar way to spread malware. Besides being clean\r\nand benign, Node.exe also has a valid digital signature, allowing a malicious JavaScript to operate within the\r\ncontext of a trusted process. 
The JavaScript payload itself is relatively simple: it only contains a set of basic\r\nfunctions that allow it to act as a proxy for a remote entity.\r\nFigure 4. A portion of the malicious Node.js-based proxy\r\nThe code seems to be still in its infancy and in development, but it does work. It has two purposes:\r\n1. Connect back to the remote C\u0026C, and\r\n2. Receive HTTP requests to proxy back to it\r\nIt supports the SOCKS4A protocol. While we haven’t observed network requests coming from attackers, we wrote\r\nwhat the Node.js-based C\u0026C server application may look like: a server that sends HTTP requests to the infected\r\nclients that connect back to it, and receives the responses from said clients. We slightly modified the malicious\r\nJavaScript malware to make it log meaningful messages, ran a JavaScript server, ran the JavaScript malware, and\r\nit proxied HTTP requests as expected:\r\nFigure 5. The debug messages are numbered to make it easier to follow the execution flow\r\nThe server starts, then the client starts and connects to it. In response, the server sends an HTTP request (using the\r\nSocks4A protocol) to the client. The request is a simple HTTP GET. The client proxies the HTTP request to the\r\ntarget website and returns the HTTP response (200 OK) and the HTML page back to the server. This test\r\ndemonstrates that it’s possible to use this malware as a proxy.\r\n05sall.js: A variant of Nodersok\r\nAs mentioned earlier, there exist other variants of this malware. For example, we found one named 05sall.js\r\n(possibly an earlier version). 
It’s similar in structure to the one described above, but the payload was not\r\ndeveloped in Node.js (rather, it was an executable). Furthermore, beyond acting as a proxy, it can run additional\r\ncommands such as update, terminate, or run shell commands.\r\nFigure 6. The commands that can be processed by the 05sall.js variant.\r\nThe malware can also process configuration data in JSON format. For example, this configuration was encoded\r\nand stored in the registry on an infected machine:\r\nFigure 7. Configuration data exposing component and file names\r\nThe configuration is an indication of the modular nature of the malware. It shows the names of two modules being\r\nused in this infection (named block_av_01 and all_socks_05).\r\nThe WinDivert network packet filtering\r\nAt this point in the analysis, there is one last loose end: what about the WinDivert packet capture library? We\r\nrecovered a shellcode from one of the campaigns. This shellcode is decoded and run only in memory from a\r\nPowerShell command. It installs the following network filter (in a language recognized by WinDivert):\r\nThis means Nodersok is intercepting packets sent out to initiate a TCP connection. Once the filter is active, the\r\nshellcode is interested only in TCP packets that match the following specific format:\r\nFigure 8. Format of TCP packets that Nodersok is interested in\r\nThe packet must have standard Ethernet, IP, and 20-byte TCP headers, plus an additional 20 bytes of extra TCP\r\noptions. 
The options must appear exactly in the order shown in the image above:\r\n02 04 XX XX – Maximum segment size\r\n01 – No operation\r\n03 03 XX – Window scale\r\n04 02 – SACK permitted\r\n08 0A XX XX XX XX XX XX XX XX – Timestamps\r\nIf packets matching this criterion are detected, Nodersok modifies them by moving the “SACK permitted” option\r\nto the end of the packet (whose size is extended by four bytes), and replacing the original option bytes with two\r\n“No operation” bytes.\r\nFigure 9. The format of TCP packets after Nodersok has altered it: the “SACK permitted” bytes (in red) have been\r\nmoved to the end of the packet, and their original location has been replaced by “No operation” (in yellow)\r\nIt’s possible that this modification benefits the attackers; for example, it may help evade some HIPS signatures.\r\nStopping the Nodersok campaign with Microsoft Defender ATP\r\nBoth the distributed network infrastructure and the advanced fileless techniques allowed this campaign to fly under\r\nthe radar for a while, highlighting how having the right defensive technologies is of utmost importance in order to\r\ndetect and counter these attacks in a timely manner.\r\nIf we exclude all the clean and legitimate files leveraged by the attack, all that remains are the initial HTA file, the\r\nfinal Node.js-based payload, and a bunch of encrypted files. Traditional file-based signatures are inadequate to\r\ncounter sophisticated threats like this. We have known this for quite a while; that’s why we have invested a good\r\ndeal of resources into developing powerful dynamic detection engines and delivering a state-of-the-art defense-in-depth through Microsoft Defender ATP:\r\nFigure 10. 
Microsoft Defender ATP protections against Nodersok\r\nMachine learning models in the Windows Defender Antivirus client generically detect suspicious obfuscation in\r\nthe initial HTA file used in this attack. Beyond this immediate protection, behavioral detection and containment\r\ncapabilities can spot anomalous and malicious behaviors, such as the execution of scripts and tools. When the\r\nbehavior monitoring engine in the client detects one of the more than 500 attack techniques, information like the\r\nprocess tree and behavior sequences is sent to the cloud, where behavior-based machine learning models classify\r\nfiles and identify potential threats.\r\nMeanwhile, scripts that are decrypted and run directly in memory are exposed by Antimalware Scan Interface\r\n(AMSI) instrumentation in scripting engines, while launching PowerShell with a command line that specifies\r\nencoded commands is defeated by command-line scanning. Tamper protection in Microsoft Defender ATP protects\r\nagainst system modifications that attempt to disable Windows Defender Antivirus.\r\nThese multiple layers of protection are part of the threat and malware prevention capabilities in Microsoft\r\nDefender ATP. The complete endpoint protection platform provides multiple capabilities that empower security\r\nteams to defend their organizations against attacks like Nodersok. Attack surface reduction closes off common attack\r\nsurfaces. Threat and vulnerability management, endpoint detection and response, and automated investigation and\r\nremediation help organizations detect and respond to cyberattacks. 
Microsoft Threat Experts, Microsoft Defender\r\nATP’s managed detection and response service, further helps security teams by providing expert-level monitoring\r\nand analysis.\r\nWith Microsoft Threat Protection, these endpoint protection capabilities integrate with the rest of Microsoft\r\nsecurity solutions to deliver comprehensive security for identities, endpoints, email\r\nand data, apps, and infrastructure.\r\nAndrea Lelli\r\nMicrosoft Defender ATP Research\r\nSource: https://www.microsoft.com/security/blog/2019/09/26/bring-your-own-lolbin-multi-stage-fileless-nodersok-campaign-delivers-rare-node-js-based-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.microsoft.com/security/blog/2019/09/26/bring-your-own-lolbin-multi-stage-fileless-nodersok-campaign-delivers-rare-node-js-based-malware/"
	],
	"report_names": [
		"bring-your-own-lolbin-multi-stage-fileless-nodersok-campaign-delivers-rare-node-js-based-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434816,
	"ts_updated_at": 1775826783,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/afc26333bab8b0b151099beb9e167fd48f1e7745.pdf",
		"text": "https://archive.orkl.eu/afc26333bab8b0b151099beb9e167fd48f1e7745.txt",
		"img": "https://archive.orkl.eu/afc26333bab8b0b151099beb9e167fd48f1e7745.jpg"
	}
}