Full Report
During an Advanced Continual Threat Hunt (ACTH) investigation conducted in early March 2025, Trustwave SpiderLabs identified a notable resurgence in malicious campaigns exploiting deceptive CAPTCHA verifications. These campaigns trick users into executing NodeJS-based backdoors, which subsequently deploy sophisticated NodeJS Remote Access Trojans (RATs) with capabilities comparable to traditional PE-structured legacy RATs.
Analysis Summary
# Tool/Technique: Yet Another NodeJS Backdoor (YaNB) / KongTuke Cluster
## Overview
Yet Another NodeJS Backdoor (YaNB) refers to sophisticated NodeJS Remote Access Trojans (RATs) being deployed via campaigns exploiting deceptive CAPTCHA verifications. The primary activity cluster associated with this initial access vector is frequently referred to as **KongTuke**, which typically involves redirecting victims from compromised websites to deliver the malicious payload.
## Technical Details
- Type: Malware Family (NodeJS Backdoor/RAT)
- Platform: NodeJS environment (likely targeting systems where NodeJS scripts can be executed, typically Windows/Linux servers or client machines running Node).
- Capabilities: Initial access via deceptive CAPTCHA, establishing C2 communication, data exfiltration, subsequent RAT deployment, SOCKS5 proxy tunneling, and XOR-based encryption for C2 communication.
- First Seen: KongTuke activity cluster observed since at least September 2024; initial mention of KongTuke in May 2024 contexts.
## MITRE ATT&CK Mapping
Based on the observed initial access and execution chain:
- **TA0001 - Initial Access**
  - T1189 - Drive-by Compromise (exploiting website visits)
- **TA0002 - Execution**
  - T1059 - Command and Scripting Interpreter
    - T1059.007 - JavaScript
- **TA0011 - Command and Control**
  - T1071 - Application Layer Protocol
    - T1071.001 - Web Protocols (HTTP/S)
  - T1573 - Encrypted Channel (XOR encryption)
- **TA0010 - Exfiltration**
  - T1041 - Exfiltration Over C2 Channel
- **TA0005 - Defense Evasion**
  - T1497 - Virtualization/Sandbox Evasion
    - T1497.001 - System Checks
- **TA0007 - Discovery**
  - T1082 - System Information Discovery
  - T1033 - System Owner/User Discovery

*(Note: The provided list of mappings covers many potential follow-on actions for a RAT, such as Persistence (T1543/T1053), Privilege Escalation (T1068), Defense Evasion (T1564/T1036/T1497), and Discovery (T1082, T1057, etc.). The primary focus here is Execution and C2.)*
## Functionality
### Core Capabilities
- **Initial Deception:** Deployment via compromised websites, often utilizing scripts (like the KongTuke injected script) to monitor the environment before presenting a deceptive CAPTCHA designed to trick users into executing the malicious NodeJS file.
- **Environmental Monitoring:** The initial JavaScript checks for the "isCompleted" cookie to prevent repeated loading and performs checks to ensure the environment is compatible before proceeding.
- **Data Collection:** Gathers OS, IP Address, Referrer URL, Browser Type, User-Agent String, and Geolocation (via `cloudflare[.]com/cdn-cgi/trace`). Data is Base64 encoded before transmission.
- **C2 Communication:** Establishes an initial connection to attacker infrastructure, remaining passive awaiting further instructions.
### Advanced Features
- **RAT Deployment:** Ability to download and deploy more advanced NodeJS RAT variants.
- **SOCKS5 Proxy Tunneling:** The advanced RAT variant can tunnel malicious traffic through SOCKS5 proxies.
- **Encryption:** Communications between the backdoor/RAT and C2 are secured using XOR-based encryption methods.
- **Malware Clustering:** This activity is observed alongside or associated with other known malware campaigns like KongTuke, Fake CAPTCHA schemes, Mispadu, and Lumma stealers.
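The collection and C2 bullets above (Base64-encoded collected data, XOR-based C2 encryption) describe a beacon an incident responder will want to decode from a capture. The following is an added example, not code from the Trustwave report or from the malware: it constructs a beacon in an assumed layout (a JSON envelope whose `data` field carries the Base64-encoded collected fields, the whole envelope XORed with a short repeating key), then shows the known-plaintext recovery that makes repeating-key XOR weak for the defender's benefit: if the plaintext is known to start with a crib such as `{"id":`, each key byte is just ciphertext XOR crib at that position. The key `DEMO_KEY`, the field names, the crib and the sample values are all assumptions; the real backdoor's key length and message format are not given in the report.

```python
import base64
import json

# Constructed example key; the real backdoor's key, key length and message
# layout are not given in the report and are assumed here.
DEMO_KEY = b"\x5a\x3c\x7e\x11"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_demo_beacon() -> bytes:
    """Build a constructed beacon: a JSON envelope whose 'data' field carries
    the Base64-encoded collected fields, then XOR the whole envelope."""
    collected = {
        "os": "win32",
        "ip": "203.0.113.7",  # RFC 5737 documentation address, constructed
        "referrer": "https://example.org/",
        "ua": "Mozilla/5.0 (constructed)",
        "geo": "loc=XX",
    }
    envelope = {
        "id": "demo-host-01",
        "data": base64.b64encode(json.dumps(collected).encode()).decode(),
    }
    return xor_bytes(json.dumps(envelope).encode(), DEMO_KEY)


def recover_key(ciphertext: bytes, crib: bytes, max_len: int = 16):
    """Known-plaintext key recovery for repeating-key XOR.

    If the plaintext starts with `crib`, key[i] == ciphertext[i] ^ crib[i].
    Try every key length up to min(len(crib), max_len) and keep the first
    candidate whose full decryption parses as JSON. Returns None on failure,
    which is what happens when the key is longer than the available crib."""
    for key_len in range(1, min(len(crib), max_len) + 1):
        candidate = bytes(c ^ p for c, p in zip(ciphertext[:key_len], crib[:key_len]))
        try:
            json.loads(xor_bytes(ciphertext, candidate).decode("utf-8"))
        except ValueError:  # covers UnicodeDecodeError and JSONDecodeError
            continue
        return candidate
    return None


def decode_beacon(ciphertext: bytes, key: bytes) -> dict:
    """Strip the XOR layer, parse the envelope, then Base64-decode and parse
    the inner collected data."""
    envelope = json.loads(xor_bytes(ciphertext, key).decode("utf-8"))
    inner = json.loads(base64.b64decode(envelope["data"]).decode("utf-8"))
    return {"id": envelope["id"], "collected": inner}


if __name__ == "__main__":
    beacon = build_demo_beacon()
    key = recover_key(beacon, b'{"id":')
    print("recovered key:", key.hex())
    print(json.dumps(decode_beacon(beacon, key), indent=2))
```

The crib must be at least as long as the key; for longer keys an analyst falls back to a frequency-based search per key position, or simply reads the key out of the backdoor's JavaScript, which is delivered in source form.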
## Indicators of Compromise
- File Hashes: [Not specified in detail]
- File Names: Initial stage scripts showed naming conventions including hardcoded keywords like "metrics," "analyzer," and "analytics." The latest naming convention for the injected script is **four characters alternating digit and lowercase letter** followed by `.js` (regex: `\d[a-z]\d[a-z]\.js`).
- Registry Keys: [Not specified in detail]
- Network Indicators: Domains used for script injection often belong to AS 399629 (BLNWX/BL Networks, US), or Eonix Corporation. Accessing these domains returns a unique hash resource and the text "It works."
- Behavioral Indicators: Cookie checking mechanism (setting "isCompleted" for 4 hours). Execution of NodeJS scripts from an unexpected web-browsing context. Use of the `cloudflare[.]com/cdn-cgi/trace` endpoint for data gathering.
## Associated Threat Actors
- Several unnamed malicious activity clusters sharing similar attack patterns are tracked under aliases such as **404TDS, Chaya_002, LandUpdate808, and TAG-124**.
- Associated with campaigns using **KongTuke**, **Fake CAPTCHA schemes**, **Mispadu**, and **Lumma stealers**.
## Detection Methods
- Signature-based detection: Signatures based on the unique file naming regex or known C2 infrastructure.
- Behavioral detection: Monitoring for the abnormal execution of NodeJS scripts from compromised website injections, especially those attempting to gather system information or communicate externally. Monitoring for the specific cookie manipulation pattern.
- YARA rules: [Not specified in detail, but YARA rules targeting the specific NodeJS code structure or obfuscation patterns would be effective].
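The file-name regex and the `cdn-cgi/trace` lookup from the Indicators section, together with the signature and behavioral detection bullets above, can be turned into a small correlating detector over web proxy logs. The following is an added example, not a detection rule from the Trustwave report: it tags requests whose script name matches the cluster regex, then escalates a `cloudflare.com/cdn-cgi/trace` lookup only when the same client fetched such a script shortly before, since a lone trace lookup is common legitimate traffic. The log format, the hostnames (`.invalid` and `example.net`, reserved names), the client addresses and the five-minute `CORRELATION_WINDOW` are all constructed or assumed tuning values.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Injected-script naming pattern reported for this cluster (digit, letter,
# digit, letter, ".js"); applied to the final path component only.
INJECTED_SCRIPT_RE = re.compile(r"\d[a-z]\d[a-z]\.js")
# Endpoint the initial script queries for geolocation data.
TRACE_HOST, TRACE_PATH = "cloudflare.com", "/cdn-cgi/trace"
# A trace lookup this soon after a suspicious script fetch is treated as
# correlated; an assumed tuning value, not from the report.
CORRELATION_WINDOW = timedelta(minutes=5)

# Constructed sample proxy log: "<timestamp> <client> <method> <url> <status>".
# Hostnames use reserved names; no real infrastructure is referenced.
SAMPLE_LOG = """\
2025-03-05T10:15:02Z 10.0.0.12 GET https://www.example.net/ 200
2025-03-05T10:15:03Z 10.0.0.12 GET https://script-host.invalid/4a2b.js 200
2025-03-05T10:15:04Z 10.0.0.12 GET https://cloudflare.com/cdn-cgi/trace 200
2025-03-05T10:15:05Z 10.0.0.12 POST https://c2-host.invalid/collect 200
2025-03-05T10:20:30Z 10.0.0.44 GET https://www.example.net/assets/app.js 200
2025-03-05T10:21:00Z 10.0.0.44 GET https://cloudflare.com/cdn-cgi/trace 200
2025-03-05T10:22:00Z 10.0.0.51 GET https://static.example.net/js/7x1q.js 304
"""


def parse_line(line: str) -> dict:
    """Split one constructed log line into its five fields."""
    ts, client, method, url, status = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "client": client,
        "method": method,
        "url": url,
        "status": int(status),
    }


def classify(event: dict):
    """Return an indicator tag for a single event, or None if none applies."""
    parsed = urlparse(event["url"])
    name = parsed.path.rsplit("/", 1)[-1]
    if INJECTED_SCRIPT_RE.fullmatch(name):
        return "injected_script_name"
    if parsed.hostname == TRACE_HOST and parsed.path == TRACE_PATH:
        return "trace_lookup"
    return None


def detect(log_text: str) -> list:
    """Tag each line, then correlate per client: a trace lookup within
    CORRELATION_WINDOW of an injected-script fetch is escalated to high.
    Returns a list of (client, severity, reason, url) tuples in log order."""
    findings = []
    last_script = {}  # client -> timestamp of its last injected-script fetch
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        tag = classify(ev)
        if tag == "injected_script_name":
            last_script[ev["client"]] = ev["ts"]
            findings.append((ev["client"], "medium",
                             "script name matches cluster regex", ev["url"]))
        elif tag == "trace_lookup":
            seen = last_script.get(ev["client"])
            if seen is not None and ev["ts"] - seen <= CORRELATION_WINDOW:
                findings.append((ev["client"], "high",
                                 "trace lookup shortly after injected-script fetch",
                                 ev["url"]))
            # A lone trace lookup is not reported: it is ordinary traffic.
    return findings


if __name__ == "__main__":
    for client, severity, reason, url in detect(SAMPLE_LOG):
        print(f"{severity:6} {client:10} {reason}: {url}")
```

The regex alone is a weak signal (four-character script names occur in legitimate bundles), which is why the example reports it at medium and reserves high for the correlated sequence; in production the "It works." response body and the ASN of the script host from the Indicators section would be further fields to join on.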
## Mitigation Strategies
- **Patching/Hardening:** Keep web servers hosting content patched and hardened to prevent the initial content injection (T1659).
- **Traffic Filtering:** Implement strong egress and ingress filtering.
- **Endpoint Protection:** Utilize modern EDR solutions capable of monitoring NodeJS process execution, especially when initiated from unexpected user vectors (web browsing).
- **User Training:** Educate users against interacting with deceptive CAPTCHAs or prompts on untrusted or unexpected websites.
## Related Tools/Techniques
- KongTuke (Used synonymously with the infection cluster)
- Mispadu
- Lumma Stealers
- General NodeJS RATs/Backdoors
- Deceptive CAPTCHA schemes (as an infection vector)