Active Node.js Malware Campaign Targeting Manual Reader Applications

Oct 21, 2025 • 2 min read • Intermediate

  • Threat Hunting
  • Incident Response

We’re seeing a significant uptick in a malware campaign that’s affecting multiple customers. This one’s worth knowing about if you’re in a SOC or working with EDR platforms.

The Campaign

Attackers are distributing malicious Node.js payloads disguised as manual reader and document utility applications. The names are designed to look legitimate: AllManualsReader, OpenMyManual, ManualFinder, AppSuitePDF, and OneStart.

Initial distribution appears to be through SEO poisoning. Users search for manuals or document tools, find these applications in search results, and download what they think is a legitimate utility.

Detection Challenges

We’re seeing varying levels of detection across solutions, with some only flagging the activity when the persistence mechanism tries to execute the Node.js payload via scheduled tasks. By that point, the malware is already installed, though execution can be successfully blocked at that stage.

Proactive hunts across the environment revealed 11 infected endpoints that would have gone unnoticed through passive detection alone.

Technical Details

Scheduled Task Persistence

The malware establishes persistence through Windows scheduled tasks with these characteristics:

  • Task names formatted as GUIDs (e.g., 2d4d7602-8032-4207-a03f-be08e68d1094)
  • Dual triggers: recurring execution every 4-12 hours plus system startup
  • Execution chain: cmd.exe → node.exe → malicious .js payload

File System Artifacts

Installation directory structure:

C:\Users\[username]\AppData\Local\Programs\[ApplicationName]\
├── node\node.exe
└── [malicious-payload].js

Original downloads typically in:

C:\Users\[username]\Downloads\[ApplicationName].exe

Payload files use names like licensekey.js or GUID-based .js files.

Network Indicators

The node.exe processes generate DNS requests to DGA-style domains following the pattern:

api.[random10-35characters].com

These appear to be C2 infrastructure. The JavaScript payload uses eval() on the server response, allowing arbitrary code execution.

What We’ve Observed

The payload sits quietly in the background. We observed C2 callouts to DGA domains, but no immediate post-exploitation activity. The JavaScript uses eval() on server responses, meaning the attacker has full code execution capability whenever they choose to activate it.

Remediation Steps

  1. Hunt for scheduled tasks with GUID names executing node.exe from AppData
  2. Check Downloads folders for the known application names
  3. Review DNS logs for the DGA pattern: api.[random].com
  4. Remove identified artifacts:
     • Delete scheduled tasks
     • Remove installation directories from AppData\Local\Programs\
     • Clean up original executables from Downloads
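The hunt described under Technical Details and in steps 1-3 above, written out as a small Python triage script. This is an added example, not code from the original post or from any vendor tooling; it runs over constructed records of the kind a SOC would export from an EDR or SIEM (a scheduled-task inventory, a pipe-separated DNS log in the style of Sysmon Event ID 22 with the querying process, and a file listing). The sample hosts, domains and paths are made up for the example, and the assumption that the "random" label in the DGA pattern is lowercase alphanumeric is this example's, not the post's.

```python
"""Hunt helpers for the Node.js manual-reader campaign indicators.

All sample records below are constructed for this example.
"""
import re
from dataclasses import dataclass

# Indicators from the post, rendered as patterns. Assumption (ours): the
# "random" DGA label is lowercase alphanumeric, 10-35 characters.
GUID_RE = re.compile(
    r"^\{?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}?$", re.I
)
NODE_IN_APPDATA_RE = re.compile(
    r"\\AppData\\Local\\Programs\\[^\\]+\\node\\node\.exe", re.I
)
DGA_DOMAIN_RE = re.compile(r"^api\.[a-z0-9]{10,35}\.com$", re.I)
KNOWN_APP_NAMES = {"AllManualsReader", "OpenMyManual", "ManualFinder",
                   "AppSuitePDF", "OneStart"}
# Legitimate api.<label>.com names that happen to fit the length range.
# Placeholder allowlist: extend it from your own DNS baseline before hunting at scale.
DEFAULT_ALLOWLIST = frozenset({"api.cloudflare.com", "api.dropboxapi.com"})


@dataclass
class ScheduledTask:
    host: str
    name: str        # task name, with or without a task-folder prefix
    action: str      # command line the task executes
    triggers: tuple  # e.g. ("AtStartup", "Repetition=PT6H")


def task_is_suspicious(task: ScheduledTask) -> bool:
    """GUID-named task whose action runs node.exe from AppData\\Local\\Programs.
    Both conditions are required: a GUID-named task on its own is common on Windows."""
    leaf = task.name.rsplit("\\", 1)[-1]
    return bool(GUID_RE.match(leaf)) and bool(NODE_IN_APPDATA_RE.search(task.action))


def hunt_tasks(tasks):
    return [t for t in tasks if task_is_suspicious(t)]


def hunt_dns(lines, allowlist=DEFAULT_ALLOWLIST):
    """Flag api.<10-35 chars>.com queries from 'ts|host|process|qname' lines.
    A query issued by node.exe is high confidence; any other process is returned
    for analyst review, because the naming pattern alone also matches ordinary
    API hostnames."""
    hits = []
    for line in lines:
        parts = line.strip().split("|")
        if len(parts) != 4:
            continue  # malformed record: skip rather than guess
        ts, host, proc, qname = parts
        qname = qname.rstrip(".").lower()
        if qname in allowlist or not DGA_DOMAIN_RE.match(qname):
            continue
        proc_leaf = proc.rsplit("\\", 1)[-1].lower()
        hits.append({"ts": ts, "host": host, "proc": proc, "qname": qname,
                     "confidence": "high" if proc_leaf == "node.exe" else "review"})
    return hits


DOWNLOAD_RE = re.compile(r"\\Downloads\\(?P<app>[^\\]+)\.exe$", re.I)


def hunt_downloads(paths):
    """Original installers: ...\\Downloads\\<KnownAppName>.exe."""
    return [p for p in paths
            if (m := DOWNLOAD_RE.search(p)) and m["app"] in KNOWN_APP_NAMES]


# --- constructed sample telemetry -------------------------------------------
SAMPLE_TASKS = [
    ScheduledTask("WS01", "2d4d7602-8032-4207-a03f-be08e68d1094",
                  r'cmd.exe /c "C:\Users\alice\AppData\Local\Programs\ManualFinder\node\node.exe" '
                  r'"C:\Users\alice\AppData\Local\Programs\ManualFinder\licensekey.js"',
                  ("AtStartup", "Repetition=PT6H")),
    ScheduledTask("WS01", r"\Microsoft\Windows\UpdateOrchestrator\Schedule Scan",
                  r"%systemroot%\system32\usoclient.exe StartScan", ("Daily",)),
    ScheduledTask("WS02", "{5f1e2c3d-1a2b-4c3d-8e9f-0a1b2c3d4e5f}",  # GUID name, but not node.exe
                  r"C:\Windows\System32\wscript.exe C:\Scripts\cleanup.vbs", ("AtLogon",)),
]
SAMPLE_DNS = [
    r"2025-10-21 09:14:02|WS01|C:\Users\alice\AppData\Local\Programs\ManualFinder\node\node.exe|api.kq3zt8pxw9vbl2c.com",
    r"2025-10-21 09:14:05|WS01|C:\Program Files\Mozilla Firefox\firefox.exe|api.github.com",
    r"2025-10-21 09:15:11|WS03|C:\Program Files\Slack\slack.exe|api.cloudflare.com",
    r"2025-10-21 09:20:44|WS02|C:\Windows\System32\svchost.exe|api.abcdefghijk.com",
]
SAMPLE_DOWNLOADS = [
    r"C:\Users\alice\Downloads\ManualFinder.exe",
    r"C:\Users\alice\Downloads\setup-notepadpp.exe",
    r"C:\Users\bob\Downloads\OneStart.exe",
]


def run_hunt(tasks=SAMPLE_TASKS, dns=SAMPLE_DNS, downloads=SAMPLE_DOWNLOADS):
    return {"tasks": hunt_tasks(tasks), "dns": hunt_dns(dns),
            "downloads": hunt_downloads(downloads)}


if __name__ == "__main__":
    for category, hits in run_hunt().items():
        print(f"== {category}: {len(hits)} hit(s)")
        for h in hits:
            print("  ", h)
```

The scheduled-task check deliberately requires both the GUID name and node.exe under AppData\Local\Programs, and the DNS check grades a hit by the querying process: a match from node.exe is actionable on its own, while a match from any other process (or a name on the allowlist) only goes to an analyst, since plenty of legitimate hostnames look like api.<label>.com. Swap the sample lists for your own exports to run it against real telemetry.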

Connection to Known Campaigns

This campaign shares similarities with “TamperedChef” but appears to be ramping up with higher volume and slightly different infrastructure. The core techniques remain consistent.

Takeaway

Even with EDR deployed, proactive hunting matters. This campaign demonstrates the gap between initial infection and detection. By the time automated alerts fire, the malware is already installed and waiting for activation.

Elmer Phillips — Security Analyst