
[Image: fake CAPTCHA page]
Trustwave SpiderLabs has uncovered an evolving cyber threat that leverages deceptive CAPTCHA verifications to infect users with stealthy NodeJS-based backdoors. This campaign showcases the increasing sophistication of threat actors using social engineering to bypass conventional security measures.
“These campaigns trick users into executing NodeJS-based backdoors, subsequently deploying sophisticated NodeJS Remote Access Trojans (RATs),” Trustwave researchers stated.
The attack chain begins with a user landing on a compromised website, often through social media bait or poisoned search results. These sites are injected with malicious JavaScript, belonging to the KongTuke campaign, which has been active since at least September 2024. The malicious script collects system information and redirects users to a fake CAPTCHA page — a ploy to disguise malicious intent.
Once users interact with the CAPTCHA, a PowerShell command is silently copied to the clipboard; when the user is tricked into running it, it fetches and executes a second-stage payload. This payload delivers a NodeJS RAT — a powerful and modular backdoor designed for persistence, data theft, and remote command execution.

The NodeJS backdoor showcases several advanced capabilities:
- Anti-VM checks to evade detection in sandbox environments
- Encrypted C2 communications using a combination of XOR encryption and gzip compression
- Persistence via Windows Registry, disguising itself as a browser updater
- SOCKS5 proxy tunneling to relay malicious traffic covertly
“Our research uncovered the deployment of a more advanced NodeJS RAT variant capable of tunneling malicious traffic through SOCKS5 proxies, with communications further secured using XOR-based encryption methods,” SpiderLabs noted.
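A defender-side illustration of the XOR-plus-gzip layering described above, added here as an example that is not from the article or from Trustwave's analysis: because every gzip stream begins with the fixed bytes 1f 8b 08, an analyst can treat that header as known plaintext to recover a short repeating XOR key from a captured C2 blob and inflate the message underneath. The key length (at most three bytes), the key value and the task message are assumptions constructed for the demo; the real RAT's key and message format are not given in the article.

```python
import gzip
import zlib
from typing import Optional, Tuple

# Every gzip member starts with ID1=0x1f, ID2=0x8b, CM=0x08 (deflate).
# These three bytes are known plaintext that leak the XOR key prefix.
GZIP_MAGIC = b"\x1f\x8b\x08"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call both encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_c2_blob(plaintext: bytes, key: bytes) -> bytes:
    """gzip first, then XOR, mirroring the layering the article describes.
    mtime=0 keeps the gzip header deterministic so the demo is repeatable."""
    return xor_bytes(gzip.compress(plaintext, mtime=0), key)


def decode_c2_blob(blob: bytes, max_key_len: int = 3) -> Optional[Tuple[bytes, bytes]]:
    """Derive a repeating XOR key of length 1..max_key_len from the gzip
    header, verify it by inflating the body, and return (key, plaintext).
    Returns None when no candidate key yields a valid gzip stream.
    Assumption: the key is no longer than the 3-byte header can reveal."""
    if len(blob) < len(GZIP_MAGIC):
        return None
    for key_len in range(1, min(max_key_len, len(GZIP_MAGIC)) + 1):
        key = bytes(blob[i] ^ GZIP_MAGIC[i] for i in range(key_len))
        candidate = xor_bytes(blob, key)
        if not candidate.startswith(GZIP_MAGIC):
            continue  # the derived key does not reproduce the full header
        try:
            return key, gzip.decompress(candidate)
        except (OSError, EOFError, zlib.error):
            continue  # header matched by chance, but the body does not inflate
    return None


# Constructed sample task message and key (hypothetical, not from the campaign).
SAMPLE_TASK = b'{"task":"sysinfo","poll_seconds":300}'
SAMPLE_KEY = b"\x5a\xc3"
SAMPLE_BLOB = encode_c2_blob(SAMPLE_TASK, SAMPLE_KEY)

if __name__ == "__main__":
    print(decode_c2_blob(SAMPLE_BLOB))
```

The same header trick works on the RAT's responses in a packet capture as long as the key is short; a longer key needs more known plaintext (for example a predictable JSON prefix) than the gzip header alone provides.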
Once deployed, the RAT polls its command-and-control (C2) server every five minutes. It listens for commands that enable:
- Arbitrary system command execution
- Payload dropping (EXE, DLL, JS, CMD)
- Detailed system reconnaissance (OS info, ARP cache, domain membership)
- Interactive and one-off command shells
- Lateral movement potential through Active Directory reconnaissance
“The NodeJS RAT creates SOCKS5 proxy tunnels and allows attackers to proxy their traffic… It also receives commands from the attacker for further exploitation,” SpiderLabs explained.
One standout detail in SpiderLabs’ investigation is the use of TryCloudflare to host second-stage payloads — a technique that exploits Cloudflare’s legitimate tunneling service to evade detection and prolong threat actor access.
The KongTuke campaign, also known by aliases such as 404TDS, Chaya_002, and TAG-124, appears to be a broader malware infrastructure operation that has gained momentum due to the effectiveness of fake CAPTCHA lures.
This campaign has also been associated with other malware strains such as Mispadu, Lumma Stealer, and similar NodeJS backdoors. Trustwave warns that due to the “high success rates of fake CAPTCHA techniques,” these attacks are likely to grow in scope and impact.