GachiLoader: Defeating Node.js Malware with API Tracing research.checkpoint.com/2025/gach…
-
The YouTube Ghost Network is a malware distribution network that uses compromised accounts to promote malicious videos and spread malware, such as infostealers.
-
One of the observed campaigns uses a new, heavily obfuscated loader malware written in Node.js, which we call GachiLoader.
-
To make obfuscated Node.js malware easier to analyze, Check Point Research developed an open-source Node.js API tracer, which significantly reduces the effort needed to work through samples of this type and extract their configurations.
-
One variant of GachiLoader deploys a second-stage malware, Kidkadi, that implements a novel Portable Executable (PE) injection technique: it loads a legitimate DLL and abuses Vectored Exception Handling (VEH) to replace it on the fly with a malicious payload.