Modern Fileless RAT Tactics: Node.js Abuse: Technical Analysis and Threat Attribution
This presentation explores a modern threat that leverages Node.js to operate entirely in memory, bypassing traditional endpoint protections. The malware analyzed is a fileless remote access trojan written in JavaScript, designed to evade detection and provide persistent control over compromised systems. Delivered through socially engineered lures, such as fake job interview processes and CAPTCHA forms, this malware reflects tradecraft frequently linked to North Korean state-sponsored groups.
Once deployed, the RAT establishes communication with a command-and-control server using HTTP traffic that is compressed and then XOR-obfuscated. It supports advanced features such as SOCKS5 proxy tunneling and is equipped with anti-analysis mechanisms, including virtual machine detection to avoid sandbox environments. These characteristics allow it to remain hidden in enterprise environments while enabling adversaries to maintain long-term access.
To fully understand its behavior and control mechanisms, we reconstructed and operated a replica of the command-and-control infrastructure. This reverse engineering effort revealed the malware's operational commands, its communication patterns, and the degree of control it grants to attackers. Our findings point to a broader trend in the adoption of Node.js for malware development, driven by its flexibility, cross-platform capabilities, and lower detection footprint.
This session will detail the technical architecture of the malware, walk through the infection chain, and share behavioral patterns useful for detection. We will also map the observed tactics to threat actor activity, presenting strong links to campaigns attributed to the Lazarus group. The talk includes detection strategies, YARA rules, and endpoint artifacts for defenders to use in their environments.
Attendees will leave with a deeper understanding of emerging JavaScript-based threats, attacker tooling evolution, and practical insights for threat hunting and incident response in enterprise networks.

Reegun Richard Jayapaul
Director of Threat Research at Cyderes with over 14 years of experience in threat research, malware analysis, reverse engineering, incident response, and offensive security. I build solutions to help organizations defend against evolving cyber threats.
My team regularly publishes new research and contributes to the broader security community. I’m an active contributor to the LOLBAS project, documenting how attackers abuse legitimate binaries to bypass security controls.
I’ve reported critical vulnerabilities, including a remote code execution flaw in Microsoft Teams, and led investigations into major malware campaigns such as GoldenSpy and GoldenHelper. I use threat intelligence to shape proactive defense strategies and improve detection capabilities.
