A coordinated YouTube Ghost Network campaign used compromised accounts to distribute obfuscated Node.js malware (GachiLoader) that retrieves or drops a second-stage loader (Kidkadi). Kidkadi employs a novel PE injection method, abusing Vectored Exception Handling, to load malicious payloads such as the Rhadamanthys infostealer. Check Point Research released a Node.js Tracer to defeat the loader's anti-analysis checks and reproduced the injection technique (Vectored Overloading) as a PoC for researchers. #GachiLoader #Rhadamanthys
Keypoints
- Compromised YouTube accounts promoted game cheats and cracked software to lure victims into downloading archives that contained obfuscated malware.
- The campaign deployed a Node.js-based, heavily obfuscated loader called GachiLoader, which implements extensive anti-analysis and anti-VM checks.
- Check Point developed and published an open-source Node.js Tracer to dynamically analyze and bypass GachiLoader’s anti-analysis logic, enabling extraction of payloads and configs.
- One GachiLoader variant drops a native Node addon (kidkadi.node) that loads a final payload using a novel PE injection technique dubbed Vectored Overloading.
- Vectored Overloading maps a malicious PE into a legitimate DLL section and uses Vectored Exception Handlers and hardware breakpoints to trick the Windows loader into mapping and executing the payload.
- Final payloads observed in this campaign were protected with Themida/VMProtect and all analyzed samples deployed the Rhadamanthys infostealer; multiple C2 domains and IPs were extracted as IOCs.
MITRE Techniques
- [T1204] User Execution – The campaign relies on users downloading and running archives from YouTube video descriptions to start the infection chain: ‘the infection chain begins with compromised accounts that host videos designed to lure viewers into downloading malware from an external file hosting platform.’
- [T1497] Virtualization/Sandbox Evasion – GachiLoader performs multiple environment checks for RAM, CPU, usernames, hostnames, processes and WMI queries and enters a benign loop if detected: ‘If any of these checks indicate a virtual machine, sandbox or analysis environment the malware enters a loop of sending HTTP GET requests to benign websites…’
- [T1027] Obfuscated Files or Information – The loader is heavily obfuscated in Node.js to hinder static analysis: ‘GachiLoader is a heavily obfuscated Node.js JavaScript malware used to deploy additional payloads to an infected machine.’
- [T1055] Process Injection – The Kidkadi loader implements a novel Portable Executable injection technique that causes the OS to load a malicious PE from memory instead of a legitimate DLL: ‘implements a novel technique for PE injection, which tricks the Windows loader into loading a malicious PE from memory instead of a legitimate DLL.’
- [T1548.002] Bypass User Account Control – The malware attempts to elevate privileges by relaunching itself with RunAs, prompting a UAC dialog: ‘Start-Process cmd.exe -Verb RunAs -WindowStyle Hidden -ArgumentList ‘/c “””’
- [T1562] Impair Defenses – The loader attempts to disable or bypass Windows Defender and adds exclusions using Add-MpPreference: ‘the malware attempts to kill Windows Defender’s SecHealthUI.exe process… and adds Defender exclusions via Add-MpPreference -ExclusionPath.’
- [T1071.001] Application Layer Protocol: Web Protocols – C2 communication and payload retrieval use HTTP(S) POST/GET requests to embedded endpoints: ‘sends them via a POST request to the /log endpoint of its C2… a GET request to the /richfamily/ endpoint… gets the URL of the final payload to download.’
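The T1548.002 and T1562 entries above describe behaviours that surface in PowerShell script-block logs and process-creation events before any payload is decoded. The following is an added example, not code from the report or from Check Point; it runs three simple detection rules over constructed log lines. The `taskkill` form of the SecHealthUI.exe kill is an assumption (the report only says the process is killed), and the sample lines are invented to exercise each rule.

```python
import re

# Constructed sample log lines (not from the report). They imitate what a
# PowerShell script-block record (Event ID 4104) or a process-creation
# record might carry after a GachiLoader-style elevation/defense-evasion step.
SAMPLE_LOG_LINES = [
    "ScriptBlockText: Start-Process cmd.exe -Verb RunAs -WindowStyle Hidden "
    "-ArgumentList '/c \"C:\\Users\\Public\\run.bat\"'",
    'ScriptBlockText: Add-MpPreference -ExclusionPath "C:\\Users\\Public"',
    # taskkill is an assumed way the process might be killed; the report does
    # not state the exact command.
    "CommandLine: taskkill /F /IM SecHealthUI.exe",
    "ScriptBlockText: Get-ChildItem -Path C:\\Temp",
    'ScriptBlockText: Add-MpPreference -ExclusionProcess "node.exe"',
]

# (technique id, rule name, pattern). Patterns are deliberately loose on
# whitespace and case because PowerShell is case-insensitive.
RULES = [
    ("T1548.002", "RunAs relaunch (UAC prompt)",
     re.compile(r"Start-Process\b.*-Verb\s+RunAs", re.IGNORECASE)),
    ("T1562", "Defender exclusion added",
     re.compile(r"Add-MpPreference\b.*-Exclusion(?:Path|Process|Extension)",
                re.IGNORECASE)),
    ("T1562", "Defender UI process killed",
     re.compile(r"taskkill\b.*SecHealthUI\.exe", re.IGNORECASE)),
]


def match_line(line):
    """Return the (technique_id, rule_name) pairs whose pattern hits this line."""
    return [(tid, name) for tid, name, rx in RULES if rx.search(line)]


def scan(lines):
    """Return a list of (line_index, technique_id, rule_name) for every hit."""
    hits = []
    for idx, line in enumerate(lines):
        for tid, name in match_line(line):
            hits.append((idx, tid, name))
    return hits


def summarize(lines):
    """Count hits per MITRE technique id, handy for a triage summary."""
    counts = {}
    for _, tid, _ in scan(lines):
        counts[tid] = counts.get(tid, 0) + 1
    return counts


if __name__ == "__main__":
    for idx, tid, name in scan(SAMPLE_LOG_LINES):
        print(f"line {idx}: [{tid}] {name}")
    print(summarize(SAMPLE_LOG_LINES))
```

The rules only fire if the events exist: script-block logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) and command-line auditing for process creation both need to be enabled on the endpoint. A benign `Add-MpPreference` call from an administrator will also match, so the exclusion rule is a triage signal rather than a verdict; correlating it with a preceding RunAs relaunch from a user-writable path is what makes it interesting.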
Indicators of Compromise
- [File Hash – .zip archive] Archive containing initial malware – 062d342f59136c3b…237ecf (truncated here; full hash in the report), and other archived payload hashes.
- [File Hash – GachiLoader sample] GachiLoader binary hash – 00bcfecad4b679f72c50cbdc… (truncated here; full hash in the report), and other GachiLoader sample hashes.
- [File Hash – Kidkadi dropper] Kidkadi dropper binary hash – 01bdbb37d4b5d22ab98f1977… (truncated here; full hash in the report).
- [File Hash – Native module] kidkadi.node sample hash – 2ac4f1a2e22c99a8…424be25 (truncated here; full hash in the report), and other native addon hashes.
- [File Hash – PoC] HookPE.exe PoC hash – ded68a8f5d0765740d469c08bd66270097f3474eab92ee1e65ddcdd6d15fca6e.
- [File Names] filenames used for dropped/final payloads – examples: kidkadi.node, KeePass.exe, GoogleDrive.exe, UnrealEngine.exe, HookPE.exe.
- [Domains] GachiLoader C2 and distribution domains – davpniktonevidit[.]cfd, nexus-cloud-360[.]com, globalmarket247online[.]com, digitalservice365cloud[.]com, and several others listed in the report.
- [IP Addresses/URLs] C2 and payload URLs for Rhadamanthys – examples: 176[.]46[.]152[.]18:8181/gDatFeDway/…, 94[.]154[.]35[.]99:1888/gateway/…, 180[.]178[.]189[.]34:8181/gDatFeDway/… (multiple IP:port endpoints and paths provided in the report).
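Indicator lists like the one above are defanged (`[.]` in domains and IPs) and, in a summary, often truncated, so they cannot be pasted straight into a blocklist or a hash lookup. The following is an added example, not code from the report or from Check Point: a small parser that refangs the text, keeps only complete SHA-256 values, separates domains from filenames, and pulls out IP:port endpoints. The input is constructed from a few page values plus a truncated hash to show that incomplete indicators are dropped rather than silently accepted.

```python
import re

# Constructed input in the same defanged style as the indicator list above.
# It mixes values from the page with a truncated hash (which must be
# rejected) and filenames (which must not be mistaken for domains).
IOC_TEXT = """
- [File Hash – PoC] HookPE.exe PoC hash – ded68a8f5d0765740d469c08bd66270097f3474eab92ee1e65ddcdd6d15fca6e.
- [File Hash – .zip archive] 062d342f59136c3b…237ecf (truncated)
- [File Names] kidkadi.node, KeePass.exe, HookPE.exe
- [Domains] davpniktonevidit[.]cfd, nexus-cloud-360[.]com, globalmarket247online[.]com
- [IP Addresses/URLs] 176[.]46[.]152[.]18:8181/gDatFeDway/…, 94[.]154[.]35[.]99:1888/gateway/…
"""

SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
IPPORT_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?")

# "TLDs" that are really file extensions in a filenames line.
FILE_EXTENSIONS = {"exe", "dll", "node", "zip", "bat", "ps1", "js"}


def refang(text):
    """Undo the common defanging forms so indicators can be looked up."""
    text = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", text)
    return text.replace("hxxp", "http")


def valid_ipv4(ip):
    """True if every dotted octet is in 0..255 (the regex only checks digit count)."""
    return all(0 <= int(octet) <= 255 for octet in ip.split("."))


def extract_iocs(text):
    """Return a dict of de-duplicated, sorted indicators by type."""
    t = refang(text)
    hashes = sorted(set(SHA256_RE.findall(t)))
    ip_matches = [(ip, port) for ip, port in IPPORT_RE.findall(t) if valid_ipv4(ip)]
    ips = sorted({ip for ip, _ in ip_matches})
    ip_ports = sorted({f"{ip}:{port}" for ip, port in ip_matches if port})
    domains = sorted({
        d.lower() for d in DOMAIN_RE.findall(t)
        if d.rsplit(".", 1)[-1].lower() not in FILE_EXTENSIONS
    })
    return {"sha256": hashes, "domains": domains, "ips": ips, "ip_ports": ip_ports}


if __name__ == "__main__":
    for kind, values in extract_iocs(IOC_TEXT).items():
        print(kind)
        for v in values:
            print("  ", v)
```

The truncated archive hash is excluded because `SHA256_RE` requires exactly 64 hex characters between word boundaries, so partial values from a summary never reach a lookup where they would either fail or, worse, match the wrong file. Filenames such as `kidkadi.node` are filtered by extension rather than by position on the page, which keeps the parser usable on other reports with the same conventions.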
Read more: https://research.checkpoint.com/2025/gachiloader-node-js-malware-with-api-tracing/