Sealed Chain of Deception: Actors leveraging Node.JS to Launch JSCeal

MITRE Techniques

• [T1041] Exfiltration Over C2 Channel – JSCEAL exfiltrates collected machine and user data to command and control servers over encrypted channels. (‘extracts the MachineGuid value and compiles information sent to operators’).
• [T1086] PowerShell – Scheduled tasks run encoded PowerShell scripts that disable Windows Defender exclusions and maintain persistent backdoor functionality. (‘Add-MpPreference -ExclusionProcess … -Force’).
• [T1059.007] Command and Scripting Interpreter: JavaScript – Malicious compiled JavaScript payload executed via Node.js, evading detection through obfuscation and compiled bytecode. (‘JSCEAL executes the final payload using Node.exe and app.jsc’).
• [T1204.002] User Execution: Malicious File – Victims are tricked into executing MSI installers from fake websites promoted by malicious social media advertisements. (‘malicious MSI installer files downloaded from attacker-controlled sites’).
• [T1176] Browser Extensions – JSCEAL manipulates crypto-related browser extensions to steal sensitive data. (‘Manipulates crypto-related web extensions’).
• [T1098] Account Manipulation – Actors use stolen or fake social media accounts for propagation of malicious advertisements. (‘The actors use either stolen accounts or newly created ones to write malicious posts’).
• [T1036] Masquerading – Fake apps impersonate nearly 50 legitimate cryptocurrency trading platforms to lure victims. (‘Impersonate almost 50 common cryptocurrency trading apps’).
• [T1071.001] Application Layer Protocol: Web Protocols – Communication with C2 servers uses HTTPS, including DNS over HTTPS to Cloudflare DNS 1.1.1.1. (‘starts communicating with Cloudflare DNS 1.1.1.1 over HTTPS’).
• [T1543.003] Create or Modify System Process: Windows Service – The campaign creates scheduled tasks that trigger infection stages and maintain persistence. (‘creates scheduled task to launch PowerShell infection chain’).