NodeJS backdoors delivering proxyware and monetization schemes

released on 2025-09-24 @ 10:32:36 AM
This report details a campaign involving Node.js backdoors used to distribute proxyware and monetization schemes. The attackers employ Inno Setup installers to drop PowerShell scripts that download and execute Node.js packages containing malicious JavaScript. The backdoors collect system information, communicate with command and control servers, and can execute various commands, including PowerShell scripts and additional Node.js code. The campaign is associated with multiple proxyware applications such as Infatica, Honeygain, earnFM, and PacketLab. The attackers also use browser extensions to track user navigation and potentially redirect users to malicious URLs. The infrastructure involves numerous domains and cloud services for hosting malware and command and control.