GachiLoader: Defeating Node.js Malware with API Tracing
Essential information
- Published
- 17/12/2025 21:22
- Modified
- 21/12/2025 19:35
- Tags
- 2025-12-17 anti-analysis api tracing gachiloader infostealer kidkadi malware node.js obfuscation pe injection rhadamanthys youtube
- Related entities
- 10 observables, 10 techniques (mitre), 2 others
Description
A new malware distribution campaign utilizing compromised YouTube accounts to spread infostealers has been identified. The campaign employs GachiLoader, a heavily obfuscated Node.js loader, to deploy the Rhadamanthys infostealer. GachiLoader implements anti-analysis techniques and uses a novel PE injection method called Vectored Overloading. To aid analysis, researchers developed an open-source Node.js tracer tool. The campaign has affected over 100 videos with 220,000 views across 39 compromised accounts since December 2024. The malware evades detection, elevates privileges, and disables Windows Defender before retrieving its payload.