Categories: Cyber Security News

GachiLoader Deploys Payloads Using Heavily Obfuscated Node.js JavaScript Malware on Infected Machines

GachiLoader is a new, heavily obfuscated Node.js-based loader used to deploy multiple payloads, including the Rhadamanthys infostealer, on compromised Windows machines.

It is distributed via the YouTube Ghost Network, a large-scale malware-delivery operation that exploits compromised YouTube accounts to distribute fake game cheats and cracked software downloads.​

Campaign and Infection Flow

Attackers use compromised YouTube channels to publish videos advertising game cheats and pirated software, luring users to external file-hosting sites that deliver password-protected ZIP archives containing the GachiLoader executable.

The loader is a large (60–90 MB) self-contained Node.js application packaged with the nexe project, enabling it to run on systems without Node.js installed, making it appear to the victim as a legitimate installer.​

Once executed, the malware performs extensive environment checks to avoid sandboxes and analysis systems.

It inspects RAM size, CPU core count, usernames, hostnames, running processes, disk manufacturers, and video controllers, looking for signs of virtual machines, security tools, or research environments.

If a lab-like environment is detected, GachiLoader enters an infinite loop of benign HTTP GET requests to popular websites such as LinkedIn and Twitter, wasting analysts’ time while concealing its actual behavior.​

If the system passes these checks, GachiLoader creates a mutex-like lock file in the TEMP directory to prevent rapid re-execution, then attempts to elevate privileges using a hidden PowerShell command that relaunches itself with “RunAs,” prompting the user with a UAC dialog that appears consistent with a standard software installer.​

Payload Delivery and Advanced Injection

To ensure persistence in later stages, GachiLoader attempts to weaken Windows Defender by terminating the SecHealthUI.exe process and adding broad Defender exclusion paths for system drives, as well as an exclusion for .sys files.
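The Defender weakening described above leaves a clear trace: every exclusion change is logged by the Microsoft-Windows-Windows Defender/Operational channel as event ID 5007 ("configuration has changed"), with the new registry value in the message. The following detection script is an added example written for this article, not code from the researchers or the malware; the pipe-separated event layout and the sample events are constructed for the example, and the rule flags whole-drive path exclusions and exclusions for extensions such as .sys as high severity.

```python
"""Flag suspiciously broad Windows Defender exclusion changes (event ID 5007)."""
import re
from dataclasses import dataclass

# Constructed sample events in a simplified "timestamp|event_id|message" layout
# (an assumption for this example; real exports use EVTX/XML fields).
SAMPLE_EVENTS = [
    "2025-11-03T10:01:02|5007|Microsoft Defender Antivirus Configuration has changed. "
    "New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\ = 0x0",
    "2025-11-03T10:01:03|5007|Microsoft Defender Antivirus Configuration has changed. "
    "New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Extensions\\sys = 0x0",
    "2025-11-03T10:05:00|5007|Microsoft Defender Antivirus Configuration has changed. "
    "New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Program Files\\Vendor\\app = 0x0",
    "2025-11-03T10:06:00|1116|Microsoft Defender Antivirus has detected malware or other potentially unwanted software.",
]

# Pull the exclusion kind (Paths/Extensions/Processes) and value out of the 5007 message.
EXCL_RE = re.compile(
    r"New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\"
    r"(?P<kind>Paths|Extensions|Processes)\\(?P<value>.+?) = 0x"
)
DRIVE_ROOT_RE = re.compile(r"^[A-Za-z]:\\?$")        # e.g. "C:" or "C:\"
RISKY_EXTENSIONS = {"sys", "exe", "dll", "ps1", "js"}  # assumption: extensions worth alerting on


@dataclass
class Finding:
    timestamp: str
    kind: str
    value: str
    severity: str


def classify(kind: str, value: str) -> str:
    """Rate an exclusion: whole drives and executable-type extensions are high severity."""
    if kind == "Paths" and DRIVE_ROOT_RE.match(value.strip()):
        return "high"
    if kind == "Extensions" and value.lower().lstrip(".") in RISKY_EXTENSIONS:
        return "high"
    return "info"


def scan_events(lines):
    """Return a Finding for every exclusion change found in 5007 events."""
    findings = []
    for line in lines:
        ts, event_id, msg = line.split("|", 2)
        if event_id != "5007":
            continue
        m = EXCL_RE.search(msg)
        if not m:
            continue
        kind, value = m.group("kind"), m.group("value")
        findings.append(Finding(ts, kind, value, classify(kind, value)))
    return findings


def high_severity(lines):
    """Only the findings a SOC analyst should be paged for."""
    return [f for f in scan_events(lines) if f.severity == "high"]


if __name__ == "__main__":
    for f in high_severity(SAMPLE_EVENTS):
        print(f"{f.timestamp} {f.kind}={f.value!r} severity={f.severity}")
```

In production the same rule would read the 5007 events from the EVTX channel or a SIEM rather than a list of strings; the pattern to alert on is the same, since a legitimate installer almost never excludes a drive root or every .sys file.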

The loader then enters its payload-delivery phase, where researchers have observed two main variants.​

In the first variant, GachiLoader communicates with multiple embedded command-and-control (C2) servers, collecting host information (such as OS and antivirus) and sending it via POST requests to a “log” endpoint before requesting the final payload.

Figure: First GachiLoader variant loading a remote payload

It then downloads the final payload, often Rhadamanthys, from a Base64-encoded URL protected by a unique X-Secret header, saving it to the TEMP folder under names that mimic legitimate software such as KeePass.exe or GoogleDrive.exe; the payload itself is protected with packers such as VMProtect or Themida.​
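The first variant's network behaviour gives defenders two concrete things to look for in proxy or EDR telemetry: a POST of host details (OS, antivirus) to a "log" endpoint, and a download request carrying an X-Secret header. The detector below is an added example for this article, not code from the researchers; the request records, the hostname c2.example.invalid and the JSON field names are constructed, and the helper that decodes a Base64 URL shows how an analyst would recover the embedded download location from a config string.

```python
"""Flag GachiLoader-style C2 traffic in constructed proxy-log records."""
import base64
import json
from urllib.parse import urlparse

# Constructed request records in a simplified dict form (not real telemetry).
SAMPLE_REQUESTS = [
    {"method": "POST", "url": "http://c2.example.invalid/api/log",
     "headers": {"Content-Type": "application/json"},
     "body": json.dumps({"os": "Windows 10", "av": "Windows Defender"})},
    {"method": "GET", "url": "http://c2.example.invalid/dl/KeePass.exe",
     "headers": {"X-Secret": "0123456789abcdef"}, "body": ""},
    {"method": "GET", "url": "https://www.example.com/index.html",
     "headers": {"User-Agent": "Mozilla/5.0"}, "body": ""},
]


def decode_embedded_url(b64_value: str):
    """Decode a Base64-encoded URL from a loader config; None if it is not a usable URL."""
    try:
        decoded = base64.b64decode(b64_value, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None
    parsed = urlparse(decoded)
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return decoded
    return None


def flag_requests(records):
    """Return (reason, url) pairs for requests matching the two C2 patterns."""
    findings = []
    for r in records:
        headers = {k.lower(): v for k, v in r["headers"].items()}
        path = urlparse(r["url"]).path.rstrip("/")
        # Pattern 1: host fingerprint (OS / AV) POSTed to a "log" endpoint.
        if r["method"] == "POST" and path.endswith("/log"):
            try:
                body = json.loads(r["body"] or "{}")
            except json.JSONDecodeError:
                body = {}
            if isinstance(body, dict) and {"os", "av"} & set(body):
                findings.append(("host-fingerprint-post", r["url"]))
        # Pattern 2: payload fetch authenticated with a custom X-Secret header.
        if "x-secret" in headers:
            findings.append(("x-secret-download", r["url"]))
    return findings


if __name__ == "__main__":
    for reason, url in flag_requests(SAMPLE_REQUESTS):
        print(reason, url)
    print(decode_embedded_url(base64.b64encode(b"http://c2.example.invalid/dl/x").decode()))
```

A custom header name on its own is a weak signal, so in practice this rule would be correlated with the process that issued the request (a large nexe-packed executable launched from a downloaded archive) and with a subsequent write of a new executable into TEMP.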

In the second variant, the loader drops a native Node.js addon named kidkadi.node, which receives an embedded PE payload via a JavaScript-exposed function and executes it using a novel PE injection technique dubbed “Vectored Overloading.”

This method abuses Vectored Exception Handlers and hardware breakpoints on functions such as NtOpenSection and NtMapViewOfSection to trick the Windows loader into mapping a malicious PE in memory.

Because the resulting mapping appears to be backed by a legitimate DLL on disk, such as wmp.dll or amsi.dll, much of the loader’s work is offloaded to the operating system, which complicates detection.​
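The detection angle for an injected image that claims a legitimate DLL as its backing file is to compare what is actually mapped in memory with the file on disk: the section count, link timestamp and SizeOfImage in the PE header must agree for an honest mapping. The script below is an added example for this article, not code from the researchers or any memory-scanning product; it builds two minimal, non-loadable PE headers by hand (constructed test data) so the comparison runs offline, and the "amsi.dll" labels are illustrative only.

```python
"""Detect a memory mapping whose PE header disagrees with its claimed backing file."""
import struct
from dataclasses import dataclass


@dataclass
class PeIdentity:
    number_of_sections: int
    time_date_stamp: int
    size_of_image: int


def build_minimal_pe(nsections: int, timestamp: int, size_of_image: int) -> bytes:
    """Construct a minimal PE32+ header for the example (not a loadable image)."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew: PE signature at offset 64
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, nsections, timestamp, 0, 0, 240, 0x2022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)            # PE32+ magic
    struct.pack_into("<I", opt, 56, size_of_image)   # SizeOfImage lives at optional header + 56
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def parse_pe_identity(data: bytes) -> PeIdentity:
    """Read the three header fields used for the comparison."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections, ts = struct.unpack_from("<HI", data, e_lfanew + 6)
    size_of_image = struct.unpack_from("<I", data, e_lfanew + 24 + 56)[0]
    return PeIdentity(nsections, ts, size_of_image)


def backing_mismatch(disk_image: bytes, mapped_image: bytes):
    """Names of header fields where the mapped image disagrees with its on-disk backing file."""
    d, m = parse_pe_identity(disk_image), parse_pe_identity(mapped_image)
    return [f for f in ("number_of_sections", "time_date_stamp", "size_of_image")
            if getattr(d, f) != getattr(m, f)]


# Constructed data: the on-disk "amsi.dll", an honest mapping of it, and a
# mapping that the OS reports as amsi.dll but that carries another PE's header.
DISK_AMSI = build_minimal_pe(6, 0x5F3A1C2B, 0x20000)
MAPPED_HONEST = build_minimal_pe(6, 0x5F3A1C2B, 0x20000)
MAPPED_STOMPED = build_minimal_pe(4, 0x6A0B1234, 0x80000)

if __name__ == "__main__":
    print("honest mapping:", backing_mismatch(DISK_AMSI, MAPPED_HONEST))
    print("stomped mapping:", backing_mismatch(DISK_AMSI, MAPPED_STOMPED))
```

On a live host the mapped bytes would come from the target process (the region's reported backing path from the memory map, its header from a process-memory read), and the comparison should tolerate the fields the loader legitimately rewrites, such as relocations and import thunks, which is why the check above sticks to header constants. A second indicator the article points to is hardware breakpoints: debug registers set on a thread of a process that is not under a debugger deserve attention in their own right.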

All analyzed samples in this YouTube Ghost Network campaign eventually deliver Rhadamanthys, underscoring the growing use of Node.js-based, heavily obfuscated loaders and advanced injection techniques to evade security tools and steal sensitive data from victims.​


The post GachiLoader Deploys Payloads Using Heavily Obfuscated Node.js JavaScript Malware on Infected Machines appeared first on Cyber Security News.
