Monday, April 27, 2026

Beware of Fake Online Speedtest Apps with Hidden JavaScript Code

These fake online speedtest applications prey on users seeking to measure their internet performance, yet they harbor hidden payloads that compromise system integrity and privacy.

Much like the previously analyzed Fake Manual Reader and Finder software, these imposters leverage packers, obfuscated JavaScript, and persistence mechanisms to execute arbitrary code and exfiltrate sensitive data.

On September 21, 2025, a new wave of malicious applications masquerading as legitimate speed-testing tools was uncovered.

The infection begins when a user downloads what appears to be a standard desktop or web-hosted speedtest utility. Upon installation, the executable unpacks itself using the Inno Setup Packer, then deploys Node.js alongside an obfuscated JavaScript file.

Analysis of the scheduled task—registered under a benign name via a task.xml definition—reveals that the launcher invokes Node to execute a file named temp.js.

This script employs a multi-stage decoding routine to reconstruct its true payload. By patching the decode function:

// original call, commented out:
//return _0x4375f0.decode(_0xfca211);
// patched call: log each decoded string before returning it to the caller
return (() => { const r = _0x4375f0.decode(_0xfca211); console.log(r); return r; })();

security researchers were able to print the decrypted strings before execution, confirming that the malware harvests system identifiers and sends them to a remote command-and-control (C2) server.

Payload and Data Exfiltration

Once the JavaScript payload executes, it queries the Windows registry for the MachineGuid at HKLM\Software\Microsoft\Cryptography and constructs a JSON object.

The script’s hardcoded fields include version metadata ("ver":0.2.1), application identifier, and registry values.

These parameters are serialized via JSON.stringify and transmitted via HTTPS POST to cloud.appusagestats[.]com. By redirecting this domain to a local listener with a generated TLS certificate, analysts captured the exact POST body:

{"ver":"0.2.1","a":"argString"}

Accompanying metadata fields such as the MachineGuid and process identifiers are also embedded, allowing each compromised host to be uniquely identified. After the data is exfiltrated, the script waits for commands from the C2.

Looking at the malware itself, there are a couple of things we can do to pull strings out. For the POST data, there is a JSON.stringify call that follows the URL section of the script.

The command-and-control server response arrives as an application/octet-stream containing an XOR-encoded JSON payload.

The decoding process entails taking the first 16 bytes of the response as an XOR key (expressed in hexadecimal), then applying that key to the remainder of the payload.

The decrypted JSON typically carries a "pl" array populated with server-issued commands. In live analysis, this array was empty, but the framework allows for arbitrary instructions.

When commands are received, the malware employs Node.js’s child_process.exec to spawn system commands.

A proof-of-concept response triggered a disguised PowerShell invocation that displayed a Windows Forms message box. This demonstrates that the framework can execute arbitrary code, including credential dumping, ransomware deployment, or lateral movement tools.

Mitigations

Detecting these fake speedtest applications poses challenges due to the obfuscation and legitimate appearance of the front-end functionality. Indicators of compromise include:

  1. Presence of Node.js binaries in application directories that otherwise should not require them.
  2. Scheduled tasks referencing JavaScript files in temporary directories.
  3. Outbound HTTPS POST traffic to unknown domains such as cloud.appusagestats[.]com.
  4. Task.xml or registry entries created during installation under non-standard keys.

System administrators should audit scheduled tasks and executable file checksums against known good baselines.

Endpoint detection and response (EDR) solutions can flag the dynamic creation of child processes invoked via Node.js or PowerShell with encoded payloads.

Blocking .js execution under unexpected contexts and enforcing strict application whitelisting further reduces attack surface.

The resurgence of fake, obfuscated JS-based malware under the guise of innocuous speedtest tools underscores the evolving threat landscape.

Attackers recycle proven infection patterns—packer usage, obfuscated scripting, scheduled persistence, and C2 communication—while targeting a new category of everyday utility.

Vigilance in application sourcing, combined with robust detection policies, remains the best defense against these deceptive threats.

Ensuring that users download only verified speed-testing software, and monitoring for anomalous scheduled tasks and network traffic, will help organizations stay ahead of this insidious campaign.


Mayura Kathir
Mayura Kathir is a cybersecurity reporter at GBHackers News, covering daily incidents including data breaches, malware attacks, cybercrime, vulnerabilities, zero-day exploits, and more.
