{"id":54621,"date":"2023-11-22T00:00:00","date_gmt":"2023-11-22T00:00:00","guid":{"rendered":"urn:uuid:36fd745a-6262-7b00-dcba-90e045af0a92"},"modified":"2023-11-22T00:00:00","modified_gmt":"2023-11-22T00:00:00","slug":"attack-signals-possible-return-of-genesis-market-abuses-node-js-and-ev-code-signing","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/attack-signals-possible-return-of-genesis-market-abuses-node-js-and-ev-code-signing\/","title":{"rendered":"Attack Signals Possible Return of Genesis Market, Abuses Node.js, and EV Code Signing"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/Genesis-cover-1:Large?qlt=80\"><\/p>\n<div><img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/23\/Genesis-cover.png\" class=\"ff-og-image-inserted\"><\/div>\n<p>The next part of the infection chain involved the installation of an old but legitimate <i>Node.js <\/i>with a valid and legitimate code signing certificate. It is important to note that this does not mean that the user was affected because they were using an old <i>Node.js<\/i> module. 
Rather, the module was brought in and installed by the threat actor (instead of being preinstalled on the host machine).<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">SHA1 Hash: 6817df1da376e8f6e68fd1ad06d78f02406b6e19<\/span><\/li>\n<li><span class=\"rte-red-bullet\">File Version: 0.10.41<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Signer: Node.js Foundation<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Date signed: 2015-12-04 03:46:00 UTC<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Installed path: C:\\ProgramData\\DNTException\\node.exe<\/span><\/li>\n<\/ul>\n<p>A closer look at this payload sample reveals it to be the malware <a href=\"https:\/\/any.run\/cybersecurity-blog\/lu0bot-analysis\/\">analyzed by Any.run as Lu0Bot<\/a>.<\/p>\n<p>After being installed, the payload was launched on <i>Node.js<\/i>, after which it received a number of OS commands (possibly human-operated) from the C&amp;C server via a backdoor, then executed them:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">&#8220;C:\\Users\\{username}\\AppData\\Local\\Temp\\nvnnimjsd\\fnichvxlmq.exe&#8221;<\/span><\/li>\n<li><span class=\"rte-red-bullet\">&#8220;C:\\Users\\{username}\\AppData\\Local\\Temp\\nvnnimjsd\\lgjnbyhdmf.dat&#8221; 3721679456<\/span><\/li>\n<li><span class=\"rte-red-bullet\">attrib.exe +H &#8220;C:\\ProgramData\\Intel\\Intel(R) Management Engine Components&#8221;<\/span><\/li>\n<li><span class=\"rte-red-bullet\">attrib.exe +H &#8220;C:\\ProgramData\\Intel\\Intel(R) Management Engine Components\\Intel MEC 3573217561&#8221;<\/span><\/li>\n<li><span class=\"rte-red-bullet\">attrib.exe +H &#8220;C:\\ProgramData\\Intel\\Intel(R) Management Engine Components\\Intel MEC 3806163581&#8221;<\/span><\/li>\n<li><span class=\"rte-red-bullet\">attrib.exe +H C:\\ProgramData\\DNTException<\/span><\/li>\n<li><span class=\"rte-red-bullet\">attrib.exe +H C:\\ProgramData\\DNTException\\node.exe<\/span><\/li>\n<li><span class=\"rte-red-bullet\">attrib.exe +H 
C:\\ProgramData\\Intel<\/span><\/li>\n<li><span class=\"rte-red-bullet\">C:\\Users\\{username}\\AppData\\Local\\Temp\\nvnnimjsd\\fnichvxlmq.exe C:\\Users\\{username}\\AppData\\Local\\Temp\\nvnnimjsd\\lgjnbyhdmf.dat 3721679456 1369574819<\/span><\/li>\n<li><span class=\"rte-red-bullet\">cacls.exe C:\\ProgramData\\DNTException \/t \/e \/c \/g Everyone:F<\/span><\/li>\n<li><span class=\"rte-red-bullet\">cacls.exe C:\\ProgramData\\Intel \/t \/e \/c \/g Everyone:F<\/span><\/li>\n<li><span class=\"rte-red-bullet\">cmd.exe \/c dir C:\\<\/span><\/li>\n<li><span class=\"rte-red-bullet\">icacls.exe C:\\ProgramData\\DNTException \/t \/c \/grant *S-1-1-0:(f)<\/span><\/li>\n<li><span class=\"rte-red-bullet\">icacls.exe C:\\ProgramData\\Intel \/t \/c \/grant *S-1-1-0:(f)<\/span><\/li>\n<li><span class=\"rte-red-bullet\">ipconfig.exe \/all<\/span><\/li>\n<li><span class=\"rte-red-bullet\">netstat.exe -ano<\/span><\/li>\n<li><span class=\"rte-red-bullet\">node.exe node.lib 3721679456 3015897030<\/span><\/li>\n<li><span class=\"rte-red-bullet\">reg.exe add HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run \/v &#8220;Intel Management Engine Components 1808681674&#8221; \/t REG_SZ \/d &#8220;wscript.exe \/t:30 \/nologo \/e:jscript \\&#8221;C:\\ProgramData\\Intel\\Intel(R) Management Engine Components\\Intel MEC 3573217561\\&#8221; \\&#8221;C:\\ProgramData\\Intel\\Intel(R) Management Engine Components\\&#8221; 2779289286&#8243; \/f<\/span><\/li>\n<li><span class=\"rte-red-bullet\">reg.exe add HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run \/v &#8220;Intel Management Engine Components 1808681674&#8221; \/t REG_SZ \/d &#8220;wscript.exe \/t:30 \/nologo \/e:jscript \\&#8221;C:\\ProgramData\\Intel\\Intel(R) Management Engine Components\\Intel MEC 3573217561\\&#8221; \\&#8221;C:\\ProgramData\\Intel\\Intel(R) Management Engine Components\\&#8221; 2779289286&#8243; \/f<\/span><\/li>\n<li><span class=\"rte-red-bullet\">reg.exe query 
&#8220;HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders&#8221;<\/span><\/li>\n<li><span class=\"rte-red-bullet\">reg.exe query HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run<\/span><\/li>\n<li><span class=\"rte-red-bullet\">reg.exe query HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run<\/span><\/li>\n<li><span class=\"rte-red-bullet\">reg.exe query HKLM\\SYSTEM\\ControlSet001\\Control\\Class\\{4d36e968-e325-11ce-bfc1-08002be10318}<\/span><\/li>\n<li><span class=\"rte-red-bullet\">reg.exe query HKLM\\SYSTEM\\ControlSet001\\Control\\Class\\{4d36e968-e325-11ce-bfc1-08002be10318}\\0000<\/span><\/li>\n<li><span class=\"rte-red-bullet\">reg.exe query HKLM\\SYSTEM\\ControlSet001\\Control\\Class\\{4d36e968-e325-11ce-bfc1-08002be10318}\\0001<\/span><\/li>\n<li><span class=\"rte-red-bullet\">route.exe print<\/span><\/li>\n<li><span class=\"rte-red-bullet\">systeminfo.exe \/fo csv<\/span><\/li>\n<li><span class=\"rte-red-bullet\">tasklist \/fo csv \/nh<\/span><\/li>\n<li><span class=\"rte-red-bullet\">wmic process get processid,parentprocessid,name,executablepath \/format:csv<\/span><\/li>\n<li><span class=\"rte-red-bullet\">wmic process get processid,parentprocessid,name,executablepath,commandline \/format:csv<\/span><\/li>\n<\/ul>\n<p>The Vision One execution profile shows how the MSI installer starts. First, <i>Node.js<\/i> is installed, then the Lu0Bot payload is started on the module, after which the backdoor commands are executed.<\/p>\n<p>In the previous section, we mentioned that the <i>svchost.Bat<\/i> file introduced an old <i>Node.js<\/i> module and the Lu0Bot malware. However, we have also observed several other types of secondary payloads launched from the loader that are also masquerading as a <i>svchost<\/i> file. 
These were not launched by the first payload and we were not able to detect any <i>Node.js<\/i> abuse connected to these payloads.<\/p>\n<p>Currently, we have observed the following combinations:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">C:\\Users\\{username}\\AppData\\Local\\Temp\\RTIvsEUane3TLWA\\svchost.exe<\/span><\/li>\n<li><span class=\"rte-red-bullet\">C:\\Users\\{username}\\AppData\\Local\\Temp\\nJAnCiq3sxgojkV\\svchost.dll<\/span><\/li>\n<li><span class=\"rte-red-bullet\">C:\\Users\\{username}\\AppData\\Local\\Temp\\6\\kzC88czML4rqbVN\\svchost.dll (43f11d6ec961fc82cf53e4eca97c429285026f3e)<\/span><\/li>\n<\/ul>\n<p>This suggests that the second payload is interchangeable and is obtained during the first-stage loader execution, so the malicious activity observed depends on the timing of the infection or on the infected sample.<\/p>\n<p>During our investigation, we found several samples signed with EV code signing certificates. It\u2019s likely that the threat actor used this technique for defense evasion (making the samples seem legitimate at first).<\/p>\n<p>Similar to our <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/23\/i\/redline-vidar-first-abuses-ev-certificates.html\">previous report<\/a>, EV code signing was added to an executable file that was downloaded from the internet. This suggests that the malicious actors are highly motivated to avoid detection by websites, search engines, browsers, and operating systems whenever executable files are downloaded from the internet. 
It also has the effect of minimizing the warnings from the operating system whenever users launch the executable.<\/p>\n<p>We found two EV code-signed loaders in different locations that had different filenames (related to whatever the user was searching for) but identical file hash values:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">C:\\Users\\{username}\\Downloads\\microsoft_barcode_control_16.0_download.exe (3364dd410527f6fc2c2615aa906454116462bf96)<\/span><\/li>\n<li><span class=\"rte-red-bullet\">C:\\Users\\{username}\\Downloads\\avenir next heavy font.exe (3364dd410527f6fc2c2615aa906454116462bf96)<\/span><\/li>\n<\/ul>\n<p>The certificates have been revoked as of the time of writing. EV code signing certificates mandate hard token specifications for key generation, so today it is no longer possible to take away keys and certificates as software in PKCS12 files, as was the case in the past when private keys were stolen. This time, the certificate used for the signature most likely belonged to a small, general company, which is itself a victim. Besides the possibility that the attacker somehow holds the private key itself, it is also possible that the attacker used compromised accounts of a remote signing service, or gained access to the host to which the token containing the private key is connected. 
It is currently unknown how the threat actor gained access to the private key of the certificate used for signing.<\/p>\n<p><span class=\"body-subhead-title\">Initial access<br \/><\/span> Note that while we are unable to definitively conclude the exact methods used for initial access, we have evidence of the potential techniques used by the threat actor to gain entry into their target\u2019s system, which we will discuss in this section.<\/p>\n<p>Trend Vision One was able to record the process chain, which involved the default browser (in this case, Google Chrome, launched from Zoom), downloading a file that acted as the point of entry for the malicious file. This suggests that Zoom served as the entry point of the attack, but we have not been able to confirm this.<\/p>\n<p>The downloaded file has the name of a specific font \u2014 it\u2019s possible that the user was downloading font files, since there were several files with this font name in the user&#8217;s downloads folder.<\/p>\n<p> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/23\/k\/attack-signals-possible-return-of-genesis-market.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Trend Micro Managed XDR team encountered malicious operations that used techniques similar to the ones used by Genesis Market, a website for facilitating fraud that was taken down in April 2023. 
Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":54622,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9508,9513,9577,9509],"class_list":["post-54621","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-endpoints","tag-trend-micro-research-malware","tag-trend-micro-research-phishing","tag-trend-micro-research-research"],"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/54621","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=54621"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/54621\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/54622"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=54621"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=54621"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=54621"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}