Beware Fake Speedtest Apps: Hidden JavaScript Malware Steals Data and Enables Remote Control
Fake online speedtest apps deceive users by mimicking legitimate internet-performance tools while carrying a malicious JavaScript payload that compromises the system and steals data. Discovered on September 21, 2025, the samples are packaged with Inno Setup: the installer unpacks a Node.js runtime, drops an obfuscated temp.js, and registers a disguised scheduled task to run it, which gives the payload persistence across reboots. The script decodes itself in several stages and then collects host details, including the Windows MachineGuid read from the registry (HKLM\SOFTWARE\Microsoft\Cryptography).


The payload builds a JSON object holding a version field ("ver": 0.2.1), application identifiers and the collected system data, and sends it in an HTTPS POST to cloud.appusagestats[.]com, which lets the operator fingerprint each infected host uniquely. The C2 server answers with JSON that has been XOR-encoded, the first 16 bytes of the response serving as the key; once decoded it contains a "pl" array of commands. Each entry is handed to Node.js's child_process.exec, so the operator has arbitrary command execution on the host, for example launching PowerShell for credential dumping, ransomware deployment or lateral movement.


To mitigate, watch for unexpected Node.js binaries, scheduled tasks whose actions point into temp directories, and outbound traffic to unfamiliar domains. Use EDR rules that flag script interpreters spawning child processes (node.exe launching powershell.exe is the pattern here), enforce application allow-listing, and block .js execution outside the contexts where it is expected. Download speedtest software only from verified sources, and audit scheduled tasks and network connections regularly, since these obfuscated, persistent payloads hide inside everyday utilities.
NPAV offers a robust solution to combat cyber fraud. Protect yourself with our top-tier security product, Z Plus Security.