Unsigned .node File Loaded

calendar Apr 28, 2026 · attack.execution attack.privilege-escalation attack.persistence attack.stealth attack.t1129 attack.t1574.001 attack.t1036.005  ·
Share on: linkedin copy

Detects the loading of unsigned .node files. Adversaries may abuse a lack of .node integrity checking to execute arbitrary code inside of trusted applications such as Slack. .node files are native add-ons for Electron-based applications, which are commonly used for desktop applications like Slack, Discord, and Visual Studio Code. This technique has been observed in the DripLoader malware, which uses unsigned .node files to load malicious native code into Electron applications.

Sigma rule (View on GitHub)

 1title: Unsigned .node File Loaded
 2id: e5f5c693-52d7-4de5-88ae-afbfbce85595
 3status: experimental
 4description: |
 5    Detects the loading of unsigned .node files.
 6    Adversaries may abuse a lack of .node integrity checking to execute arbitrary code inside of trusted applications such as Slack.
 7    .node files are native add-ons for Electron-based applications, which are commonly used for desktop applications like Slack, Discord, and Visual Studio Code.
 8    This technique has been observed in the DripLoader malware, which uses unsigned .node files to load malicious native code into Electron applications.    
 9references:
10    - https://www.coreycburton.com/blog/driploader-case-study
11    - https://github.com/CoreyCBurton/DripLoaderNG
12    - https://www.electronjs.org/docs/latest/tutorial/native-code-and-electron
13author: Jonathan Beierle (@hullabrian)
14date: 2025-11-22
15tags:
16    - attack.execution
17    - attack.privilege-escalation
18    - attack.persistence
19    - attack.stealth
20    - attack.t1129
21    - attack.t1574.001
22    - attack.t1036.005
23logsource:
24    category: image_load
25    product: windows
26detection:
27    selection_node_extension:
28        ImageLoaded|endswith: '.node'
29    selection_status:
30        - Signed: 'false'
31        - SignatureStatus: 'Unavailable'
32    filter_optional_vscode_jupyter:
33        Image|endswith: '\Code.exe'
34        ImageLoaded|contains: '.vscode\extensions\ms-toolsai.jupyter-'
35        ImageLoaded|endswith:
36            - '\electron.napi.node'
37            - '\node.napi.glibc.node'
38    condition: all of selection_* and not 1 of filter_optional_*
39falsepositives:
40    - VsCode extensions or similar legitimate tools might use unsigned .node files. These should be investigated on a case-by-case basis, and whitelisted if determined to be benign.
41level: medium

References

Related rules

to-top