GachiLoader: Defeating Node.js Malware with API Tracing
ID: 41769873-e268-5a87-aaaf-9d140a743278
STIX ID: report--41769873-e268-5a87-aaaf-9d140a743278
Feed Name: Check Point Research
This report analyzes a sustained YouTube Ghost Network campaign that lures users with game cheats and cracked software to download malware; it details GachiLoader (an obfuscated Node.js loader), the Kidkadi native loader, and a novel PE-injection method called "Vectored Overloading" used to load the Rhadamanthys infostealer, and provides technical analysis, anti-analysis bypass methods, IoCs and PoC tooling for defenders and researchers.
