Threat Analysis: Backdoored Electron Apps Evading Defenses

ID: 1f33ecd0-14b9-52e4-bf9a-23d3a1480a21

STIX ID: report--1f33ecd0-14b9-52e4-bf9a-23d3a1480a21

Feed Name: LevelBlue SpiderLabs Blog

Threat Score
70/100

Date Published: 2026-05-08

Date Updated: 2026-05-08

Author: Michael Morose

This Purple Team report from LevelBlue analyzes the abuse of Electron applications to achieve stealthy persistence and safelisting bypass. Through two demonstration scenarios, (1) inserting a staged Meterpreter downloader into an Electron app and (2) hollowing out a WDAC-allowed Electron app (Microsoft Teams) to run the Loki Node.js C2, the report shows how attackers can maintain covert C2 channels and evade application-control policies. It provides IOCs (a modified main.js or app.asar, connections to Azure Blob Storage domains, unusual `--user-data-dir` usage, suspicious file deletions), detection guidance, a sample hunting query, and recommendations for the deployment and monitoring of Electron apps.