One Day Sec

How can an attacker exploit a third-party trusted program to load a malicious C++ addon?

An attacker can leverage a trusted program (e.g., `t.exe`) that spawns `node.exe` to execute a `main.js` script, which in turn loads the malicious `addon.node` file via `require()`. Because `addon.node` is a compiled native module in DLL format rather than JavaScript source, static analysis of the script cannot directly extract the payload, which makes the technique harder to detect. This technique is discussed in the exploitation section of "Node.js in Penetration Testing: Using C++ Addons to Conceal Actual Code", which highlights the need to monitor the child process behavior of trusted programs.
