A new cyber threat, known as LTX Stealer, has emerged, leveraging a Node.js-based framework to target Windows systems. This malware is adept at capturing sensitive user information such as login details, browser cookies, and cryptocurrency wallet data.
Unique Node.js Architecture
First identified in early 2026, LTX Stealer is notable for shipping a full Node.js runtime inside its payload. This lets it execute complex JavaScript directly on an infected machine without any additional installation. The attack chain begins with a seemingly innocuous Windows installer named “Negro.exe”, built with the widely used Inno Setup framework.
This installer disguises the malware, enabling it to evade standard security scans. Once executed, it drops a substantial payload of about 271 MB, a size chosen to bypass antivirus software that might skip scanning large files to preserve system performance.
Targeting Browsers and Cryptocurrency
Once running, LTX Stealer primarily targets Chromium-based browsers such as Google Chrome and Microsoft Edge. It extracts the encryption key kept in each browser’s “Local State” file, which the browser uses to protect stored passwords and session cookies, and uses that key to decrypt them. It also scans for cryptocurrency wallets and captures screenshots of user activity.
The extracted data is then compressed for exfiltration to a command-and-control server. The attackers utilize cloud services like Supabase for authentication and employ Cloudflare to obscure their server’s true location, enhancing the malware’s resilience against takedowns.
Advanced Obfuscation Techniques
A hallmark of LTX Stealer is its sophisticated obfuscation methods designed to prevent reverse engineering. The main payload, updater.exe, is a packaged Node.js application created with the pkg tool, which bundles the JavaScript logic, dependencies, and runtime into a single binary.
To further conceal the code, the developers compile the JavaScript source into V8 bytecode with Bytenode, so that plain source is never present in the binary and recovering it becomes very difficult. This raises the cost of analysing the malware, since it requires specialised knowledge of Node.js and V8 internals.
Defensive Measures
Organizations can take several steps to guard against LTX Stealer. Blocking known malicious domains and IP addresses associated with the malware’s control panel is crucial. Monitoring the creation of hidden directories mimicking legitimate software vendors can help in early detection.
Security teams should also flag large, unsigned executables exhibiting Node.js application behaviors and monitor processes accessing browser “Local State” files, as these are indicative of credential-stealing activities.
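The two behavioural indicators above can be turned into simple triage rules. The following script is an added example, not code from the article or from any vendor product: it runs two rules over constructed, Sysmon-style events (a non-browser process touching a Chromium “Local State” file, and a large unsigned executable starting), and returns the alerts. The event schema, the browser allow-list, and the 200 MB size threshold are assumptions chosen for this example; the 271 MB figure in the sample data mirrors the size reported for the LTX Stealer payload.

```python
"""Triage rules for the credential-stealer behaviours discussed above.

Added example; the event format is a constructed, Sysmon-like record and
every sample value below is made up for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Browsers that legitimately read their own "Local State" file (assumed list).
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe"}

# Chromium keeps the key that protects saved passwords and cookies here.
LOCAL_STATE_RE = re.compile(r"\\User Data\\Local State$", re.IGNORECASE)

# Size threshold for "large executable" (assumption for this example).
LARGE_EXE_BYTES = 200 * 1024 * 1024


@dataclass
class Event:
    event_type: str       # "file_access" or "process_create"
    image: str            # full path of the acting process
    target: str = ""      # file touched (file_access events)
    size: int = 0         # size of the image in bytes (process_create events)
    signed: bool = True   # Authenticode signature present and valid


def _basename(path: str) -> str:
    """Lower-cased file name portion of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_local_state(ev: Event) -> Optional[str]:
    """Flag any process other than a known browser reading a 'Local State' file."""
    if ev.event_type != "file_access":
        return None
    if not LOCAL_STATE_RE.search(ev.target):
        return None
    if _basename(ev.image) in BROWSER_IMAGES:
        return None
    return f"non-browser process {ev.image} read {ev.target}"


def check_large_unsigned(ev: Event) -> Optional[str]:
    """Flag large executables that carry no valid signature."""
    if ev.event_type != "process_create":
        return None
    if ev.signed or ev.size < LARGE_EXE_BYTES:
        return None
    return f"large unsigned executable {ev.image} ({ev.size // (1024 * 1024)} MB)"


RULES = [check_local_state, check_large_unsigned]


def triage(events: List[Event]) -> List[str]:
    """Run every rule over every event and collect the alert strings."""
    alerts = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample telemetry: one benign browser read, one stealer-style read,
# one large unsigned process start, and two benign events that must not fire.
SAMPLE_EVENTS = [
    Event("file_access", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
          target=r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"),
    Event("file_access", r"C:\Users\alice\AppData\Local\ExampleVendor\updater.exe",
          target=r"C:\Users\alice\AppData\Local\Microsoft\Edge\User Data\Local State"),
    Event("process_create", r"C:\Users\alice\AppData\Local\ExampleVendor\updater.exe",
          size=271 * 1024 * 1024, signed=False),
    Event("process_create", r"C:\Windows\explorer.exe", size=5 * 1024 * 1024, signed=True),
    Event("file_access", r"C:\Tools\backup.exe", target=r"C:\Users\alice\Documents\notes.txt"),
]


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

In production the same rules would be fed from an EDR or Sysmon pipeline rather than an in-memory list; the point of the example is that both indicators from the text reduce to cheap, low-noise checks, because legitimate readers of “Local State” are a short fixed set and legitimate 200 MB+ executables are normally signed.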
