Cyber Web Spider Blog – News

Stealit Malware Abuses Node.js Single Executable Feature via Game and VPN Installers

Posted on October 10, 2025 By CWS

Oct 10, 2025 | Ravie Lakshmanan | Ransomware / Information Theft
Cybersecurity researchers have disclosed details of an active malware campaign called Stealit that has leveraged Node.js' Single Executable Application (SEA) feature as a way to distribute its payloads.
According to Fortinet FortiGuard Labs, select iterations have also employed the open-source Electron framework to deliver the malware. It's assessed that the malware is being propagated through counterfeit installers for games and VPN applications that are uploaded to file-sharing sites such as Mediafire and Discord.
SEA is a feature that allows Node.js applications to be packaged and distributed as a standalone executable, even on systems without Node.js installed.
“Both approaches are efficient for distributing Node.js-based malware, as they permit execution without requiring a pre-installed Node.js runtime or extra dependencies,” security researchers Eduardo Altares and Joie Salvio said in a report shared with The Hacker News.
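For triage of downloaded installers, a Node.js SEA can be recognised by the sentinel fuse that Node.js documents for this feature: the stock runtime carries it with a `:0` suffix, and injecting an application blob flips it to `:1`. The sketch below is an added example, not code from the article or from Fortinet; the function names and sample byte strings are constructed for illustration, and a positive result only says the file is a SEA, not that it is malicious.

```python
from pathlib import Path

# Sentinel documented by Node.js for single executable applications. The stock
# runtime carries it with ":0"; injecting a SEA blob flips that suffix to ":1".
SEA_FUSE = b"NODE_SEA_FUSE_fce680ab2cc467b6e072b8b5df1996b2"


def classify_sea(image: bytes) -> str:
    """Return 'sea', 'node-runtime' or 'no-fuse' for a binary image."""
    states = set()
    pos = image.find(SEA_FUSE)
    while pos != -1:
        suffix = image[pos + len(SEA_FUSE): pos + len(SEA_FUSE) + 2]
        if suffix in (b":0", b":1"):
            states.add(suffix)
        pos = image.find(SEA_FUSE, pos + 1)
    if b":1" in states:
        return "sea"            # an application blob has been injected
    if b":0" in states:
        return "node-runtime"   # plain node binary, no embedded application
    return "no-fuse"            # fuse absent: not a SEA-capable Node.js binary


def triage(paths):
    """Classify files on disk, e.g. installers pulled from a download folder."""
    results = {}
    for p in map(Path, paths):
        data = p.read_bytes()
        kind = "pe" if data[:2] == b"MZ" else "other"   # Windows PE starts with MZ
        results[str(p)] = (kind, classify_sea(data))
    return results


# Constructed byte strings standing in for real files (not actual samples).
SAMPLE_SEA = b"MZ" + b"\x00" * 64 + SEA_FUSE + b":1" + b"\x00" * 16
SAMPLE_NODE = b"MZ" + b"\x00" * 64 + SEA_FUSE + b":0" + b"\x00" * 16
SAMPLE_OTHER = b"MZ" + b"\x00" * 64 + b"just another program"

if __name__ == "__main__":
    for name, blob in [("sea", SAMPLE_SEA), ("node", SAMPLE_NODE),
                       ("other", SAMPLE_OTHER)]:
        print(name, "->", classify_sea(blob))
```

The Electron-packaged variants mentioned above do not carry this fuse and need a separate check.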
On a dedicated website, the threat actors behind Stealit claim to offer “skilled information extraction options” via several subscription plans. This includes a remote access trojan (RAT) that supports file extraction, webcam control, live screen monitoring, and ransomware deployment targeting both Android and Windows operating systems.

Prices for the Windows Stealer range from $29.99 for a weekly subscription to $499.99 for a lifetime license. The Android RAT pricing, on the other hand, goes from $99.99 all the way to $1,999.99.
The fake executables contain an installer that's designed to retrieve the main components of the malware from a command-and-control (C2) server and install them, but not before performing a number of anti-analysis checks to determine whether it's running inside a virtual or sandboxed environment.
An important aspect of this step involves writing a Base64-encoded authentication key, a 12-character alphanumeric key, to the %temp%\cache.json file. This key is used to authenticate with the C2 server, as well as by subscribers to log in to the dashboard in order to likely monitor and control their victims.
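A host-side hunt for the artifact described above can look for a Base64 token in `cache.json` that decodes to exactly 12 alphanumeric characters. This is an added example, not code from the article or the report: the article does not give the file's layout, so the scanner works on raw text, and the `key` field name and all sample values are constructed assumptions.

```python
import base64
import json
import re
import string
import tempfile
from pathlib import Path

# 12 bytes encode to exactly 16 Base64 characters with no padding.
TOKEN = re.compile(r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{16}(?![A-Za-z0-9+/=])")
ALNUM = set((string.ascii_letters + string.digits).encode())


def find_key_candidates(text: str) -> list[str]:
    """Return decoded 12-character alphanumeric strings hidden as Base64."""
    hits = []
    for match in TOKEN.finditer(text):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
        except ValueError:          # binascii.Error is a ValueError subclass
            continue
        if len(raw) == 12 and all(b in ALNUM for b in raw):
            hits.append(raw.decode("ascii"))
    return hits


def scan_cache_file(path=None) -> list[str]:
    """Scan cache.json in the temp directory (or a given path) for candidates."""
    target = Path(path) if path else Path(tempfile.gettempdir()) / "cache.json"
    if not target.is_file():
        return []
    return find_key_candidates(target.read_text(errors="replace"))


# Constructed inputs: a made-up key in an assumed JSON layout, and a benign
# cache file whose 16-character token does not decode to alphanumerics.
CONSTRUCTED_KEY = "A1b2C3d4E5f6"
SAMPLE_CACHE = json.dumps(
    {"key": base64.b64encode(CONSTRUCTED_KEY.encode()).decode()})
BENIGN_CACHE = json.dumps({"etag": "abcdefghijklmnop", "size": 1024})

if __name__ == "__main__":
    print(find_key_candidates(SAMPLE_CACHE))   # candidate found
    print(find_key_candidates(BENIGN_CACHE))   # nothing flagged
```

A hit is a lead for further investigation, since other software may also write a `cache.json` to the temp directory.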

The malware is also engineered to configure Microsoft Defender Antivirus exclusions so that the folder that contains the downloaded components isn't flagged. The functions of the three executables are as follows:

  • save_data.exe, which is only downloaded and executed if the malware is running with elevated privileges. It's designed to drop a tool named “cache.exe”, which is part of the open-source project ChromElevator, to extract information from Chromium-based browsers.
  • stats_db.exe, which is designed to extract information from messengers (Telegram, WhatsApp), cryptocurrency wallets and wallet browser extensions (Atomic and Exodus), and game-related apps (Steam, Minecraft, GrowTopia, and Epic Games Launcher).
  • game_cache.exe, which is designed to set up persistence on the host by creating a Visual Basic script that launches it upon system reboot, and to communicate with the C2 server to stream a victim's screen in real-time, execute arbitrary commands, download/upload files, and change desktop wallpaper.

“This new Stealit campaign leverages the experimental Node.js Single Executable Application (SEA) feature, which is still under active development, to conveniently distribute malicious scripts to systems without Node.js installed,” Fortinet said. “Threat actors behind this may be exploiting the feature's novelty, relying on the element of surprise, and hoping to catch security applications and malware analysts off guard.”
