- A Malware campaign named Stealit uses Node.js’ Single Executable Application (SEA) feature to spread its harmful software.
- Stealit is distributed through fake game and VPN installers posted on file-sharing platforms like Mediafire and Discord.
- The malware includes a remote access trojan rental service targeting Windows and Android systems with various subscription options.
- Stealit installs multiple components that steal data from browsers, messaging apps, cryptocurrency wallets, and gaming platforms.
- The malware avoids detection by disabling Microsoft Defender in its working folder and performs anti-analysis checks before executing.
Cybersecurity researchers revealed an active malware campaign called Stealit that exploits Node.js’ Single Executable Application (SEA) feature for distributing malicious payloads. The campaign uses counterfeit installers for popular games and VPNs uploaded to sites such as Mediafire and Discord. This method allows the malware to run on systems without Node.js installed.
Fortinet FortiGuard Labs reported that some versions of Stealit also use the open-source Electron framework. Stealit offers its malware as a subscription service with pricing for Windows stealing tools ranging from $30 for a weekly license to $500 for a lifetime license. The Android remote access trojan (RAT) subscriptions cost between $100 and $2,000.
According to security researchers Eduardo Altares and Joie Salvio, “Both approaches are effective for distributing Node.js-based malware, as they allow execution without requiring a pre-installed Node.js runtime or additional dependencies.” The threat actors behind Stealit advertise their services as professional data extraction solutions, which include file theft, remote control of webcams, live screen monitoring, and Ransomware deployment for Android and Windows.
The malware begins by installing core components after verifying it is not in a Sandbox or virtual environment, using a 12-character Base64-encoded authentication key to connect to its command-and-control server. It then disables Microsoft Defender antivirus protection for the folder containing these files.
Stealit comprises three main executables: save_data.exe, which drops a tool for extracting data from Chromium-based browsers; stats_db.exe, aimed at stealing information from messaging apps, cryptocurrency wallets, and gaming apps; and game_cache.exe, which establishes persistence on the infected device and allows real-time screen streaming, command execution, and file transfers.
Fortinet highlighted that Stealit leverages the experimental Node.js SEA feature, still under development, to deliver malicious scripts more easily to machines without requiring Node.js. “Threat actors behind this may be exploiting the feature’s novelty, relying on the element of surprise, and hoping to catch security applications and malware analysts off guard.”
For more details, the Node.js Single Executable Applications feature and the Fortinet report provide further insights.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- Ripple Eyes Safe-Haven Status as XRP ETFs Await SEC Approval
- Bitcoin Miners Surge as Pre-Secured Power Attracts AI Partnerships
- US Commerce Secretary Lutnick Assists Tether’s $20B Equity Raise
- North Korean Hackers Target Binance Co-Founder CZ With Google Attack
- Railgun Token Soars 300% After Ethereum Foundation Integration
