A newly observed wave of attacks is using the Single Executable Application (SEA) feature in Node.js to deliver the Stealit malware to Windows systems, a shift by the threat actors aimed at evading detection. Security analysts say the move shows how attackers are co-opting development frameworks to bypass conventional defences.
FortiGuard Labs security researchers discovered that this campaign packages its malicious payloads using Node.js SEA, an experimental bundling method that produces a self-contained executable. That lets the malware run on systems without a separately installed Node.js runtime, widening its potential reach. The campaign disguises its source as legitimate software, distributing fake installers for games and VPN tools via file-sharing sites and archive downloads.
Once executed, the malware launches a multi-stage installer that checks the host environment for signs of analysis, sandboxing, or virtual machines. If it judges the system safe, it decompresses and executes additional modules in memory. It also adds Microsoft Defender exclusions so that the directories it uses are not scanned.
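Because the installer depends on Defender exclusions to keep its working directories unscanned, a quick host check for unexpected exclusions is a useful triage step. The PowerShell below is an added example for defenders, not code from the article or from FortiGuard; the "user-writable location" heuristic and the seven-day window are assumptions, and the article does not name the specific directories the malware excludes. It reads the live Defender preferences, flags exclusions under paths a normal installer rarely needs, reports whether tamper protection is on, and lists recent configuration-change events (Event ID 5007 in the Defender operational log) that mention exclusions.

```powershell
# Added example (not from the article or FortiGuard): audit Microsoft Defender
# exclusions and recent exclusion changes on a Windows host. Run elevated.

# 1. Current exclusions as Defender itself reports them.
$prefs = Get-MpPreference
$pathExclusions    = @($prefs.ExclusionPath)      | Where-Object { $_ }
$processExclusions = @($prefs.ExclusionProcess)   | Where-Object { $_ }
$extExclusions     = @($prefs.ExclusionExtension) | Where-Object { $_ }

# Heuristic (assumption, not taken from the report): exclusions rooted in
# user-writable locations are unusual for legitimate software and deserve review.
$suspiciousRoots = @(
    $env:TEMP, $env:APPDATA, $env:LOCALAPPDATA,
    "$env:USERPROFILE\Downloads", $env:PUBLIC
) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

function Test-SuspiciousExclusion {
    param([string]$Path)
    foreach ($root in $suspiciousRoots) {
        if ($Path.TrimEnd('\').StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

Write-Host "== Path exclusions =="
foreach ($p in $pathExclusions) {
    $flag = if (Test-SuspiciousExclusion $p) { '[REVIEW]' } else { '        ' }
    Write-Host "$flag $p"
}
Write-Host "== Process exclusions =="; $processExclusions | ForEach-Object { Write-Host "         $_" }
Write-Host "== Extension exclusions =="; $extExclusions | ForEach-Object { Write-Host "         $_" }

# 2. Tamper protection makes it harder for a non-Microsoft process to add
#    exclusions at all; if it is off, the exclusion list is easier to abuse.
$status = Get-MpComputerStatus
Write-Host ("Tamper protection enabled: {0}" -f $status.IsTamperProtected)

# 3. Defender logs every configuration change as Event ID 5007 in its
#    operational log; filter to the entries that touched the Exclusions keys.
$since = (Get-Date).AddDays(-7)   # window is an assumption; widen as needed
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5007
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions' } |
    Select-Object TimeCreated,
        @{ Name = 'Change'; Expression = { (($_.Message -split "`r?`n") | Select-Object -First 4) -join ' ' } } |
    Format-Table -AutoSize -Wrap
```

The 5007 events are the more durable evidence: an attacker who later removes the exclusion leaves the preference list clean but cannot rewrite the event log without further privilege, so the change-history view is what to forward to a SIEM rather than the point-in-time list alone.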
Three core executables are deployed in the later stages: savedata.exe, statsdb.exe, and game_cache.exe. The first exfiltrates browser data using techniques inspired by the ChromElevator project. The second extracts credentials and data from applications such as Telegram, WhatsApp, Steam, Epic Games, and cryptocurrency wallet extensions. The final component provides persistence and enables remote command execution, screen and webcam streaming, and file transfer under the control of the attacker's command and control server.
The operators behind Stealit run a full-fledged malware-as-a-service model. Their promotional site claims to offer "professional data extraction solutions" with tiered subscription plans. Pricing for the Windows version reportedly goes as high as $500 for lifetime access, while the Android version is offered for up to $2,000. The group maintains an active Telegram channel to promote updates and liaise with prospective buyers.
Analysts note that the campaign has already shown signs of tactical adaptation. While the SEA variant is the highlight, samples have reverted to using the Electron framework, this time encrypting the embedded Node.js scripts with AES-256-GCM to complicate detection. The domain hosting the control panel has also been switched, moving from stealituptaded.lol to iloveanimals.store.
