A sophisticated new malware campaign targeting Windows systems has emerged, leveraging Node.js Single Executable Application (SEA) features to distribute malicious payloads while evading traditional detection mechanisms.
The Stealit malware represents a significant evolution in malware-as-a-service operations, combining advanced obfuscation techniques with extensive anti-analysis capabilities to establish persistent control over infected systems.
The campaign has been observed distributing disguised installers for popular software including games and VPN applications through file-sharing platforms like Mediafire and Discord.
These malicious packages utilize PyInstaller bundling and compressed archives to conceal their true nature, making initial detection challenging for users and security solutions.
The malware’s operators have established a commercial infrastructure complete with subscription pricing models, promotional channels, and customer support services.
Fortinet analysts identified this active campaign following a spike in detections of Visual Basic scripts used for persistence mechanisms.
The threat represents a departure from earlier Stealit variants that relied on Electron frameworks, now adopting Node.js native SEA functionality to create standalone binaries that execute without requiring pre-installed Node.js runtimes or additional dependencies.
The malware runs several layers of evasion checks aimed at virtual machines, debugging tools, and automated analysis platforms before it does anything malicious.
These anti-analysis checks compare the host against what a research sandbox typically looks like: installed memory, CPU core count, and hostname patterns are all inspected, and the sample refuses to proceed if they match a known analysis environment.
The campaign operators maintain an active command-and-control infrastructure through domains like iloveanimals[.]shop, providing centralized management for compromised systems.
Technical Implementation and Execution Flow
The Stealit malware employs a multi-layered architecture beginning with an installer component that downloads additional modules from its command-and-control servers.
The initial payload uses Node.js SEA functionality to embed the malicious script inside a seemingly legitimate executable: the script is stored in the binary as a raw data resource named NODE_SEA_BLOB, and that blob carries both the code that runs and the original development file paths, which survive as a useful triage artifact.
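A quick static triage check for SEA-packed binaries follows. This is an added example, not code from the original article or from Fortinet. It relies on two facts from the Node.js single-executable documentation: the resource is named NODE_SEA_BLOB, and Node's `postject` injection flips the documented sentinel fuse string `NODE_SEA_FUSE_fce680ab2cc467b6e072b8b5df1996b2:0` to end in `:1` once a blob has been injected, which is the same test the runtime itself uses to decide whether it is a single executable. The sample byte strings, the path regex and the verdict names are constructed here for illustration and are not real Stealit samples.

```python
"""Triage helper: flag Windows executables that carry a Node.js SEA payload."""
import re
import sys
from typing import Dict, List, Optional

# Sentinel fuse documented for Node.js SEA / postject. A plain node.exe carries
# the fuse followed by '0'; injecting a blob rewrites the trailing digit to '1'.
SEA_FUSE_PREFIX = b"NODE_SEA_FUSE_fce680ab2cc467b6e072b8b5df1996b2:"
# PE resource names are stored as UTF-16LE in the resource directory.
SEA_RESOURCE_NAME_UTF16 = "NODE_SEA_BLOB".encode("utf-16-le")
# Heuristic (assumption): absolute Windows paths left in the blob by the build.
WIN_PATH_RE = re.compile(rb"[A-Za-z]:\\(?:[\w.\- ]+\\)*[\w.\- ]+\.\w{1,4}")


def sea_fuse_state(data: bytes) -> Optional[bool]:
    """None if no fuse string is present, else True when the fuse is set to '1'."""
    idx = data.find(SEA_FUSE_PREFIX)
    if idx == -1:
        return None
    end = idx + len(SEA_FUSE_PREFIX)
    return data[end:end + 1] == b"1"


def has_sea_resource_name(data: bytes) -> bool:
    """True if the UTF-16LE resource name NODE_SEA_BLOB occurs anywhere in the file."""
    return SEA_RESOURCE_NAME_UTF16 in data


def embedded_windows_paths(data: bytes) -> List[str]:
    """Collect developer paths retained inside the binary (useful for clustering samples)."""
    return sorted({m.decode("ascii", "replace") for m in WIN_PATH_RE.findall(data)})


def triage(data: bytes) -> Dict[str, object]:
    """Combine the three signals into a verdict for one file's contents."""
    fuse = sea_fuse_state(data)
    resource = has_sea_resource_name(data)
    if fuse is True:
        verdict = "node-sea-payload"          # fuse blown: a blob was injected
    elif fuse is False:
        verdict = "node-runtime-no-payload"   # stock node.exe, nothing injected
    elif resource:
        verdict = "sea-resource-name-only"    # worth a look, but no fuse found
    else:
        verdict = "not-node-sea"
    return {
        "fuse_set": fuse,
        "resource_name": resource,
        "dev_paths": embedded_windows_paths(data),
        "verdict": verdict,
    }


# Constructed stand-ins for file contents (not real samples): a plain node.exe
# carries the fuse with ':0'; an SEA build carries ':1', the resource name and
# the developer's original source paths that the blob retains.
SAMPLE_PLAIN_NODE = b"MZ\x90\x00" + b"\x00" * 64 + SEA_FUSE_PREFIX + b"0" + b"\x00" * 16
SAMPLE_SEA_BUILD = (
    b"MZ\x90\x00" + b"\x00" * 64
    + SEA_FUSE_PREFIX + b"1" + b"\x00" * 16
    + SEA_RESOURCE_NAME_UTF16 + b"\x00\x00"
    + b"C:\\Users\\dev\\project\\src\\index.js\x00"
    + b"E:\\build\\pack\\main.js\x00"
)


if __name__ == "__main__":
    # Usage: python sea_triage.py file.exe [more.exe ...]; with no args, run the samples.
    if len(sys.argv) > 1:
        for name in sys.argv[1:]:
            with open(name, "rb") as fh:
                print(name, triage(fh.read()))
    else:
        print("plain:", triage(SAMPLE_PLAIN_NODE))
        print("sea:  ", triage(SAMPLE_SEA_BUILD))
```

The fuse check is the strong signal; the resource-name and path heuristics only add context, since a legitimate SEA-packaged tool will trip them just as readily as Stealit does. Treat a "node-sea-payload" verdict as "inspect the embedded script", not as a malware verdict on its own.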
The installer implements extensive anti-analysis measures: virtual-environment detection through checks on available system resources, timing checks on arithmetic loops (execution that is unexpectedly slow suggests instrumentation or emulation), and process enumeration to spot debugging and monitoring applications.
It also reads the registry at HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug for a configured post-mortem debugger, and reviews the DLLs loaded into its own process for analysis-related libraries that would indicate injection by a sandbox or hooking tool.
Upon successful environment validation, the malware establishes persistence through multiple mechanisms including Visual Basic scripts placed in Windows startup folders and PowerShell commands to exclude directories from Windows Defender scanning.
The installer then downloads three core components from the command-and-control server: save_data.exe for privileged operations, stats_db.exe for data extraction, and game_cache.exe for command-and-control communication.
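The persistence and staging behaviour above is detectable from process-creation telemetry. The following is an added example written for this article, not Fortinet's or the malware's code: it runs simple detection logic over constructed Sysmon-style Event ID 1 records (the `Image`, `CommandLine` and `Computer` fields are real Sysmon field names; the events themselves are made up). It assumes the Defender exclusion is set with `Add-MpPreference`, which the article does not state (it only says PowerShell is used), and it uses the three module file names the article reports as a weak, name-based signal that only adds weight to the behavioural ones.

```python
"""Detection logic for Stealit-style persistence over constructed process-creation events."""
import re
from collections import defaultdict
from typing import Dict, List

# VBS launcher dropped into the per-user Startup folder (the article's persistence mechanism).
STARTUP_VBS_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\"]+\.vbs\b", re.IGNORECASE)
# PowerShell cmdlet that carves a path/process/extension out of Defender scanning (assumed cmdlet).
DEFENDER_EXCLUSION_RE = re.compile(
    r"\bAdd-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\b", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe"}
# Module names reported for this campaign; brittle, so they never alert on their own.
STEALIT_MODULES = {"save_data.exe", "stats_db.exe", "game_cache.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> List[str]:
    """Return the detection tags that a single process-creation event triggers."""
    image = basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    tags = []
    if image in POWERSHELL_HOSTS and DEFENDER_EXCLUSION_RE.search(cmdline):
        tags.append("defender-exclusion-added")
    if image in SCRIPT_HOSTS and STARTUP_VBS_RE.search(cmdline):
        tags.append("vbs-startup-persistence")
    if image in STEALIT_MODULES:
        tags.append("stealit-module-name")
    return tags


def correlate(events: List[dict]) -> Dict[str, dict]:
    """Group tags per host; two independent behaviours on one host is a high-confidence hit."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev.get("Computer", "?")].update(classify(ev))
    result = {}
    for host, tags in per_host.items():
        severity = "high" if len(tags) >= 2 else ("medium" if tags else "none")
        result[host] = {"tags": sorted(tags), "severity": severity}
    return result


# Constructed events: WS-01 shows the full chain, WS-02 shows benign look-alikes.
SAMPLE_EVENTS = [
    {"Computer": "WS-01",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell -ep bypass -c "Add-MpPreference -ExclusionPath C:\Users\victim\AppData\Local\Temp"'},
    {"Computer": "WS-01",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\launcher.vbs"'},
    {"Computer": "WS-01",
     "Image": r"C:\Users\victim\AppData\Local\Temp\game_cache.exe",
     "CommandLine": r"C:\Users\victim\AppData\Local\Temp\game_cache.exe"},
    {"Computer": "WS-02",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -c Get-MpPreference"},
    {"Computer": "WS-02",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe C:\Scripts\logon.vbs"},
]


if __name__ == "__main__":
    for host, summary in correlate(SAMPLE_EVENTS).items():
        print(host, summary)
```

The Defender-exclusion rule is the one worth deploying broadly: legitimate administration rarely adds exclusions from an interactive PowerShell run with execution policy bypass, and a fresh exclusion followed by a new executable launching from the excluded directory is the sequence to alert on regardless of file names.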
The save_data component deploys ChromElevator-based tools for extracting information from Chromium browsers, while stats_db.exe targets extensive application categories including gaming platforms like Steam and Minecraft, messaging services like WhatsApp and Telegram, and cryptocurrency wallets including Atomic and Exodus.
The game_cache module handles remote access trojan functionality including screen capture, webcam access, file manipulation, and command execution capabilities.