A sophisticated new malware strain dubbed “LTX Stealer” has emerged in the cyber threat landscape, utilizing a unique Node.js-based architecture to compromise Windows systems.
First surfacing in early 2026, this malicious tool is designed to harvest sensitive user information, including login credentials, browser cookies, and cryptocurrency wallet data.
The malware distinguishes itself by packaging a full Node.js runtime environment within its payload, allowing it to execute complex JavaScript code natively on the victim’s machine without requiring prior installation of the framework.
The attack typically begins with a deceptively simple entry point: a Windows installer file named “Negro.exe”. This file is built using the legitimate Inno Setup framework, a common tool for creating software installers.
By hiding within a trusted installation wrapper, the malware effectively masks its malicious intent from standard security scans. Upon execution, the installer drops a massive payload—roughly 271 MB in size—into the victim’s system.
Cyfirma analysts identified the malware shortly after its appearance, noting that this large file size is a deliberate tactic to bypass antivirus engines that often skip scanning bulky files to maintain system performance.
Once inside, LTX Stealer targets Chromium-based browsers like Google Chrome and Microsoft Edge. It accesses the “Local State” files to extract encryption keys, which are then used to unlock saved passwords and session cookies.
Simultaneously, the malware scans for cryptocurrency wallets and takes screenshots of the user’s activity.
All stolen data is compressed and prepared for exfiltration to a command-and-control server.
The attackers utilize cloud services like Supabase for authentication and Cloudflare to hide their server’s true location, making the infrastructure resilient against takedowns.
Obfuscation via Bytecode Compilation
A defining technical characteristic of LTX Stealer is its heavy reliance on advanced obfuscation techniques to hinder reverse engineering.
The primary payload, updater.exe, is not a standard executable but a packaged Node.js application created using a tool called pkg. This bundles the malicious JavaScript logic, dependencies, and the runtime into a single binary.
To further protect their code, the developers compiled the JavaScript source into bytecode (.jsc) using Bytenode. This conversion process transforms readable code into a binary format that is extremely difficult for security researchers to decompile or analyze.
By removing the original source code entirely, the attackers ensure that understanding the malware’s internal logic requires specialized knowledge of Node.js internals, significantly raising the bar for analysis and detection.
To defend against LTX Stealer, organizations should implement the following measures:
- Block Known Indicators: Configure firewalls and endpoint detection systems to block traffic to domains like eqp.lol and IP addresses associated with the malware’s control panel.
- Monitor File Creation: Alert on the creation of hidden or system-marked directories within user-accessible paths, specifically those mimicking legitimate vendors like “Microsoft Updater”.
- Flag Large Binaries: Investigate unsigned executables that are unusually large (over 100MB) and exhibit runtime behaviors consistent with Node.js applications.
- Detect Credential Access: Monitor for processes that sequentially access browser “Local State” files and credential stores, as this behavior is highly indicative of info-stealing activity.
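The last recommendation, sequential access to a browser’s “Local State” key file followed by its credential stores, is straightforward to express as a rule over file-access telemetry. The script below is an added illustration written for this article, not code from the Cyfirma report or from the malware; the event format, the allow-listed browser install paths, the 60-second window and the sample events are all constructed assumptions. It correlates, per process and per Chromium “User Data” profile, a read of “Local State” with later reads of “Login Data”, “Cookies” or “Web Data”, and raises an alert when the reader is not the browser itself.

```python
"""Flag a process that reads a Chromium 'Local State' file and then the
credential stores under the same profile within a short window.

Added example for this article; event format and paths are assumptions.
"""
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): timestamp|pid|image|op|path
SAMPLE_EVENTS = r"""
2026-02-10T09:00:01|4120|C:\Program Files\Google\Chrome\Application\chrome.exe|READ|C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State
2026-02-10T09:00:02|4120|C:\Program Files\Google\Chrome\Application\chrome.exe|READ|C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data
2026-02-10T09:05:10|7788|C:\Users\alice\AppData\Local\Microsoft Updater\updater.exe|READ|C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State
2026-02-10T09:05:11|7788|C:\Users\alice\AppData\Local\Microsoft Updater\updater.exe|READ|C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data
2026-02-10T09:05:12|7788|C:\Users\alice\AppData\Local\Microsoft Updater\updater.exe|READ|C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
2026-02-10T09:05:13|7788|C:\Users\alice\AppData\Local\Microsoft Updater\updater.exe|READ|C:\Users\alice\AppData\Local\Microsoft\Edge\User Data\Local State
2026-02-10T09:30:00|9001|C:\Windows\explorer.exe|READ|C:\Users\alice\Documents\notes.txt
"""

# Stores that are only useful to read once the key from 'Local State' is known.
CREDENTIAL_STORES = {"login data", "cookies", "web data"}
WINDOW = timedelta(seconds=60)
# Browser binaries expected to read their own profile (assumed install paths).
ALLOWED_IMAGES = {
    r"c:\program files\google\chrome\application\chrome.exe",
    r"c:\program files (x86)\microsoft\edge\application\msedge.exe",
}


def user_data_root(path):
    """Return the lower-cased '...\\User Data' prefix of a profile path, or None."""
    lower = path.lower()
    idx = lower.find(r"\user data")
    if idx == -1:
        return None
    return lower[: idx + len(r"\user data")]


def parse_event(line):
    ts, pid, image, op, path = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "pid": int(pid),
            "image": image, "op": op, "path": path}


def detect_credential_access(lines, window=WINDOW):
    """Return one alert per (pid, profile) that read Local State then stores."""
    last_key_read = {}            # (pid, profile root) -> time of Local State read
    hits = defaultdict(set)       # (pid, profile root) -> stores read in window
    images = {}                   # pid -> image path
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["op"] != "READ":
            continue
        root = user_data_root(ev["path"])
        if root is None:
            continue
        name = ntpath.basename(ev["path"]).lower()   # works on non-Windows hosts too
        key = (ev["pid"], root)
        images[ev["pid"]] = ev["image"]
        if name == "local state":
            last_key_read[key] = ev["ts"]
        elif name in CREDENTIAL_STORES:
            t0 = last_key_read.get(key)
            if t0 is not None and ev["ts"] - t0 <= window:
                hits[key].add(name)

    alerts = []
    for (pid, root), stores in sorted(hits.items()):
        image = images[pid]
        if image.lower() in ALLOWED_IMAGES:
            continue                              # the browser reading itself
        alerts.append({"pid": pid, "image": image,
                       "profile_root": root, "stores": sorted(stores)})
    return alerts


if __name__ == "__main__":
    for alert in detect_credential_access(SAMPLE_EVENTS.splitlines()):
        print(f"ALERT pid={alert['pid']} image={alert['image']} "
              f"profile={alert['profile_root']} stores={alert['stores']}")
```

The allow list is keyed on the full image path rather than the file name, so a process that merely calls itself chrome.exe from a user-writable directory is still flagged. In the constructed sample only the updater.exe process under the “Microsoft Updater” directory produces an alert; its read of the Edge “Local State” file alone does not, because no credential store under that profile follows it.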