Monday, October 13, 2025

Stealit Campaign Harnesses Experimental Node.js Feature for Windows Infiltration — Arabian Post



A newly observed wave of attacks is using the experimental Single Executable Application (SEA) capability in Node.js to deliver the Stealit malware to Windows systems, a shift by the threat actors aimed at evading detection. Security analysts say the move underscores how attackers co-opt developer tooling to bypass conventional defences.

FortiGuard Labs security researchers discovered that this campaign packages malicious payloads using Node.js SEA, an experimental bundling method that produces a self-contained executable: a prepared script blob is injected into a copy of the Node.js binary, so the resulting file carries the runtime and the payload together. That allows the malware to run on systems without a separately installed Node.js runtime, widening its potential reach. The campaign continues to disguise its delivery as legitimate software, distributing fake installers for games and VPN tools via file-sharing sites and archive downloads.
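As an added example (not code from the article, from FortiGuard Labs, or from the Stealit operators), the following Python script checks whether a binary was produced with Node.js SEA. It relies on two markers documented in the Node.js SEA guide: the sentinel fuse string `NODE_SEA_FUSE_fce680ab2cc467b6e072b8b5df1996b2`, which is present as `<fuse>:0` in a stock `node` binary and flipped to `<fuse>:1` once `postject` injects a blob, and the blob resource name `NODE_SEA_BLOB`. The verdict logic, the UTF-16 search (an assumption about how Windows stores the PE resource name) and the constructed sample byte strings are mine.

```python
"""Detect Node.js Single Executable Application (SEA) binaries by their markers.

Added example; not part of the article. Assumptions:
  * The sentinel fuse string below is the one published in the Node.js SEA
    docs; postject rewrites "<fuse>:0" to "<fuse>:1" when it injects a blob.
  * The blob is stored under the name NODE_SEA_BLOB. Windows PE resource names
    are UTF-16LE, so both ASCII and UTF-16LE spellings are searched.
A flipped fuse means "built with SEA", not "malicious": legitimate apps use it too.
"""
import sys
from dataclasses import dataclass
from pathlib import Path

SEA_FUSE = b"NODE_SEA_FUSE_fce680ab2cc467b6e072b8b5df1996b2"
SEA_BLOB_NAME = "NODE_SEA_BLOB"


@dataclass(frozen=True)
class SeaVerdict:
    has_fuse: bool            # built from a Node.js that supports SEA
    fuse_flipped: bool        # a SEA blob has been injected (fuse reads ':1')
    blob_name_present: bool   # NODE_SEA_BLOB resource/section name found

    @property
    def is_sea(self) -> bool:
        return self.fuse_flipped or (self.has_fuse and self.blob_name_present)


def inspect_bytes(data: bytes) -> SeaVerdict:
    """Classify a binary image held in memory, checking every fuse occurrence."""
    has_fuse = False
    flipped = False
    start = 0
    while True:
        off = data.find(SEA_FUSE, start)
        if off == -1:
            break
        has_fuse = True
        tail = data[off + len(SEA_FUSE): off + len(SEA_FUSE) + 2]
        if tail == b":1":
            flipped = True
        start = off + 1
    blob_name = (SEA_BLOB_NAME.encode("ascii") in data
                 or SEA_BLOB_NAME.encode("utf-16-le") in data)
    return SeaVerdict(has_fuse, flipped, blob_name)


def inspect_file(path) -> SeaVerdict:
    """Classify a file on disk."""
    return inspect_bytes(Path(path).read_bytes())


# Constructed sample images (not real binaries, not from the campaign):
# a stock Node.js build with the fuse still at ':0', an SEA build where the
# fuse was flipped and a blob resource name injected, and an unrelated PE.
STOCK_NODE_SAMPLE = b"MZ\x90\x00" + b"\x00" * 32 + SEA_FUSE + b":0" + b"\x00" * 32
SEA_SAMPLE = (b"MZ\x90\x00" + b"\x00" * 32 + SEA_FUSE + b":1" + b"\x00" * 32
              + SEA_BLOB_NAME.encode("utf-16-le") + b"\x00" * 8 + b'{"main":"index.js"}')
PLAIN_SAMPLE = b"MZ\x90\x00" + b"\x00" * 64


if __name__ == "__main__":
    # Usage: python sea_check.py <file> [<file> ...]
    for arg in sys.argv[1:]:
        v = inspect_file(arg)
        print(f"{arg}: fuse={v.has_fuse} flipped={v.fuse_flipped} "
              f"blob_name={v.blob_name_present} sea={v.is_sea}")
```

The fuse check is cheap enough to run across a download directory or a sandbox drop folder; pair a positive result with the other indicators in the article (fake game or VPN installer names, Defender exclusion changes) rather than treating it as a conviction on its own.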

Once executed, the malware launches a multi-layered installer that evaluates the host environment for signs of analysis, sandboxing, or virtual machines. If it determines the system is safe, it decompresses and executes additional modules in memory. It also configures Microsoft Defender exclusions to prevent the directories it uses from being scanned.

Three core executables are deployed in the later stages: savedata.exe, statsdb.exe, and game_cache.exe. The first is tasked with exfiltrating browser data using techniques inspired by the ChromElevator project. The second focuses on extracting credentials and data from applications such as Telegram, WhatsApp, Steam, Epic Games, and cryptocurrency wallet extensions. The final component ensures persistence, enabling remote command execution, screen and webcam streaming, and file transfer under the control of the attacker's command and control server.

The operators behind Stealit run a full-fledged malware-as-a-service model. Their promotional site purports to offer “professional data extraction solutions” with tiered subscription plans. Pricing for the Windows version reportedly goes as high as $500 for lifetime access, while the Android version is offered up to $2,000. The group maintains an active Telegram channel to promote updates and liaise with prospective clients.

Analysts note that the campaign has already shown signs of tactical adaptation. While the SEA variant is the highlight, samples have reverted to using the Electron framework, this time encrypting embedded Node.js scripts with AES-256-GCM to complicate detection. The domain hosting the control panel has also been switched, moving from stealituptaded.lol to iloveanimals.shop.

