New Stealit Campaign Abuses Node.js Single Executable Application

Oct. 13, 2025, 10:15 a.m.

Description

A new Stealit malware campaign has been discovered that utilizes Node.js' Single Executable Application feature to distribute payloads. The campaign bundles malicious scripts into standalone binaries, allowing execution without requiring a pre-installed Node.js runtime. The malware is distributed as disguised game and VPN application installers through file-sharing sites. It employs heavy obfuscation and anti-analysis techniques to evade detection. Once installed, it can control the victim's system and extract information from various applications, including login credentials and cryptocurrency wallets. The campaign has shown adaptability, switching between Node.js SEA and Electron frameworks for payload delivery.

Date

  • Created: Oct. 11, 2025, 2:50 a.m.
  • Published: Oct. 11, 2025, 2:50 a.m.
  • Modified: Oct. 13, 2025, 10:15 a.m.

Indicators


Attack Patterns