Stealit Malware Campaign: Exploiting Node.js to Target Game and VPN Users


New Malware Campaign "Stealit" Exploits Node.js Feature to Target Game and VPN Users

A malware campaign dubbed "Stealit" is actively abusing Node.js' Single Executable Application (SEA) feature to distribute malicious payloads through fake game and VPN installers, according to researchers at Fortinet FortiGuard Labs.

The threat actors behind Stealit are marketing their malware as "professional data extraction solutions," offering subscription-based access to remote access trojan (RAT) capabilities that can compromise both Windows and Android systems. Understanding the various anti-malware protection methods and tools is crucial for defending against such threats.

Attack Vector and Distribution Methods

The malware spreads through counterfeit installers distributed on popular file-sharing platforms such as Mediafire and Discord. Node.js' SEA feature bundles an application script together with the Node.js runtime into a single executable, so the resulting binary runs on a machine that has no Node.js installation at all; this lets the malware execute on virtually any Windows system the installer reaches. Users who rely on VPN services for secure internet access should be particularly careful to verify their software sources.

Technical Analysis

The attack process involves several sophisticated steps:

  • The installer performs anti-analysis checks to avoid detection in virtual environments
  • It creates a Base64-encoded authentication key for C2 server communication
  • The malware configures Microsoft Defender exclusions to avoid detection
  • Three main executables handle different aspects of the attack:
    • save_data.exe extracts browser information
    • stats_db.exe targets messaging apps and crypto wallets
    • game_cache.exe establishes persistence and enables remote control
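A defender-side triage check for the SEA abuse described above, added here as an example and not code from Fortinet or the Node.js project. It relies on the sentinel fuse string that the Node.js SEA documentation uses: a stock `node` binary carries it followed by `:0`, and postject flips it to `:1` when a NODE_SEA_BLOB is injected. The sample byte strings are constructed stand-ins, not real file contents.

```python
"""Triage helper: flag executables built with Node.js Single Executable
Application (SEA) support, the packaging trick Stealit uses to ship its
payload to machines without Node.js installed.
Added example, not Fortinet's or the Node.js project's code."""
import os
import re
from typing import Iterator, Tuple

# Sentinel fuse from the Node.js SEA docs. A plain node runtime contains it
# with ":0"; postject rewrites the trailing digit to ":1" once a SEA blob has
# been injected. We key only on that digit, because the string "NODE_SEA_BLOB"
# also appears in a stock node binary and would cause false positives.
SEA_FUSE = b"NODE_SEA_FUSE_fce680ab2cc467b6e072b8b5df1996b2"
FUSE_RE = re.compile(re.escape(SEA_FUSE) + rb":([01])")


def classify_sea(data: bytes) -> str:
    """Return 'sea-injected', 'node-runtime' or 'not-node' for a file's bytes."""
    m = FUSE_RE.search(data)
    if m is None:
        return "not-node"          # no Node.js runtime embedded at all
    if m.group(1) == b"1":
        return "sea-injected"      # runtime plus bundled script: worth a look
    return "node-runtime"          # ordinary node.exe / node binary


def scan_dir(root: str, max_bytes: int = 200 * 1024 * 1024) -> Iterator[Tuple[str, str]]:
    """Walk a folder (e.g. Downloads) and yield (path, verdict) for Node-based files."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue       # skip huge files to keep the scan cheap
                with open(path, "rb") as fh:
                    verdict = classify_sea(fh.read())
            except OSError:
                continue           # unreadable or vanished file; move on
            if verdict != "not-node":
                yield path, verdict


# Constructed samples standing in for file contents (not real malware bytes).
SAMPLE_INJECTED = b"MZ\x90\x00" + b"\x00" * 64 + SEA_FUSE + b":1" + b"\x00" * 16
SAMPLE_STOCK_NODE = b"\x7fELF" + b"\x00" * 64 + SEA_FUSE + b":0" + b"\x00" * 16
SAMPLE_OTHER = b"MZ\x90\x00" + b"just some other program" * 4

if __name__ == "__main__":
    for label, blob in [("installer", SAMPLE_INJECTED), ("node", SAMPLE_STOCK_NODE), ("other", SAMPLE_OTHER)]:
        print(f"{label}: {classify_sea(blob)}")
```

An "sea-injected" verdict is a triage signal, not proof of malice: legitimate tools are also shipped as SEAs, so follow up with signature, origin and behaviour checks.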

Commercialization of Cyber Threats

The creators offer tiered pricing structures for their malicious tools:

  • Windows Stealer: $29.99 weekly to $499.99 lifetime
  • Android RAT: $99.99 to $1,999.99

Advanced Capabilities

The service includes sophisticated features such as:

  • Advanced file extraction capabilities
  • Real-time webcam control
  • Comprehensive live screen monitoring
  • Automated ransomware deployment options

For additional technical details about this emerging threat, readers can refer to the CISA Advisory on Node.js Exploits.

This emerging threat highlights the increasing sophistication of modern malware distribution methods and the commercialization of cybercrime tools. The abuse of legitimate development features like Node.js SEA demonstrates how cybercriminals continue to find new ways to evade detection and compromise systems.
