Cybersecurity researchers have uncovered a stealthy malware campaign leveraging the experimental Single Executable Application (SEA) feature in Node.js to distribute Stealit, a sophisticated information-stealing malware. Packaged as fake game installers and VPN applications, the malware is distributed via popular file-sharing platforms like Mediafire and Discord. Stealit is being sold as a malware-as-a-service (MaaS) offering with a full-featured remote access trojan (RAT) targeting both Windows and Android platforms.
Exploiting the SEA Feature in Node.js Enables Standalone Execution
The Node.js SEA feature, currently experimental, enables developers to bundle an entire JavaScript application into a single executable binary that can run on systems without requiring a Node.js runtime. While useful for legitimate software distribution, threat actors have now weaponized this capability.
SEA-Bundled Malware Runs on Any System, No Node.js Required
Attackers take advantage of SEA by packaging malicious Node.js scripts into self-contained executables. On Windows the bundle is a copy of the Node.js binary carrying an RCDATA resource named `NODE_SEA_BLOB` that holds the actual script code. Once executed, the SEA loader reads this blob out of its own image and evaluates it in memory, so no standalone script file is ever written to disk for file-based scanners to inspect; the only artifact on disk is what looks like an ordinary native executable.
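A quick way to triage whether an unknown executable is a Node.js SEA bundle is to look for the two markers that the SEA build process leaves behind: the sentinel fuse string that every Node.js binary carries (postject flips its trailing `:0` to `:1` when a blob is injected) and, on Windows, the UTF-16LE resource name `NODE_SEA_BLOB`. The script below is an added example written for this page, not Fortinet's or the Node.js project's code; the sample byte strings are constructed stand-ins for a plain Node.js binary and a SEA bundle, not real malware.

```python
"""Triage heuristic for Node.js Single Executable Application (SEA) bundles.

Added example for this page. The fuse sentinel and resource name come from the
Node.js SEA documentation; the sample inputs below are constructed, not real files.
"""
import sys

# Every Node.js binary embeds this sentinel followed by ":0". postject overwrites
# the "0" with "1" when it injects a SEA blob, so only ":1" means "SEA bundle".
SEA_FUSE = b"NODE_SEA_FUSE_fce680ab2cc467b6e072b8b5df1996b2"

# PE resource names are stored as UTF-16LE in the resource directory. The ASCII
# form "NODE_SEA_BLOB" is deliberately NOT used: the SEA loader inside every
# Node.js build contains that string literal, so it carries no signal.
BLOB_RESOURCE_UTF16 = "NODE_SEA_BLOB".encode("utf-16-le")


def sea_indicators(data: bytes) -> dict:
    """Return the SEA-related markers found in raw executable bytes."""
    fuse_at = data.find(SEA_FUSE)
    fuse_state = None
    if fuse_at != -1:
        tail = data[fuse_at + len(SEA_FUSE): fuse_at + len(SEA_FUSE) + 2]
        if tail[:1] == b":":
            fuse_state = tail[1:2].decode("ascii", errors="replace")
    return {
        "has_node_runtime": fuse_at != -1,   # sentinel present at all
        "fuse_armed": fuse_state == "1",     # blob has been injected
        "blob_resource_pe": BLOB_RESOURCE_UTF16 in data,
    }


def classify(ind: dict) -> str:
    """Collapse the indicators into a verdict an analyst can act on."""
    if ind["fuse_armed"] or ind["blob_resource_pe"]:
        return "sea-bundle"
    if ind["has_node_runtime"]:
        return "plain-node"
    return "not-node"


# Constructed samples: a plain Node.js binary (fuse ":0") and a Windows SEA
# bundle (fuse ":1" plus the UTF-16LE resource name). Not real executables.
SAMPLE_PLAIN_NODE = b"\x7fELF" + b"\x00" * 8 + SEA_FUSE + b":0" + b"\x00" * 4
SAMPLE_SEA_BUNDLE = b"MZ" + b"\x00" * 8 + SEA_FUSE + b":1" + b"\x00" * 4 + BLOB_RESOURCE_UTF16


def scan_file(path: str) -> str:
    with open(path, "rb") as fh:
        return classify(sea_indicators(fh.read()))


if __name__ == "__main__":
    # Usage: python sea_triage.py suspect.exe [more files...]
    for p in sys.argv[1:]:
        print(f"{p}: {scan_file(p)}")
    if len(sys.argv) == 1:
        print("plain sample:", classify(sea_indicators(SAMPLE_PLAIN_NODE)))
        print("bundle sample:", classify(sea_indicators(SAMPLE_SEA_BUNDLE)))
```

This is a string-level heuristic, not a PE parser: it will flag legitimate SEA-built tools as well, so treat `sea-bundle` as a cue to pull the blob and inspect the embedded script rather than as a malware verdict on its own.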
Security researchers from Fortinet’s FortiGuard Labs note that the scripts are heavily obfuscated, helping them bypass detection. Additionally, the malware performs multiple anti-analysis checks—such as detecting virtual machines or sandbox environments—before proceeding. Only when real user systems are detected does the script inject its final payloads.
Malware Masquerading as Game and VPN Installers
Fake Installers Lure Users on Popular File-Sharing Platforms
The initial infection vector involves luring users into downloading trojanized installers advertised as popular games or VPN clients. These fake applications are hosted on widely used file-sharing services, including Mediafire and Discord. The installers, often wrapped with tools like PyInstaller and compressed into ZIP or other archive files, lend the appearance of legitimacy while hiding their true intent.
Upon execution, the malware performs several key actions:
- Writes a Base64-encoded 12-character authentication token to `%temp%\cache.json` for use in authenticating with its command-and-control (C2) server.
- Configures Microsoft Defender Antivirus exclusions to reduce chances of being blocked.
- Downloads three additional executables:
  * `save_data.exe` – Steals data from Chromium-based browsers.
  * `stats_db.exe` – Extracts credentials and data from messengers (e.g., WhatsApp, Telegram), cryptocurrency wallets, and gaming platforms (e.g., Steam, Epic Games).
  * `game_cache.exe` – Establishes system persistence and facilitates remote control.
The malicious functionality ranges from data exfiltration to live screen monitoring and webcam hijacking.
Commercialization of Stealit as Malware-as-a-Service
Threat Actors Monetize Stealit via Subscription Panels
What sets this campaign apart is its commercialization. The operators of Stealit have set up an online portal posing as a data extraction service, now hosted at iloveanimals[.]shop after moving from an earlier domain. This website sells access to the stealer, RAT and ransomware functionality in tiered subscription plans:
- Windows access:
  * $29.99 weekly
  * Up to $499.99 for a lifetime license
- Android access:
  * Starting at several hundred dollars
  * Up to $1,999.99 for lifetime access
The site pitches features like:
- File theft
- Live screen monitoring
- Webcam control
- Ransomware execution
To further entice criminal customers, operators provide instructional videos and setup guides, streamlining attacks even for less technically skilled users.
Shifting Tactics: From Node.js SEA to Electron Framework
Return to Electron to Improve Tradecraft and Obfuscation
While the initial waves of the campaign relied heavily on Node.js SEA to achieve stealthy execution, researchers report that more recent samples are packaged using the Electron framework. Electron applications combine Node.js and Chromium and are commonly used in legitimate desktop applications, giving these malware-laden builds additional cover.
To further complicate reverse engineering, the Node.js scripts embedded within these Electron packages are encrypted using AES-256-GCM. The encryption, combined with the already multi-layered architecture of the malware, raises the cost of analysis, although the decryption key must still ship inside the package for the application to run, so it slows analysts rather than stopping them.
Broader Security Implications and Mitigation
This campaign underscores how threat actors continue to adapt legitimate development features—like Node.js SEA and Electron—for malicious gain. Signature-based endpoint protection may struggle to detect malware that is obfuscated, encrypted and wrapped in a runtime that is itself widely used by legitimate software.
Recommended Defenses
To reduce exposure, security professionals should consider these actions:
- Block downloads from known malicious file-sharing domains when feasible.
- Monitor for SEA or Electron-based executables launched from user-writable, non-standard locations such as `%temp%` or the Downloads folder rather than from normal install paths.
- Audit Windows directories (like `%temp%`) for known indicators such as `cache.json`.
- Use behavioral analysis to flag executables that add Microsoft Defender exclusions or otherwise tamper with antivirus, read browser credential stores, or establish persistent background communication.
Continued awareness of how features like SEA can be abused is critical. Until traditional security tools adapt, campaigns like Stealit will likely continue to exploit these newer distribution methods with high efficacy.