Full Report
Cybersecurity researchers have disclosed details of an active malware campaign called Stealit that has leveraged Node.js' Single Executable Application (SEA) feature as a way to distribute its payloads. According to Fortinet FortiGuard Labs, select iterations have also employed the open-source Electron framework to deliver the malware. It's assessed that the malware is being propagated through
Analysis Summary
# Tool/Technique: Stealit Malware
## Overview
Stealit is an active malware campaign that functions as a data stealer and potentially deploys a Remote Access Trojan (RAT). It is noted for abusing the Node.js Single Executable Application (SEA) feature, and in some variants, the Electron framework, to distribute malicious payloads disguised as counterfeit installers for popular games and VPN applications. The threat actors behind Stealit also market data extraction services commercially.
## Technical Details
- Type: Malware family
- Platform: Windows (every named component is a Windows executable); Android (the advertised RAT variant claims Android support, which the source does not verify).
- Capabilities: Data theft from browsers, messengers, cryptocurrency wallets, and game applications; remote access capabilities; real-time screen streaming; arbitrary command execution.
- Disclosed: October 10, 2025 (publication date of the source article; the campaign was described as active at that time, and no first-seen date is given).
## MITRE ATT&CK Mapping
*Note: Mappings are inferred from the functionality described in the source, not taken from the Fortinet report itself.*
- T1204.002 - User Execution: Malicious File (fake game and VPN installers)
- T1036 - Masquerading (counterfeit installers; benign-looking component names such as `game_cache.exe`)
- T1059.007 - Command and Scripting Interpreter: JavaScript (Node.js SEA and Electron payloads)
- T1059.003 - Command and Scripting Interpreter: Windows Command Shell (arbitrary command execution from the C2)
- T1059.005 - Command and Scripting Interpreter: Visual Basic (VBScript used for persistence)
- T1547 - Boot or Logon Autostart Execution (VBScript launched at reboot; the exact autostart mechanism is not stated in the source)
- T1497 - Virtualization/Sandbox Evasion (checks for virtual or sandboxed environments)
- T1562.001 - Impair Defenses: Disable or Modify Tools (Microsoft Defender Antivirus exclusions)
- T1555.003 - Credentials from Password Stores: Credentials from Web Browsers (Chromium data via ChromElevator)
- T1005 - Data from Local System (messenger, wallet, and gaming-platform data)
- T1113 - Screen Capture (real-time screen streaming)
- T1105 - Ingress Tool Transfer (components fetched from the C2; remote file upload/download)
- T1041 - Exfiltration Over C2 Channel
- T1071.001 - Application Layer Protocol: Web Protocols (assumed; the source does not name the C2 protocol)
## Functionality
### Core Capabilities
- **Distribution Method:** Leverages Node.js SEA feature or Electron framework to create standalone executables, avoiding the requirement for a pre-installed Node.js runtime.
- **Infection Vector:** Disseminated via fake installers for games and VPNs hosted on file-sharing sites (Mediafire, Discord).
- **Anti-Analysis:** Performs checks to ensure it is not running within a virtual or sandboxed environment.
- **C2 Authentication:** Writes a Base64-encoded authentication key (a 12-character alphanumeric string) to `%temp%\cache.json`; the key authenticates the implant to the C2 and doubles as the operator's login to the subscriber panel.
- **Defense Evasion:** Configures Microsoft Defender Antivirus exclusions for the folder containing downloaded components.
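The distribution trick above rests on a documented Node.js mechanism: a SEA is a copy of the `node` binary with the application bundled into it as a blob, and the binary knows whether a blob is present through a "sentinel fuse" string that the injection tool (postject) flips from `:0` to `:1`. That fuse is a cheap static triage signal. The following script is an added example, not code from Fortinet or from the campaign; it assumes the fuse string and the `NODE_SEA_BLOB` resource name as published in the Node.js SEA documentation, and its sample bytes are constructed, not taken from a real sample.

```python
"""Static triage for Node.js Single Executable Application (SEA) binaries.

Added example; not code from Fortinet or the Stealit campaign. Relies on the
fuse string Node.js documents for SEA builds: the node binary ships it with a
trailing ":0", and postject rewrites it to ":1" when a SEA blob is injected
under the resource/section name NODE_SEA_BLOB.
"""

SEA_FUSE = b"NODE_SEA_FUSE_fce680ab2cc467b6e072b8b5df1996b2:"
SEA_BLOB_NAME = b"NODE_SEA_BLOB"
# Component and artifact names reported for Stealit in the write-up above.
STEALIT_STRINGS = [b"cache.json", b"save_data.exe", b"stats_db.exe",
                   b"game_cache.exe", b"cache.exe"]


def classify_sea(data: bytes) -> str:
    """Classify a binary by its SEA fuse.

    'sea-enabled'  fuse present and flipped to 1: a SEA blob was injected
    'node-runtime' fuse present but still 0: an ordinary node(.exe) binary
    'not-node'     fuse absent: not built from a node binary at all
    """
    idx = data.find(SEA_FUSE)
    if idx == -1:
        return "not-node"
    flag = data[idx + len(SEA_FUSE): idx + len(SEA_FUSE) + 1]
    return "sea-enabled" if flag == b"1" else "node-runtime"


def stealit_string_hits(data: bytes) -> list:
    """Return which of the reported Stealit artifact names appear in the binary."""
    return [s.decode() for s in STEALIT_STRINGS if s in data]


def triage(data: bytes) -> dict:
    """Combine the checks into one verdict a responder can act on.

    A SEA-enabled binary is not malicious by itself (SEA is a legitimate
    packaging feature); it becomes interesting when it also carries the
    campaign's artifact names, or arrived as a 'game' or 'VPN' installer.
    """
    sea = classify_sea(data)
    hits = stealit_string_hits(data)
    return {
        "sea": sea,
        "has_blob_name": SEA_BLOB_NAME in data,
        "stealit_strings": hits,
        "suspicious": sea == "sea-enabled" and bool(hits),
    }


def triage_path(path: str) -> dict:
    """Run triage() over a file on disk."""
    with open(path, "rb") as fh:
        return triage(fh.read())


# Constructed sample bytes standing in for a PE file; not a real sample.
FAKE_SEA_INSTALLER = (b"MZ" + b"\x00" * 64
                      + SEA_FUSE + b"1" + b"\x00" * 16
                      + SEA_BLOB_NAME + b"\x00" * 16
                      + b"%temp%\\cache.json\x00save_data.exe\x00")
FAKE_PLAIN_NODE = b"MZ" + b"\x00" * 64 + SEA_FUSE + b"0"

if __name__ == "__main__":
    for name, blob in [("fake installer", FAKE_SEA_INSTALLER),
                       ("plain node", FAKE_PLAIN_NODE)]:
        print(name, triage(blob))
```

Point `triage_path()` at any executable dropped by a "game" or "VPN" installer. A `node-runtime` verdict is a plain Node.js binary; `sea-enabled` means an application was bundled in, which by itself only tells you the packaging, so the verdict is combined with the artifact names from this report before anything is called suspicious.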
### Advanced Features
- **Data Exfiltration:**
- `save_data.exe`: Drops and runs `cache.exe`, a component of the ChromElevator project, to extract data from Chromium-based browsers. ChromElevator requires elevated privileges; the source does not describe how they are obtained.
- `stats_db.exe`: Steals data from Telegram, WhatsApp, cryptocurrency wallets (Atomic, Exodus), and gaming platforms (Steam, Minecraft, GrowTopia, Epic Games Launcher).
- **Persistence and Control:**
- `game_cache.exe`: Establishes persistence by creating a Visual Basic script that is launched at system reboot (the autostart mechanism, such as a Startup folder entry or a Run key, is not specified in the source).
- Remote functions: Real-time screen streaming, arbitrary command execution, file upload/download, and changing the victim's desktop wallpaper.
- **RAT Capabilities:** Claims support for file extraction, webcam control, and ransomware deployment (mentioned for both Windows and Android variants).
## Indicators of Compromise
- File Hashes: [Not specified in the provided text]
- File Names: `save_data.exe`, `stats_db.exe`, `game_cache.exe`, `cache.exe`
- Registry Keys: [Not specified in the provided text; persistence is via a VBScript whose launch mechanism is not described]
- Network Indicators: C2 servers are used to retrieve components and exfiltrate data, but no C2 domains or IPs are provided in the source text.
- Behavioral Indicators: Writing a 12-character Base64 key to `%temp%\cache.json`; creating a Visual Basic script for persistence on system reboot; configuring Microsoft Defender exclusions.
## Associated Threat Actors
- The threat actors behind Stealit are known to commercialize their malware, offering subscription plans for data extraction services on a dedicated website.
## Detection Methods
- Signature-based detection: Matching on known hashes or the component file names (`save_data.exe`, etc.). File names are trivial for the operator to change, so treat these as low-confidence on their own.
- Behavioral detection: Monitor for a JSON file written to `%temp%` that holds a Base64-encoded key, execution of ChromElevator components (`cache.exe`), additions to the Microsoft Defender Antivirus exclusion list (Event ID 5007 records configuration changes), and creation of VBScript files that are wired to run at reboot.
- YARA rules: [Not available in the provided text]
## Mitigation Strategies
- **Prevention:** Do not run game or VPN installers obtained from file-sharing sites such as Mediafire or Discord; obtain software from the vendor's own distribution channel.
- **Hardening:** Keep endpoint security up to date and alert on processes that modify Microsoft Defender Antivirus configuration (especially new exclusions) or launch components such as `cache.exe`. Treat standalone executables built with Node.js SEA or Electron as worth inspecting when they arrive outside a known software source, since they run without a pre-installed runtime and are a convenient packaging for droppers.
## Related Tools/Techniques
- ChromElevator (The tool utilized by `save_data.exe` to extract browser data).
- Node.js Single Executable Application (SEA) feature (Abused distribution mechanism).
- Electron Framework (Mentioned as used in select iterations).