Stealit malware activity abusing Node.js SEA and counterfeit installers
Malware Activity
Summary
Stealit is an active malware activity that uses Node.js Single Executable Application (SEA) and some Electron builds to spread standalone payloads through counterfeit game and VPN installers on Mediafire and Discord. In the latest reporting, FortiGuard Labs says the campaign initially leveraged Node.js SEA to deliver malicious scripts to systems without Node.js installed, then later reverted to Electron with AES-256-GCM encryption and moved its C2 panel from stealituptaded[.]lol to iloveanimals[.]shop. The malware targets Windows and Android systems and can steal data from browsers, messengers, cryptocurrency wallets, and game-related apps while also supporting persistence, remote control, and ransomware deployment.
Related Happenings
AI-built ransomware toolkit with AD discovery and EDR evasion
Malware Activity
First: 02.06.2026 23:01
Last: 02.06.2026 23:01
Sources 1
About this happening:
A **customer-detected** AI-built ransomware toolkit is automating **Active Directory discovery** and **EDR evasion**, increasing the chance that payloads slip past security contro...
GreyVibe custom malware activity with LegionRelay, PhantomRelay, and FallSpy
Malware Activity
First: 29.05.2026 01:24
Last: 29.05.2026 01:24
Sources 1
About this happening:
**GREYVIBE** is a **Russian-speaking** malware activity targeting **Ukraine and Ukraine-related entities** since at least **August 2025**. The group uses **spear-phishing e-mails*...
EKZ Infostealer delivered through FortiClient EMS abuse
Malware Activity
First: 28.05.2026 20:25
Last: 28.05.2026 20:25
Sources 1
About this happening:
A new **EKZ Infostealer** delivery chain is using **FortiClient EMS** abuse to silently install a credential stealer and siphon browser data from affected endpoints. The malware i...
JINX-0164 cryptocurrency recruitment-lure campaign
Campaign
First: 28.05.2026 10:54
Last: 28.05.2026 10:54
Sources 1
About this happening:
A **JINX-0164** campaign is targeting **cryptocurrency firms** and developers with **LinkedIn recruiter lures**, a fake meeting-and-fix workflow, and **macOS malware** to steal cr...
AI chatbot cryptojacking campaign targeting high-performance GPU users
Campaign
First: 27.05.2026 10:45
Last: 27.05.2026 10:45
Sources 1
About this happening:
An active **cryptojacking campaign** is using **SEO poisoning** and, in some cases, **AI chatbot recommendations** to steer users toward malicious download pages for trusted utili...
Timeline
10.10.2025 17:25 3 articles · 7mo ago
Stealit malware campaign disclosure
Initial Disclosure: Cybersecurity researchers disclosed an active Stealit malware campaign that uses Node.js Single Executable Application (SEA) and some Electron builds to distribute malicious payloads through counterfeit game and VPN installers uploaded to Mediafire and Discord. The malware applies anti-analysis checks, writes a Base64-encoded authentication key to %temp%\cache.json, configures Microsoft Defender Antivirus exclusions, and uses modular components to extract data from Chromium-based browsers, messengers, cryptocurrency wallets, and game apps, and to support persistence, live screen monitoring, arbitrary command execution, file transfer, and ransomware deployment on Windows and Android systems.
- Stealit Malware Abuses Node.js Single Executable Feature via Game and VPN Installers — thehackernews.com — 10.10.2025 17:25
- New Stealit Malware Campaign Spreads via VPN and Game Installer Apps — www.infosecurity-magazine.com — 13.10.2025 16:45
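The summary and the timeline entry above name a handful of host and network indicators for this campaign: the Base64-encoded key written to %temp%\cache.json, the Microsoft Defender exclusion changes, the two C2 panel domains, and the use of Node.js SEA binaries. The following Python triage helpers, added here as an example and not code from FortiGuard Labs or the cited articles, turn those indicators into checks a responder can run over exported artifacts. Assumptions: DNS and Defender events are available as plain text lines (the sample lines below are constructed), the SEA detection relies on the sentinel fuse string documented in the Node.js single-executable-applications guide (which postject flips from `:0` to `:1` when a bundle is injected), and the cache.json check is a heuristic for "file holds one Base64 blob".

```python
"""Triage helpers for the Stealit indicators named in this report (added example)."""
import base64
import binascii
import json
import re

# C2 panel domains from the report text (defanged brackets removed for matching).
STEALIT_C2_DOMAINS = {"stealituptaded.lol", "iloveanimals.shop"}

# Sentinel that Node.js's SEA tooling (postject) rewrites from ":0" to ":1"
# once a JavaScript bundle has been injected into a copy of the node binary.
# Taken from the Node.js SEA documentation; verify against your Node version.
SEA_FUSE_INJECTED = b"NODE_SEA_FUSE_fce680ab2cc467b6e072b8b5df1996b2:1"

# Defender Operational log event 5007 records configuration changes; an
# exclusion being added shows the Exclusions\ registry path in its message.
DEFENDER_CONFIG_CHANGED_EVENT = "5007"


def is_node_sea_binary(data: bytes) -> bool:
    """True if the executable bytes carry the injected-bundle SEA fuse."""
    return SEA_FUSE_INJECTED in data


def is_base64_blob(text: str) -> bool:
    """Heuristic: a single Base64 token of at least 16 chars that decodes cleanly."""
    stripped = text.strip().strip('"')
    if len(stripped) < 16 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", stripped):
        return False
    try:
        base64.b64decode(stripped, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def cache_json_is_suspicious(content: str) -> bool:
    """Flag %temp%\\cache.json content that is one Base64 blob, either raw
    or as a string value inside a small JSON object."""
    if is_base64_blob(content):
        return True
    try:
        obj = json.loads(content)
    except ValueError:
        return False
    if isinstance(obj, dict):
        return any(isinstance(v, str) and is_base64_blob(v) for v in obj.values())
    return False


def find_c2_contacts(dns_log_lines):
    """Return (domain, line) pairs for queries to the report's C2 domains."""
    hits = []
    for line in dns_log_lines:
        lowered = line.lower()
        for domain in STEALIT_C2_DOMAINS:
            if domain in lowered:
                hits.append((domain, line))
    return hits


def defender_exclusion_changes(event_lines):
    """Return event-5007 lines whose message touches a Defender exclusion key."""
    return [
        line for line in event_lines
        if DEFENDER_CONFIG_CHANGED_EVENT in line and "Exclusions\\" in line
    ]


# --- constructed sample artifacts (not real captures) ---
SAMPLE_KEY = base64.b64encode(b"constructed-auth-key-0001").decode()
SAMPLE_CACHE_JSON = json.dumps({"auth": SAMPLE_KEY})
SAMPLE_SEA_BYTES = b"MZ\x90\x00..." + SEA_FUSE_INJECTED + b"...padding"
SAMPLE_DNS_LOG = [
    "2025-10-10T17:30:01Z client=10.0.0.12 query=update.example.com type=A",
    "2025-10-10T17:30:05Z client=10.0.0.12 query=stealituptaded.lol type=A",
    "2025-10-10T17:41:22Z client=10.0.0.12 query=iloveanimals.shop type=A",
]
SAMPLE_DEFENDER_EVENTS = [
    'EventID=1150 Provider="Microsoft-Windows-Windows Defender" Message="Service is running"',
    'EventID=5007 Provider="Microsoft-Windows-Windows Defender" Message="Configuration '
    'changed. New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths'
    '\\C:\\Users\\user\\AppData\\Local\\Temp = 0x0"',
]


def triage():
    """Run every check against the constructed samples and return the findings."""
    return {
        "sea_binary": is_node_sea_binary(SAMPLE_SEA_BYTES),
        "cache_json": cache_json_is_suspicious(SAMPLE_CACHE_JSON),
        "c2_contacts": find_c2_contacts(SAMPLE_DNS_LOG),
        "defender_exclusions": defender_exclusion_changes(SAMPLE_DEFENDER_EVENTS),
    }


if __name__ == "__main__":
    for name, finding in triage().items():
        print(f"{name}: {finding}")
```

Each helper takes already-collected data, so the same functions can be pointed at a real `cache.json` read from disk, an exported DNS log, or Defender Operational events rendered as text. The Base64 test is deliberately loose and will flag any 16-plus-character Base64 token, so treat a cache.json hit as a prompt to inspect the file rather than as proof of infection on its own.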