Find notable cyber news and cases, enriched with sources, timelines, and signals.

Stealit malware activity abusing Node.js SEA and counterfeit installers

Malware Activity
First reported
Last updated
Happening score
H score 30
2 unique sources, 2 articles

Summary

Hide ▲

Stealit is an active malware activity that uses Node.js Single Executable Application (SEA) and some Electron builds to spread standalone payloads through counterfeit game and VPN installers on Mediafire and Discord. In the latest reporting, FortiGuard Labs says the campaign initially leveraged Node.js SEA to deliver malicious scripts to systems without Node.js installed, then later reverted to Electron with AES-256-GCM encryption and moved its C2 panel from stealituptaded[.]lol to iloveanimals[.]shop. The malware targets Windows and Android systems and can steal data from browsers, messengers, cryptocurrency wallets, and game-related apps while also supporting persistence, remote control, and ransomware deployment.

Related Happenings

JustAskJacky fake AI assistant malware campaign

Campaign
H score33 First: 04.06.2026 17:00 Last: 04.06.2026 17:00 Sources 1

About this happening: The **JustAskJacky** campaign is distributing a fake **AI assistant** that installs a **backdoor**, turning trusted-looking software into a malware delivery path. The operation us...

WeedHack Minecraft MaaS campaign expands with malicious JARs and remote access

Malware Activity
H score65 First: 03.06.2026 00:54 Last: 03.06.2026 00:54 Sources 1

About this happening: **WeedHack** is a **Minecraft-focused malware-as-a-service** operation that has been active since **January 2026** and uses **SEO poisoning** and **YouTube** to push malicious dow...

AI-built ransomware toolkit with AD discovery and EDR evasion

Malware Activity
H score36 First: 02.06.2026 23:01 Last: 02.06.2026 23:01 Sources 1

About this happening: A **customer-detected** AI-built ransomware toolkit is automating **Active Directory discovery** and **EDR evasion**, increasing the chance that payloads slip past security contro...

GreyVibe custom malware activity with LegionRelay, PhantomRelay, and FallSpy

Malware Activity
H score41 First: 29.05.2026 01:24 Last: 29.05.2026 01:24 Sources 1

About this happening: **GREYVIBE** is a **Russian-speaking** malware activity targeting **Ukraine and Ukraine-related entities** since at least **August 2025**. The group uses **spear-phishing e-mails*...

EKZ Infostealer delivered through FortiClient EMS abuse

Malware Activity
H score49 First: 28.05.2026 20:25 Last: 28.05.2026 20:25 Sources 1

About this happening: A new **EKZ Infostealer** delivery chain is using **FortiClient EMS** abuse to silently install a credential stealer and siphon browser data from affected endpoints. The malware i...

Timeline

  1. 10.10.2025 17:25 3 articles · 9mo ago

    Stealit malware campaign disclosure

    Initial Disclosure

    Cybersecurity researchers disclosed an active Stealit malware campaign that uses Node.js Single Executable Application (SEA) and some Electron builds to distribute malicious payloads through counterfeit game and VPN installers uploaded to Mediafire and Discord. The malware applies anti-analysis checks, writes a Base64-encoded authentication key to %temp%\cache.json, configures Microsoft Defender Antivirus exclusions, and uses modular components to extract data from Chromium-based browsers, messengers, cryptocurrency wallets, game apps, and to support persistence, live screen monitoring, arbitrary command execution, file transfer, and ransomware deployment on Windows and Android systems.

    Show sources