Stealit malware activity abusing Node.js SEA and counterfeit installers
Malware Activity
Summary
Hide ▲
Show ▼
Stealit is an active malware activity that uses Node.js Single Executable Application (SEA) and some Electron builds to spread standalone payloads through counterfeit game and VPN installers on Mediafire and Discord. In the latest reporting, FortiGuard Labs says the campaign initially leveraged Node.js SEA to deliver malicious scripts to systems without Node.js installed, then later reverted to Electron with AES-256-GCM encryption and moved its C2 panel from stealituptaded[.]lol to iloveanimals[.]shop. The malware targets Windows and Android systems and can steal data from browsers, messengers, cryptocurrency wallets, and game-related apps while also supporting persistence, remote control, and ransomware deployment.
Related Happenings
JustAskJacky fake AI assistant malware campaign
Campaign
H score33
First: 04.06.2026 17:00
Last: 04.06.2026 17:00
Sources 1
About this happening:
The **JustAskJacky** campaign is distributing a fake **AI assistant** that installs a **backdoor**, turning trusted-looking software into a malware delivery path. The operation us...
JustAskJacky fake AI assistant malware campaign
CampaignAbout this happening: The **JustAskJacky** campaign is distributing a fake **AI assistant** that installs a **backdoor**, turning trusted-looking software into a malware delivery path. The operation us...
WeedHack Minecraft MaaS campaign expands with malicious JARs and remote access
Malware Activity
H score65
First: 03.06.2026 00:54
Last: 03.06.2026 00:54
Sources 1
About this happening:
**WeedHack** is a **Minecraft-focused malware-as-a-service** operation that has been active since **January 2026** and uses **SEO poisoning** and **YouTube** to push malicious dow...
WeedHack Minecraft MaaS campaign expands with malicious JARs and remote access
Malware ActivityAbout this happening: **WeedHack** is a **Minecraft-focused malware-as-a-service** operation that has been active since **January 2026** and uses **SEO poisoning** and **YouTube** to push malicious dow...
AI-built ransomware toolkit with AD discovery and EDR evasion
Malware Activity
H score36
First: 02.06.2026 23:01
Last: 02.06.2026 23:01
Sources 1
About this happening:
A **customer-detected** AI-built ransomware toolkit is automating **Active Directory discovery** and **EDR evasion**, increasing the chance that payloads slip past security contro...
AI-built ransomware toolkit with AD discovery and EDR evasion
Malware ActivityAbout this happening: A **customer-detected** AI-built ransomware toolkit is automating **Active Directory discovery** and **EDR evasion**, increasing the chance that payloads slip past security contro...
GreyVibe custom malware activity with LegionRelay, PhantomRelay, and FallSpy
Malware Activity
H score41
First: 29.05.2026 01:24
Last: 29.05.2026 01:24
Sources 1
About this happening:
**GREYVIBE** is a **Russian-speaking** malware activity targeting **Ukraine and Ukraine-related entities** since at least **August 2025**. The group uses **spear-phishing e-mails*...
GreyVibe custom malware activity with LegionRelay, PhantomRelay, and FallSpy
Malware ActivityAbout this happening: **GREYVIBE** is a **Russian-speaking** malware activity targeting **Ukraine and Ukraine-related entities** since at least **August 2025**. The group uses **spear-phishing e-mails*...
EKZ Infostealer delivered through FortiClient EMS abuse
Malware Activity
H score49
First: 28.05.2026 20:25
Last: 28.05.2026 20:25
Sources 1
About this happening:
A new **EKZ Infostealer** delivery chain is using **FortiClient EMS** abuse to silently install a credential stealer and siphon browser data from affected endpoints. The malware i...
EKZ Infostealer delivered through FortiClient EMS abuse
Malware ActivityAbout this happening: A new **EKZ Infostealer** delivery chain is using **FortiClient EMS** abuse to silently install a credential stealer and siphon browser data from affected endpoints. The malware i...
Timeline
-
10.10.2025 17:25 3 articles · 9mo ago
Stealit malware campaign disclosure
Initial DisclosureCybersecurity researchers disclosed an active Stealit malware campaign that uses Node.js Single Executable Application (SEA) and some Electron builds to distribute malicious payloads through counterfeit game and VPN installers uploaded to Mediafire and Discord. The malware applies anti-analysis checks, writes a Base64-encoded authentication key to %temp%\cache.json, configures Microsoft Defender Antivirus exclusions, and uses modular components to extract data from Chromium-based browsers, messengers, cryptocurrency wallets, game apps, and to support persistence, live screen monitoring, arbitrary command execution, file transfer, and ransomware deployment on Windows and Android systems.
Show sources
- Stealit Malware Abuses Node.js Single Executable Feature via Game and VPN Installers — thehackernews.com — 10.10.2025 17:25
- Stealit Malware Abuses Node.js Single Executable Feature via Game and VPN Installers — thehackernews.com — 10.10.2025 17:25
- New Stealit Malware Campaign Spreads via VPN and Game Installer Apps — www.infosecurity-magazine.com — 13.10.2025 16:45