CyberHappenings logo
Home Browse About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

Stealit Malware Campaign Abuses Node.js SEA Feature

First reported
Last updated
2 unique sources, 2 articles

Summary

Hide ▲

A malware campaign named Stealit is actively distributing Node.js-based payloads via the Single Executable Application (SEA) feature. The malware is propagated through fake installers for games and VPN applications on file-sharing sites. The campaign offers a remote access trojan (RAT) with various capabilities, including file extraction, webcam control, and ransomware deployment. The malware performs anti-analysis checks, writes an authentication key to a temporary file, and configures Microsoft Defender exclusions to avoid detection. It targets Chromium-based browsers, messengers, cryptocurrency wallets, and game-related apps. The campaign is monetized through subscription plans for the malware's services. The threat actor has also relocated the command-and-control (C2) panel to new domains and reverted to using the Electron framework with encrypted scripts.

Timeline

  1. 13.10.2025 16:45 1 articles · 2d ago

    Threat Actor Relocates C2 Panel and Reverts to Electron Framework

    The threat actor behind this new Stealit campaign has moved its command-and-control (C2) panel to new domains. Initially hosted at stealituptaded[.]lol, the panel was quickly moved to iloveanimals[.]shop. The threat actor reverted to the Electron framework, encrypting bundled Node.js scripts with AES-256-GCM.

    Show sources
    Open in new tab
  2. 10.10.2025 17:25 2 articles · 5d ago

    Stealit Malware Campaign Leverages Node.js SEA Feature

    The campaign uses PyInstaller and common compressed archives for initial access. The threat actor employs heavy obfuscation and numerous anti-analysis techniques to evade detection and complicate analysis. The Stealit infostealer can extract information from various browsers, including Google Chrome and Microsoft Edge. The Stealit infostealer can steal data from game-related software and marketplaces, instant messaging apps, and cryptocurrency wallets.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

XWorm malware variants with ransomware module and over 35 plugins observed

XWorm malware, first observed in 2022, has resurfaced with enhanced capabilities. New versions (6.0, 6.4, and 6.5) include a ransomware module and over 35 plugins, enabling data theft, keylogging, DDoS attacks, and more. The malware is being distributed in phishing campaigns and has been adopted by multiple threat actors. The original developer, XCoder, abandoned the project last year, leading to the proliferation of cracked versions. XWorm's modular architecture allows it to steal data, take control of the host, and encrypt files. Recent campaigns have used various delivery methods, including JavaScript, PowerShell, and AI-themed lures. The ransomware module, Ransomware.dll, encrypts files in specific locations and provides ransom instructions. The malware has been observed in campaigns targeting users in multiple countries, with over 18,459 infections reported in one campaign. XWorm 6.0 is being sold on cybercrime forums for $500 for lifetime access and connects to its C2 server at 94.159.113[.]64 on port 4411. The malware's plugins include modules for remote desktop access, data theft, file management, and system command execution.

Open in new tab

Brickstorm Malware Used in Long-Term Espionage Against U.S. Organizations

The UNC5221 activity cluster, attributed to suspected Chinese hackers, has been using the BRICKSTORM malware in long-term espionage operations against U.S. organizations in the technology, legal, SaaS, and BPO sectors. The malware, a Go-based backdoor, has been active for over a year, with an average dwell time of 393 days. It has been used to steal data from various sectors, including SaaS providers and BPOs. The attackers exploit vulnerabilities in edge devices and use anti-forensics techniques to avoid detection. The malware serves multiple functions, including web server, file manipulation, dropper, SOCKS relay, and shell command execution. It targets appliances without EDR support, such as VMware vCenter/ESXi, and uses legitimate traffic to mask its C2 communications. The attackers aim to exfiltrate emails and maintain stealth through various tactics, including removing the malware post-operation to hinder forensic investigations. The attackers use a malicious Java Servlet Filter (BRICKSTEAL) on vCenter to capture credentials, and clone Windows Server VMs to extract secrets. The stolen credentials are used for lateral movement and persistence, including enabling SSH on ESXi and modifying startup scripts. The malware exfiltrates emails via Microsoft Entra ID Enterprise Apps, utilizing its SOCKS proxy to tunnel into internal systems and code repositories. UNC5221 focuses on developers, administrators, and individuals tied to China's economic and security interests. Mandiant has released a free scanner script to help defenders detect BRICKSTORM. The BRICKSTORM backdoor is under active development, with a variant featuring a delay timer for C2 communication. The attackers have exploited Ivanti Connect Secure zero-day vulnerabilities (CVE-2023-46805 and CVE-2024-21887) for initial access. The attackers have used a custom dropper to install a malicious Java Servlet filter (BRICKSTEAL) in memory, avoiding detection. The attackers have modified init.d, rc.local, or systemd files to ensure persistence on appliances. The attackers have targeted Windows environments in Europe since at least November 2022. The attackers have been linked to other related Chinese threat actors besides UNC5221. The campaign has been monitored by Mandiant since March 2025. The attackers have targeted downstream customers of compromised SaaS providers. The attackers are believed to be analyzing stolen source code to identify zero-day vulnerabilities in enterprise technologies. The attackers use a delay timer to lie dormant on infected systems until a hard-coded date. The malware employs Garble, an open-source tool, for code obfuscation to hide function names, structures, and logic. Brickstorm has been found on VMware vCenter and ESXi hosts, often deployed prior to pivoting to these systems. The attackers use legitimate cloud services like Cloudflare Workers or Heroku for C2 communications. The attackers use dynamic domains like sslip.io or nip.io that point directly to the C2 server’s IP. The attackers favor appliance and management-plane compromise, per-victim obfuscated Go binaries, delayed-start implants, and Web/DoH C2 to preserve stealth. The attackers harvest and use valid high-privilege credentials to appear as routine administrator tasks. The attackers deploy in-memory servlet filters, remove installer artifacts, and embed delayed-start logic to limit forensic traces. The attackers abuse virtualization management capabilities, such as cloning VMs to extract credential stores offline. The attackers deploy an in-memory Java Servlet filter on vCenter to intercept and decode web authentication to harvest high-privilege credentials. The attackers use a SOCKS proxy on compromised appliances to tunnel into internal networks for interactive access and file retrieval.

Open in new tab

Malicious Browser Extensions Target Meta Business Accounts

Cybersecurity researchers have identified two campaigns using fake browser extensions to hijack Meta Business accounts. The extensions, disguised as legitimate tools for Facebook and Instagram verification and ad optimization, steal session cookies and credentials. The attackers target Meta advertisers to sell hijacked accounts on underground forums or repurpose them for further malicious activities. The campaigns are linked to Vietnamese-speaking threat actors and exploit legitimate cloud services and the Chrome Web Store. The first campaign involves fake 'Meta Verified' extensions named SocialMetrics Pro, distributed via malicious ads and fake websites. The second campaign uses rogue Chrome extensions disguised as AI-powered ad optimization tools, including Madgicx Plus and Meta Ads SuperTool. Both campaigns aim to steal sensitive data and compromise Meta Business accounts.

Open in new tab

Malicious Android Apps with 19M Installs Removed from Google Play

Seventy-seven malicious Android apps, with over 19 million installs, were removed from Google Play. These apps delivered multiple malware families, including Anatsa (Tea Bot) banking trojan, Joker, Harly, and maskware. The apps were discovered by Zscaler's ThreatLabs team and included adware, credential theft, and other malicious functionalities. The malware targeted various banking and cryptocurrency apps, expanding its scope to include Germany and South Korea. The apps used various evasion techniques, including malformed APK archives, runtime DES-based string decryption, and emulation detection. Users are advised to enable Play Protect and take additional steps to secure compromised accounts.

Open in new tab

UNC5518 Access-as-a-Service Campaign via ClickFix and Fake CAPTCHA Pages

The FileFix social engineering attack, a variant of the ClickFix family, impersonates Meta account suspension warnings to trick users into installing the StealC infostealer malware. The campaign has evolved over two weeks with different payloads, domains, and lures, indicating an attacker testing and adapting their infrastructure. The FileFix technique, created by red team researcher mr. d0x, uses the address bar in File Explorer to execute malicious commands. The campaign employs steganography to hide a second-stage PowerShell script and encrypted executables inside a JPG image, which is believed to be AI-generated. The StealC malware targets credentials from various applications, cryptocurrency wallets, and cloud services, and can take screenshots of the active desktop. The FileFix attack uses a multilingual phishing site to trick users into executing a malicious command via the File Explorer address bar. The attack leverages Bitbucket to host the malicious components, abusing a legitimate source code hosting platform to bypass detection. The attack involves a multi-stage PowerShell script that downloads an image, decodes it into the next-stage payload, and runs a Go-based loader to launch StealC. The attack uses advanced obfuscation techniques, including junk code and fragmentation, to hinder analysis efforts. The FileFix attack is more likely to be detected by security products due to the payload being executed by the web browser used by the victim. The FileFix attack demonstrates significant investment in tradecraft, with carefully engineered phishing infrastructure, payload delivery, and supporting elements to maximize evasion and impact. The MetaStealer attack, a variant of the ClickFix family, uses a fake Cloudflare Turnstile lure and an MSI package disguised as a PDF to deploy the MetaStealer infostealer malware. The attack involves a multi-stage infection chain that includes a DLL sideloading technique using a legitimate SentinelOne executable. The MetaStealer attack targets crypto wallets and other sensitive information, using a combination of social engineering and technical evasion techniques to deploy malware. Previously, threat actors tracked as UNC5518 leveraged a social engineering tactic called ClickFix to deploy the CORNFLAKE.V3 backdoor. The campaign used fake CAPTCHA pages to trick users into executing malicious PowerShell scripts, providing initial access to systems. This access was then monetized by other threat groups, including UNC5774 and UNC4108, which deployed additional payloads. The attack began with users interacting with compromised search results or malicious ads, leading them to fake CAPTCHA pages. Users were then tricked into running a malicious PowerShell command, which downloaded and executed the CORNFLAKE.V3 backdoor. This backdoor supported various payload types and could collect system information, which was transmitted via Cloudflare tunnels to evade detection. CORNFLAKE.V3 is an updated version of CORNFLAKE.V2, featuring host persistence and additional payload support. The campaign also involved the deployment of WINDYTWIST.SEA, a backdoor that supports lateral movement within infected networks.

Open in new tab