Stealit fake game and VPN installer campaign

Campaign
H score 39
1 unique sources, 1 articles

Summary

The Stealit campaign uses fake game and VPN installers to infect users and has moved its C2 panel, increasing the risk of credential and wallet theft. The operation matters because the installers are disguised, widely distributed through file-sharing services, and tied to an infostealer built to harvest data from browsers, apps, and cryptocurrency wallets.

Related Happenings

Fake Gemini CLI and Claude Code SEO-poisoning infostealer campaign

Campaign
First: 22.05.2026 14:30 Last: 22.05.2026 14:30 Sources 1

About this happening: **Cyber threat actors** ran a **malicious SEO-poisoning campaign** that impersonated **Google Gemini CLI** and **Anthropic Claude Code** to push malicious downloads. The operation...

Gremlin stealer modular toolkit evolution

Malware Activity
First: 15.05.2026 17:19 Last: 15.05.2026 17:19 Sources 1

About this happening: The **Gremlin stealer** malware has expanded into a **modular toolkit** with **session-hijacking** and **crypto clipping** capabilities, raising the risk of credential theft and a...

MuddyWater broad cyber-espionage campaign across sectors and countries

Campaign
First: 14.05.2026 00:59 Last: 14.05.2026 00:59 Sources 1

About this happening: **MuddyWater** was tied to a **2026 espionage campaign** affecting **at least nine organizations** across **nine countries** on **four continents**, with victims in **industrial a...

UNC1069 open-source maintainer social-engineering campaign

Campaign
First: 04.04.2026 23:30 Last: 04.04.2026 23:30 Sources 1

About this happening: UNC1069's **coordinated social-engineering campaign** against **Node.js and npm maintainers** has widened, with multiple developers reporting the same lure pattern and the potenti...

Latest development: 06.04.2026 23:55

Security researcher Taylor Monahan and Socket reported that members of the open source software community, including Socket engineers and CEO Feross Aboukhadijeh, were targeted by the same slow-burn LinkedIn, Slack, and Microsoft Teams social engineering playbook used against Axios maintainer Jason Saayman, indicating the campaign was wider than a single Axios compromise.

Ghost campaign remote access trojan payload

Malware Activity
First: 24.03.2026 16:30 Last: 24.03.2026 16:30 Sources 1

About this happening: A malicious **npm** payload tied to the **Ghost campaign** began in **early February** and used **fake installation logs** to hide a **remote access trojan (RAT)** that could stea...

Timeline

  1. 13.10.2025 16:45 2 articles · 7mo ago

    Stealit campaign uses fake installers and new delivery

    Initial Disclosure

    Threat actors are conducting a new Stealit infostealer campaign against users seeking game and VPN installers, using fake installers bundled in PyInstaller and compressed archives from Mediafire and Discord. Delivery later shifted from Node.js Single Executable Apps (SEA) to Electron with AES-256-GCM, and the C2 panel moved from stealituptaded[.]lol to iloveanimals[.]shop.
