Stealit fake game and VPN installer campaign
Campaign
Summary
Hide ▲
Show ▼
The Stealit campaign is using fake game and VPN installers to infect users and move its C2 panel, increasing the risk of credential and wallet theft. The operation matters because the installers are disguised, widely distributed through file-sharing services, and tied to an infostealer built to harvest data from browsers, apps, and cryptocurrency wallets.
Related Happenings
EKZ Infostealer delivered through FortiClient EMS abuse
Malware Activity
H score49
First: 28.05.2026 20:25
Last: 28.05.2026 20:25
Sources 1
About this happening:
A new **EKZ Infostealer** delivery chain is using **FortiClient EMS** abuse to silently install a credential stealer and siphon browser data from affected endpoints. The malware i...
EKZ Infostealer delivered through FortiClient EMS abuse
Malware ActivityAbout this happening: A new **EKZ Infostealer** delivery chain is using **FortiClient EMS** abuse to silently install a credential stealer and siphon browser data from affected endpoints. The malware i...
Fake Gemini CLI and Claude Code SEO-poisoning infostealer campaign
Campaign
H score33
First: 22.05.2026 14:30
Last: 22.05.2026 14:30
Sources 1
About this happening:
**Cyber threat actors** ran a **malicious SEO-poisoning campaign** that impersonated **Google Gemini CLI** and **Anthropic Claude Code** to push malicious downloads. The operation...
Fake Gemini CLI and Claude Code SEO-poisoning infostealer campaign
CampaignAbout this happening: **Cyber threat actors** ran a **malicious SEO-poisoning campaign** that impersonated **Google Gemini CLI** and **Anthropic Claude Code** to push malicious downloads. The operation...
Gremlin stealer modular toolkit evolution
Malware Activity
H score21
First: 15.05.2026 17:19
Last: 15.05.2026 17:19
Sources 1
About this happening:
The **Gremlin stealer** malware has expanded into a **modular toolkit** with **session-hijacking** and **crypto clipping** capabilities, raising the risk of credential theft and a...
Gremlin stealer modular toolkit evolution
Malware ActivityAbout this happening: The **Gremlin stealer** malware has expanded into a **modular toolkit** with **session-hijacking** and **crypto clipping** capabilities, raising the risk of credential theft and a...
MuddyWater broad cyber-espionage campaign across sectors and countries
Campaign
H score37
First: 14.05.2026 00:59
Last: 14.05.2026 00:59
Sources 1
About this happening:
**MuddyWater** was tied to a **2026 espionage campaign** affecting **at least nine organizations** across **nine countries** on **four continents**, with victims in **industrial a...
MuddyWater broad cyber-espionage campaign across sectors and countries
CampaignAbout this happening: **MuddyWater** was tied to a **2026 espionage campaign** affecting **at least nine organizations** across **nine countries** on **four continents**, with victims in **industrial a...
UNC1069 open-source maintainer social-engineering campaign
Campaign
H score38
First: 04.04.2026 23:30
Last: 04.04.2026 23:30
Sources 1
About this happening:
UNC1069's **coordinated social-engineering campaign** against **Node.js and npm maintainers** has widened, with multiple developers reporting the same lure pattern and the potenti...
UNC1069 open-source maintainer social-engineering campaign
CampaignAbout this happening: UNC1069's **coordinated social-engineering campaign** against **Node.js and npm maintainers** has widened, with multiple developers reporting the same lure pattern and the potenti...
Latest development: 06.04.2026 23:55
Security researcher Taylor Monahan and Socket reported that members of the open source software community, including Socket engineers and CEO Feross Aboukhadijeh, were targeted by the same slow-burn LinkedIn, Slack, and Microsoft Teams social engineering playbook used against Axios maintainer Jason Saayman, indicating the campaign was wider than a single Axios compromise.
Timeline
-
13.10.2025 16:45 2 articles · 8mo ago
Stealit campaign uses fake installers and new delivery
Initial DisclosureThreat actors are conducting a new Stealit infostealer campaign against users seeking game and VPN installers, using fake installers bundled in PyInstaller and compressed archives from Mediafire and Discord; the delivery later shifted from Node.js Single Executable Apps (SEA) to Electron with AES-256-GCM, and the C2 panel moved from stealituptaded[.]lol to iloveanimals[.]shop.
Show sources
- New Stealit Malware Campaign Spreads via VPN and Game Installer Apps — www.infosecurity-magazine.com — 13.10.2025 16:45
- New Stealit Malware Campaign Spreads via VPN and Game Installer Apps — www.infosecurity-magazine.com — 13.10.2025 16:45