Fortinet FortiGuard Labs has discovered an active Stealit campaign in which attackers abuse the Single Executable Application (SEA) feature of Node.js to distribute malware. The malware masquerades as game and VPN installers hosted on Mediafire and Discord and steals data from messengers, crypto wallets, and browsers. Researchers report that the attackers distribute Stealit as fake applications that run even on machines without Node.js installed. Some versions are also built on the Electron framework, which lets them pass malicious code off as “legitimate” desktop applications.

When a user runs the installer, it connects to the command-and-control (C2) servers, checks the environment for signs of a virtual machine, and, if everything looks “clean”, downloads the main Stealit components. Before that, the program writes a Base64-encoded authentication key to a temporary file, cache.json; this key is used to communicate with the C2 server and the attackers’ control panel.
Stealit also sidelines Microsoft Defender by adding its own directory to Defender’s exclusion list. Then three auxiliary executables perform different functions:
- save_data.exe steals data from Chromium-based browsers via the ChromElevator tool;
- stats_db.exe collects data from messengers (Telegram, WhatsApp), crypto wallets (Atomic, Exodus), and game clients (Steam, Minecraft, Epic Games);
- game_cache.exe provides persistence (autorun) and lets the attackers watch the victim’s screen in real time, execute commands, and transfer files.
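The exclusion trick described above is visible in Defender’s own telemetry: Defender records Event ID 5007 in its Operational log whenever its configuration changes, and the event text names the registry value that was set, so an exclusion added under a user-writable directory stands out. The Python below is an added example written for this article (not Fortinet’s or anyone else’s tooling) that parses exported 5007 lines and flags exclusions pointing at staging locations such as a user’s Temp folder. The exact wording of the event text is an assumption based on the 5007 format, the sample log lines are constructed, and the list of risky locations is a starting point to tune, not a definitive one.

```python
"""Spot Microsoft Defender exclusion additions in an exported Defender event log.

Added example for this article. The event text format is an assumption based on
Defender Operational log Event ID 5007; the sample lines below are constructed.
"""
import re
from typing import Dict, Iterable, List, Optional

# Event 5007 reports a configuration change as "New value: <registry value> = <data>".
# Exclusions live under ...\Windows Defender\Exclusions\{Paths,Extensions,Processes}\<value>.
_EXCLUSION_RE = re.compile(
    r"New value:\s*HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\"
    r"(?P<kind>Paths|Extensions|Processes)\\(?P<value>.+?)\s*=\s*0x[0-9a-fA-F]+",
    re.IGNORECASE,
)

# User-writable staging locations (assumption). An exclusion here is what a dropper
# that "adds its own directory" would produce; a legitimate admin rarely needs one.
_RISKY_FRAGMENTS = (
    r"\appdata\local\temp",
    r"\appdata\roaming",
    r"\appdata\local\programs",
    r"\downloads",
    r"\users\public",
    r"%temp%",
    r"%localappdata%",
)

# Extension exclusions that would blanket-exempt executable content.
_RISKY_EXTENSIONS = {"exe", "dll", "js", "ps1", "bat", "cmd", "*"}


def parse_exclusion(line: str) -> Optional[Dict[str, str]]:
    """Return {'kind', 'value'} for a 5007 line that adds an exclusion, else None."""
    m = _EXCLUSION_RE.search(line)
    if not m:
        return None
    return {"kind": m.group("kind"), "value": m.group("value").strip()}


def is_risky(kind: str, value: str) -> bool:
    """Path/process exclusions under user-writable dirs, or broad extension exclusions."""
    low = value.lower()
    if kind == "Extensions":
        return low.lstrip(".") in _RISKY_EXTENSIONS
    return any(frag in low for frag in _RISKY_FRAGMENTS)


def scan(lines: Iterable[str]) -> List[Dict[str, object]]:
    """One alert per exclusion add, tagged with whether it looks like malware staging."""
    alerts: List[Dict[str, object]] = []
    for line in lines:
        ex = parse_exclusion(line)
        if ex:
            alerts.append({"kind": ex["kind"], "value": ex["value"],
                           "risky": is_risky(ex["kind"], ex["value"])})
    return alerts


# Constructed sample export (not real telemetry); user names and paths are placeholders.
SAMPLE_LOG = [
    r"2025-10-09T10:14:52Z EventID=5007 Microsoft Defender Antivirus Configuration has changed. "
    r"Old value:  New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"
    r"\C:\Users\alice\AppData\Local\Temp\vpn_setup = 0x0",
    r"2025-10-09T10:15:03Z EventID=1116 Microsoft Defender Antivirus has detected malware "
    r"or other potentially unwanted software. Name: Trojan:Win32/Placeholder",
    r"2025-10-09T11:02:19Z EventID=5007 Microsoft Defender Antivirus Configuration has changed. "
    r"Old value:  New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"
    r"\C:\Program Files\Backup Agent = 0x0",
    r"2025-10-09T11:40:00Z EventID=5007 Microsoft Defender Antivirus Configuration has changed. "
    r"Old value:  New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions\.js = 0x0",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        flag = "RISKY " if alert["risky"] else "      "
        print(f"{flag}{alert['kind']:<11}{alert['value']}")
```

Run against a text export of the Microsoft-Windows-Windows Defender/Operational log, the script lists every exclusion add and marks the ones under user-writable directories; on a fleet, the “risky” alerts are the ones worth correlating with process-creation telemetry from the same minute to see which binary requested the change.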
According to Fortinet, Stealit uses a new, experimental Node.js SEA feature to silently run malicious scripts on systems without Node.js, bypassing many antivirus solutions.
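An SEA build leaves a recognizable marker in the resulting executable: per the Node.js documentation, the tool that injects the script blob (postject) flips a sentinel “fuse” string inside the copied node binary from :0 to :1. A triage scanner can therefore separate SEA-packaged executables from a plain node.exe and from unrelated binaries, which is exactly the gap the article says many security tools have not closed yet. The following Python is an added example written for this article, not Fortinet’s or the Stealit authors’ code. The fuse name is the one documented for Node.js SEA builds; the watchlist of strings is an assumption drawn from the behaviours described above, not confirmed Stealit indicators; and the sample byte strings are constructed stand-ins, not real malware.

```python
"""Triage helper: flag Windows executables built with Node.js SEA and list
notable embedded strings. Added example for this article, not Fortinet tooling."""
import os
import re
from typing import Dict, Iterator, List, Tuple

# Node.js produces an SEA binary by copying the node executable and flipping a
# sentinel "fuse" string from ":0" to ":1" when the script blob is injected.
# The fuse name is the one documented for Node.js single-executable builds.
SEA_FUSE = b"NODE_SEA_FUSE_fce680ab2cc467b6e072b8b5df1996b2"
_FUSE_RE = re.compile(re.escape(SEA_FUSE) + rb":([01])")

# Watchlist (assumption): substrings worth a second look inside a flagged binary,
# drawn from the behaviours the article describes (Defender exclusions, a cache.json
# token file). Extend it from your own samples; it is not a Stealit signature.
WATCHLIST = (b"cache.json", b"Add-MpPreference", b"ExclusionPath", b"discord", b"wallet")

_PRINTABLE_RE = re.compile(rb"[\x20-\x7e]{8,}")


def classify(data: bytes) -> str:
    """'sea' if the fuse is set (:1), 'node' if present but unset (:0), else 'other'."""
    m = _FUSE_RE.search(data)
    if m is None:
        return "other"
    return "sea" if m.group(1) == b"1" else "node"


def notable_strings(data: bytes) -> List[str]:
    """Printable strings (8+ chars) containing a watchlist term, deduplicated in order."""
    hits: List[str] = []
    for s in _PRINTABLE_RE.findall(data):
        low = s.lower()
        if any(term.lower() in low for term in WATCHLIST):
            text = s.decode("ascii")
            if text not in hits:
                hits.append(text)
    return hits


def triage(data: bytes) -> Dict[str, object]:
    """Combine both checks into one verdict for a file's bytes."""
    kind = classify(data)
    strings = notable_strings(data) if kind == "sea" else []
    return {"kind": kind, "strings": strings,
            "suspicious": kind == "sea" and bool(strings)}


def scan_tree(root: str) -> Iterator[Tuple[str, Dict[str, object]]]:
    """Walk a directory tree and triage every PE-looking file (MZ header)."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            if data[:2] == b"MZ":
                yield path, triage(data)


# Constructed samples standing in for real binaries (not real malware bytes).
SAMPLE_SEA = (b"MZ" + b"\x00" * 64 + SEA_FUSE + b":1" + b"\x00" * 8
              + b"fs.writeFileSync('cache.json', token)" + b"\x00"
              + b"Add-MpPreference -ExclusionPath %LOCALAPPDATA%" + b"\x00")
SAMPLE_PLAIN_NODE = b"MZ" + b"\x00" * 64 + SEA_FUSE + b":0" + b"\x00" * 8
SAMPLE_OTHER = b"MZ" + b"\x00" * 64 + b"hello world application" + b"\x00"

if __name__ == "__main__":
    for label, blob in (("sea", SAMPLE_SEA), ("node", SAMPLE_PLAIN_NODE), ("other", SAMPLE_OTHER)):
        print(label, triage(blob))
```

Point scan_tree at a downloads or temp directory and it yields one verdict per PE file. Treat a “sea” hit as a triage signal rather than a verdict: legitimate tools ship as SEA binaries too, so the finding should feed sandbox detonation or EDR review rather than an automatic block.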
Stealit operates on a “software as a service” model: on its website, the operators sell a “subscription” to a control panel that supports Windows and Android. The price ranges from $29.99 per week to $1,999.99 for lifetime access. The product includes a RAT (remote access trojan) that lets the operator capture the screen, control the camera, steal files, and deploy ransomware. Experts believe the criminals are exploiting the novelty of the SEA feature, betting that most security products are not yet adapted to monitor it. This makes Stealit especially dangerous for users who download unlicensed software or files from open file-sharing platforms.
Stealit shows how development tools can become weapons in the hands of cybercriminals. Attackers use the capabilities of Node.js and Electron to disguise Trojans as legitimate programs, and SEA to bypass protection. The new trend is not just data theft, but the creation of commercial malware services available to anyone willing to pay.