CYFIRMA analyzed LTX Stealer, a Windows information stealer delivered via a heavily obfuscated Inno Setup installer that embeds a full Node.js runtime and uses Bytenode JavaScript bytecode to hinder analysis. The malware harvests Chromium-based credentials and cryptocurrency artifacts, stages them for exfiltration to Cloudflare‑fronted infrastructure, and uses Supabase for operator authentication. #LTXStealer #Supabase
Keypoints
- LTX Stealer is distributed as a 32-bit Inno Setup installer (Negro.exe) whose embedded archive is almost entirely encrypted, preventing static extraction of its contents.
- The installer requests administrator privileges, drops a large packaged Node.js executable (updater.exe) into a Microsoft‑like directory, and hides files using Hidden and System attributes.
- The payload bundles a Node.js runtime via pkg and uses Bytenode to compile JavaScript into bytecode, significantly increasing analysis difficulty.
- The malware enables SeDebugPrivilege and impersonates lsass.exe to obtain SYSTEM context, then decrypts the Chromium master keys and recovers saved credentials, cookies, and session tokens.
- It searches for and collects browser‑based cryptocurrency wallet artifacts and other financial data, aggregates screenshots and system info, compresses results, and stages them for exfiltration.
- Network activity resolves api.eqp.lol (Cloudflare IPs) and a separate panel IP (69.164.242.27); a web-based operator panel uses Supabase with a long-lived anon JWT for authentication.
- LTX Stealer is marketed as a stealer-as-a-service (malware-as-a-service, MaaS) offering with a public demo and pricing tiers, indicating a scalable, commercially oriented threat model.
MITRE Techniques
- [T1189] Drive-by Compromise – Distribution of the installer as a broadly circulated executable (‘distributed as Negro.exe’)
- [T1059.001] Command and Scripting Interpreter: PowerShell – Use of scripting and privilege escalation routines to enable system-level actions and impersonation (‘The script begins by escalating privileges through the activation of SeDebugPrivilege and impersonation of the lsass.exe process.’)
- [T1027] Obfuscated Files or Information – Extensive installer encryption and bytecode compilation to impede static analysis (‘overlay inspection confirmed the presence of compiled bytecode, effectively preventing straightforward source recovery’)
- [T1027.002] Obfuscated Files or Information: Software Packing – Payload built with pkg to bundle the Node.js runtime and application into a single executable (‘The payload was built using pkg, which bundles JavaScript code, application dependencies, and the Node.js runtime into a single executable.’)
- [T1027.009] Obfuscated Files or Information: Embedded Payloads – Large encrypted archive inside the Inno Setup installer containing the stealer components (‘embedded archive containing 5,888 files, of which 5,881 were encrypted’)
- [T1564.003] Hide Artifacts: Hidden Window – Sets Hidden and System attributes on the dropped directory/files to conceal activity (‘attrib +h +s assigning Hidden (+h) and System (+s) attributes to the directory’)
- [T1087] Account Discovery – Enumerates user contexts and leverages SYSTEM/user contexts to access profile-bound encryption material (‘While operating under both SYSTEM and user contexts, the script decrypts the app_bound_encrypted_key from the Chromium Local State file…’)
- [T1217] Browser Information Discovery – Repeatedly accesses browser Local State and profile data to extract encryption keys and stored credentials (‘The extracted encryption material enables decryption of stored login credentials, cookies, and authentication tokens across user profiles.’)
- [T1083] File and Directory Discovery – Searches the filesystem for wallet files, extension data, and browser profiles for collection (‘searching for wallet files and browser-based wallet extension data’)
- [T1082] System Information Discovery – Collects system information and screenshots to include with harvested data (‘All collected cryptocurrency artifacts are aggregated alongside browser credentials, screenshots, and system information, then staged within temporary directories.’)
- [T1005] Data from Local System – Harvests local credential stores, cookies, tokens, and wallet files from the victim system (‘began harvesting sensitive user data… repeated access to browser configuration files’)
- [T1071.004] Application Layer Protocol: DNS – Uses domain resolution and Cloudflare fronting to mask backend infrastructure (‘resolved the domain api.eqp.lol, which returned the following IP addresses: 172.67.153.236 104.21.12.237’)
- [T1041] Exfiltration Over C2 Channel – Compresses and stages collected data for exfiltration to attacker-controlled backend services (‘The data is subsequently compressed into archive files in preparation for exfiltration to attacker-controlled backend infrastructure.’)
- [T1485] Data Destruction – Identified as an impact technique in the campaign’s framework listing (‘T1485 Data Destruction’)
Indicators of Compromise
- [Domain] Command-and-control / panel and API domains – eqp[.]lol (operator panel/API), api.eqp.lol (API endpoint)
- [IP Address] Panel and Cloudflare fronting – 69[.]164[.]242[.]27 (panel server), 172[.]67[.]153[.]236 and 104[.]21[.]12[.]237 (Cloudflare‑fronted IPs; and 1 more Cloudflare IP)
- [SHA256] Malicious binaries – ca9798f6bb9ad81dc20f8dee10c19368a44f3e48d71fa823b9c6f3b6473ca518 (updater.exe, dropped stealer), 112d731bbfd7379cdf3263cbba39a170c235d616c26b803f3afe6b014f4748a1 (Negro.exe, setup)
- [File Name] Notable dropped and embedded files – updater.exe (packaged Node.js stealer), Negro.exe (Inno Setup installer)
- [File Path] Targeted browser and drop locations – C:\Program Files (x86)\Microsoft Updater (drop location impersonating Microsoft), C:\Users\<user>\AppData\Local\Microsoft\Edge\User Data\Local State (browser Local State accessed for the master key)
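The behaviours in the Keypoints and MITRE sections and the indicators listed above translate directly into host-based detections. The following Python script is an added example, not code from CYFIRMA or from the LTX Stealer analysis: it runs a handful of rules over constructed telemetry lines, flagging the listed hashes, domain and IPs, an attrib +h +s applied under Program Files, execution from the Microsoft Updater drop directory, and a non-browser process reading Chromium's Local State. The key=value log format, the field names (type, image, cmdline, target, query, dst, hash), the browser allow-list and the sample events are all assumptions made for this example.

```python
"""Added example, not CYFIRMA's code: a detection pass over constructed
Windows telemetry that checks for the LTX Stealer behaviours and IoCs
described in the summary. The key=value log format, field names and the
sample events are assumptions made for this example."""
import ntpath
import re
from dataclasses import dataclass

# IoCs from the summary above (defanged there; normalized here for matching).
IOC_DOMAINS = {"eqp.lol", "api.eqp.lol"}
IOC_IPS = {"69.164.242.27", "172.67.153.236", "104.21.12.237"}
IOC_SHA256 = {
    "ca9798f6bb9ad81dc20f8dee10c19368a44f3e48d71fa823b9c6f3b6473ca518",  # updater.exe
    "112d731bbfd7379cdf3263cbba39a170c235d616c26b803f3afe6b014f4748a1",  # Negro.exe
}
DROP_DIR = r"c:\program files (x86)\microsoft updater" + "\\"
LOCAL_STATE_RE = re.compile(r"\\user data\\local state$", re.IGNORECASE)
# Processes that legitimately read Chromium's Local State (assumed allow-list).
BROWSER_PROCS = {"msedge.exe", "chrome.exe", "brave.exe", "opera.exe"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Alert:
    rule: str
    line: str


def parse_event(line: str) -> dict:
    """Parse one 'key=value' telemetry line; values may be double-quoted."""
    return {k.lower(): v.strip('"') for k, v in FIELD_RE.findall(line)}


def match_rules(ev: dict) -> list:
    """Return the names of every detection rule the event triggers."""
    hits = []
    etype = ev.get("type", "")
    image = ev.get("image", "")
    proc = ntpath.basename(image).lower()
    cmd = ev.get("cmdline", "").lower()

    # Hash-based IoC match on any event that carries a file hash.
    if ev.get("hash", "").lower() in IOC_SHA256:
        hits.append("ioc_hash")
    # T1564: attrib +h +s applied under Program Files (hidden drop directory).
    if proc == "attrib.exe" and "+h" in cmd and "+s" in cmd and "program files" in cmd:
        hits.append("hidden_drop_dir")
    # Execution from the Microsoft-impersonating drop location.
    if etype == "process" and image.lower().startswith(DROP_DIR):
        hits.append("drop_dir_exec")
    # Chromium Local State (holds the encrypted master key) read by a non-browser.
    if etype == "file" and LOCAL_STATE_RE.search(ev.get("target", "")) and proc not in BROWSER_PROCS:
        hits.append("localstate_access")
    # T1071.004: resolution of the Cloudflare-fronted API domain.
    q = ev.get("query", "").lower().rstrip(".")
    if etype == "dns" and (q in IOC_DOMAINS or q.endswith(".eqp.lol")):
        hits.append("ioc_domain")
    # Direct connection to the panel or Cloudflare-fronted IPs.
    if ev.get("dst") in IOC_IPS:
        hits.append("ioc_ip")
    return hits


def scan(log_text: str) -> list:
    """Run every rule over every line and collect Alert records."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        for rule in match_rules(parse_event(line)):
            alerts.append(Alert(rule, line))
    return alerts


# Constructed sample telemetry (not real logs): one infection chain plus two benign events.
SAMPLE_LOG = r"""
type=process image="C:\Users\alice\Downloads\Negro.exe" hash=112d731bbfd7379cdf3263cbba39a170c235d616c26b803f3afe6b014f4748a1 cmdline="Negro.exe"
type=process image="C:\Windows\System32\attrib.exe" cmdline="attrib +h +s C:\Program Files (x86)\Microsoft Updater" parent="Negro.exe"
type=process image="C:\Program Files (x86)\Microsoft Updater\updater.exe" hash=ca9798f6bb9ad81dc20f8dee10c19368a44f3e48d71fa823b9c6f3b6473ca518 cmdline="updater.exe"
type=file image="C:\Program Files (x86)\Microsoft Updater\updater.exe" target="C:\Users\alice\AppData\Local\Microsoft\Edge\User Data\Local State"
type=file image="C:\Program Files\Microsoft\Edge\Application\msedge.exe" target="C:\Users\alice\AppData\Local\Microsoft\Edge\User Data\Local State"
type=dns image="C:\Program Files (x86)\Microsoft Updater\updater.exe" query=api.eqp.lol
type=network image="C:\Program Files (x86)\Microsoft Updater\updater.exe" dst=69.164.242.27 dport=443
type=dns image="C:\Program Files\Mozilla Firefox\firefox.exe" query=www.example.com
"""

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"[{a.rule}] {a.line[:90]}")
```

The hash, domain and IP rules are brittle by design (the operator can rotate them), so the behavioural rules carry the weight: a Local State read by anything other than a browser, and attrib hiding a directory under Program Files, are rare in normal telemetry and stay valid after the infrastructure changes. In production the allow-list and path patterns would be tuned to the environment's own software inventory.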
Read more: https://www.cyfirma.com/research/ltx-stealer-analysis-of-a-node-js-based-credential-stealer/