New Stealit Campaign Abuses Node.js Single Executable Application

FortiGuard Labs observed an active Stealit campaign distributing Node.js-based stealers using the experimental Single Executable Application (SEA) feature and also reverting to Electron, with heavy obfuscation, anti-analysis checks, and multiple payload components for data theft and remote control. The campaign uses commercialized C2 panels (iloveanimals[.]shop / stealituptaded[.]lol), distributes via game/VPN installer lures and file-sharing sites, and targets browsers, messengers, game platforms, and many crypto wallet extensions.

Keypoints

  • Stealit operators are distributing Node.js stealers packaged with Node.js SEA (Single Executable Application) and also using Electron with AES-256-GCM to bundle and execute payloads without requiring a Node runtime.
  • Initial installers are multi-layered, heavily obfuscated Node.js scripts stored in a NODE_SEA_BLOB resource (built with AngaBlue), which decode and execute further payloads in memory.
  • The installer performs many anti-analysis checks (VM detection, suspicious files, timing, process and registry checks) and aborts if analysis artifacts are found; it can also log execution to C:UsersPCAppDataLocalerrorlxerror.log when run elevated.
  • Post-installation components (save_data.exe, stats_db.exe, game_cache.exe) are downloaded from C2 URLs under root.iloveanimals[.]shop, decompressed (Brotli), added to the Windows Defender exclusion list, and executed; persistence is established via startup.vbs.
  • Functionality includes credential and browser wallet theft (many browser targets and extension IDs listed), Chromium data extraction (ChromElevator-derived tool), remote control (screen/webcam, CMD executor, file grabber), and possible ransomware support (Encrypted_files.txt).
  • Stealit operates a commercial panel site and Telegram channel (StealitPublic) offering subscription access and authentication keys for customers to control infected hosts.
  • IOCs include malicious domains, file-sharing links (Discord/MediaFire), and a SHA-256 file hash; FortiGuard signatures detect variants as W64/Litseat.A–D!tr and web filtering blocks the cited C2 URLs.
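The SEA packaging described in the key points leaves a recognisable fingerprint in the resulting executable, which is useful for triaging unknown installers before any deeper analysis. The following script is an added example (not FortiGuard's tooling or anything from the report) that scans raw file bytes for the fuse sentinel that Node.js documents for SEA builds (`NODE_SEA_FUSE_fce680ab2cc467b6e072b8b5df1996b2`, flipped from `:0` to `:1` when a blob has been injected), for the `NODE_SEA_BLOB` resource name the report mentions, and for the `app.asar` marker of an Electron bundle. The sample byte strings at the bottom are constructed; the fuse string is taken from the Node.js SEA documentation and is an assumption that it has not changed.

```python
"""Triage: does an unknown Windows executable look like a Node.js SEA build?

Added example, not FortiGuard's code. Indicators:
  * the SEA fuse sentinel documented by Node.js (assumption: unchanged),
  * the NODE_SEA_BLOB resource name named in the report,
  * the app.asar marker Electron uses for its application bundle.
"""
import re
import sys

# Node.js injects the SEA blob with postject and flips this fuse from ":0"
# (plain node binary) to ":1" (blob present). String from the Node docs.
SEA_FUSE = b"NODE_SEA_FUSE_fce680ab2cc467b6e072b8b5df1996b2"
# Resource name the blob is injected under on Windows (from the report).
SEA_BLOB_NAME = "NODE_SEA_BLOB"
# Electron keeps its packaged app in app.asar; the report notes an Electron variant.
ELECTRON_MARKER = b"app.asar"


def scan_bytes(data: bytes) -> dict:
    """Return the SEA/Electron indicators found in raw file bytes."""
    fuse = re.search(SEA_FUSE + rb":([01])", data)
    # PE resource-directory names are stored as UTF-16LE; also check ASCII
    # in case the name only survives in a section or string table.
    blob_present = (SEA_BLOB_NAME.encode("utf-16-le") in data) or (
        SEA_BLOB_NAME.encode() in data
    )
    return {
        "sea_fuse_present": fuse is not None,
        "sea_fuse_armed": fuse is not None and fuse.group(1) == b"1",
        "sea_blob_resource": blob_present,
        "electron_asar": ELECTRON_MARKER in data,
    }


def verdict(indicators: dict) -> str:
    """Collapse the indicators into one triage label."""
    if indicators["sea_fuse_armed"] or indicators["sea_blob_resource"]:
        return "node-sea"            # a Node binary carrying an injected blob
    if indicators["sea_fuse_present"]:
        return "node-binary-no-sea"  # plain node.exe, fuse still ":0"
    if indicators["electron_asar"]:
        return "electron"
    return "unknown"


def scan_file(path: str) -> dict:
    """Scan a file on disk and attach the verdict to the indicator dict."""
    with open(path, "rb") as fh:
        indicators = scan_bytes(fh.read())
    indicators["verdict"] = verdict(indicators)
    return indicators


# Constructed samples standing in for real images (not real malware bytes).
SAMPLE_SEA = (
    b"MZ" + b"\x00" * 60 + SEA_FUSE + b":1" + b"\x00" * 16
    + SEA_BLOB_NAME.encode("utf-16-le")
)
SAMPLE_NODE = b"MZ" + b"\x00" * 60 + SEA_FUSE + b":0"
SAMPLE_OTHER = b"MZ" + b"\x00" * 60 + b"nothing to see here"

if __name__ == "__main__":
    for p in sys.argv[1:]:
        print(p, scan_file(p))
```

An armed fuse only says that the file is a Node.js binary with an injected blob; many legitimate tools ship that way, so treat "node-sea" as a reason to extract and inspect the blob (and to apply the report's other indicators), not as a verdict of malice on its own.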

MITRE Techniques

  • [T1059] Command and Scripting Interpreter – Installer and payloads are Node.js scripts executed (decoded and run in memory) using require and packaged as executables: “this blob is decoded and executed directly in memory using Node.js’ require function.”
  • [T1105] Ingress Tool Transfer – Components are downloaded from C2 URLs like https[:]//root.iloveanimals[.]shop/download/save_data and saved to %UserProfile%\AppData\Local\… – “It then proceeds to download the initial components from the following URLs…”
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys and Startup Folder – Persistence via startup.vbs placed in the Windows startup folder to launch game_cache.exe on startup: “That script is then placed in the Windows startup folder … startup.vbs executes game_cache.exe.”
  • [T1083] File and Directory Discovery – Malware enumerates system properties and checks for virtual environment artifacts and specific files/paths (e.g., VirtualBox/VMware driver paths) as part of anti-analysis checks: “Checks for the existence of directories and files related to VMware and VirtualBox.”
  • [T1497] Virtualization/Sandbox Evasion – Anti-analysis checks for VM indicators (memory, CPU cores, hostname/username blacklists, timing checks) and abort if suspicious: “If two or more of these checks are not satisfied, it determines that it’s inside a virtual setup.”
  • [T1056] Input Capture (Screen Capture) – Drops/builds a VB.NET screenCapture_1.3.2.exe to allow remote viewing of the victim’s screen: “ScreenCapture_1.3.2.bat, app.manifest: These files are used to build … screenCapture_1.3.2.exe … to remotely view the victim’s screen.”
  • [T1113] Screen Capture – Feature list and components support live screen view and screen capture capabilities for remote monitoring: “Live Screen View – Stream victim’s screen in real-time.”
  • [T1490] Inhibit System Recovery – Malware attempts to add created directories to Defender exclusion list to avoid detection: “Add-MpPreference -ExclusionPath {directory}”; this inhibits recovery/detection mechanisms.
  • [T1005] Data from Local System – stats_db.exe and save_data.exe extract browser data, messenger data, game platform data, and crypto wallets from local applications: “It then proceeds to extract information from various browsers, including Google Chrome and Microsoft Edge … The extracted information is stored in the %Temp%/BrowserData directory.”
  • [T1071] Application Layer Protocol – game_cache.exe communicates with C2 via HTTP POST to https[:]//root[.]iloveanimals[.]shop/panelping, sending victim info as JSON: {"pcName":"[username]","hwid":"[UUID]","key":"[12-character key]"}
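Three of the behaviours in the technique list above (the Defender exclusion under T1490, the startup.vbs persistence under T1547.001, and the panelping beacon under T1071) are each visible in telemetry most environments already collect: PowerShell script-block logs, file-creation events, and proxy or EDR HTTP logs. The script below is an added example, not part of the report or of FortiGuard's detection content, that applies one hunt rule per behaviour to a list of constructed, simplified events. The event dictionary layout, rule names and severities are this example's own assumptions; the C2 domains, the panelping path and the beacon field layout (`pcName`, `hwid` as a UUID, `key` of 12 characters) come from the report.

```python
"""Hunt rules for the Stealit post-installation behaviour described above.

Added example, not FortiGuard's code. Event format is a constructed,
simplified stand-in for script-block, file-create and HTTP logs.
"""
import json
import re

# Domains named in the report, defanging brackets removed for matching.
KNOWN_C2 = {"iloveanimals.shop", "root.iloveanimals.shop", "stealituptaded.lol"}

# Add-MpPreference -ExclusionPath <quoted or bare path>
EXCLUSION_RE = re.compile(
    r"Add-MpPreference\s+-ExclusionPath\s+(?:['\"]([^'\"]+)['\"]|(\S+))", re.I
)
# Exclusions under a user profile are the pattern the report describes.
USER_PROFILE_RE = re.compile(
    r"^(?:[A-Z]:\\Users\\[^\\]+\\|%(?:UserProfile|AppData|LocalAppData|Temp)%)", re.I
)
# A .vbs dropped into the per-user Startup folder (startup.vbs in the report).
STARTUP_VBS_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.vbs$", re.I)
UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)


def check_powershell(script: str) -> list:
    """Flag Defender exclusions; user-profile paths get the higher severity."""
    findings = []
    for m in EXCLUSION_RE.finditer(script):
        path = m.group(1) or m.group(2)
        severity = "high" if USER_PROFILE_RE.match(path) else "medium"
        findings.append(("defender-exclusion-added", severity, path))
    return findings


def check_file_create(path: str) -> list:
    """Flag a VBScript written to the Startup folder."""
    if STARTUP_VBS_RE.search(path):
        return [("startup-folder-vbs", "high", path)]
    return []


def check_http_post(host: str, url_path: str, body: str) -> list:
    """Flag known C2 hosts and bodies shaped like the panelping beacon."""
    findings = []
    if host.lower() in KNOWN_C2:
        findings.append(("known-stealit-c2", "high", host))
    try:
        data = json.loads(body)
    except (ValueError, TypeError):
        return findings
    if (
        isinstance(data, dict)
        and set(data) == {"pcName", "hwid", "key"}
        and UUID_RE.match(str(data["hwid"]))
        and len(str(data["key"])) == 12
    ):
        findings.append(("panelping-beacon-shape", "medium", url_path))
    return findings


def triage(events: list) -> list:
    """Run every rule over a list of constructed events; return findings."""
    out = []
    for ev in events:
        if ev["type"] == "powershell":
            out += check_powershell(ev["script"])
        elif ev["type"] == "file":
            out += check_file_create(ev["path"])
        elif ev["type"] == "http":
            out += check_http_post(ev["host"], ev["path"], ev["body"])
    return out


# Constructed sample events: three matching the report, three benign.
SAMPLE_EVENTS = [
    {"type": "powershell",
     "script": r"Add-MpPreference -ExclusionPath 'C:\Users\PC\AppData\Local\Temp\cache'"},
    {"type": "file",
     "path": r"C:\Users\PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\startup.vbs"},
    {"type": "http", "host": "root.iloveanimals.shop", "path": "/panelping",
     "body": '{"pcName":"DESKTOP-PC","hwid":"6f1c2a0e-4b3d-4e6a-9d2f-0a1b2c3d4e5f","key":"AB12CD34EF56"}'},
    {"type": "powershell", "script": "Get-MpPreference | Select-Object ExclusionPath"},
    {"type": "file", "path": r"C:\Users\PC\Documents\notes.txt"},
    {"type": "http", "host": "updates.example.com", "path": "/api/check",
     "body": '{"status":"ok"}'},
]

if __name__ == "__main__":
    for rule, severity, detail in triage(SAMPLE_EVENTS):
        print(f"[{severity}] {rule}: {detail}")
```

The beacon-shape rule is deliberately kept separate from the domain match: if the operators move the panel to a new domain, the body layout is the part most likely to survive, so a body-shape hit on a host that is not yet on the blocklist is worth a closer look rather than an automatic dismissal.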

Indicators of Compromise

  • [File Hash] malicious Stealit sample – 554b318790ad91e330dced927c92974d6c77364c… (long SHA-256 hash provided)
  • [Domain] C2 and panel infrastructure – iloveanimals[.]shop, root.iloveanimals[.]shop, stealituptaded[.]lol (C2/panel hosting and download endpoints)
  • [URL / File-Hosting] distribution links – Discord CDN and MediaFire file URLs used to host installer lures (e.g., https[:]//cdn.discordapp[.]com/…/VrchatPlugin.rar, https[:]//www[.]mediafire[.]com/file/9ni7pgjxuw8pc6h/ShaderSetup.rar/file)
  • [File Names] dropped/executed components and persistence – save_data.exe, stats_db.exe, game_cache.exe, startup.vbs, cache.exe (ChromElevator-derived), Stealit{random}.txt

Read more: https://feeds.fortinet.com/~/926060729/0/fortinet/blog/threat-research~New-Stealit-Campaign-Abuses-Nodejs-Single-Executable-Application