Stealit Malware spreads via fake game & VPN installers on Mediafire and Discord

Pierluigi Paganini October 13, 2025

Stealit malware abuses Node.js SEA and Electron to spread via fake game and VPN installers shared on Mediafire and Discord.

Fortinet FortiGuard Labs researchers spotted a Stealit malware campaign that abuses the Node.js Single Executable Application (SEA) feature, and in some samples Electron, to spread through fake game and VPN installers hosted on Mediafire and Discord.

Fortinet uncovered the campaign while investigating a surge in detections of a particular Visual Basic script, which the experts later identified as the malware's persistence component.

Attackers used Node.js SEA to bundle the malware into standalone binaries that run on systems without Node.js installed.

The Stealit malware has moved its command-and-control panel from stealituptaded[.]lol to iloveanimals[.]shop, now posing as a commercial site advertising “professional data extraction solutions.” The site lists features such as file theft, webcam control, live monitoring, and ransomware delivery for Android and Windows, complete with demo videos and subscription plans.

The site sells the stealer on a subscription basis; lifetime licenses cost about $500 for Windows and $2,000 for Android.

The malware operators use a Telegram channel, named StealitPublic, to share updates and promotions with potential clients. The contact person managing the Telegram channel was a user with the handle @deceptacle.

Stealit’s installer is a multi-layered, heavily obfuscated Node.js SEA executable (built with AngaBlue) that decodes and runs multiple script layers in memory. The malware performs anti-analysis checks (VM, timing, process, registry, DLL and parent-process checks) and logs its execution; if run with high privileges it writes logs and saves a 12-character auth key to %temp%\cache.json for C2 authentication.

“Once it passes through the anti-analysis checks, it proceeds to the actual installation of malware components,” reads the report published by Fortinet. “It first writes a base64-encoded authentication key in %temp%\cache.json. This 12-character alphanumeric key is used to authenticate with its C2. This is the same key used by subscribers of the malware service to log in to their dashboards, where they are likely to monitor and control their victims.”

The installer downloads Brotli-compressed components from root.iloveanimals[.]shop, saves them as %UserProfile%\AppData\Local\{RandDir}\*.exe, and adds those directories to Microsoft Defender's exclusion list so they are not scanned.

The malware bundles its payloads with Pkg and establishes persistence through a startup.vbs script. The key components are:

  • save_data.exe (uses ChromElevator to grab data from Chromium browsers);
  • stats_db.exe (collects browser and app data);
  • game_cache.exe (the C2 client).
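The host artifacts described above (the auth key in %temp%\cache.json, the Defender exclusions for random folders under %UserProfile%\AppData\Local, and the startup.vbs persistence script) can be checked together from an elevated PowerShell prompt. The script below is an added triage example, not code from the Fortinet report; it assumes the base64 key appears as a plain token inside cache.json and that startup.vbs lives in the user's Startup folder, neither of which the report states explicitly.

```powershell
# Added triage script (not from the Fortinet report). Assumptions: cache.json contains
# the base64 key as a bare token; the payload folder name is random, so every Defender
# exclusion sitting directly under %LocalAppData% is reported for manual review;
# startup.vbs is looked for in the per-user Startup folder.
$findings = @()

# 1. Auth key dropped at %temp%\cache.json: 12 alphanumeric bytes encode to exactly 16 base64 chars
$cache = Join-Path $env:TEMP 'cache.json'
if (Test-Path $cache) {
    $raw = Get-Content -Path $cache -Raw
    $decodedKey = $null
    foreach ($m in [regex]::Matches($raw, '(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{16}(?![A-Za-z0-9+/=])')) {
        try {
            $txt = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String($m.Value))
            if ($txt -match '^[A-Za-z0-9]{12}$') { $decodedKey = $txt; break }
        } catch { }
    }
    $findings += [pscustomobject]@{ Check = 'cache.json'; Detail = $cache; Suspicious = [bool]$decodedKey }
}

# 2. Defender exclusions for %UserProfile%\AppData\Local\{RandDir}
$localAppData = [regex]::Escape($env:LOCALAPPDATA)
$exclusions = (Get-MpPreference -ErrorAction SilentlyContinue).ExclusionPath
foreach ($p in $exclusions) {
    if ($p -match "^$localAppData\\[^\\]+\\?$") {
        $findings += [pscustomobject]@{ Check = 'DefenderExclusion'; Detail = $p; Suspicious = $true }
    }
}

# 3. Persistence: startup.vbs in the user's Startup folder (assumed location)
$vbs = Join-Path ([Environment]::GetFolderPath('Startup')) 'startup.vbs'
if (Test-Path $vbs) {
    $findings += [pscustomobject]@{ Check = 'StartupVBS'; Detail = $vbs; Suspicious = $true }
}

if ($findings.Count -eq 0) { 'No Stealit artifacts found.' } else { $findings | Format-Table -AutoSize }
```

A hit on any single check warrants pulling the referenced file or folder for analysis; a Defender exclusion pointing at a randomly named folder is the strongest signal of the three.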

The C2 server receives the victim’s username, hardware ID, and auth key, then sends commands for live screen and webcam viewing, file theft, remote command execution, ransomware deployment, and other RAT functions.

Below is the list of functionalities advertised on the malware website:

Feature | Description
--- | ---
Live Screen View | Stream the victim’s screen in real time
Live Webcam Access | View the camera feed from the victim’s device
System Management | Remote shutdown, restart, or control of system behavior
Ransom Chat Panel | Communicate directly with the victim
Fake Alert Message | Push custom fake system alerts to the victim
Log Refresh | Retrieve updated logs instantly without needing re-injection
CMD Executor | Send and execute terminal commands live
Remote Audio Player | Play any sound or music on the victim’s device
EXE Installer + Startup Binder | Upload, execute, and persist any payload
File Grabber | Collect files from Desktop, Documents, Downloads, and other critical paths
Wallpaper Changer | Remotely set any image as the victim’s desktop wallpaper

Newer Stealit samples have switched back to Electron, with the embedded Node.js scripts encrypted using AES-256-GCM; the researchers note that they behave just like the earlier SEA-built samples.

“This new Stealit campaign leverages the experimental Node.js Single Executable Application (SEA) feature, which is still under active development, to conveniently distribute malicious scripts to systems without Node.js installed. Threat actors behind this may be exploiting the feature’s novelty, relying on the element of surprise, and hoping to catch security applications and malware analysts off guard,” concludes the report.

“Furthermore, it employs heavy obfuscation and numerous anti-analysis techniques to evade detection and complicate analysis. Once installed, it is capable of controlling the victim’s system and extracting information, including login credentials and cryptocurrency wallets, from a wide variety of applications.”
