New Stealit Campaign Abuses Node.js Single Executable Application
Essential information
- Published
- 11/10/2025 02:50
- Modified
- 13/10/2025 10:15
- Tags
- 2025-10-11 anti-analysis cryptocurrency information theft node.js obfuscation rat single executable application stealit
- Related entities
- 12 observables, 1 intrusion sets (apt), 20 techniques (mitre), 1 malware
Description
A new Stealit malware campaign has been discovered that utilizes Node.js' Single Executable Application feature to distribute payloads. The campaign bundles malicious scripts into standalone binaries, allowing execution without requiring a pre-installed Node.js runtime. The malware is distributed as disguised game and VPN application installers through file-sharing sites. It employs heavy obfuscation and anti-analysis techniques to evade detection. Once installed, it can control the victim's system and extract information from various applications, including login credentials and cryptocurrency wallets. The campaign has shown adaptability, switching between Node.js SEA and Electron frameworks for payload delivery.