Researchers: Stealit malware uses Node.js single-executable feature to spread

Cybersecurity researchers have disclosed an active malware campaign called Stealit that is using Node.js’ Single Executable Application (SEA) feature to distribute malicious payloads, and that some variants also use the Electron framework.

Fortinet researchers Eduardo Altares and Joie Salvio said the operators are propagating the malware through counterfeit installers for games and VPN applications uploaded to file‑sharing sites such as Mediafire and Discord. Because the payload is packaged as a single executable (or, in some variants, with Electron, which bundles its own runtime), the researchers said, the malware runs on a victim's machine without a preinstalled Node.js runtime.

The Node.js Single Executable Application feature embeds an application's JavaScript in a copy of the Node.js binary, so developers can ship a standalone executable to systems that do not have Node.js installed. Fortinet said the campaign appears to be relying on the feature's relative novelty, and on the limited security tooling that recognises it, to evade detection.
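An SEA build leaves recognisable markers in the resulting file, which gives defenders a cheap triage check. The following is an added example for this article, not Fortinet's tooling and not Stealit code. It relies on two documented properties of SEA builds: the Node.js SEA guide has you run postject with the sentinel fuse `NODE_SEA_FUSE_fce680ab2cc467b6e072b8b5df1996b2`, which a stock node binary carries followed by `:0` and which postject rewrites to `:1` when it injects the application blob, and the blob is stored under the name `NODE_SEA_BLOB` (a UTF‑16LE resource name in a Windows PE). The byte strings used for the self-test are constructed stand-ins, not real executables.

```python
"""Triage executables for Node.js Single Executable Application (SEA) markers.

Added example for this article; not Fortinet's tooling and not Stealit code.
"""
from pathlib import Path

# Sentinel fuse named in the Node.js SEA docs. A stock `node` binary contains
# the fuse followed by ":0"; postject rewrites that byte to ":1" when it injects
# the application blob, and node checks it at start-up to decide whether to run
# the embedded script. A ":1" is therefore the strong "this is a finished SEA" signal.
SEA_FUSE = b"NODE_SEA_FUSE_fce680ab2cc467b6e072b8b5df1996b2"

# Resource name the docs tell you to give the blob. PE resource names are stored
# as UTF-16LE, so that is the encoding we look for; the ASCII form is useless as
# an indicator because the stock node binary itself references the name in code.
SEA_BLOB_RESOURCE = "NODE_SEA_BLOB".encode("utf-16-le")


def sea_indicators(data: bytes) -> dict:
    """Report which SEA markers appear in the raw bytes of a file."""
    fuse_pos = data.find(SEA_FUSE)
    fuse_state = None
    if fuse_pos != -1:
        tail = data[fuse_pos + len(SEA_FUSE):fuse_pos + len(SEA_FUSE) + 2]
        if tail[:1] == b":" and tail[1:2] in (b"0", b"1"):
            fuse_state = tail[1:2].decode("ascii")
    return {
        "node_runtime": fuse_pos != -1,           # any Node.js binary, SEA or not
        "fuse_state": fuse_state,                 # "0" = stock node, "1" = blob injected
        "blob_resource": SEA_BLOB_RESOURCE in data,  # corroborating PE resource name
    }


def is_node_sea(data: bytes) -> bool:
    """True when the file looks like a finished SEA build (blown fuse)."""
    return sea_indicators(data)["fuse_state"] == "1"


def scan_file(path) -> dict:
    """Scan one file on disk; reads it whole, which is fine for installer-sized binaries."""
    data = Path(path).read_bytes()
    result = sea_indicators(data)
    result["is_sea"] = is_node_sea(data)
    return result


# Constructed stand-ins for the self-test: only the bytes that matter, not real executables.
STOCK_NODE = b"MZ" + b"\x00" * 64 + SEA_FUSE + b":0" + b"\x00" * 32
SEA_INSTALLER = (b"MZ" + b"\x00" * 64 + SEA_FUSE + b":1" + b"\x00" * 32
                 + SEA_BLOB_RESOURCE + b"\x00" * 8)
PLAIN_EXE = b"MZ" + b"\x00" * 128

if __name__ == "__main__":
    import sys
    if sys.argv[1:]:
        for target in sys.argv[1:]:
            print(target, scan_file(target))
    else:
        for name, blob in (("stock node", STOCK_NODE),
                           ("SEA installer", SEA_INSTALLER),
                           ("plain exe", PLAIN_EXE)):
            print(f"{name:14} sea={is_node_sea(blob)} {sea_indicators(blob)}")
```

A hit only says "built with SEA", which legitimate software also is; it is a reason to pull the file into analysis, not a verdict. The check says nothing about the Electron-based variants Fortinet mentions, which carry a different runtime.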

The fake installers contain a bootstrapper that retrieves the main components from a command‑and‑control server, performs anti‑analysis checks for virtual or sandboxed environments, and writes a Base64‑encoded, 12‑character alphanumeric authentication key to %temp%\cache.json. Fortinet said that key is used to authenticate with the C2 and is the same credential subscribers use to log in to the actors' dashboard. The operators advertise subscription plans and sell a Windows stealer and an Android RAT at a range of prices.
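The key file is a concrete host artefact worth checking for. The following is an added example for this article, not Fortinet's tooling and not Stealit code: it reads %TEMP%\cache.json and reports any value that Base64‑decodes to exactly 12 alphanumeric characters, the shape the report gives for the key. Fortinet does not publish the file's layout, so the code tries the raw file body and, if the body parses as JSON, every string inside it; the flat `{"key": ...}` sample used for the self-test is a constructed assumption.

```python
"""Check %TEMP%\\cache.json for the Base64-encoded 12-character key the report describes.

Added example for this article; not Fortinet's tooling and not Stealit code.
"""
import base64
import binascii
import json
import os
import re
from pathlib import Path

# Report: 12 alphanumeric characters, stored Base64-encoded.
KEY_RE = re.compile(rb"[A-Za-z0-9]{12}")


def decoded_key(value: str):
    """Return the key if `value` is the Base64 form of a 12-char alphanumeric string, else None."""
    value = value.strip()
    # 12 bytes encode to exactly 16 Base64 characters with no padding; cheap prefilter.
    if len(value) != 16:
        return None
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("ascii") if KEY_RE.fullmatch(raw) else None


def iter_strings(obj):
    """Yield every string inside a parsed JSON value, whatever the layout."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for v in obj.values():
            yield from iter_strings(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from iter_strings(v)


def find_keys(text: str) -> list:
    """Candidate keys in a cache.json body.

    The layout is not published, so the raw body is tried as-is (in case the
    file holds only the Base64 string) and, if it parses as JSON, every string
    value inside it is tried too.
    """
    candidates = [text]
    try:
        candidates.extend(iter_strings(json.loads(text)))
    except json.JSONDecodeError:
        pass
    found = []
    for candidate in candidates:
        key = decoded_key(candidate)
        if key and key not in found:
            found.append(key)
    return found


def check_temp_cache_json(temp_dir=None) -> list:
    """Look in %TEMP% (or a given directory) for cache.json and return any keys it holds."""
    base = temp_dir or os.environ.get("TEMP") or os.environ.get("TMP") or "/tmp"
    path = Path(base) / "cache.json"
    if not path.is_file():
        return []
    return find_keys(path.read_text(encoding="utf-8", errors="replace"))


# Constructed sample; the flat {"key": ...} layout is an assumption, not the real format.
SAMPLE_KEY = "a1B2c3D4e5F6"
SAMPLE_CACHE_JSON = json.dumps(
    {"key": base64.b64encode(SAMPLE_KEY.encode("ascii")).decode("ascii")})

if __name__ == "__main__":
    print("sample file:", find_keys(SAMPLE_CACHE_JSON))
    print("this host:  ", check_temp_cache_json())
```

Any 16-character Base64 string that happens to decode to 12 letters and digits will match, so treat a hit as a lead to be combined with the other indicators (the dropped executables, the VBS persistence script and the Defender exclusion), not as proof of infection on its own.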

The campaign drops multiple executables. According to the report, save_data.exe (run only with elevated privileges) installs a tool named cache.exe, drawn from the open source ChromElevator project, to extract data from Chromium‑based browsers; stats_db.exe targets messengers, cryptocurrency wallets and wallet extensions, and game platforms; and game_cache.exe establishes persistence by creating a Visual Basic script and connects to the C2 to stream the victim's screen, execute commands and transfer files.

Fortinet also said the malware configures Microsoft Defender Antivirus exclusions for the folder containing the downloaded components, so that Defender does not scan them.
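An exclusion that covers a user-writable drop folder is itself a useful signal, since legitimate software rarely needs one there. The following is an added example for this article, not Fortinet's tooling and not Stealit code: it reads Defender's path exclusions and flags any rooted in a location a non-admin process can write to. The list of writable roots is an assumed heuristic (TEMP, LOCALAPPDATA, APPDATA, Downloads, C:\Users\Public, C:\ProgramData), the registry location assumed for the exclusions is `HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths`, which normally needs elevation to read, and the environment and exclusion list used for the self-test are constructed.

```python
"""Flag Microsoft Defender path exclusions that cover user-writable locations.

Added example for this article; not Fortinet's tooling and not Stealit code.
"""
import os
from pathlib import PureWindowsPath

# Assumed registry location of Defender's path exclusions (value names are the paths).
DEFENDER_EXCLUSION_KEY = r"SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"


def writable_roots(env=None) -> list:
    """Directories a non-admin process can write to, derived from the environment.

    Heuristic list, not from the report: temp and profile locations plus the two
    machine-wide folders that grant ordinary users create rights.
    """
    env = os.environ if env is None else env
    roots = [env.get("TEMP"), env.get("TMP"), env.get("LOCALAPPDATA"), env.get("APPDATA"),
             r"C:\Users\Public", r"C:\ProgramData"]
    profile = env.get("USERPROFILE")
    if profile:
        roots.append(str(PureWindowsPath(profile) / "Downloads"))
    return [PureWindowsPath(r) for r in roots if r]


def _parts(path) -> list:
    """Case-folded path components; Windows paths compare case-insensitively."""
    return [p.lower() for p in PureWindowsPath(path).parts]


def is_under(path, root) -> bool:
    """True when `path` equals `root` or lies beneath it (a trailing \\* wildcard still counts)."""
    p, r = _parts(path), _parts(root)
    return len(p) >= len(r) and p[:len(r)] == r


def suspicious_exclusions(exclusions, env=None) -> list:
    """Return (exclusion, matching_root) for every exclusion under a writable root."""
    roots = writable_roots(env)
    hits = []
    for exclusion in exclusions:
        for root in roots:
            if is_under(exclusion, root):
                hits.append((exclusion, str(root)))
                break
    return hits


def read_defender_exclusions() -> list:
    """Read exclusion paths from the registry. Windows only; returns [] elsewhere
    or when the key is not readable (it normally requires elevation)."""
    try:
        import winreg
    except ImportError:
        return []
    paths = []
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, DEFENDER_EXCLUSION_KEY) as key:
            index = 0
            while True:
                try:
                    name, _value, _type = winreg.EnumValue(key, index)
                except OSError:
                    break
                paths.append(name)
                index += 1
    except OSError:
        return []
    return paths


# Constructed environment and exclusion list for the self-test; not from a real host.
SAMPLE_ENV = {
    "TEMP": r"C:\Users\victim\AppData\Local\Temp",
    "LOCALAPPDATA": r"C:\Users\victim\AppData\Local",
    "APPDATA": r"C:\Users\victim\AppData\Roaming",
    "USERPROFILE": r"C:\Users\victim",
}
SAMPLE_EXCLUSIONS = [
    r"C:\Users\victim\AppData\Local\Temp\components",   # the pattern the report describes
    r"C:\Program Files\Legit Vendor\Scanner",           # admin-only location, not flagged
    r"C:\Users\Public\Downloads\*",                     # world-writable, flagged
]

if __name__ == "__main__":
    live = read_defender_exclusions()
    source = live if live else SAMPLE_EXCLUSIONS
    env = None if live else SAMPLE_ENV
    for exclusion, root in suspicious_exclusions(source, env):
        print(f"suspicious exclusion: {exclusion}  (under {root})")
```

On a live host the same list is available without the registry via `Get-MpPreference | Select-Object -ExpandProperty ExclusionPath` in PowerShell; the point of the script is the filtering, which is what turns a long exclusion list into the one or two entries worth asking about.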