Stealit subscription pricing | Image: FortiGuard Labs
FortiGuard Labs has identified a new and active Stealit malware campaign that abuses the Node.js Single Executable Application (SEA) feature to package and distribute its malicious payloads. The discovery follows a surge in detections of a Visual Basic persistence script, revealing a significant evolution in Stealit’s delivery methods.
Previous Stealit variants were built with Electron, the open-source framework that bundles Chromium and Node.js so that a JavaScript application can be shipped as a standalone desktop executable (in Stealit’s case, a Windows installer). This latest wave instead uses Node.js’ experimental SEA feature, which injects a prepared script blob into a copy of the Node.js binary so the application runs as a single executable without Node.js being installed on the target system.
FortiGuard Labs noted, “Both approaches are effective for distributing Node.js-based malware, as they allow execution without requiring a pre-installed Node.js runtime or additional dependencies.”
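Because an SEA binary is just a stock Node.js executable with a blob injected by postject, two artefacts of that build process are visible in the file itself: a resource named NODE_SEA_BLOB, and the sentinel fuse string `NODE_SEA_FUSE_fce680ab2cc467b6e072b8b5df1996b2`, which reads `:0` in an unmodified node.exe and is flipped to `:1` when a blob is injected. The triage helper below checks for both. It is an added example written for this page, not FortiGuard Labs’ or the Node.js project’s code, and the two byte strings it tests against are constructed stand-ins, not real samples.

```python
"""Triage helper: does this executable look like a Node.js Single Executable
Application (SEA)?  Example code for this page, not from FortiGuard Labs or
the Node.js project.  The sample byte strings are constructed, not malware."""
from __future__ import annotations

# Sentinel compiled into recent Node.js binaries; postject rewrites the byte
# after the colon from '0' to '1' when it injects the SEA blob.
SEA_FUSE = b"NODE_SEA_FUSE_fce680ab2cc467b6e072b8b5df1996b2"
# Resource (PE) / section (ELF) / segment (Mach-O) name postject uses for the blob.
SEA_BLOB_NAME = "NODE_SEA_BLOB"


def triage_sea(data: bytes) -> dict:
    """Return the SEA indicators found in the raw bytes of an executable."""
    verdict = {
        "fuse_present": False,      # string exists: this is (built from) Node.js
        "fuse_lit": False,          # ':1' means a SEA blob was injected
        "blob_name_present": False, # NODE_SEA_BLOB name appears in the file
        "is_sea": False,
    }
    idx = data.find(SEA_FUSE)
    if idx != -1:
        verdict["fuse_present"] = True
        state = data[idx + len(SEA_FUSE): idx + len(SEA_FUSE) + 2]
        verdict["fuse_lit"] = state == b":1"
    # PE resource names are stored UTF-16LE in the resource directory; ELF
    # sections and Mach-O segments carry the same name as plain ASCII.
    verdict["blob_name_present"] = (
        SEA_BLOB_NAME.encode("utf-16-le") in data or SEA_BLOB_NAME.encode() in data
    )
    verdict["is_sea"] = verdict["fuse_lit"] and verdict["blob_name_present"]
    return verdict


def triage_file(path: str) -> dict:
    """Convenience wrapper for a file on disk."""
    with open(path, "rb") as fh:
        return triage_sea(fh.read())


# Constructed stand-ins: a stock node.exe (fuse ':0', no blob) and an SEA-packed
# binary (fuse ':1', blob resource name present).  Not real samples.
STOCK_NODE = b"MZ\x90\x00" + b"\x00" * 64 + SEA_FUSE + b":0" + b"\x00" * 64
SEA_PACKED = (
    b"MZ\x90\x00" + b"\x00" * 64 + SEA_FUSE + b":1" + b"\x00" * 64
    + SEA_BLOB_NAME.encode("utf-16-le") + b"\x00" * 16
)

if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        print(p, triage_file(p))
```

A lit fuse is not malicious on its own: any legitimate application shipped as a Node.js SEA will trip it, so treat the verdict as a reason to pull the embedded script for review (the resource can be extracted with any PE resource tool), not as a conviction.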
The campaign continues Stealit’s established lure of posing as game or VPN installers, with fake setup files hosted on Mediafire and Discord. The packages are typically delivered as compressed archives, and some are built with PyInstaller, to look like ordinary installers to unsuspecting users.
Beyond its technical innovation, Stealit maintains a professionalized operation. The malware’s command-and-control (C2) panel has migrated from stealituptaded[.]lol to iloveanimals[.]shop, a domain doubling as a marketing website that openly promotes “data extraction services.”
Researchers observed that “the panel—also functioning as the Command-and-Control (C2) server—was hosted at stealituptaded[.]lol. However, that domain quickly became inaccessible as the C2 server was moved to iloveanimals[.]shop.”
The Stealit website advertises subscription plans for its Windows and Android stealers — priced around $500 for lifetime Windows access and $2,000 for Android. The platform even includes tutorial videos and a Telegram channel (@StealitPublic) for updates and customer support. The main contact identified by Fortinet uses the handle @deceptacle.
The Stealit infection chain begins with an installer component that runs through several layers of obfuscated Node.js code before reaching its main payload. Each stage is stored encoded and is decoded only at runtime in memory, which blunts static analysis.
The core installer carries the malicious script in a raw resource named NODE_SEA_BLOB. Referring to a path string found in the samples, Fortinet researchers explained, “In the samples we encountered, this path includes a directory named StealIt, strongly suggesting that it belongs to the stealer malware service of the same name.”
To further complicate detection, the malware performs anti-analysis checks, including:
- Detecting virtual environments and sandboxes.
- Inspecting running processes for debuggers or analysis tools.
- Monitoring execution timing for signs of instrumentation.
If analysis is detected, the malware terminates execution, displaying an error message box before shutting down.
Once installed, Stealit creates a Visual Basic startup script (startup.vbs) to ensure persistence on Windows systems. The malware then downloads three core payloads — save_data.exe, stats_db.exe, and game_cache.exe — from its C2 domain iloveanimals[.]shop.
Each component serves a distinct purpose:
- save_data.exe uses ChromElevator to extract credentials from Chromium-based browsers, bypassing built-in encryption mechanisms.
- stats_db.exe targets data from browsers, gaming clients (Steam, Epic Games, Minecraft), messaging apps (WhatsApp, Telegram), and cryptocurrency wallets like Exodus and Atomic.
- game_cache.exe acts as the C2 client, enabling attackers to remotely execute commands, view live screens, access webcams, send fake alerts, and even deploy ransomware modules.
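The persistence artefact and the three payload names above are concrete enough to hunt for. The script below walks Startup-style folders for VBScript launchers, pulls out what each one executes via WScript.Shell, and flags any that reference the payload names or the C2 domain from the report. It is an added example written for this page, not FortiGuard Labs’ tooling; the report does not state where startup.vbs is dropped, so the per-user and all-users Startup folders are an assumption, and the two VBS bodies in the block are constructed stand-ins, not the real script.

```python
"""Hunt for Startup-folder VBScript launchers referencing Stealit artefacts.
Example code for this page, not FortiGuard Labs' tooling.  The VBS samples
below are constructed stand-ins, not the real startup.vbs."""
from __future__ import annotations

import os
import re
import tempfile
from pathlib import Path

# Indicators taken from the report.
IOC_DOMAIN = "iloveanimals.shop"
IOC_PAYLOADS = ("save_data.exe", "stats_db.exe", "game_cache.exe")

# Matches WScript.Shell .Run "..." / .Exec("...") and captures the command.
RUN_RE = re.compile(r'\.(?:Run|Exec)\s*\(?\s*"([^"]+)"', re.IGNORECASE)


def default_startup_dirs() -> list[Path]:
    """Standard per-user and all-users Startup folders (assumption: the report
    does not give the drop path; these are simply where auto-run .vbs lives)."""
    dirs = []
    for env, sub in (
        ("APPDATA", r"Microsoft\Windows\Start Menu\Programs\Startup"),
        ("PROGRAMDATA", r"Microsoft\Windows\Start Menu\Programs\StartUp"),
    ):
        base = os.environ.get(env)
        if base:
            dirs.append(Path(base) / sub)
    return dirs


def analyse_vbs(text: str) -> dict:
    """Extract Run/Exec targets and list which report IOCs the script mentions."""
    lowered = text.lower()
    iocs = [p for p in IOC_PAYLOADS if p in lowered]
    if IOC_DOMAIN in lowered:
        iocs.append(IOC_DOMAIN)
    return {"run_targets": RUN_RE.findall(text), "iocs": iocs}


def hunt(roots) -> list[dict]:
    """Scan every *.vbs under the given roots; return only IOC matches."""
    findings = []
    for root in roots:
        root = Path(root)
        if not root.is_dir():
            continue
        for path in root.rglob("*.vbs"):
            try:
                text = path.read_text(errors="ignore")
            except OSError:
                continue
            info = analyse_vbs(text)
            if info["iocs"]:
                findings.append({"path": str(path), **info})
    return findings


# Constructed samples for an offline demonstration.
SUSPICIOUS_VBS = (
    'Set sh = CreateObject("WScript.Shell")\n'
    'sh.Run "C:\\Users\\Public\\game_cache.exe", 0, False\n'
)
BENIGN_VBS = (
    'Set sh = CreateObject("WScript.Shell")\n'
    'sh.Run "notepad.exe", 1, False\n'
)


def demo() -> list[dict]:
    """Run the hunt over a temporary folder holding the two constructed scripts."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "startup.vbs").write_text(SUSPICIOUS_VBS)
        (Path(tmp) / "notes.vbs").write_text(BENIGN_VBS)
        return hunt([tmp])


if __name__ == "__main__":
    # On a Windows host this scans the real Startup folders; elsewhere it falls
    # back to the constructed demo so the script still shows its output format.
    for finding in hunt(default_startup_dirs()) or demo():
        print(finding)
```

The run-target extraction is the part worth keeping even when the IOC list goes stale: a Startup-folder script that silently launches (window style 0) an executable from a user-writable path is suspicious regardless of which stealer dropped it.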
Fortinet analysts observed that within weeks of detection, new Stealit variants reverted to Electron, now using AES-256-GCM encryption for bundled Node.js scripts — a sign of rapid iteration and evasion. Despite changing frameworks, the underlying functionalities remained consistent, showing that the Stealit operators are actively refining their distribution pipeline.
FortiGuard Labs warns that “this new Stealit campaign leverages the experimental Node.js Single Executable Application (SEA) feature, which is still under active development, to conveniently distribute malicious scripts to systems without Node.js installed.”