A new report by CYFIRMA has uncovered a sophisticated credential-stealing campaign that abuses legitimate software frameworks to bypass security defenses. Dubbed LTX Stealer, this Windows-based malware hides within a heavily obfuscated installer, leveraging the trust users place in standard setup files to execute its malicious payload.
The analysis highlights a growing trend in the cybercrime ecosystem: the “weaponization” of developer tools. By embedding a full Node.js runtime and using legitimate cloud services for management, LTX Stealer creates a low-noise profile that is difficult for traditional antivirus software to detect.
The infection begins with a file named Negro.exe, which presents itself as a standard Windows application. Under the hood, however, it is a Trojan horse: the malware is packaged with Inno Setup, a widely used installer framework, so that it blends in with legitimate software distribution workflows.
“The malware abuses a legitimate installer framework, embeds a full Node.js runtime, and applies JavaScript bytecode compilation to deliberately hinder reverse engineering efforts,” the report explains.
This packaging strategy is key to its evasion. The installer contains an unusually large, encrypted archive of over 375 MB that conceals thousands of files. The size and the encryption work together: many scanners and sandboxes skip or truncate files that large, and an encrypted archive gives static analysis tools nothing to inspect until the installer itself decrypts it.
Once executed, the malware drops a payload named updater.exe into a hidden system directory. Despite its name, this file is actually a bundled Node.js runtime. By compiling the malicious JavaScript into V8 bytecode rather than shipping readable source, the attackers turn their logic into a black box: an analyst gets no source to read and has to reconstruct behaviour from the bytecode or from runtime observation, which makes understanding the malware considerably harder.
“The payload was built using pkg, which bundles JavaScript code, application dependencies, and the Node.js runtime into a single executable,” CYFIRMA notes.
The primary goal of LTX Stealer is data theft. It targets Chromium-based browsers like Google Chrome and Microsoft Edge, systematically extracting sensitive information.
The report details how the malware uses a script called decrypt.py to recover the browsers' encrypted data. “It closely follows Chromium’s native key protection and decryption logic to ensure successful extraction,” allowing it to recover saved passwords, cookies, and active session tokens.
Beyond browser data, the malware also hunts for cryptocurrency wallets, searching for files and extensions associated with digital assets to steal funds from victims.
The investigation suggests that LTX Stealer is not a bespoke tool for a single attack but a product sold on the cybercriminal market. The malware connects to a backend infrastructure powered by Supabase and fronted by Cloudflare, mimicking a professional SaaS application.
Evidence found on social media platforms confirms this “Stealer-as-a-Service” model. “Pricing tiers observed include USD 10 for weekly access and USD 25 for monthly access, reinforcing the assessment that the malware is intended for widespread use,” the report states.
With its low cost and high sophistication, LTX Stealer represents a scalable threat that is likely to see broad distribution in the wild.