Threat actors are conducting a new malicious campaign deploying the Stealit malware via disguised applications, according to Fortinet.
The cybersecurity provider’s threat research lab, FortiGuard Labs, uncovered this new information stealer (infostealer) campaign following a spike in detections of a particular Visual Basic script, a new report explained.
The campaign gains initial access via fake game and VPN installers, packaged with PyInstaller or placed inside common compressed archives and uploaded to file-sharing sites such as Mediafire and Discord.
The threat actor then employs heavy obfuscation and numerous anti-analysis techniques to evade detection and complicate analysis.
Once installed, the Stealit infostealer lets the threat actor extract information from various browsers, including Google Chrome and Microsoft Edge. It can also steal data from a variety of applications, including game-related software and marketplaces (Steam, Minecraft, Growtopia and the Epic Games Launcher), instant messaging apps (WhatsApp and Telegram) and cryptocurrency wallets (Atomic, Exodus and wallets installed as browser extensions).
Novel Stealit Delivery Techniques
Leveraging Node.js Single Executable Apps
While earlier Stealit samples used Electron to package scripts into installers, the new campaign initially leveraged the Node.js Single Executable Applications (SEA) feature to deliver malicious scripts to systems without Node.js installed.
Node.js SEA is an experimental feature that packages a Node.js application, its dependencies and assets into a standalone executable that runs on systems without Node.js installed. Because the executable carries a full copy of the Node.js runtime, this approach results in significantly larger file sizes.
The threat actor behind this campaign has abused this capability by embedding the malicious script in the executable’s NODE_SEA_BLOB resource, stored as RCDATA.
This resource contains not only the script but also its original file path, which often reveals telling details.
In the observed samples, the path includes references to ‘StealIt’ and ‘angablue,’ indicating the use of AngaBlue, an open-source tool that automates the creation of Node.js SEA executables, alongside the Stealit infostealer.
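The build path that gives the samples away lives inside the SEA blob itself, so an analyst's first step is to pull that blob out and read the path. The script below is an added example written for this article, not FortiGuard Labs' tooling or Node's own code. It carves SEA blobs out of any file image by their magic value and parses the fields that matter for triage. The blob layout and constants (magic 0x143da20, the flag bits, u64 length prefixes) are my reading of node's src/node_sea.cc serializer for Node 20 to 22 and are assumptions to verify against the Node version that built your sample; the INDICATORS tuple comes from the path substrings the report mentions; the sample image is constructed, not a real Stealit artefact.

```python
"""Carve Node.js SEA blobs from a file image and pull out the embedded script path."""
import re
import struct

# Blob layout assumed here, from node's src/node_sea.cc as I read it (Node 20-22; verify
# against the Node version that built your sample): u32 magic, u32 flags, then u64
# length-prefixed strings: code_path, main script or snapshot, optional code cache,
# optional asset table. These constants are assumptions, not taken from the article.
SEA_MAGIC_LE = struct.pack("<I", 0x143DA20)
FLAG_USE_SNAPSHOT = 1 << 1      # "main" is a V8 snapshot, not JS text
FLAG_USE_CODE_CACHE = 1 << 2
FLAG_INCLUDE_ASSETS = 1 << 3
MAX_FIELD = 256 * 1024 * 1024   # reject absurd lengths when the magic is a false positive
MAX_ASSETS = 10_000
INDICATORS = ("stealit", "angablue")  # path substrings the report ties to this campaign

class SeaParseError(ValueError):
    pass

def _read_u64(buf, off):
    if off + 8 > len(buf):
        raise SeaParseError("truncated length prefix")
    return struct.unpack_from("<Q", buf, off)[0], off + 8

def _read_string(buf, off):
    n, off = _read_u64(buf, off)
    if n > MAX_FIELD or off + n > len(buf):
        raise SeaParseError("length prefix out of range")
    return buf[off:off + n], off + n

def parse_sea_blob(buf, off=0):
    """Parse one SEA blob at buf[off]; raises SeaParseError on malformed input."""
    if buf[off:off + 4] != SEA_MAGIC_LE:
        raise SeaParseError("bad magic")
    flags = struct.unpack_from("<I", buf, off + 4)[0]
    code_path, pos = _read_string(buf, off + 8)   # original path of the bundled main script
    main, pos = _read_string(buf, pos)            # the script (or a V8 snapshot of it)
    code_cache = b""
    if flags & FLAG_USE_CODE_CACHE:
        code_cache, pos = _read_string(buf, pos)
    assets = {}
    if flags & FLAG_INCLUDE_ASSETS:
        count, pos = _read_u64(buf, pos)
        if count > MAX_ASSETS:
            raise SeaParseError("asset count out of range")
        for _ in range(count):
            key, pos = _read_string(buf, pos)
            value, pos = _read_string(buf, pos)
            assets[key.decode("utf-8", "replace")] = value
    return {"offset": off, "end": pos, "flags": flags,
            "code_path": code_path.decode("utf-8", "replace"),
            "is_snapshot": bool(flags & FLAG_USE_SNAPSHOT),
            "main": main, "code_cache": code_cache, "assets": assets}

def find_sea_blobs(data):
    """Carve every parseable blob by magic: works on a PE, a dumped resource or a raw buffer."""
    found, start = [], 0
    while (i := data.find(SEA_MAGIC_LE, start)) >= 0:
        try:
            blob = parse_sea_blob(data, i)
        except SeaParseError:
            start = i + 1       # 4-byte magic matched by chance; keep scanning
            continue
        found.append(blob)
        start = blob["end"]
    return found

def triage(blob):
    """What an analyst checks first: the build-time path and readable strings in the script."""
    path_lc = blob["code_path"].lower()
    strings = [] if blob["is_snapshot"] else re.findall(rb"[\x20-\x7e]{8,}", blob["main"])
    return {"code_path": blob["code_path"],
            "indicator_hits": [s for s in INDICATORS if s in path_lc],
            "is_snapshot": blob["is_snapshot"], "script_bytes": len(blob["main"]),
            "asset_names": sorted(blob["assets"]),
            "sample_strings": [s.decode("ascii") for s in strings[:5]]}

def build_sea_blob(code_path, main, flags=0, assets=None):
    """Serialise a blob in the same assumed layout; used here only to construct test data."""
    def s(b):
        return struct.pack("<Q", len(b)) + b
    out = SEA_MAGIC_LE + struct.pack("<I", flags) + s(code_path.encode()) + s(main)
    if flags & FLAG_USE_CODE_CACHE:
        out += s(b"")
    if flags & FLAG_INCLUDE_ASSETS:
        out += struct.pack("<Q", len(assets or {}))
        for k, v in (assets or {}).items():
            out += s(k.encode()) + s(v)
    return out

# Constructed sample, not a real Stealit artefact: one blob inside PE-looking padding.
SAMPLE_PATH = r"C:\Users\dev\StealIt\node_modules\angablue\build\index.js"
SAMPLE_MAIN = b'const os=require("os");/* stand-in for the real stealer script */'
SAMPLE_IMAGE = (b"MZ" + b"\x00" * 300
                + build_sea_blob(SAMPLE_PATH, SAMPLE_MAIN, FLAG_INCLUDE_ASSETS, {"cfg.json": b"{}"})
                + b"\x00" * 64)

if __name__ == "__main__":
    for blob in find_sea_blobs(SAMPLE_IMAGE):
        print(triage(blob))
```

On a real sample you would normally locate the resource properly (for example with pefile, walking DIRECTORY_ENTRY_RESOURCE to the RT_RCDATA entry named NODE_SEA_BLOB) and hand that resource's bytes to parse_sea_blob; carving by magic is the dependency-free fallback and also works on memory dumps or a blob that was extracted by hand. The code_path field is the "original file path" the report describes, and the indicator_hits list is where strings such as StealIt and angablue surface. When the snapshot flag is set, main is a V8 startup snapshot rather than JavaScript text, so the string extraction above is skipped and further tooling is needed.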
“Threat actors behind this may be exploiting the feature’s novelty, relying on the element of surprise, and hoping to catch security applications and malware analysts off guard,” the FortiGuard Labs researchers suggested.
However, the researchers observed that, weeks into the new campaign, the threat actor reverted to the Electron framework, this time encrypting the bundled Node.js scripts with AES-256-GCM.
Stealit C2 Panel Relocation
Alongside the shift in malware delivery technique, the threat actor behind this new Stealit campaign has also moved its command-and-control (C2) panel to new domains.
Initially hosted at stealituptaded[.]lol, the panel was quickly moved to iloveanimals[.]shop after the original domain became inaccessible.
The site operates as a commercial platform, marketing Stealit as a “professional data extraction solution” with subscription-based access, the FortiGuard Labs researchers observed.
The panel advertises remote access Trojan (RAT)-like capabilities, including file theft, webcam control, live screen monitoring and ransomware deployment, targeting both Windows and Android systems.
Instructional videos demonstrate its functionality, while pricing plans offer lifetime subscriptions at around $500 for Windows and $2,000 for Android.
The threat actor also maintains a Telegram channel (StealitPublic) for updates and promotions, with @deceptacle serving as the primary point of contact for potential clients.