EXECUTIVE SUMMARY:
A new Stealit malware campaign has emerged, leveraging Node.js’ Single Executable Application (SEA) feature to evade detection and increase its distribution efficiency. This campaign targets Windows environments and can potentially compromise any organization, allowing attackers to exfiltrate sensitive data and maintain persistent access. The malware continues a trend of being disguised as legitimate software, including game and VPN installers, and is actively distributed through file-sharing platforms like Mediafire and Discord.
The Stealit malware is delivered as a single executable binary using Node.js SEA, which bundles all scripts and dependencies into one file, allowing execution without a pre-installed Node.js runtime. The installer operates in multiple layers, each heavily obfuscated to prevent analysis. The first layer extracts a script stored in a resource named NODE_SEA_BLOB, which is decoded and executed in memory. The second layer is an obfuscated function object, and the third layer installs the main malware components and performs system checks. These checks detect virtual environments, suspicious files, and debugging tools, ensuring the malware avoids sandbox or analyst detection. Execution logs are written to both console and a local log file if elevated privileges are detected.
This Stealit campaign demonstrates a growing trend in malware delivery: abusing the experimental Node.js SEA feature to package malicious logic in a stealthy, all-in-one binary. By combining layered obfuscation, anti-analysis defenses, and modular capabilities for data theft and remote control, the campaign poses a credible threat to organizations. Defenders should monitor for such unusual single-file executables, keep endpoint protection signatures up to date, restrict execution of unknown binaries, and apply network analytics to detect anomalous communications with suspicious domains.
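The monitoring recommendation above can be turned into a first-pass triage check. The following helper is an added example written for this page, not code from the original advisory or from the Stealit sample: it flags Windows PE files that carry the NODE_SEA_BLOB resource name mentioned in the installer description. It assumes the name appears in the binary as a UTF-16LE string (the encoding PE uses for resource names) and also checks plain ASCII; the sample inputs are constructed byte strings, not real files.

```python
"""Triage helper: flag PE files that embed a Node.js SEA blob marker.

A Node.js Single Executable Application stores its bundled script in a
resource named NODE_SEA_BLOB. PE resource names are UTF-16LE, so an
ASCII-only grep can miss them; this scanner searches both encodings and
only reports files that also start with the PE 'MZ' header.
"""
import sys
from dataclasses import dataclass, field

SEA_MARKER = "NODE_SEA_BLOB"
# Assumption: resource names are stored UTF-16LE; ASCII is checked as well.
ENCODINGS = {
    "ascii": SEA_MARKER.encode("ascii"),
    "utf-16le": SEA_MARKER.encode("utf-16-le"),
}
PE_MAGIC = b"MZ"


@dataclass
class Finding:
    path: str
    is_pe: bool
    hits: dict = field(default_factory=dict)  # encoding -> list of offsets

    @property
    def suspicious(self) -> bool:
        # Only a PE file carrying the marker is worth an analyst's time;
        # the same string inside a text file or script is noise.
        return self.is_pe and bool(self.hits)


def find_all(haystack: bytes, needle: bytes) -> list:
    """Return every offset at which needle occurs in haystack."""
    offsets, pos = [], haystack.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = haystack.find(needle, pos + 1)
    return offsets


def scan_bytes(data: bytes, path: str = "<memory>") -> Finding:
    finding = Finding(path=path, is_pe=data[:2] == PE_MAGIC)
    for name, needle in ENCODINGS.items():
        offsets = find_all(data, needle)
        if offsets:
            finding.hits[name] = offsets
    return finding


def scan_file(path: str) -> Finding:
    with open(path, "rb") as fh:
        return scan_bytes(fh.read(), path)


# Constructed samples (not real binaries): a PE-like blob with the marker in
# a fake .rsrc area, a PE-like blob without it, and a shell script that merely
# mentions the marker in text.
SAMPLE_SEA_PE = (PE_MAGIC + b"\x00" * 64 + b".rsrc"
                 + SEA_MARKER.encode("utf-16-le") + b"\x00" * 16)
SAMPLE_PLAIN_PE = PE_MAGIC + b"\x00" * 64 + b"hello world"
SAMPLE_SCRIPT = b"#!/bin/sh\necho NODE_SEA_BLOB\n"


def triage(samples: dict) -> dict:
    """Map sample name -> True if it should be escalated for review."""
    return {name: scan_bytes(blob, name).suspicious
            for name, blob in samples.items()}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for p in sys.argv[1:]:
            r = scan_file(p)
            status = "SEA marker found" if r.suspicious else "no marker"
            print(f"{p}: {status} {r.hits}")
    else:
        print(triage({"sea_pe": SAMPLE_SEA_PE,
                      "plain_pe": SAMPLE_PLAIN_PE,
                      "script": SAMPLE_SCRIPT}))
```

A hit is a prompt for review, not a verdict: legitimate applications built with Node.js SEA contain the same resource, so a flagged file should be checked against its signer, hash reputation, and the distribution channel it arrived from before any blocking decision.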
THREAT PROFILE:
Tactic              | Technique ID | Technique                         | Sub-technique                      |
Initial Access      | T1195.002    | Supply Chain Compromise           | Compromise Software Supply Chain   |
Execution           | T1059.007    | Command and Scripting Interpreter | JavaScript                         |
Persistence         | T1547.001    | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
Defense Evasion     | T1497.001    | Virtualization / Sandbox Evasion  | System Checks                      |
Defense Evasion     | T1562.001    | Impair Defenses                   | Disable or Modify Tools            |
Credential Access   | T1555.003    | Credentials from Password Stores  | Credentials from Web Browsers      |
Command and Control | T1071.001    | Application Layer Protocol        | Web Protocols                      |
Exfiltration        | T1041        | Exfiltration Over C2 Channel      | —                                  |
MBC MAPPING:
Objective                | Behavior ID | Behavior                           |
Anti-Behavioral Analysis | B0001       | Debugger Detection                 |
Anti-Static Analysis     | B0032       | Executable Code Obfuscation        |
Collection               | E1113       | Screen Capture                     |
Collection               | F0002       | Keylogging                         |
Collection               | E1056       | Input Capture                      |
Command and Control      | B0030       | C2 Communication                   |
Defense Evasion          | F0001       | Software Packing                   |
Defense Evasion          | E1027       | Obfuscated Files or Information    |
Discovery                | E1083       | File and Directory Discovery       |
Discovery                | E1082       | System Information Discovery       |
Execution                | B0011       | Remote Commands                    |
Exfiltration             | E1020       | Automated Exfiltration             |
Impact                   | E1486       | Data Encrypted for Impact          |
Persistence              | F0012       | Registry Run Keys / Startup Folder |
REFERENCES:
The following reports contain further technical details: