New Stealit Campaign Abuses Node.js Single Executable Application

    Date: 10/13/2025

    Severity: High

    Summary

The team has identified a new Stealit malware campaign that uses Node.js' Single Executable Application (SEA) feature to deliver its payloads. The discovery followed a surge in detections of a Visual Basic script used for persistence. Earlier versions of Stealit relied on Electron to package Node.js scripts as NSIS installers; the shift to SEA lets the operators bundle the malware into standalone binaries that run without Node.js installed on the victim machine. Recent samples still pose as game or VPN installers and are distributed via file-sharing sites such as Mediafire and Discord.

    Indicators of Compromise (IOC) List

Domains/URLs:

    https://iloveanimals.shop/

    https://iloveanimals.shop/user/login

    https://root.iloveanimals.shop/download/save_data

    https://root.iloveanimals.shop/download/stats_db

    https://root.iloveanimals.shop/download/game_cache

    https://root.iloveanimals.shop/panelping

    https://root.stealituptaded.lol/download/save_data

    https://root.stealituptaded.lol/download/stats_db

    https://root.stealituptaded.lol/download/game_cache

    https://cdn.discordapp.com/attachments/1395171942494896190/1413957011837816915/VrchatPlugin.rar?ex=68bdd195&is=68bc8015&hm=b9f359a7f75b84d1b860d2aa4dd92f8adad3a2feef5d82832f49d664a256ff7b&

    https://www.mediafire.com/file/9ni7pgjxuw8pc6h/ShaderSetup.rar/file

    Https://download1529.mediafire.com/8006s55pduvgtQ0THBMZxcLtlrh20a5BnfF18n8YfGUB8P7M5U3mEQb-UYYDCrMHsSG0aWvnyy_LIMg2OnTc4kuNYmWzjWLQwOds-qSfhdO03NOQFAAaYCPiOvB8nU7mBEHe-3a5gDSufW6upPbFXyGlbzBTdtpcrVPXokNKOYZ9/c4zbp39q02jvrn8/Aykadia.rar

Hashes (SHA-256):

    554b318790ad91e330dced927c92974d6c77364ceddfb8c2a2c830d8b58e203c

    aa8f0988f1416f6e449b036d5bd1624b793b71d62889afdc4983ee21a1e7ca87

    5ea27a10c63d0bbd04dbea5ec08fe0524e794c74d89f92ac6694cfd8df786b1f

    083c4e0ffdc9edf0d93655ee4d665c838d2a5431b8064242d93a545bd9ad761b

    432b8414113a8c14c0305a562a93ed926e77de351bac235552a59cc02e1e5627

    8e1cf254d23e2b94c77294079336339ececf33a3e7ee1a3621ee4e0df0695ce5

    919a2107ac27e49cdaa60610706e05edfc99bd3f2e9ca75da4feb6a5f2517c27

    e004f8e39e489dec74a13d99836ee5693bd509047ecf49f3fc14efc143a161b5

    818350a4fb4146072a25f0467c5c99571c854d58bec30330e7db343bceca008b

    8814db9e125d0c2b7489f8c7c3e95adf41f992d4397ed718bda8573cb8fb0e83

    24b3def3f374c5f17ec9f1a347c71d9c921155c878ab36e48dd096da418bf782

    c38130d7cb43cf3da4858247a751d7b9a3804183db8c4c571b6eede0590474da

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

Detection Query 1:

domainname like "https://iloveanimals.shop/" or url like "https://iloveanimals.shop/" or siteurl like "https://iloveanimals.shop/" or domainname like "https://root.stealituptaded.lol/download/game_cache" or url like "https://root.stealituptaded.lol/download/game_cache" or siteurl like "https://root.stealituptaded.lol/download/game_cache" or domainname like "https://root.iloveanimals.shop/download/game_cache" or url like "https://root.iloveanimals.shop/download/game_cache" or siteurl like "https://root.iloveanimals.shop/download/game_cache" or domainname like "https://root.iloveanimals.shop/panelping" or url like "https://root.iloveanimals.shop/panelping" or siteurl like "https://root.iloveanimals.shop/panelping" or domainname like "https://root.iloveanimals.shop/download/stats_db" or url like "https://root.iloveanimals.shop/download/stats_db" or siteurl like "https://root.iloveanimals.shop/download/stats_db" or domainname like "https://root.stealituptaded.lol/download/save_data" or url like "https://root.stealituptaded.lol/download/save_data" or siteurl like "https://root.stealituptaded.lol/download/save_data" or domainname like "https://iloveanimals.shop/user/login" or url like "https://iloveanimals.shop/user/login" or siteurl like "https://iloveanimals.shop/user/login" or domainname like "https://root.iloveanimals.shop/download/save_data" or url like "https://root.iloveanimals.shop/download/save_data" or siteurl like "https://root.iloveanimals.shop/download/save_data" or domainname like "https://root.stealituptaded.lol/download/stats_db" or url like "https://root.stealituptaded.lol/download/stats_db" or siteurl like "https://root.stealituptaded.lol/download/stats_db" or domainname like "https://cdn.discordapp.com/attachments/1395171942494896190/1413957011837816915/VrchatPlugin.rar?ex=68bdd195&is=68bc8015&hm=b9f359a7f75b84d1b860d2aa4dd92f8adad3a2feef5d82832f49d664a256ff7b&" or url like "https://cdn.discordapp.com/attachments/1395171942494896190/1413957011837816915/VrchatPlugin.rar?ex=68bdd195&is=68bc8015&hm=b9f359a7f75b84d1b860d2aa4dd92f8adad3a2feef5d82832f49d664a256ff7b&" or siteurl like "https://cdn.discordapp.com/attachments/1395171942494896190/1413957011837816915/VrchatPlugin.rar?ex=68bdd195&is=68bc8015&hm=b9f359a7f75b84d1b860d2aa4dd92f8adad3a2feef5d82832f49d664a256ff7b&" or domainname like "https://www.mediafire.com/file/9ni7pgjxuw8pc6h/ShaderSetup.rar/file" or url like "https://www.mediafire.com/file/9ni7pgjxuw8pc6h/ShaderSetup.rar/file" or siteurl like "https://www.mediafire.com/file/9ni7pgjxuw8pc6h/ShaderSetup.rar/file" or domainname like "Https://download1529.mediafire.com/8006s55pduvgtQ0THBMZxcLtlrh20a5BnfF18n8YfGUB8P7M5U3mEQb-UYYDCrMHsSG0aWvnyy_LIMg2OnTc4kuNYmWzjWLQwOds-qSfhdO03NOQFAAaYCPiOvB8nU7mBEHe-3a5gDSufW6upPbFXyGlbzBTdtpcrVPXokNKOYZ9/c4zbp39q02jvrn8/Aykadia.rar" or url like "Https://download1529.mediafire.com/8006s55pduvgtQ0THBMZxcLtlrh20a5BnfF18n8YfGUB8P7M5U3mEQb-UYYDCrMHsSG0aWvnyy_LIMg2OnTc4kuNYmWzjWLQwOds-qSfhdO03NOQFAAaYCPiOvB8nU7mBEHe-3a5gDSufW6upPbFXyGlbzBTdtpcrVPXokNKOYZ9/c4zbp39q02jvrn8/Aykadia.rar" or siteurl like "Https://download1529.mediafire.com/8006s55pduvgtQ0THBMZxcLtlrh20a5BnfF18n8YfGUB8P7M5U3mEQb-UYYDCrMHsSG0aWvnyy_LIMg2OnTc4kuNYmWzjWLQwOds-qSfhdO03NOQFAAaYCPiOvB8nU7mBEHe-3a5gDSufW6upPbFXyGlbzBTdtpcrVPXokNKOYZ9/c4zbp39q02jvrn8/Aykadia.rar"

Detection Query 2:

    sha256hash IN ("554b318790ad91e330dced927c92974d6c77364ceddfb8c2a2c830d8b58e203c","083c4e0ffdc9edf0d93655ee4d665c838d2a5431b8064242d93a545bd9ad761b","c38130d7cb43cf3da4858247a751d7b9a3804183db8c4c571b6eede0590474da","919a2107ac27e49cdaa60610706e05edfc99bd3f2e9ca75da4feb6a5f2517c27","432b8414113a8c14c0305a562a93ed926e77de351bac235552a59cc02e1e5627","5ea27a10c63d0bbd04dbea5ec08fe0524e794c74d89f92ac6694cfd8df786b1f","aa8f0988f1416f6e449b036d5bd1624b793b71d62889afdc4983ee21a1e7ca87","8e1cf254d23e2b94c77294079336339ececf33a3e7ee1a3621ee4e0df0695ce5","e004f8e39e489dec74a13d99836ee5693bd509047ecf49f3fc14efc143a161b5","818350a4fb4146072a25f0467c5c99571c854d58bec30330e7db343bceca008b","8814db9e125d0c2b7489f8c7c3e95adf41f992d4397ed718bda8573cb8fb0e83","24b3def3f374c5f17ec9f1a347c71d9c921155c878ab36e48dd096da418bf782")
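The two Gurucul queries above compare raw URL and hash strings. The Python script below is an added example, not Gurucul's or Fortinet's code and not part of the advisory, that applies the same indicators to a constructed key=value proxy/EDR log format with two normalizations a practitioner would want: URL scheme and hostname are lowercased before comparison (the IOC list itself spells one Mediafire link "Https://", and proxies often log hosts in mixed case), and the attacker-controlled hostnames are matched as hosts including any subdomain, while the Discord and Mediafire lure links are matched only as exact URLs so that the shared CDNs are not flagged wholesale. The log lines are constructed; every IOC value is copied from the list above.

```python
"""Stealit IOC matcher (added example; log lines are constructed, IOC values
are from the advisory). Assumed log layout: "<timestamp> key=value ..."."""
from urllib.parse import urlsplit

# Attacker-controlled infrastructure: match on hostname (exact or subdomain).
IOC_C2_URLS = [
    "https://iloveanimals.shop/",
    "https://iloveanimals.shop/user/login",
    "https://root.iloveanimals.shop/download/save_data",
    "https://root.iloveanimals.shop/download/stats_db",
    "https://root.iloveanimals.shop/download/game_cache",
    "https://root.iloveanimals.shop/panelping",
    "https://root.stealituptaded.lol/download/save_data",
    "https://root.stealituptaded.lol/download/stats_db",
    "https://root.stealituptaded.lol/download/game_cache",
]
# Lures on shared file hosts: match only the exact URL, never the whole CDN.
IOC_LURE_URLS = [
    "https://cdn.discordapp.com/attachments/1395171942494896190/1413957011837816915/VrchatPlugin.rar?ex=68bdd195&is=68bc8015&hm=b9f359a7f75b84d1b860d2aa4dd92f8adad3a2feef5d82832f49d664a256ff7b&",
    "https://www.mediafire.com/file/9ni7pgjxuw8pc6h/ShaderSetup.rar/file",
    "Https://download1529.mediafire.com/8006s55pduvgtQ0THBMZxcLtlrh20a5BnfF18n8YfGUB8P7M5U3mEQb-UYYDCrMHsSG0aWvnyy_LIMg2OnTc4kuNYmWzjWLQwOds-qSfhdO03NOQFAAaYCPiOvB8nU7mBEHe-3a5gDSufW6upPbFXyGlbzBTdtpcrVPXokNKOYZ9/c4zbp39q02jvrn8/Aykadia.rar",
]
IOC_SHA256 = {
    "554b318790ad91e330dced927c92974d6c77364ceddfb8c2a2c830d8b58e203c",
    "aa8f0988f1416f6e449b036d5bd1624b793b71d62889afdc4983ee21a1e7ca87",
    "5ea27a10c63d0bbd04dbea5ec08fe0524e794c74d89f92ac6694cfd8df786b1f",
    "083c4e0ffdc9edf0d93655ee4d665c838d2a5431b8064242d93a545bd9ad761b",
    "432b8414113a8c14c0305a562a93ed926e77de351bac235552a59cc02e1e5627",
    "8e1cf254d23e2b94c77294079336339ececf33a3e7ee1a3621ee4e0df0695ce5",
    "919a2107ac27e49cdaa60610706e05edfc99bd3f2e9ca75da4feb6a5f2517c27",
    "e004f8e39e489dec74a13d99836ee5693bd509047ecf49f3fc14efc143a161b5",
    "818350a4fb4146072a25f0467c5c99571c854d58bec30330e7db343bceca008b",
    "8814db9e125d0c2b7489f8c7c3e95adf41f992d4397ed718bda8573cb8fb0e83",
    "24b3def3f374c5f17ec9f1a347c71d9c921155c878ab36e48dd096da418bf782",
    "c38130d7cb43cf3da4858247a751d7b9a3804183db8c4c571b6eede0590474da",
}


def url_key(url):
    """Lowercase scheme and host; keep path and query byte-exact (the Discord
    link's hm= token is case-sensitive)."""
    p = urlsplit(url.strip())
    return (p.scheme.lower(), (p.hostname or "").lower(), p.path, p.query)


# Longest hostname first so the most specific indicator is reported.
IOC_HOSTNAMES = sorted({url_key(u)[1] for u in IOC_C2_URLS}, key=len, reverse=True)
IOC_LURE_KEYS = {url_key(u) for u in IOC_LURE_URLS}


def hostname_hit(host):
    """Return the IOC hostname that `host` equals or is a subdomain of, else None."""
    for ioc in IOC_HOSTNAMES:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def parse_line(line):
    """Split '<ts> k=v k=v' into a dict; partition keeps '=' inside URL queries."""
    ts, *fields = line.split()
    rec = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def match_line(line):
    """Return [(indicator_type, indicator_value), ...] for one log line."""
    rec, hits = parse_line(line), []
    url = rec.get("url")
    if url:
        key = url_key(url)
        ioc_host = hostname_hit(key[1])
        if ioc_host:
            hits.append(("c2_host", ioc_host))
        if key in IOC_LURE_KEYS:
            hits.append(("lure_url", url))
    digest = rec.get("sha256", "").lower()   # EDRs often emit uppercase hex
    if digest in IOC_SHA256:
        hits.append(("sha256", digest))
    return hits


def scan(lines):
    """Return (timestamp, host, hits) for every line with at least one hit."""
    out = []
    for line in lines:
        hits = match_line(line)
        if hits:
            rec = parse_line(line)
            out.append((rec["ts"], rec.get("host", "?"), hits))
    return out


SAMPLE_LOGS = [  # constructed for illustration
    "2025-10-13T10:01:02Z host=WS-042 url=https://ROOT.iloveanimals.shop/panelping",
    "2025-10-13T10:03:11Z host=WS-042 url=" + IOC_LURE_URLS[0],
    "2025-10-13T10:04:00Z host=WS-017 url=https://cdn.discordapp.com/attachments/1/2/cat.png",
    "2025-10-13T10:04:30Z host=WS-042 url=HTTPS://WWW.MEDIAFIRE.COM/file/9ni7pgjxuw8pc6h/ShaderSetup.rar/file",
    "2025-10-13T10:05:45Z host=WS-042 sha256=554B318790AD91E330DCED927C92974D6C77364CEDDFB8C2A2C830D8B58E203C",
    "2025-10-13T10:06:00Z host=WS-017 url=https://example.org/",
]
```

Running `scan(SAMPLE_LOGS)` reports four of the six constructed lines: the mixed-case beacon to root.iloveanimals.shop, the exact Discord attachment, the upper-cased Mediafire page link, and the uppercase hash; the benign Discord attachment and example.org produce no hit, which is the behaviour a host-level rule on cdn.discordapp.com would get wrong.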

Reference:

https://www.fortinet.com/blog/threat-research/stealit-campaign-abuses-nodejs-single-executable-application


    Tags

Malware, Stealit, Node.js SEA
