New Variant of “Stealit” Malware Disguised in Pirated Game and VPN Installers

405/68 Thursday, October 16, 2025

FortiGuard Labs, a cybersecurity research company, has disclosed a new wave of attacks spreading an information-stealing malware known as “Stealit.” Threat actors are disguising Stealit inside fake game and VPN installers, which they then upload to popular file-sharing platforms such as Mediafire and Discord to lure unsuspecting users into downloading them. Once installed, the malware activates immediately, employing sophisticated evasion techniques to bypass antivirus detection and hinder analysis.

The primary goal of Stealit is to steal sensitive data stored on victims’ devices. This includes information from web browsers such as Google Chrome and Microsoft Edge, account credentials from popular gaming platforms like Steam, Minecraft, and Epic Games Launcher, chat data from messaging apps like WhatsApp and Telegram, and, most critically, cryptocurrency wallet information, both in standalone applications and as browser extensions. This can lead to significant financial losses.

What makes this campaign particularly concerning is the attackers’ ability to continuously evolve their distribution methods. Initially, they leveraged Node.js Single Executable Apps (SEA) to create stealthier installers that could better evade detection, before later reverting to older frameworks but adding file encryption for persistence. Researchers also discovered that the Stealit operators had relocated their command-and-control (C2) servers and openly launched a website to sell Stealit as a subscription service. Marketed as a “professional data extraction solution,” this version of Stealit comes with RAT-like (Remote Access Trojan) features, including file theft, webcam control, live screen surveillance, and even the ability to lock files for ransom. Alarmingly, the malware is capable of operating on both Windows and Android platforms.

Source: https://www.infosecurity-magazine.com/news/new-stealit-malware-campaign-vpn/