Stealit
Stealit is an information-stealing malware family and malware-as-a-service offering observed in campaigns distributing fake game and VPN installers via Mediafire and Discord. Fortinet FortiGuard Labs reported that the campaign abuses Node.js Single Executable Application (SEA) and, in some newer samples, Electron, to package heavily obfuscated malicious Node.js code into standalone binaries that can run without Node.js installed. The installer is described as a multi-layered SEA executable built with AngaBlue that decodes and executes multiple in-memory script layers and uses anti-analysis checks including VM, timing, process, registry, DLL, and parent-process checks.
The malware downloads Brotli-compressed components from root.iloveanimals[.]shop, stores them under randomized paths in %UserProfile%\AppData\Local{RandDir}*.exe, and attempts to exclude those directories from Microsoft Defender. Persistence is established via a startup.vbs script. If run with high privileges, it writes logs and stores a 12-character alphanumeric authentication key in %temp%\cache.json; this key is used for C2 authentication and is also described as the same key used by subscribers to access their dashboards.
Reported components include save_data.exe, which uses ChromElevator to extract data from Chromium browsers; stats_db.exe, which collects browser and application data; and game_cache.exe, which functions as the C2 client. Stealit is capable of stealing login credentials, cryptocurrency wallets, and other data from many applications. Its C2 receives the victim username, hardware ID, and authentication key, and can issue commands for live screen viewing, webcam viewing, file theft, remote command execution, and ransomware deployment. The associated infrastructure reportedly moved from stealituptaded[.]lol to iloveanimals[.]shop, which masquerades as a commercial "professional data extraction solutions" site advertising Stealit subscriptions and licenses for Windows and Android. A Telegram channel named StealitPublic and contact handle @deceptacle were identified in connection with promotion of the service.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
IOCs tracked for this family
4 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
Other indicator types observed in public reporting.
Recent activity
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Stealit is an information stealer malware distributed via fake installers for games and VPNs, often hosted on platforms like Mediafire and Discord.
Stealer/RAT sold as a subscription service that uses Node.js SEA/Electron-based, heavily obfuscated installers to deploy components for credential and data theft (including crypto wallets), remote control (screen/webcam), command execution, persistence, and optional ransomware delivery.
Stealit is an information stealer malware that abuses Node.js single executable applications to exfiltrate sensitive data from infected systems.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.