In early 2026, cybersecurity researchers identified a sophisticated malware strain named LTX Stealer, which leverages a Node.js-based architecture to infiltrate Windows systems. This malware is engineered to extract sensitive user information, including login credentials, browser cookies, and cryptocurrency wallet data.
Infection Vector and Execution
The attack initiates with a Windows installer file named Negro.exe, crafted using the legitimate Inno Setup framework. This method allows the malware to masquerade as a trustworthy application, thereby evading initial security scrutiny. Upon execution, the installer deploys a substantial payload—approximately 271 MB in size—onto the victim’s system. This large file size is a deliberate tactic to bypass antivirus engines that often skip scanning sizable files to maintain system performance.
Targeted Data Extraction
Once installed, LTX Stealer focuses on Chromium-based browsers like Google Chrome and Microsoft Edge. It accesses the Local State files to extract encryption keys, which are then used to decrypt and retrieve saved passwords and session cookies. Additionally, the malware scans for cryptocurrency wallets and captures screenshots of the user’s activity. The collected data is then compressed and prepared for exfiltration to a command-and-control server. The attackers utilize cloud services like Supabase for authentication and Cloudflare to obscure their server’s true location, enhancing the resilience of their infrastructure against takedowns.
Advanced Obfuscation Techniques
A notable aspect of LTX Stealer is its use of advanced obfuscation methods to hinder reverse engineering. The primary payload, `updater.exe`, is a packaged Node.js application created using the `pkg` tool. This bundles the malicious JavaScript code, dependencies, and the runtime into a single binary. To further complicate analysis, the developers compiled the JavaScript source into bytecode (`.jsc`) using `Bytenode`. This process transforms readable code into a binary format that is challenging for security researchers to decompile or analyze, effectively concealing the malware’s internal logic.
Defensive Measures
To mitigate the threat posed by LTX Stealer, organizations should implement the following measures:
– Block Known Indicators: Configure firewalls and endpoint detection systems to block traffic to domains like `eqp.lol` and IP addresses associated with the malware’s control panel.
– Monitor File Creation: Set up alerts for the creation of hidden or system-marked directories within user-accessible paths, especially those mimicking legitimate vendors like Microsoft Updater.
– Flag Large Binaries: Investigate unsigned executables that are unusually large (over 100 MB) and exhibit runtime behaviors consistent with Node.js applications.
– Detect Credential Access: Monitor for processes that sequentially access browser Local State files and credential stores, as this behavior is indicative of credential theft attempts.
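The credential-access check from the last item above, written out as an added example (not code from the original report): it runs over a constructed, simplified Sysmon-style file-read stream with assumed field names (ts, pid, image, path) and flags any process other than the browser itself that reads Chromium's Local State and then a credential or cookie store within a short window. The browser install paths and the `updater.exe` drop path are assumptions.

```python
from datetime import datetime, timedelta

# Chromium artifacts read in sequence: the DPAPI-protected key in Local State,
# then the credential and cookie stores that key unlocks.
KEY_FILE = "local state"
CRED_STORES = {"login data", "cookies"}
WINDOW = timedelta(seconds=60)
# The browsers themselves legitimately read these files; exclude their images
# or the rule fires on every profile load (assumed default install paths).
BROWSER_IMAGES = {
    r"c:\program files\google\chrome\application\chrome.exe",
    r"c:\program files (x86)\microsoft\edge\application\msedge.exe",
}

# Constructed sample file-read events (assumed fields: ts, pid, image, path).
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
DATA = r"C:\Users\u\AppData\Local\Google\Chrome\User Data"
STEALER = r"C:\Users\u\AppData\Roaming\Microsoft Updater\updater.exe"  # hypothetical drop path
EVENTS = [
    {"ts": "2026-01-10T09:00:01", "pid": 4412, "image": STEALER, "path": DATA + r"\Local State"},
    {"ts": "2026-01-10T09:00:02", "pid": 4412, "image": STEALER, "path": DATA + r"\Default\Login Data"},
    {"ts": "2026-01-10T09:00:03", "pid": 4412, "image": STEALER, "path": DATA + r"\Default\Network\Cookies"},
    {"ts": "2026-01-10T09:05:00", "pid": 1200, "image": CHROME, "path": DATA + r"\Local State"},
    {"ts": "2026-01-10T09:05:01", "pid": 1200, "image": CHROME, "path": DATA + r"\Default\Login Data"},
    # A backup agent copying Login Data alone, with no preceding Local State read.
    {"ts": "2026-01-10T09:10:00", "pid": 880, "image": r"C:\Program Files\Backup\agent.exe",
     "path": DATA + r"\Default\Login Data"},
]

def find_credential_access(events, window=WINDOW, allowlist=BROWSER_IMAGES):
    """Return {(pid, image)} for processes that read Local State and then a
    credential store within `window`, ignoring the browsers' own processes."""
    key_read_at = {}  # pid -> time the process last read Local State
    hits = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["image"].lower() in allowlist:
            continue
        ts = datetime.fromisoformat(ev["ts"])
        fname = ev["path"].lower().rsplit("\\", 1)[-1]
        if fname == KEY_FILE:
            key_read_at[ev["pid"]] = ts
        elif fname in CRED_STORES and ev["pid"] in key_read_at:
            if ts - key_read_at[ev["pid"]] <= window:
                hits.add((ev["pid"], ev["image"]))
    return hits

if __name__ == "__main__":
    for pid, image in sorted(find_credential_access(EVENTS)):
        print(f"ALERT credential-access pattern: pid={pid} image={image}")
```

Only the non-browser process that performs the key-then-store sequence is reported; the browser's own reads and a lone Login Data read without a preceding Local State read are not.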
Broader Context of Node.js-Based Malware
The emergence of LTX Stealer is part of a broader trend where threat actors exploit Node.js to deliver malware and other malicious payloads. Since October 2024, campaigns have been observed leveraging Node.js to facilitate information theft and data exfiltration. For instance, a malvertising campaign related to cryptocurrency trading lured users into downloading malicious installers disguised as legitimate software. These installers contained malicious DLLs that gathered system information and established persistence through scheduled tasks. Subsequent stages involved defense evasion, data collection, and payload delivery and execution. ([microsoft.com](https://www.microsoft.com/en-us/security/blog/2025/04/15/threat-actors-misuse-node-js-to-deliver-malware-and-other-malicious-payloads/?msockid=275e31801674632b04a7275e173f6280&utm_source=openai))
Another example is the NodeLoader malware, which masquerades as game hacks to target gamers. Attackers used YouTube and Discord to distribute links leading to malicious ZIP archives containing Node.js-based executables. Upon execution, these files downloaded additional payloads like cryptocurrency miners and information stealers, employing various evasion techniques to avoid detection. ([helpnetsecurity.com](https://www.helpnetsecurity.com/2024/12/16/node-js-malware-loader-nodeloader-game-hack/?utm_source=openai))
These instances underscore the evolving threat landscape where Node.js is increasingly misused to develop and distribute malware. The flexibility and cross-platform capabilities of Node.js make it an attractive tool for attackers aiming to create sophisticated and evasive malware.
Conclusion
The discovery of LTX Stealer highlights the growing trend of utilizing Node.js in malware development. Its sophisticated obfuscation techniques and targeted data extraction capabilities pose significant challenges for detection and mitigation. Organizations must remain vigilant, implementing robust security measures and staying informed about emerging threats to protect sensitive information from such advanced malware campaigns.