The Reveal Platform
Intel Name: New stealit campaign abuses node.js single executable application
Date of Scan: October 13, 2025
Impact: High
Summary: The team has identified a new Stealit malware campaign using Node.js’ Single Executable Application (SEA) to deliver its payloads. The discovery followed a surge in detections of a Visual Basic script used for persistence. Earlier versions relied on Electron to package Node.js scripts as NSIS installers. This shift to SEA allows bundling malware into standalone binaries without needing Node.js installed. Recent samples still pose as game or VPN installers and are shared via sites like Mediafire and Discord.
