A new sophisticated malware strain, identified as LTX Stealer, has emerged, targeting Windows users with a novel Node.js-based architecture. First observed in early 2026, this insidious tool is designed to exfiltrate sensitive user data, including login credentials, browser cookies, and cryptocurrency wallet information. Its unique method involves embedding a complete Node.js runtime within its payload, enabling the execution of complex JavaScript code directly on the victim’s system without requiring prior installation of the Node.js framework.
LTX Stealer infections typically begin with a seemingly innocuous Windows installer file named “Negro.exe.” This file is constructed using the legitimate Inno Setup framework, a common tool for software installations. By concealing its malicious nature within a trusted installation wrapper, the malware evades detection by standard security scans. Upon execution, the installer deploys a substantial payload, approximately 271MB in size, onto the compromised system. Cyfirma analysts noted that this large file size is a deliberate strategy to bypass antivirus engines that often skip scanning bulky files to maintain performance.
LTX Stealer Exploits Obfuscation and Node.js for Stealthy Attacks
Once established on a system, LTX Stealer focuses its attention on Chromium-based browsers, including Google Chrome and Microsoft Edge. The malware accesses the browser’s “Local State” files to extract encryption keys. These keys are subsequently utilized to decrypt stored passwords and session cookies. Concurrently, LTX Stealer actively scans for cryptocurrency wallets and captures screenshots of user activity, compiling a comprehensive profile of the victim’s digital life. All collected data is then compressed and prepared for exfiltration to a command-and-control server. The attackers leverage cloud services like Supabase for authentication and Cloudflare to obscure the true location of their infrastructure, enhancing its resilience against takedown efforts.
A defining technical characteristic of LTX Stealer is its extensive use of advanced obfuscation techniques to impede reverse engineering efforts. The primary payload, identified as updater.exe, is not a conventional executable but rather a packaged Node.js application. This package is created using a tool called pkg, which bundles the malicious JavaScript logic, its dependencies, and the Node.js runtime into a single binary file. This approach not only simplifies deployment but also adds a layer of complexity for security researchers attempting to analyze the malware.
To further protect its underlying code, the developers compiled the JavaScript source code into bytecode (.jsc) using a utility known as Bytenode. This conversion process transforms human-readable code into a binary format that is exceptionally difficult to decompile or analyze. By eliminating the original source code entirely, attackers ensure that understanding the malware’s internal operations requires specialized knowledge of Node.js internals, significantly raising the barrier for detection and analysis.
The infrastructure behind LTX Stealer is designed for resilience. Attackers utilize cloud services to mask their command-and-control servers. Supabase is employed for authentication, while Cloudflare is used to conceal the true IP addresses of the servers, making them harder to locate and disrupt. This sophisticated use of legitimate cloud services helps the malware operators maintain operational continuity and evade immediate takedown.
The proliferation of advanced info-stealers like LTX Stealer highlights the evolving threat landscape. As attackers adopt more complex and evasive techniques, organizations must continuously adapt their security postures. The reliance on Node.js and advanced obfuscation methods signifies a trend toward leveraging common development tools and techniques for malicious purposes, challenging traditional signature-based detection methods. The ability of the malware to bundle a runtime environment bypasses common deployment hurdles for such tools.
To defend against LTX Stealer and similar threats, organizations should implement a multi-layered security strategy. This includes regularly updating antivirus and endpoint detection and response (EDR) solutions, implementing robust network monitoring to detect suspicious traffic, and conducting regular security awareness training for employees to prevent initial infection vectors like phishing. Vigilance regarding unusual file sizes and installation behaviors on endpoints can also provide early warning signs of compromise. Understanding the indicators of compromise (IoCs) and actively blocking them at the network and endpoint levels is crucial.
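As an added example (not code from the Cyfirma report or from the malware), the following Python triage script turns the packaging traits described above into defender heuristics: an oversized Inno Setup installer, a pkg-bundled Node.js executable, and Bytenode .jsc bytecode sitting in the same folder as such an executable. The marker strings, the 200 MiB threshold, and the sample paths and byte contents are assumptions constructed for the demonstration.

```python
import os
from typing import Dict, Iterable, List, Tuple

# One record per file: (path, size in bytes, leading bytes of the file)
Record = Tuple[str, int, bytes]

# Marker strings are assumptions about how the packaging tools behave,
# not indicators published for LTX Stealer:
PKG_MARKERS = (b"PKG_EXECPATH", b"process.pkg")  # left in binaries by pkg's bootstrap code
INNO_MARKER = b"Inno Setup Setup Data"             # version string carried by Inno Setup installers
LARGE_INSTALLER = 200 * 1024 * 1024                # tunable; the reported sample was ~271MB

def tag_record(path: str, size: int, head: bytes) -> List[str]:
    """Return heuristic tags for one file; an empty list means nothing notable."""
    tags = []
    if INNO_MARKER in head and size >= LARGE_INSTALLER:
        tags.append("oversized-inno-installer")
    if any(marker in head for marker in PKG_MARKERS):
        tags.append("pkg-bundled-node")
    if path.lower().endswith(".jsc") and b"\x00" in head:  # V8 code cache is binary, not text
        tags.append("bytenode-bytecode")
    return tags

def triage(records: Iterable[Record]) -> Dict[str, List[str]]:
    """Tag every record, then escalate pkg binaries that ship .jsc files alongside them."""
    tagged = {p: tag_record(p, s, h) for p, s, h in records}
    dirs_with_jsc = {os.path.dirname(p) for p, t in tagged.items() if "bytenode-bytecode" in t}
    for p, t in tagged.items():
        if "pkg-bundled-node" in t and os.path.dirname(p) in dirs_with_jsc:
            t.append("node-runtime-with-compiled-bytecode")
    return {p: t for p, t in tagged.items() if t}

# Constructed sample set: paths, sizes and bytes are invented for the demonstration.
SAMPLE: List[Record] = [
    ("C:/Users/u/Downloads/setup.exe", 8 * 1024 * 1024, b"MZ\x90\x00" + INNO_MARKER + b" (6.2.0)"),
    ("C:/Users/u/Downloads/bulky.exe", 271 * 1024 * 1024, b"MZ\x90\x00" + INNO_MARKER + b" (6.2.0)"),
    ("C:/Users/u/AppData/Local/app/updater.exe", 90 * 1024 * 1024, b"MZ\x90\x00 PKG_EXECPATH process.pkg"),
    ("C:/Users/u/AppData/Local/app/main.jsc", 40 * 1024, b"\x00\xc0\xde\x00 constructed cache bytes"),
    ("C:/Users/u/AppData/Local/app/notes.jsc", 1024, b"plain text, not bytecode"),
    ("C:/Users/u/Documents/report.txt", 2048, b"quarterly numbers"),
]

if __name__ == "__main__":
    for path, tags in triage(SAMPLE).items():
        print(path, "->", ", ".join(tags))
```

For a real endpoint, build the records with os.walk, reading only the leading few megabytes of each file so a multi-hundred-megabyte installer is not loaded whole; markers placed beyond that window are then missed, which is the usual trade-off for a string-based heuristic.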
The ongoing development and deployment of sophisticated malware like LTX Stealer necessitate a proactive and adaptive approach to cybersecurity. As threat actors continue to innovate, security professionals must remain vigilant, continuously researching and implementing new defense strategies to protect sensitive data and critical systems. The continued evolution of malware highlights the importance of threat intelligence sharing and collaboration within the cybersecurity community to stay ahead of emerging threats.