{"id":51696,"date":"2026-05-06T09:46:19","date_gmt":"2026-05-06T09:46:19","guid":{"rendered":"https:\/\/zero.redgem.net\/?p=51696"},"modified":"2026-05-06T09:46:19","modified_gmt":"2026-05-06T09:46:19","slug":"attackers-adopt-javascript-runtime-bun-to-spread-nwhstealer","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=51696","title":{"rendered":"Attackers adopt JavaScript runtime Bun to spread NWHStealer_MALWAREBYTES:D481450A2033391024D9C5377529F7A3"},"content":{"rendered":"<p>{&#8220;lastseen&#8221;:&#8221;2026-05-06T14:05:10&#8243;,&#8221;description&#8221;:&#8221;In our previous research, we analyzed a Windows infostealer we track as **NWHStealer**. The attackers behind this stealer are continuously finding new methods to distribute the stealer. During our hunting activities, we noticed how attackers are using a JavaScript runtime called Bun to help distribute it.\\n\\nBun is a legitimate, fast, all-in-one JavaScript and TypeScript toolkit designed as a modern, high-performance replacement for Node.js. It is built from the ground up to simplify modern web development by integrating several essential tools into a single executable. \\n\\nIts relative newness also makes it appealing for attackers. Bun has not yet been widely seen in malware campaigns, and it allows them to package malicious code into larger executables that may be less easily detected. \\n\\n## What is NWHStealer and what can it do? \\n\\nNWHStealer is a **Rust-based stealer** distributed using a range of lures and delivery methods. These include Node.js scripts, MSI installers, and, more recently, JavaScript loaders built with the Bun runtime. \\n\\nIt is often hosted on legitimate platforms such as GitHub, GitLab, MediaFire, Itch.io, and SourceForge, which helps it blend in with normal software and increases the chances of users downloading it. Attackers continue to create new profiles and lures to spread the stealer. 
\\n\\nOnce installed on your PC, NWHStealer can: \\n\\n  * Collect system information, including operating system, hardware, security software, user data and connected devices. \\n  * Steal data from browsers, extensions and crypto wallets. \\n  * Steal data from different applications, including FTP applications such as FileZilla and CoreFTP, and messaging apps such as Steam and Discord. \\n  * Inject malicious code into browser processes and run additional payloads (e.g. XMRig).\\n  * Attempt to bypass User Account Control (UAC). \\n  * Achieve persistence via scheduled tasks. \\n  * Get new command-and-control (C2) addresses from Telegram. \\n\\n\\n\\n## How to stay safe \\n\\nAttackers are constantly adapting their techniques, and the use of newer tools like Bun shows how they try to stay ahead of detection. \\n\\nNWHStealer is particularly concerning because of how widely it is distributed and the types of data it targets. Stolen browser data, saved passwords, and cryptocurrency wallet information can quickly lead to account takeovers, financial loss, and further compromise. \\n\\nHere are a few simple ways to stay safe: \\n\\n  * Only download software from official websites. \\n  * Be cautious with downloads from platforms like GitHub, SourceForge, or file-sharing platforms unless you trust the source. \\n  * Attackers are continuing to create new profiles to distribute this stealer across platforms. When downloading something from file hosting providers or blogs, check the developer\/publisher&#8217;s profile, its reputation, and how new it is. \\n  * Check the structure of the archive: the content, images, and txt files should be consistent with what you downloaded. Also check the archive name, as these names usually have recognizable patterns. \\n  * Check the file\u2019s publisher and signature before you run it. \\n\\n\\n\\n
* * *\\n\\n## Technical analysis\\n\\n### The new distribution method: Bun JavaScript Runtime \\n\\nAccording to its official site, Bun is an all-in-one JavaScript, TypeScript \\u0026 JSX toolkit. It\u2019s built from scratch in Zig and powered by Apple&#8217;s JavaScriptCore engine, with a focus on fast startup and low memory usage. \\n\\nBun is composed of four main components: \\n\\n  * **JavaScript Runtime:** a JavaScript runtime designed as a drop-in replacement for Node.js. \\n  * **Package Manager:** a fast alternative to npm. \\n  * **Test Runner:** a built-in, Jest-compatible runner that executes tests much faster than standard runners. \\n  * **Bundler:** replaces tools like Webpack, Vite, or esbuild for packaging code. \\n\\n\\n\\nIn recent campaigns, we detected that NWHStealer is being distributed using a Bun JavaScript Runtime bundle. \\n\\nAs we saw in our previous research, game-related and other software lures are used to start the infection chain. Some of the detected ZIP names in these recent campaigns include: \\n\\n  * Game-related software and cheats such as: \\n    * `MOUSE_PI_Trainer_v1.0.zip`\\n    * `FiveM Mod.zip`\\n    * `VampireCrawlers_Trainer_v1.0.zip`\\n    * `MagicalPrincess_Trainer_v1.0.zip`\\n    * `TerraTechLegion_Trainer_v1.0.zip`\\n  * Other software such as: \\n    * `TradingView-Activation-Script-0.9.zip`\\n    * `AutoTune 2026.zip`\\n    * `Metatune by Slate Digital 2026.zip`\\n    * `GoGoTv_Plus.zip`\\n    * `Autodesk.zip`\\n\\n\\n\\nIn the case analyzed in this article, the infection chain starts with an archive containing `Installer.exe`, which embeds JavaScript code bundled with the Bun runtime. \\n\\nThe \u201cDW\u201d folder contains another loader, called `dw.exe`. 
This self-injection loader is similar to the one analyzed previously, but with a different decryption routine. This loader is not present in all ZIP files analyzed. \\n\\n![The malicious ZIP contains two loaders](https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2026\/05\/loaders-bun-GO.png)_The malicious ZIP contains two loaders_\\n\\nThe `Readme.txt` file asks the user to manually launch `dw.exe` if the main `.exe` file fails to run properly. This gives the attacker two ways to distribute the stealer, so delivery can continue if the C2 of the main Bun loader is offline. The loader in `dw.exe` works independently from the Bun JavaScript loader. \\n\\n![The Readme file inside the ZIP archive](https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2026\/05\/readme-bun-GO.png?w=1024)_The Readme file inside the ZIP archive_\\n\\n![The fake Build Tools setup shown if dw.exe is started](https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2026\/05\/fake-msg-bun-GO.png)_The fake Build Tools setup shown if `dw.exe` is started_\\n\\nIn this article, we don\u2019t analyze `dw.exe`, as it\u2019s a variant of the previous loaders. Instead, we focus on the JavaScript loader executed with the Bun JavaScript runtime. \\n\\n### Analysis of the JavaScript Loader \\n\\nThe JavaScript code executed by the Bun JavaScript runtime is inside the `.bun` section and is obfuscated. \\n\\n![The .bun section with the obfuscated JavaScript code](https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2026\/05\/obf-js-bun-GO.png?w=1024)_The `.bun` section with the obfuscated JavaScript code_\\n\\nThe malicious code is implemented in two parts: \\n\\n  * `sysreq.js`: performs the anti-virtualization checks with a scoring system. \\n  * `memload.js`: communicates with the C2 server, performs decryption and loads the next stage. 
\\n\\n![](https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2026\/05\/entry-point-bun-GO_d5ab93.png)_Entry point of the JavaScript loader_\\n\\nThe loader runs several PowerShell CIM (Common Information Model) commands and WMI (Windows Management Instrumentation) commands to detect virtual environments. The checks cover the number of CPUs, disk space, screen resolution, USB devices, hardware manufacturers and products, the number of installed programs, the presence of specific folders such as browser folders, the number of running processes, and the username. A scoring system is implemented, and based on this score, the loader decides whether to continue with the infection or terminate it.\\n\\nTo detect a virtual environment, the loader executes more than 10 PowerShell commands, such as: \\n\\n  * `Get-CimInstance -ClassName Win32_DiskDrive | Select-Object Model`\\n  * `Get-CimInstance -ClassName Win32_PhysicalMemory | Select-Object Manufacturer,Speed`\\n  * `Get-CimInstance -ClassName Win32_BIOS | Select-Object Manufacturer`\\n  * `Get-CimInstance -ClassName Win32_BaseBoard | Select-Object Manufacturer,Product`\\n  * `Get-CimInstance -ClassName Win32_DiskDrive | Select-Object PNPDeviceID`\\n  * `(Get-Process -ErrorAction SilentlyContinue).Count`\\n\\n\\n\\nThe results are compared against different strings, for example:\\n\\n  * Virtualization indicators: qemu, seabios, bochs, vbox, vmware, virtualbox, kvm, xen, parallels, virtio, vmbus, red hat, edk ii\\n  * Sandbox usernames: sandbox, malware, virus, sample, vmuser, wdagutilityaccount, defaultuser0\\n  * MAC addresses associated with virtual environments\\n\\n\\n\\nThe strings are decrypted using XOR and base64 decoding: they are stored in arrays of tuples, each of which contains the encrypted strings and a key used for XOR decryption. 
\\n\\n![Encrypted data with XOR keys](https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2026\/05\/decryption-bun-GO.png?w=1024)_Encrypted data with XOR keys_\\n\\nSeveral functions handle string decryption, including one that decrypts the config used in the C2 communication. Partial config: \\n    \\n    \\n    C2 server: https:\/\/silent-harvester.cc\\n    BUILD_ID: 0ddbfec60307\\n    C2 Path: \/api\/status, \/api\/update\\n\\nThe loader collects data about the compromised system and sends it, encrypted, in an initial request to the endpoint `https:\/\/C2-server\/api\/report`: \\n\\n  * Public IP obtained with a request to api.ipify.org \\n  * System information \\n  * Anti-VM result \\n  * Base64-encoded screenshot \\n  * Timestamp \\n\\n\\n\\nThen it makes two HTTP GET requests: \\n\\n  * `https:\/\/C2-server\/api\/status?v={BUILD_ID}`, to obtain the seed used for AES key derivation. \\n  * `https:\/\/C2-server\/api\/update?v={BUILD_ID}`, to obtain the encrypted payload with AES nonce and authentication tag. \\n\\n\\n\\nThe next stage is decrypted using AES-256-CBC with the AES data returned by the C2, and is then loaded with a self-injection loader using the following APIs: \\n\\n  * `VirtualAlloc`\\n  * `VirtualProtect`\\n  * `LoadLibraryA`\\n  * `GetProcAddress`\\n  * `RtlAddFunctionTable`\\n  * `CreateThread`\\n  * `SearchPathA`\\n\\n\\n\\nThese Win32 APIs are called through the Bun module `bun:ffi`, which allows JavaScript to call native libraries. \\n\\nAt the end of this process, NWHStealer was deployed in the analyzed cases. 
\\n\\n### Indicators of Compromise (IOCs) \\n\\n**Domains** \\n\\n`whale-ether[.]pro`: NWH Stealer C2 server \\n\\n`cosmic-nebula[.]cc`: NWH Stealer C2 server \\n\\n`silent-harvester[.]cc`: Bun Loader C2 server \\n\\n`silent-orbit[.]cc`: Bun Loader C2 server \\n\\n`support-onion[.]club`: Bun Loader C2 server \\n\\n**Hash**&#8221;,&#8221;published&#8221;:&#8221;2026-05-06T12:50:55&#8243;,&#8221;modified&#8221;:&#8221;2026-05-06T12:50:55&#8243;,&#8221;type&#8221;:&#8221;malwarebytes&#8221;,&#8221;title&#8221;:&#8221;Attackers adopt JavaScript runtime Bun to spread NWHStealer&#8221;,&#8221;source&#8221;:&#8221;&#8221;,&#8221;references&#8221;:&#8221;&#8221;,&#8221;id&#8221;:&#8221;MALWAREBYTES:D481450A2033391024D9C5377529F7A3&#8243;,&#8221;bulletinFamily&#8221;:&#8221;blog&#8221;,&#8221;cwe&#8221;:null,&#8221;cvelist&#8221;:[],&#8221;sourceData&#8221;:&#8221;&#8221;,&#8221;sourceHref&#8221;:&#8221;&#8221;,&#8221;cvss&#8221;:{&#8220;score&#8221;:0,&#8221;severity&#8221;:&#8221;NONE&#8221;,&#8221;vector&#8221;:&#8221;NONE&#8221;,&#8221;version&#8221;:&#8221;NONE&#8221;},&#8221;cvss2&#8243;:{},&#8221;cvss3&#8243;:{&#8220;version&#8221;:&#8221;&#8221;,&#8221;vectorString&#8221;:&#8221;&#8221;,&#8221;baseScore&#8221;:0,&#8221;baseSeverity&#8221;:&#8221;&#8221;,&#8221;attackVector&#8221;:&#8221;&#8221;,&#8221;attackComplexity&#8221;:&#8221;&#8221;,&#8221;privilegesRequired&#8221;:&#8221;&#8221;,&#8221;userInteraction&#8221;:&#8221;&#8221;,&#8221;scope&#8221;:&#8221;&#8221;,&#8221;confidentialityImpact&#8221;:&#8221;&#8221;,&#8221;integrityImpact&#8221;:&#8221;&#8221;,&#8221;availabilityImpact&#8221;:&#8221;&#8221;,&#8221;cvssV3&#8243;:{&#8220;version&#8221;:&#8221;&#8221;,&#8221;vectorString&#8221;:&#8221;&#8221;,&#8221;baseScore&#8221;:0,&#8221;baseSeverity&#8221;:&#8221;&#8221;,&#8221;attackVector&#8221;:&#8221;&#8221;,&#8221;attackComplexity&#8221;:&#8221;&#8221;,&#8221;privilegesRequired&#8221;:&#8221;&#8221;,&#8221;userInteraction&#8221;:&#8221;&#8221;,&#8221;scope&#8221;:&#8221;&#8221;,&#8221;confidentialityImpact&#8221;:&#8221;&#8221;,&#8221;integrityImpact&#8221;:&#8221;&#8221;,&#8221;availabilityImpact&#8221;:&#8221;&#8221;}},&#8221;href&#8221;:&#8221;https:\/\/www.malwarebytes.com\/blog\/threat-intel\/2026\/05\/attackers-adopt-javascript-runtime-bu
n-to-spread-nwhstealer&#8221;,&#8221;category_name&#8221;:&#8221;News&#8221;,&#8221;post_link&#8221;:&#8221;&#8221;,&#8221;product&#8221;:&#8221;&#8221;,&#8221;version&#8221;:&#8221;&#8221;,&#8221;vendor&#8221;:&#8221;&#8221;,&#8221;ai_description&#8221;:&#8221;&#8221;,&#8221;ai_severity&#8221;:&#8221;&#8221;,&#8221;ai_vendor&#8221;:&#8221;&#8221;,&#8221;ai_product&#8221;:&#8221;&#8221;,&#8221;ai_version&#8221;:&#8221;&#8221;,&#8221;ai_score&#8221;:0}<\/p>\n","protected":false},"excerpt":{"rendered":"<p>{&#8220;lastseen&#8221;:&#8221;2026-05-06T14:05:10&#8243;,&#8221;description&#8221;:&#8221;In our previous research, we analyzed a Windows infostealer we track as **NWHStealer**. The attackers behind this stealer are continuously finding new methods to distribute&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,115,13,33,7,11,5],"class_list":["post-51696","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-malwarebytes","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Attackers adopt JavaScript runtime Bun to spread NWHStealer_MALWAREBYTES:D481450A2033391024D9C5377529F7A3 - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=51696\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Attackers adopt JavaScript runtime Bun to spread NWHStealer_MALWAREBYTES:D481450A2033391024D9C5377529F7A3 - zero redgem\" \/>\n<meta 
property=\"og:description\" content=\"{&#8220;lastseen&#8221;:&#8221;2026-05-06T14:05:10&#8243;,&#8221;description&#8221;:&#8221;In our previous research, we analyzed a Windows infostealer we track as **NWHStealer**. The attackers behind this stealer are continuously finding new methods to distribute...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=51696\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2026-05-06T09:46:19+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"10 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=51696#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=51696\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"Attackers adopt JavaScript runtime Bun to spread 
NWHStealer_MALWAREBYTES:D481450A2033391024D9C5377529F7A3\",\"datePublished\":\"2026-05-06T09:46:19+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=51696\"},\"wordCount\":1980,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"exploit\",\"malwarebytes\",\"news\",\"NONE\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_news\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=51696#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=51696\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=51696\",\"name\":\"Attackers adopt JavaScript runtime Bun to spread NWHStealer_MALWAREBYTES:D481450A2033391024D9C5377529F7A3 - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2026-05-06T09:46:19+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=51696#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=51696\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=51696#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Attackers adopt JavaScript runtime Bun to spread NWHStealer_MALWAREBYTES:D481450A2033391024D9C5377529F7A3\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero 
redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Attackers adopt JavaScript runtime Bun to spread NWHStealer_MALWAREBYTES:D481450A2033391024D9C5377529F7A3 - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=51696","og_locale":"en_US","og_type":"article","og_title":"Attackers adopt JavaScript runtime Bun to spread NWHStealer_MALWAREBYTES:D481450A2033391024D9C5377529F7A3 - zero redgem","og_description":"{&#8220;lastseen&#8221;:&#8221;2026-05-06T14:05:10&#8243;,&#8221;description&#8221;:&#8221;In our previous research, we analyzed a Windows infostealer we track as **NWHStealer**. The attackers behind this stealer are continuously finding new methods to distribute...","og_url":"https:\/\/zero.redgem.net\/?p=51696","og_site_name":"zero redgem","article_published_time":"2026-05-06T09:46:19+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. 
reading time":"10 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=51696#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=51696"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"Attackers adopt JavaScript runtime Bun to spread NWHStealer_MALWAREBYTES:D481450A2033391024D9C5377529F7A3","datePublished":"2026-05-06T09:46:19+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=51696"},"wordCount":1980,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","exploit","malwarebytes","news","NONE","Security","tapic","Vulnerability"],"articleSection":["category_news"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=51696#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=51696","url":"https:\/\/zero.redgem.net\/?p=51696","name":"Attackers adopt JavaScript runtime Bun to spread NWHStealer_MALWAREBYTES:D481450A2033391024D9C5377529F7A3 - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2026-05-06T09:46:19+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=51696#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=51696"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=51696#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"Attackers adopt JavaScript runtime Bun to spread NWHStealer_MALWAREBYTES:D481450A2033391024D9C5377529F7A3"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero 
redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/51696","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=51696"}],"version-history":[{"count":0,"href":"htt
ps:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/51696\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=51696"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=51696"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=51696"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}