Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Critical Zoom Windows Flient Flaw Lets Attackers Take Over Accounts via Network
July 16, 2026
TuxBot v3 IoT Botnet Hijacks Devices, Launches DDoS Attacks with LLM Code
July 16, 2026
Critical Windows Bug Lets Attackers Access SYSTEM Shell Without Credentials
July 16, 2026
Home/Threats/NWHStealer malware uses Bun Loader, anti-VM checks, encrypted C2
Threats

NWHStealer malware uses Bun Loader, anti-VM checks, encrypted C2

Key Takeaways NWHStealer, a Rust-based information stealer, has adopted a more sophisticated delivery chain, now utilizing the Bun JavaScript runtime. The malware is distributed via seemingly...

Jennifer sherman
Jennifer sherman
May 8, 2026 4 Min Read
46 0

Key Takeaways

  • NWHStealer, a Rust-based information stealer, has adopted a more sophisticated delivery chain, now utilizing the Bun JavaScript runtime.
  • The malware is distributed via seemingly legitimate software downloads on platforms like GitHub, GitLab, SourceForge, and Itch.io.
  • It employs advanced anti-virtual machine (anti-VM) checks and encrypts its command-and-control (C2) communications to evade detection.
  • NWHStealer is highly capable, stealing browser data, passwords, cryptocurrency, and targeting applications such as Discord, Steam, and FTP clients.
  • The campaign is widespread, with attackers continuously creating new profiles on legitimate platforms to push malicious lures.

NWHStealer Evolves with Bun Loader and Advanced Evasion Techniques

Cybersecurity experts are issuing warnings regarding NWHStealer, a Windows-based information stealer that has re-emerged with a significantly enhanced infection mechanism. The malware now incorporates the Bun JavaScript runtime, a modern, high-performance alternative to Node.js, into its intricate delivery process. This strategic shift indicates that the threat actors behind NWHStealer are actively exploring lesser-known tools to bypass established security measures.

Table Of Content

  • Key Takeaways
  • NWHStealer Evolves with Bun Loader and Advanced Evasion Techniques
  • Malwarebytes Uncovers New Delivery Method
  • Bun Loader, Anti-VM Checks, and Encrypted C2
  • What You Should Do

Built in Rust, NWHStealer is designed to exfiltrate sensitive data from compromised Windows systems. Its propagation methods include Node.js scripts, MSI installers, and fake software distributed through reputable platforms like GitHub, GitLab, SourceForge, and Itch.io. By masquerading as legitimate software packages, the malware tricks users into unknowingly downloading and executing it.

Malwarebytes Uncovers New Delivery Method

The updated delivery chain was first identified by analysts at Malwarebytes during their routine threat hunting operations. Researcher Gabriele Orini highlighted the attackers’ adoption of Bun, noting its novelty within security circles makes it an attractive choice for evading detection.

Once it infiltrates a system, NWHStealer demonstrates extensive capabilities. It gathers system information, pilfers saved browser data and credentials, drains cryptocurrency wallets, and targets popular applications such as Discord, Steam, and FTP clients like FileZilla. The stealer can also inject malicious code into browser processes, circumvent Windows User Account Control (UAC), establish persistence through scheduled tasks, and dynamically retrieve new command-and-control (C2) server addresses from Telegram, ensuring resilience against partial takedowns.

The sheer scale of this ongoing campaign is noteworthy. Threat actors consistently establish new profiles on legitimate hosting platforms to disseminate fresh lures, posing a significant challenge for platform moderators to contain. This combination of data theft, persistent access, and self-updating infrastructure positions NWHStealer as a substantial threat to both individual users and enterprises.

Bun Loader, Anti-VM Checks, and Encrypted C2

The infection sequence typically commences with a ZIP archive, deceptively presented as a game trainer, software crack, or utility tool. Identified archive names include “MOUSE_PI_Trainer_v1.0.zip,” “FiveM Mod.zip,” “TradingView-Activation-Script-0.9.zip,” and “AutoTune 2026.zip.”

Entry point of the JavaScript loader (Source - Malwarebytes)
Entry point of the JavaScript loader (Source – Malwarebytes)

Within these archives lies “Installer.exe,” which contains JavaScript code bundled with the Bun runtime embedded in its .bun section. The malicious JavaScript is compartmentalized into two primary files.

The first file, “sysreq.js,” executes PowerShell and WMI commands to determine if the execution environment is a genuine machine or a virtualized one. It scrutinizes parameters like CPU count, disk space, screen resolution, hardware manufacturers, and even the username. A scoring system dictates whether the infection should proceed or terminate, a sophisticated anti-VM layer designed to bypass automated security analysis environments.

The second file, “memload.js,” manages communications with the attacker’s command-and-control server. All strings and configurations are encrypted using a combination of XOR and base64 encoding, significantly complicating static analysis. This loader transmits a report to the C2 containing the victim’s public IP address, system specifications, and a screenshot. Subsequently, it fetches an AES-encrypted payload and injects NWHStealer directly into memory, minimizing forensic traces on disk.

The malicious ZIP contains two loaders (Source - Malwarebytes)
The malicious ZIP contains two loaders (Source – Malwarebytes)

Some analyzed ZIP archives also include a secondary loader named “dw.exe” within a folder labeled “DW.” A “Readme.txt” file inside the archive instructs users to manually run “dw.exe” if the primary installer fails. This dual-loader configuration serves as a deliberate backup mechanism, ensuring payload delivery even if the initial C2 server becomes unresponsive.

What You Should Do

Given the widespread distribution of NWHStealer, users and organizations must implement proactive measures to safeguard their systems:

  • Source Software Carefully: Only download software from official, verified vendor websites. Avoid third-party file-sharing platforms or unofficial repositories unless the publisher’s identity and reputation are unequivocally established.
  • Verify Digital Signatures: Before executing any downloaded file, always inspect its digital signature. Legitimate software typically possesses consistent and verifiable signing details.
  • Inspect Downloaded Archives: Exercise caution and thoroughly examine the contents of any downloaded archive before extracting or running files. Malicious archives often exhibit unusual file structures, mismatched content, or suspicious naming conventions.
  • Be Skeptical of “Too Good to Be True” Offers: Remain vigilant against downloads promising game cheats, software activators, or free utilities that seem overly generous. These are common lures for malware distribution.
  • Implement Endpoint Detection and Response (EDR): Deploy robust EDR solutions to monitor for suspicious activities, including process injection, unusual network connections, and anti-VM checks.
  • Regularly Backup Data: Maintain regular backups of critical data to an isolated location, mitigating the impact of potential data theft.
  • Keep Systems Updated: Ensure operating systems, web browsers, and all installed software are kept up-to-date with the latest security patches to address known vulnerabilities.

Indicators of Compromise (IoCs):-

Type Indicator Description
Domain whale-ether[.]pro NWHStealer C2 server
Domain cosmic-nebula[.]cc NWHStealer C2 server
Domain silent-harvester[.]cc Bun Loader C2 server
Domain silent-orbit[.]cc Bun Loader C2 server
Domain support-onion[.]club Bun Loader C2 server
SHA-256 d3a896f450561b2546b418b469a8e10949c7320212eb1c72b48e2b1e37c34ba5 Malicious file hash
SHA-256 96fe4ddfe256dc9d2c6faea7c18e2583cd9d9c0099a4ad2cf082f569ee8379f4 Malicious file hash
SHA-256 3710fb27d2032ef1eb1252ebf5c4dd516d2b2c0a83fb82c664c89e504b990fa9 Malicious file hash
SHA-256 33d07aa24b217f27df6a483295c817da198e12511a6989bcc6b917feaf8e491d Malicious file hash
SHA-256 5427b4cefb329ed0e9585b3ce58a2788baf87e3b0c7221373f9bbd5f32c85b62 Malicious file hash
SHA-256 308da9f49ffa1d1744e428b567792ab22712159974e9da8d8e0414ecd81de93e Malicious file hash
SHA-256 021838f30a43026084978bce187c165c6b640d8d474ec009d48078d21ec62025 Malicious file hash
SHA-256 c8e96b55f13435c4b43b7209d2403f1a0e0f9deb05edc50e0f777430be693b07 Malicious file hash
SHA-256 0614c4cc6375ab6bdcdd2dfa913a67d32c3e8be9b95a4a2aa09bb131b98191c8 Malicious file hash
SHA-256 0020999b2e3e4d1b2cfb69e4df9440d3ce05d508573889fdc12b724ce75a0cd8 Malicious file hash
SHA-256 0fa42df08cc467ec52b2d388b5575114a8ec067d13f6b1a653ec33fe879f88ca Malicious file hash
SHA-256 15f79980650393d182f81cd6e389210568aa1f5f875e515efe6cb9485d64b7fb Malicious file hash
SHA-256 20454ba58d509300fd694ae6159db4efa1b7ff965f98c29e7d087e20f96578c1 Malicious file hash

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackCybersecurityMalwareSecurityThreat

Share Article

Jennifer sherman

Jennifer sherman

Jennifer is a cybersecurity news reporter covering data breaches, ransomware campaigns, and dark web markets. With a background in incident response, Jennifer provides unique insights into how organizations respond to cyber attacks and the evolving tactics of threat actors. Her reporting has covered major breaches affecting millions of users and has helped organizations understand emerging threats. Jennifer combines technical knowledge with investigative journalism to deliver in-depth coverage of cybersecurity incidents.

Previous Post

Mozilla Patches Critical Firefox Vulnerabilities (CVE-2024-XXXX, CVE-2024-XXXX)

Next Post

PCPJack Worm Targets Docker, Kubernetes, Redis, MongoDB for Credential Theft

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
F5 Patches Critical NGINX Vulnerabilities, Preventing Code Execution
July 16, 2026
Critical MacSync Stealer Delivered via Google Ads and Claude AI Chats
July 15, 2026
GPT-5.6 Sol Ultra AI Creates Full Chrome Exploit Chain from Patches
July 15, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Emy Elsamnoudy
Emy Elsamnoudy
Jennifer sherman
Jennifer sherman
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us