NWHStealer malware uses Bun Loader, anti-VM checks, encrypted C2
Key Takeaways NWHStealer, a Rust-based information stealer, has adopted a more sophisticated delivery chain, now utilizing the Bun JavaScript runtime. The malware is distributed via seemingly...
Key Takeaways
- NWHStealer, a Rust-based information stealer, has adopted a more sophisticated delivery chain, now utilizing the Bun JavaScript runtime.
- The malware is distributed via seemingly legitimate software downloads on platforms like GitHub, GitLab, SourceForge, and Itch.io.
- It employs advanced anti-virtual machine (anti-VM) checks and encrypts its command-and-control (C2) communications to evade detection.
- NWHStealer is highly capable, stealing browser data, passwords, cryptocurrency, and targeting applications such as Discord, Steam, and FTP clients.
- The campaign is widespread, with attackers continuously creating new profiles on legitimate platforms to push malicious lures.
NWHStealer Evolves with Bun Loader and Advanced Evasion Techniques
Cybersecurity experts are issuing warnings regarding NWHStealer, a Windows-based information stealer that has re-emerged with a significantly enhanced infection mechanism. The malware now incorporates the Bun JavaScript runtime, a modern, high-performance alternative to Node.js, into its intricate delivery process. This strategic shift indicates that the threat actors behind NWHStealer are actively exploring lesser-known tools to bypass established security measures.
Table Of Content
Built in Rust, NWHStealer is designed to exfiltrate sensitive data from compromised Windows systems. Its propagation methods include Node.js scripts, MSI installers, and fake software distributed through reputable platforms like GitHub, GitLab, SourceForge, and Itch.io. By masquerading as legitimate software packages, the malware tricks users into unknowingly downloading and executing it.
Malwarebytes Uncovers New Delivery Method
The updated delivery chain was first identified by analysts at Malwarebytes during their routine threat hunting operations. Researcher Gabriele Orini highlighted the attackers’ adoption of Bun, noting its novelty within security circles makes it an attractive choice for evading detection.
Once it infiltrates a system, NWHStealer demonstrates extensive capabilities. It gathers system information, pilfers saved browser data and credentials, drains cryptocurrency wallets, and targets popular applications such as Discord, Steam, and FTP clients like FileZilla. The stealer can also inject malicious code into browser processes, circumvent Windows User Account Control (UAC), establish persistence through scheduled tasks, and dynamically retrieve new command-and-control (C2) server addresses from Telegram, ensuring resilience against partial takedowns.
The sheer scale of this ongoing campaign is noteworthy. Threat actors consistently establish new profiles on legitimate hosting platforms to disseminate fresh lures, posing a significant challenge for platform moderators to contain. This combination of data theft, persistent access, and self-updating infrastructure positions NWHStealer as a substantial threat to both individual users and enterprises.
Bun Loader, Anti-VM Checks, and Encrypted C2
The infection sequence typically commences with a ZIP archive, deceptively presented as a game trainer, software crack, or utility tool. Identified archive names include “MOUSE_PI_Trainer_v1.0.zip,” “FiveM Mod.zip,” “TradingView-Activation-Script-0.9.zip,” and “AutoTune 2026.zip.”

Within these archives lies “Installer.exe,” which contains JavaScript code bundled with the Bun runtime embedded in its .bun section. The malicious JavaScript is compartmentalized into two primary files.
The first file, “sysreq.js,” executes PowerShell and WMI commands to determine if the execution environment is a genuine machine or a virtualized one. It scrutinizes parameters like CPU count, disk space, screen resolution, hardware manufacturers, and even the username. A scoring system dictates whether the infection should proceed or terminate, a sophisticated anti-VM layer designed to bypass automated security analysis environments.
The second file, “memload.js,” manages communications with the attacker’s command-and-control server. All strings and configurations are encrypted using a combination of XOR and base64 encoding, significantly complicating static analysis. This loader transmits a report to the C2 containing the victim’s public IP address, system specifications, and a screenshot. Subsequently, it fetches an AES-encrypted payload and injects NWHStealer directly into memory, minimizing forensic traces on disk.

Some analyzed ZIP archives also include a secondary loader named “dw.exe” within a folder labeled “DW.” A “Readme.txt” file inside the archive instructs users to manually run “dw.exe” if the primary installer fails. This dual-loader configuration serves as a deliberate backup mechanism, ensuring payload delivery even if the initial C2 server becomes unresponsive.
What You Should Do
Given the widespread distribution of NWHStealer, users and organizations must implement proactive measures to safeguard their systems:
- Source Software Carefully: Only download software from official, verified vendor websites. Avoid third-party file-sharing platforms or unofficial repositories unless the publisher’s identity and reputation are unequivocally established.
- Verify Digital Signatures: Before executing any downloaded file, always inspect its digital signature. Legitimate software typically possesses consistent and verifiable signing details.
- Inspect Downloaded Archives: Exercise caution and thoroughly examine the contents of any downloaded archive before extracting or running files. Malicious archives often exhibit unusual file structures, mismatched content, or suspicious naming conventions.
- Be Skeptical of “Too Good to Be True” Offers: Remain vigilant against downloads promising game cheats, software activators, or free utilities that seem overly generous. These are common lures for malware distribution.
- Implement Endpoint Detection and Response (EDR): Deploy robust EDR solutions to monitor for suspicious activities, including process injection, unusual network connections, and anti-VM checks.
- Regularly Backup Data: Maintain regular backups of critical data to an isolated location, mitigating the impact of potential data theft.
- Keep Systems Updated: Ensure operating systems, web browsers, and all installed software are kept up-to-date with the latest security patches to address known vulnerabilities.
Indicators of Compromise (IoCs):-
| Type | Indicator | Description |
|---|---|---|
| Domain | whale-ether[.]pro | NWHStealer C2 server |
| Domain | cosmic-nebula[.]cc | NWHStealer C2 server |
| Domain | silent-harvester[.]cc | Bun Loader C2 server |
| Domain | silent-orbit[.]cc | Bun Loader C2 server |
| Domain | support-onion[.]club | Bun Loader C2 server |
| SHA-256 | d3a896f450561b2546b418b469a8e10949c7320212eb1c72b48e2b1e37c34ba5 | Malicious file hash |
| SHA-256 | 96fe4ddfe256dc9d2c6faea7c18e2583cd9d9c0099a4ad2cf082f569ee8379f4 | Malicious file hash |
| SHA-256 | 3710fb27d2032ef1eb1252ebf5c4dd516d2b2c0a83fb82c664c89e504b990fa9 | Malicious file hash |
| SHA-256 | 33d07aa24b217f27df6a483295c817da198e12511a6989bcc6b917feaf8e491d | Malicious file hash |
| SHA-256 | 5427b4cefb329ed0e9585b3ce58a2788baf87e3b0c7221373f9bbd5f32c85b62 | Malicious file hash |
| SHA-256 | 308da9f49ffa1d1744e428b567792ab22712159974e9da8d8e0414ecd81de93e | Malicious file hash |
| SHA-256 | 021838f30a43026084978bce187c165c6b640d8d474ec009d48078d21ec62025 | Malicious file hash |
| SHA-256 | c8e96b55f13435c4b43b7209d2403f1a0e0f9deb05edc50e0f777430be693b07 | Malicious file hash |
| SHA-256 | 0614c4cc6375ab6bdcdd2dfa913a67d32c3e8be9b95a4a2aa09bb131b98191c8 | Malicious file hash |
| SHA-256 | 0020999b2e3e4d1b2cfb69e4df9440d3ce05d508573889fdc12b724ce75a0cd8 | Malicious file hash |
| SHA-256 | 0fa42df08cc467ec52b2d388b5575114a8ec067d13f6b1a653ec33fe879f88ca | Malicious file hash |
| SHA-256 | 15f79980650393d182f81cd6e389210568aa1f5f875e515efe6cb9485d64b7fb | Malicious file hash |
| SHA-256 | 20454ba58d509300fd694ae6159db4efa1b7ff965f98c29e7d087e20f96578c1 | Malicious file hash |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.