A new CYFIRMA report details a sophisticated credential-stealing campaign known as LTX Stealer, a Windows-based malware that hides inside a heavily obfuscated installer to bypass security. The campaign weaponises legitimate developer tools by embedding a full Node[.]js runtime and using an unusually large, encrypted archive of over 375 MB, designed to overwhelm scanners and hinder static analysis.
The infection begins with a file named Negro[.]exe, presented as a standard Windows application but acting as a Trojan horse, with Inno Setup used to blend into legitimate software distribution workflows. According to CYFIRMA, the malware compiles its JavaScript code into bytecode, effectively black-boxing its logic, and drops a payload named updater[.]exe, which is in fact the bundled Node[.]js runtime, into a hidden system directory.
It targets Chromium-based browsers to extract passwords, cookies and tokens, and also searches for cryptocurrency wallets. The threat is sold as a Stealer-as-a-Service via a Supabase backend fronted by Cloudflare, with pricing observed at USD 10 for weekly access and USD 25 for monthly access. The report notes the tool’s low cost and high sophistication, signalling likely broad distribution in the wild.
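Two of the artefacts described above lend themselves to a simple host-side triage heuristic: an unusually large Inno Setup installer, and a Node.js runtime dropped under a different name (updater[.]exe) in a hidden directory. The script below is an added illustration of that check, not CYFIRMA's detection logic or any tooling from the report; the marker strings, the size threshold and the constructed sample blobs are assumptions for demonstration.

```python
"""Host-side triage heuristic for two artefacts described in the report:
an oversized Inno Setup installer and a Node.js runtime dropped under another name.

Added illustration only; not CYFIRMA's detection logic. Marker strings and
the size threshold are assumptions for demonstration.
"""
import os
from dataclasses import dataclass
from typing import Optional

# Byte markers. "Inno Setup" appears in the version resource of an Inno stub;
# the Node runtime carries its own name and version strings. Both are assumed
# here as illustrative indicators, not a complete signature.
INNO_MARKERS = (b"Inno Setup",)
NODE_MARKERS = (b"Node.js", b"node.exe", b"NODE_OPTIONS")
LARGE_INSTALLER_BYTES = 300 * 1024 * 1024  # assumed threshold, under the 375 MB observed
FILE_ATTRIBUTE_HIDDEN = 0x2                # Windows st_file_attributes bit


@dataclass(frozen=True)
class Finding:
    name: str
    reason: str


def is_pe(data: bytes) -> bool:
    """Cheap PE check: DOS 'MZ' header."""
    return data[:2] == b"MZ"


def _basename(path: str) -> str:
    """Portable basename: treat both slash styles as separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def triage(name: str, data: bytes, size: Optional[int] = None, hidden: bool = False) -> list:
    """Return findings for one file. `size` lets a caller pass the on-disk size
    without relying on len(data); `hidden` is the directory/file hidden flag."""
    size = len(data) if size is None else size
    findings = []
    if not is_pe(data):
        return findings  # only executables are of interest here
    base = _basename(name)

    # Artefact 1: Inno Setup stub far larger than a typical installer.
    if any(m in data for m in INNO_MARKERS) and size >= LARGE_INSTALLER_BYTES:
        findings.append(Finding(name, "oversized Inno Setup installer"))

    # Artefact 2: Node.js runtime strings inside a binary not named node.exe.
    if any(m in data for m in NODE_MARKERS) and base != "node.exe":
        findings.append(Finding(name, "Node.js runtime under a different name"))

    # Artefact 3: executable placed in a hidden location.
    if hidden:
        findings.append(Finding(name, "executable in a hidden location"))
    return findings


def scan_tree(root: str) -> list:
    """Walk a directory tree and triage every file (reads each file fully)."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            path = os.path.join(dirpath, f)
            st = os.stat(path)
            # st_file_attributes exists only on Windows; elsewhere treat as not hidden.
            hidden = bool(getattr(st, "st_file_attributes", 0) & FILE_ATTRIBUTE_HIDDEN)
            with open(path, "rb") as fh:
                data = fh.read()
            findings.extend(triage(path, data, size=st.st_size, hidden=hidden))
    return findings


# Constructed samples (not real malware bytes): a PE-looking blob carrying Node
# runtime strings, an Inno-looking blob, and a plain text file.
SAMPLE_NODE = b"MZ" + b"\x00" * 64 + b"Node.js v20.0.0\x00node.exe\x00NODE_OPTIONS"
SAMPLE_INNO = b"MZ" + b"\x00" * 64 + b"Inno Setup Setup Data"
SAMPLE_TEXT = b"just a text file"


def demo() -> dict:
    """Run the heuristic over the constructed samples; returns name -> reasons."""
    cases = [
        ("C:\\hidden\\updater.exe", SAMPLE_NODE, None, True),            # renamed runtime, hidden
        ("C:\\Program Files\\nodejs\\node.exe", SAMPLE_NODE, None, False),  # legitimate install
        ("Negro.exe", SAMPLE_INNO, 400 * 1024 * 1024, False),              # oversized installer
        ("setup.exe", SAMPLE_INNO, 5 * 1024 * 1024, False),                # ordinary installer
        ("notes.txt", SAMPLE_TEXT, None, False),                           # not a PE
    ]
    return {n: [f.reason for f in triage(n, d, size=s, hidden=h)] for n, d, s, h in cases}


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, "->", reasons or ["clean"])
```

The size is passed separately so a caller can use `os.stat().st_size` rather than loading a multi-hundred-megabyte installer just to measure it, which is exactly the cost the oversized archive is designed to impose on scanners. String markers are deliberately coarse; in practice this heuristic is a triage filter to decide which files deserve a proper PE parse, not a verdict on its own.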