Attackers are increasingly using Bun, a JavaScript runtime, to help spread the Windows infostealer NWHStealer, with Bun-built bundles embedded in ZIP archives that also contain loaders such as a self-injection loader named dw[.]exe. Bun is described on its official site as an all-in-one JavaScript, TypeScript and JSX toolkit written in Zig and designed as a fast drop-in replacement for Node.js.
The malware is delivered through Bun-based loaders wrapped in lures such as game-related software, trading tools and activation scripts, hosted on platforms including GitHub, GitLab, MediaFire, Itch.io and SourceForge. Once executed, the Bun loader deploys NWHStealer, which collects system information, browser data, cryptocurrency wallet data and data from various applications, and which can attempt to bypass UAC and establish persistence via scheduled tasks.
The article also lists several IOCs, including the C2 domains whale-ether[.]pro and silent-harvester[.]cc and a published hash for the malware. According to Malwarebytes, the campaign shows attackers adopting newer tooling to stay ahead of detection.
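As an added example (not code from the article or from Malwarebytes), the following Python script operationalizes the two C2 domains listed above: it refangs the defanged indicators and scans DNS resolver log lines for the domains or any subdomain of them, matching on label boundaries so that a name such as notwhale-ether.pro is not a false hit. The log field layout and the sample lines are constructed for the example and are assumptions, not a format the article describes; a real resolver's logs will need a different regex.

```python
import re

# The C2 domains as the article lists them, defanged with "[.]" so they stay unclickable.
DEFANGED_C2_DOMAINS = [
    "whale-ether[.]pro",
    "silent-harvester[.]cc",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into its real form for matching.
    Handles the common '[.]', '(.)', '[dot]' and 'hxxp' conventions."""
    s = indicator.strip().lower()
    s = s.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    if s.startswith("hxxp"):
        s = "http" + s[4:]
    return s


def domain_matches(queried: str, ioc_domain: str) -> bool:
    """True if `queried` is the IOC domain itself or a subdomain of it.
    A plain substring test would also flag 'notwhale-ether.pro', so the
    comparison is done on a label boundary; the trailing dot that DNS
    logs often carry is stripped first."""
    q = queried.lower().rstrip(".")
    return q == ioc_domain or q.endswith("." + ioc_domain)


# Assumed (constructed) field layout: "<timestamp> <client_ip> <qtype> <qname>".
DNS_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)$")


def find_c2_lookups(log_lines, defanged_iocs=DEFANGED_C2_DOMAINS):
    """Return (timestamp, client_ip, queried_name, matched_ioc) for every
    DNS query that resolves an IOC domain or one of its subdomains."""
    iocs = [refang(d) for d in defanged_iocs]
    hits = []
    for line in log_lines:
        m = DNS_LINE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines instead of aborting the sweep
        qname = m.group("qname")
        for ioc in iocs:
            if domain_matches(qname, ioc):
                hits.append((m.group("ts"), m.group("client"), qname.rstrip("."), ioc))
                break
    return hits


# Constructed sample resolver log, not real traffic: two true hits, one
# near-miss that a substring match would wrongly flag, and benign noise.
SAMPLE_DNS_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 A github.com.
2024-05-01T10:00:07Z 10.0.0.5 A api.whale-ether.pro.
2024-05-01T10:00:09Z 10.0.0.7 A notwhale-ether.pro.
2024-05-01T10:00:12Z 10.0.0.5 AAAA silent-harvester.cc.
2024-05-01T10:00:15Z 10.0.0.9 A mediafire.com.
""".splitlines()


if __name__ == "__main__":
    for ts, client, qname, ioc in find_c2_lookups(SAMPLE_DNS_LOG):
        print(f"{ts} {client} queried {qname} (matches IOC {ioc})")
```

Only the domains are matched here because they are the indicators the article reproduces; the published file hash is not quoted on this page, so it is left out rather than guessed.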