{
	"id": "bf79d6ce-e370-47f8-bd8c-069e6950dd77",
	"created_at": "2026-04-06T03:36:08.563478Z",
	"updated_at": "2026-04-10T03:36:48.421032Z",
	"deleted_at": null,
	"sha1_hash": "77d7cd1e69fbed81ef56d3a399f4b5d372d09dcb",
	"title": "There’s A New Stealer Variant In Town, And It’s Using Electron",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 54529,
	"plain_text": "There’s A New Stealer Variant In Town, And It’s Using Electron\r\nBy AirFleet - David\r\nPublished: 2023-08-10 · Archived: 2026-04-06 02:58:37 UTC\r\nOur threat research team recently uncovered new npm packages that are used to download a new info-stealer variant that uses the popular Electron framework to disguise itself as a legitimate application. In this blog post, we’ll analyze the attack flow of this new info-stealer we detected and explain how it can stay undetected by abusing trusted development tools like Electron.\r\nBy building the malware with Electron, the attackers are able to inject their malicious code into a program that appears harmless. But behind its innocent look, this info-stealer’s main objective is to collect sensitive data from the victim’s machine. We’ll discuss how it operates, its capabilities, and how users can stay safe.\r\nWhat is Electron and why it’s being used in malware\r\nElectron is an open-source framework developed by GitHub for building cross-platform desktop applications using web technologies like JavaScript, HTML and CSS. It uses Chromium and Node.js under the hood. The Chromium engine is used to display web content and Node.js runs the backend code.\r\nThe nature of this framework lets attackers ship their malicious code to multiple platforms with little more than a build flag, reducing the time it takes to develop code suited to each system.\r\nThe framework’s interface makes it easy to create attractive-looking apps that users may be tricked into installing; such apps can easily disguise themselves as legitimate tools while accessing powerful OS functions in the background.\r\nInitial access\r\nOn Thursday, August 3rd, our supply chain tool alerted us to a suspicious package named Crazydown which runs an obfuscated script using a postinstall hook. The attacker used two techniques to try and hide their malicious intent. The first one involved a creative way to hide its actions in the package.json file using escaped Unicode characters. The second technique was to obfuscate the main file index.js using rename obfuscation and encryption to try and stay undetected.\r\nFigure 1. Escaped Unicode characters in the package.json file\r\nFigure 2. Heavily obfuscated and encrypted index.js file\r\nhttps://www.mend.io/blog/theres-a-new-stealer-variant-in-town-and-its-using-electron-to-stay-fully-undetected/\r\nPage 1 of 4\r\nTo understand what’s going on in this file, we debugged it to see how it decrypts its original strings during runtime using bitwise operations. After a couple of iterations, we found the URL that downloads the second stage of the attack.\r\nFigure 3. The host server is revealed through the debugging process\r\nIt’s worth mentioning that a couple of days later, we found another 4 packages that use the same techniques to spread that malware, but this time, in one version, the attacker left the full source code exposed beneath the heavy obfuscation, as shown in Figure 4.\r\nFigure 4. Fully deobfuscated index.js file\r\nSo the main goal behind this code is to download an exe file from a Discord server and execute it.\r\nSecond stage analysis\r\nUploading our sample to VirusTotal shows that it is fully undetected by any vendor: the analysis gives zero results.\r\nLooking at the details tab, we can see that this sample is actually a Nullsoft installer, a tool for creating Windows installers that is widely used due to its power and flexibility. Moreover, a Nullsoft installer is an archive, which means we can extract its content using tools like 7-Zip.\r\nFigure 5. VirusTotal results show this sample is fully undetected\r\nFigure 6. Nullsoft installer evidence\r\nUpon extracting the sample, we found a bigger exe file (~134 MB) named Fewer.exe.\r\nAnalyzing this file in the Detect It Easy tool, we can see that it is actually an Electron desktop application.\r\nFigure 7. A new bigger exe file was found\r\nFigure 8. Detect It Easy results point to the Electron app\r\nTo get the source code that was built into this Electron app, we can look inside the resources folder. There we find an app.asar file, which can be extracted using an asar plugin for 7-Zip, and here we have the full source code of that sample.\r\nFigure 9. app.asar file that includes the source code of the app\r\nFigure 10. Extracted app source code\r\nWhen looking at the batch file, we can see the instruction used to build this app with the electron-builder command for Windows.\r\nFigure 11. Instructions from batch file\r\nAnalyzing the gavy.js file, we found that it is in charge of decrypting the full source code of the stealer. Replacing the final function statement with a console.log call reveals the code.\r\nFigure 12. Original gavy.js file\r\nFigure 13. Altered gavy.js file to decrypt its content\r\nFigure 14. A snippet from the info stealer source code\r\nEvidence in the wild\r\nWhile looking for evidence of this new variant in the wild, we found a GitHub repository that seemed to be the source of this stealer and includes the name we found inside.\r\nInspecting closer, we can confirm that this is the source, as it includes the same files we extracted from the Nullsoft installer and the same batch file that is in charge of the Electron app build. This repository was created a month ago, which matches our VirusTotal analysis showing that the first submission of this variant was a couple of weeks ago, probably initiated by the attacker to check the detection rate of their malware.\r\nFigure 15. Freshly created repository to host the source code\r\nCore functionalities\r\nThe core functionalities of this stealer are pretty similar to different stealers and variants of the well-known “Wasp Stealer”, which we detected throughout the last year, both on npm and PyPI.\r\nIt has the ability to steal cookies, browser history, wallet addresses, autofills, Discord tokens, Instagram and TikTok sessions, and much more. The main difference is that it has an auto-obfuscating process using the crypter.js file, and the way it is built using Electron to look like a legitimate app and stay fully undetectable.\r\nConclusion\r\nThe new Electron-based infostealer depicts the constant evolution of supply chain threats. While its capabilities are concerning, the bigger issue is how adversaries are able to masquerade their tools as legitimate software. By using trusted frameworks like Electron, they make detection much more difficult. However, through ongoing threat research and analysis, we can unravel their techniques and better protect users.\r\nWe at Mend.io are committed to this mission and will keep developing solutions to detect and block every new technique that will be used by attackers to compromise our users.\r\nSource: https://www.mend.io/blog/theres-a-new-stealer-variant-in-town-and-its-using-electron-to-stay-fully-undetected/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.mend.io/blog/theres-a-new-stealer-variant-in-town-and-its-using-electron-to-stay-fully-undetected/"
	],
	"report_names": [
		"theres-a-new-stealer-variant-in-town-and-its-using-electron-to-stay-fully-undetected"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775446568,
	"ts_updated_at": 1775792208,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/77d7cd1e69fbed81ef56d3a399f4b5d372d09dcb.pdf",
		"text": "https://archive.orkl.eu/77d7cd1e69fbed81ef56d3a399f4b5d372d09dcb.txt",
		"img": "https://archive.orkl.eu/77d7cd1e69fbed81ef56d3a399f4b5d372d09dcb.jpg"
	}
}