New Lucid Stealer Malware Offers Hidden Remote Access and Targets 18 Browsers
A new Windows malware, Lucid Stealer, is being sold as a subscription service and targets 18 browsers, crypto wallets, and Discord tokens, while also featuring hidden remote access capabilities.

A new and concerning piece of Windows malware, dubbed Lucid Stealer, has emerged from underground channels, posing a significant threat due to its extensive capabilities and evasive nature. Discovered via Telegram, this malware is not just a simple credential stealer; it offers hidden remote access (HVNC) and can effectively grant attackers full control over infected systems. Researchers at Foresiet identified the threat, noting its packaging within a legitimate Node.js runtime to bypass standard security tools, allowing it to operate discreetly.
The malware is being marketed as a commercial service on a subscription basis, complete with a dedicated web panel, license keys, and ongoing support, indicating active development and investment by its operators. The developers briefly paused operations in late May 2026 before relaunching with a rebuilt infrastructure and plans to transition from Node.js to Java for enhanced evasion. This evolution underscores the persistent and adaptive nature of the threat.
Lucid Stealer's reach is broad, targeting a wide array of digital assets. The analyzed build is designed to compromise 18 different browsers, 21 cryptocurrency clipper formats, seven desktop wallets, seven wallet browser extensions, and four Discord client variants. It systematically extracts saved credentials, session cookies, autofill data, and browser history by employing a bundled SQLite tool to directly query browser databases.
Beyond traditional data theft, Lucid Stealer injects itself into Discord clients to steal authentication tokens and modifies the application to facilitate continuous data exfiltration. A particularly insidious feature is its clipboard monitoring, which allows it to silently swap cryptocurrency wallet addresses copied by users with those controlled by the attacker, directly facilitating theft from financial accounts.
What distinguishes Lucid Stealer from many other stealers is its integrated remote access module. This HVNC (Hidden Virtual Network Computing) capability allows attackers to gain visual control of a victim's machine without any visible window appearing on the user's screen. Coupled with a remote shell, file manager, keylogging, and screenshot capture functionality, attackers achieve a level of access comparable to having physical control of the infected system.
The infection chain typically begins with a password-protected ZIP archive. Upon extraction, the malware initiates a multi-stage setup process, dropping helper files, establishing persistence through the Windows registry, and potentially attempting to escalate privileges. By the time the core payload is decrypted and executed, the attacker has already secured a stable foothold on the compromised system.
Given the malware's adaptive nature and plans for platform migration, security professionals are advised to prioritize behavior-based detection over relying solely on file hashes. Key indicators of infection include temporary self-copies in the Windows TEMP folder disguised as 'winupd' files, suspicious HKCU Run registry entries named 'WindowsUpdate', and unexpected '.node' module files appearing in user profiles. Network defenders should also block known command-and-control (C2) IP addresses and monitor for suspicious POST requests to internal endpoints.
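The following PowerShell triage script is an added example, not code from Foresiet or the article; it checks a Windows host for the three host-based indicators listed above. The exact file name patterns, the registry value name match and the profile root path are assumptions drawn from the article's wording, not confirmed Lucid Stealer indicators.

```powershell
# Added example: triage check for the host indicators described in the article.
# Patterns below are assumptions based on the article, not confirmed IoCs.
$findings = @()

# 1. Persistence: HKCU Run values named 'WindowsUpdate' (assumed exact/prefix match)
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path $runKey) {
    $run = Get-ItemProperty -Path $runKey
    foreach ($prop in $run.PSObject.Properties) {
        if ($prop.Name -like 'WindowsUpdate*') {
            $findings += [pscustomobject]@{
                Indicator = 'HKCU Run entry'
                Detail    = "$($prop.Name) = $($prop.Value)"
            }
        }
    }
}

# 2. Staging: self-copies in %TEMP% named like 'winupd' (assumed file name prefix)
Get-ChildItem -Path $env:TEMP -Filter 'winupd*' -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $findings += [pscustomobject]@{ Indicator = 'TEMP self-copy'; Detail = $_.FullName }
    }

# 3. Payload: native '.node' modules under user profiles. Developer machines keep
#    legitimate addons under node_modules, so those are tagged for review, not ignored.
$profileRoot = 'C:\Users'   # assumption: default profile root
Get-ChildItem -Path $profileRoot -Filter '*.node' -File -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $note = if ($_.FullName -match '\\node_modules\\') { 'inside node_modules (likely benign)' } else { 'outside node_modules (review)' }
        $findings += [pscustomobject]@{ Indicator = '.node module'; Detail = "$($_.FullName) [$note]" }
    }

if ($findings.Count -eq 0) {
    'No matching indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it in an elevated or per-user session on the suspect host; a hit on any of the three indicators is a reason to pull the file and registry value for analysis rather than proof of infection on its own.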