VYPR · malware
Published May 6, 2026 · Updated May 18, 2026 · 1 source

Attackers are using the legitimate JavaScript runtime Bun to distribute the Rust-based NWHStealer infostealer, leveraging its novelty to evade detection.

Attackers have adopted a novel distribution method for the Rust-based infostealer NWHStealer, packaging it with the legitimate JavaScript runtime Bun to evade security tools. Bun, an all-in-one JavaScript and TypeScript toolkit designed as a modern replacement for Node.js, is relatively new and has not been widely seen in malware campaigns. This novelty helps the malicious executables blend in, as security products are less likely to flag them compared to more commonly abused runtimes.

NWHStealer is a sophisticated infostealer that targets a wide range of sensitive data. Once installed, it collects system information, steals credentials and cookies from browsers, exfiltrates data from cryptocurrency wallets, and harvests information from FTP clients such as FileZilla and from gaming and messaging apps such as Steam and Discord. The malware can also inject malicious code into browser processes, bypass User Account Control (UAC), achieve persistence via scheduled tasks, and retrieve new command-and-control (C2) addresses from Telegram.

The infection chain begins with a malicious ZIP archive, usually disguised as game-related software or another popular application. Lure filenames seen include "MOUSE_PI_Trainer_v1.0.zip," "FiveM Mod.zip," "TradingView-Activation-Script-0.9.zip," and "AutoTune 2026.zip." The archive contains an executable that embeds obfuscated JavaScript bundled with the Bun runtime; Bun can compile a script together with its own runtime into a single standalone executable, which is why such a loader is far larger than a typical dropper. In some cases a secondary loader (dw.exe) is included as a fallback if the primary Bun-based loader fails to reach its C2 server.

Hosting the malicious archives on legitimate platforms such as GitHub, GitLab, MediaFire, Itch.io, and SourceForge makes the downloads look trustworthy and harder for reputation-based filters to block. The attackers keep creating new profiles and lures, so users cannot reliably tell a legitimate release from malware by the hosting site alone. Because Bun folds a JavaScript runtime, package manager, test runner, and bundler into one executable, the malicious script ships inside a large binary that is mostly legitimate Bun code, which looks like an ordinary packaged application rather than a small, suspicious dropper.

Malwarebytes researchers detected the campaign through hunting activities and provided a detailed technical analysis of the JavaScript loader. The obfuscated code is split into two parts: sysreq.js, which performs anti-virtualization checks using a scoring system, and memload.js, which communicates with the C2 server to download and execute additional payloads. This modular approach allows the attackers to adapt the malware's behavior based on the target environment.
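The behaviours the write-up attributes to the loader and stealer (an executable run from a freshly extracted archive, scheduled-task persistence, and C2 address retrieval through Telegram) lend themselves to a scored detection rule rather than a single signature. The following is an added example, not Malwarebytes' code or anything recovered from the campaign: it scores constructed, Sysmon-like events per (host, image) and raises an alert only when several independent signals stack up. The field names, path patterns, weights, threshold, hostnames and the "Updater" task name are all assumptions.

```python
"""Score endpoint telemetry for the NWHStealer delivery behaviours described above.

Added example, not Malwarebytes' code. Signals, weights, field names and the
sample events are assumptions; the sample events are constructed, not captured.
"""
import re
from collections import defaultdict

# Locations a downloaded archive is typically extracted to (assumption).
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(Downloads|Desktop|AppData\\Local\\Temp)\\", re.I)

# Weights are assumptions: one weak signal alone should not page anyone.
W_USER_PATH_LAUNCH = 1   # executable run straight from Downloads/Desktop/Temp
W_SCHTASKS_CREATE = 3    # scheduled-task persistence from such a process
W_TELEGRAM_LOOKUP = 3    # C2 address retrieval via Telegram's API
ALERT_THRESHOLD = 5

# Constructed sample events (Sysmon-like, simplified). Hostnames, users, the
# extraction paths and the task name are hypothetical.
SAMPLE_EVENTS = [
    {"ts": 100, "host": "WS01", "type": "process",
     "image": r"C:\Users\alice\Downloads\FiveM Mod\FiveM Mod.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": '"FiveM Mod.exe"'},
    {"ts": 104, "host": "WS01", "type": "process",
     "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Users\alice\Downloads\FiveM Mod\FiveM Mod.exe",
     "cmdline": 'schtasks /create /sc onlogon /tn Updater /tr "C:\\Users\\alice\\AppData\\Roaming\\upd.exe" /f'},
    {"ts": 106, "host": "WS01", "type": "network",
     "image": r"C:\Users\alice\Downloads\FiveM Mod\FiveM Mod.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},
    # Benign: a developer's Bun install running from its usual install directory.
    {"ts": 200, "host": "DEV07", "type": "process",
     "image": r"C:\Users\bob\.bun\bin\bun.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "bun run dev"},
    {"ts": 201, "host": "DEV07", "type": "network",
     "image": r"C:\Users\bob\.bun\bin\bun.exe",
     "dest_host": "registry.npmjs.org", "dest_port": 443},
    # Benign: a portable tool run from Downloads that does nothing else suspicious.
    {"ts": 300, "host": "WS03", "type": "process",
     "image": r"C:\Users\dan\Downloads\putty.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "putty.exe"},
    {"ts": 301, "host": "WS03", "type": "network",
     "image": r"C:\Users\dan\Downloads\putty.exe",
     "dest_host": "github.com", "dest_port": 443},
]


def _from_user_path(path: str) -> bool:
    return bool(USER_WRITABLE.search(path))


def score_events(events):
    """Return {(host, image): (score, reasons)} for images that triggered a rule."""
    scores = defaultdict(lambda: [0, []])

    def hit(host, image, weight, reason):
        scores[(host, image)][0] += weight
        scores[(host, image)][1].append(reason)

    for ev in events:
        host, image = ev["host"], ev["image"]
        if ev["type"] == "process":
            parent = ev["parent"]
            # Weak signal: Explorer launching an executable from a user-writable path.
            if _from_user_path(image) and parent.lower().endswith("\\explorer.exe"):
                hit(host, image, W_USER_PATH_LAUNCH,
                    "launched by Explorer from a user-writable path")
            # Strong signal: that executable creating a scheduled task (persistence).
            if (image.lower().endswith("\\schtasks.exe")
                    and "/create" in ev["cmdline"].lower()
                    and _from_user_path(parent)):
                hit(host, parent, W_SCHTASKS_CREATE,
                    "created a scheduled task: " + ev["cmdline"])
        elif ev["type"] == "network":
            # Strong signal: a user-path executable pulling from Telegram's API.
            if ev["dest_host"].lower() == "api.telegram.org" and _from_user_path(image):
                hit(host, image, W_TELEGRAM_LOOKUP, "contacted api.telegram.org")
    return {k: (s, r) for k, (s, r) in scores.items()}


def alerts(events, threshold=ALERT_THRESHOLD):
    """(host, image) pairs whose combined score reaches the threshold."""
    return sorted(k for k, (s, _) in score_events(events).items() if s >= threshold)


if __name__ == "__main__":
    for key, (score, reasons) in score_events(SAMPLE_EVENTS).items():
        print(key, score, reasons)
    print("ALERT:", alerts(SAMPLE_EVENTS))
```

Run against the constructed events, only the WS01 process reaches the threshold (1 + 3 + 3); the developer's bun.exe never matches a user-writable extraction path, and the portable tool from Downloads scores a single point and stays below it. In production the same shape works over a SIEM query: keep the weak "ran from Downloads" signal cheap and let the persistence and Telegram signals carry the decision.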

The adoption of Bun for malware distribution highlights a broader trend of attackers leveraging legitimate, modern development tools to stay ahead of detection. As security tools improve at identifying traditional malware delivery methods, threat actors are increasingly turning to less common runtimes and packaging techniques. This campaign serves as a reminder that even legitimate, well-intentioned software can be repurposed for malicious ends.

To protect against such threats, users should download software only from official websites and treat downloads from platforms like GitHub or file-sharing sites with caution unless they trust the publisher. Checking the publisher's profile and reputation, examining archive contents for consistency, and verifying file signatures before execution all reduce the risk of infection. Note that a Bun-based loader is itself a legitimately built standalone executable, so a large, unsigned binary inside an archive that promises a "script," "mod," or "trainer" is a warning sign in its own right, as is a second executable such as dw.exe alongside it. Installing browser security extensions can also block malicious sites before they load.
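The archive traits described in the infection chain above (a runtime-sized executable where a script or trainer should be small, a second fallback loader, and a lure name that does not match the contents) can be checked statically before anything is run. The following is an added example, not Malwarebytes' tooling: it inspects a ZIP with Python's standard library, peeks at each entry's DOS magic, and reports those inconsistencies. The size threshold, the lure-word list, the entry names other than dw.exe, and both sample archives are assumptions constructed here.

```python
"""Static triage of a downloaded archive for the traits described above.

Added example, not Malwarebytes' code. The size threshold, the lure-word list
and the sample archives are assumptions; the archives are constructed here.
"""
import io
import re
import zipfile

EXE_EXTS = (".exe", ".scr", ".com", ".pif")
# Archive names that promise a script/mod/trainer but ship a PE are suspect;
# the word list takes the lure names in the write-up plus common variants
# (assumption) and is deliberately loose, so expect some noise on "mod".
LURE_WORDS = re.compile(r"trainer|mod|script|activation|crack|keygen", re.I)
# Assumption: a Bun standalone executable carries the whole runtime, so it is
# tens of MB where a "script" or "trainer" should be tiny.
BIG_PE_BYTES = 50 * 1024 * 1024


def triage_archive(archive_name: str, data: bytes, big_pe=BIG_PE_BYTES) -> list:
    """Return human-readable findings; an empty list means nothing stood out."""
    findings, pes = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:          # peek only at the DOS header magic
                is_pe = fh.read(2) == b"MZ"
            if not is_pe:
                continue
            pes.append(info.filename)
            if not info.filename.lower().endswith(EXE_EXTS):
                findings.append(f"PE under a non-executable name: {info.filename}")
            if info.file_size >= big_pe:
                findings.append(
                    f"unusually large executable ({info.file_size >> 20} MiB): {info.filename}")
    if len(pes) > 1:
        findings.append("multiple executables (possible fallback loader): " + ", ".join(pes))
    if pes and LURE_WORDS.search(archive_name):
        findings.append(
            f"archive name promises a script/mod/trainer but ships executables: {archive_name}")
    return findings


def build_lure_sample() -> bytes:
    """Constructed archive mimicking the described layout: a runtime-sized PE plus dw.exe.

    Only the 'MZ' magic is real; the bodies are zero padding, not actual binaries.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("TradingView-Activation-Script/Activate.exe",
                    b"MZ" + b"\0" * (52 * 1024 * 1024))
        zf.writestr("TradingView-Activation-Script/dw.exe", b"MZ" + b"\0" * 4096)
        zf.writestr("TradingView-Activation-Script/data.bin", b"MZ" + b"\0" * 512)
        zf.writestr("TradingView-Activation-Script/README.txt", b"Run Activate.exe once.")
    return buf.getvalue()


def build_benign_sample() -> bytes:
    """Constructed archive of an honest script release: text sources only, no PE."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("tool/install.ps1", b"Write-Host 'hello'\n")
        zf.writestr("tool/README.md", b"# tool\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, data in [("TradingView-Activation-Script-0.9.zip", build_lure_sample()),
                       ("tool-1.0.zip", build_benign_sample())]:
        print(name, triage_archive(name, data) or ["no findings"])
```

The check reads two bytes per entry, so it is cheap even on large archives, and it keys on the PE magic rather than the extension so a renamed binary is still counted. None of these findings proves malice on its own; together they describe exactly the package the write-up warns about, and they are worth a look before the archive is opened on a workstation.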

Synthesized by Vypr AI