An advanced new malware strain known as "LTX Stealer" has surfaced in the cyber threat landscape. It compromises Windows systems by using a special Node.js-based architecture. This malicious tool, which first surfaced in early 2026, is made to collect private user data, such as browser cookies, cryptocurrency wallet information, and login credentials.
The malware sets itself apart by including a complete Node.js runtime environment in its payload, which enables it to run sophisticated JavaScript code on the victim's computer natively without the framework needing to be installed beforehand. Usually, a Windows installer file called "Negro.exe" serves as the attack's misleadingly straightforward entry point. The genuine Inno Setup framework, a popular tool for making software installers, was used to create this file.
The malware successfully hides its malicious intent from routine security scans by enclosing itself in a trusted installation wrapper. A huge payload, approximately 271 MB in size, is dropped into the victim's system by the installer when it is executed. The malware was quickly discovered by Cyfirma analysts, who pointed out that the size of the file is a purposeful strategy to get around antivirus software, which frequently skips scanning large files in order to preserve system performance.
Once inside, LTX Stealer targets Chromium-based browsers such as Google Chrome and Microsoft Edge. It retrieves encryption keys from the browsers' "Local State" files, which are then used to unlock stored passwords and session cookies. At the same time, the malware takes screenshots of the user's activity and searches for cryptocurrency wallets.
Before being exfiltrated to a command-and-control server, all stolen data is compressed. The infrastructure is resistant to takedowns because the attackers use cloud services like Cloudflare to conceal the actual location of their server and Supabase for authentication.

Bytecode compilation for obfuscation

LTX Stealer's strong reliance on sophisticated obfuscation techniques to thwart reverse engineering is one of its distinguishing technical features.
Updater.exe, the main payload, is a packaged Node.js application made with a tool called pkg rather than a typical executable. This creates a single binary that contains the malicious JavaScript logic, dependencies, and runtime.

Properties of the LTX Stealer Installer (Source: Cyfirma)

The developers used Bytenode to compile the JavaScript source into bytecode (.jsc) in order to further secure their code.
Through this conversion process, readable code is changed into a binary format that is very challenging for security researchers to decompile or examine.

Flow of Chromium Master Key Decryption (Source: Cyfirma)

The attackers raise the bar for analysis and detection by completely deleting the original source code, which guarantees that knowledge of Node.js internals is necessary to comprehend the malware's internal logic.

The following actions should be taken by organizations to protect themselves from LTX Stealer:

- Block Known Indicators: Set up firewalls and endpoint detection systems to prevent traffic to IP addresses linked to the malware's control panel and domains such as eqp.lol.
- Watch for Suspicious Directories: Keep an eye out for the creation of hidden or system-marked directories within user-accessible paths. Pay particular attention to those that imitate reputable vendors, such as "Microsoft Updater."
- Flag Large Binaries: Examine unsigned executables that are abnormally large (greater than 100 MB) and display runtime characteristics typical of Node.js applications.
- Detect Credential Access: Keep an eye out for processes that repeatedly access browser "Local State" files and credential stores, as this is a strong sign of information theft.
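As an added example (not code from the article or from Cyfirma), the following Python script implements two of the recommendations above over constructed input: it flags an unsigned executable larger than 100 MB whose bytes carry Node.js runtime markers, and it counts reads of Chromium "Local State" and credential-store files per process image in constructed EDR-style file-access events, ignoring the browsers themselves. The event line format, the Node.js marker strings, the browser allow-list and the sample paths are assumptions made for this example, not indicators published by Cyfirma.

```python
from __future__ import annotations

import ntpath
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

# Size threshold from the article's guidance: unsigned executables above 100 MB.
SIZE_THRESHOLD_BYTES = 100 * 1024 * 1024

# Byte strings that an executable embedding a Node.js runtime (for example one
# built with pkg) is likely to carry. Assumed heuristic markers chosen for this
# example, not indicators published by Cyfirma.
NODE_RUNTIME_MARKERS = (b"node.exe", b"NODE_OPTIONS", b"PKG_EXECPATH", b"v8::internal")

# Browser images expected to read their own credential stores; any other
# process doing so repeatedly is worth a look. Assumed allow-list.
ALLOWED_BROWSER_IMAGES = {"chrome.exe", "msedge.exe"}


def node_runtime_markers(data: bytes) -> List[str]:
    """Return the Node.js runtime markers present in a binary's raw bytes."""
    return [m.decode() for m in NODE_RUNTIME_MARKERS if m in data]


def is_suspicious_large_binary(size_bytes: int, signed: bool, data: bytes) -> bool:
    """'Flag Large Binaries': unsigned, above the size threshold, and carrying
    at least two Node.js runtime markers."""
    if signed or size_bytes <= SIZE_THRESHOLD_BYTES:
        return False
    return len(node_runtime_markers(data)) >= 2


# Constructed file-access event format (one event per line), loosely modelled
# on EDR file-read telemetry; not a real product's log format.
EVENT_RE = re.compile(
    r'^(?P<ts>\S+) pid=(?P<pid>\d+) image="(?P<image>[^"]+)" '
    r'op=(?P<op>\w+) path="(?P<path>[^"]+)"$'
)

# Chromium "Local State" plus the SQLite stores holding passwords and cookies.
CREDENTIAL_STORE_RE = re.compile(r"\\(Local State|Login Data|Cookies)$", re.IGNORECASE)


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Parse one constructed event line into its fields, or None if malformed."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def find_credential_access(lines: Iterable[str], min_hits: int = 3) -> Dict[str, int]:
    """'Detect Credential Access': count reads of Chromium credential stores per
    non-browser process image and return the images at or above min_hits."""
    hits: Dict[str, int] = defaultdict(int)
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["op"].lower() != "read":
            continue
        if ntpath.basename(ev["image"]).lower() in ALLOWED_BROWSER_IMAGES:
            continue
        if CREDENTIAL_STORE_RE.search(ev["path"]):
            hits[ev["image"]] += 1
    return {image: n for image, n in hits.items() if n >= min_hits}


# Constructed sample telemetry: a binary living in a vendor-look-alike directory
# reads Chrome's and Edge's stores, while the browser reads only its own files.
SAMPLE_EVENTS = [
    r'2026-02-10T09:12:01Z pid=4120 image="C:\Users\alice\AppData\Local\Microsoft Updater\Updater.exe" op=read path="C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"',
    r'2026-02-10T09:12:02Z pid=4120 image="C:\Users\alice\AppData\Local\Microsoft Updater\Updater.exe" op=read path="C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"',
    r'2026-02-10T09:12:03Z pid=4120 image="C:\Users\alice\AppData\Local\Microsoft Updater\Updater.exe" op=read path="C:\Users\alice\AppData\Local\Microsoft\Edge\User Data\Local State"',
    r'2026-02-10T09:12:04Z pid=4120 image="C:\Users\alice\AppData\Local\Microsoft Updater\Updater.exe" op=read path="C:\Users\alice\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies"',
    r'2026-02-10T09:12:05Z pid=4120 image="C:\Users\alice\AppData\Local\Microsoft Updater\Updater.exe" op=write path="C:\Users\alice\AppData\Local\Temp\out.zip"',
    r'2026-02-10T09:12:06Z pid=2210 image="C:\Program Files\Google\Chrome\Application\chrome.exe" op=read path="C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"',
    r'2026-02-10T09:12:07Z pid=2210 image="C:\Program Files\Google\Chrome\Application\chrome.exe" op=read path="C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"',
    r'2026-02-10T09:12:08Z pid=1004 image="C:\Windows\explorer.exe" op=read path="C:\Users\alice\Documents\notes.txt"',
]


if __name__ == "__main__":
    for image, count in find_credential_access(SAMPLE_EVENTS).items():
        print(f"{count} credential-store reads by {image}")
    sample_blob = b"\x00" * 16 + b"node.exe\x00PKG_EXECPATH\x00"
    print("suspicious binary:", is_suspicious_large_binary(271 * 1024 * 1024, False, sample_blob))
```

Run as-is, the script reports four credential-store reads by the look-alike Updater.exe and none by chrome.exe, and marks the 271 MB unsigned blob as suspicious. In production the signature check would come from the platform's Authenticode verification and the events from real EDR telemetry; the threshold of three reads is a starting point to tune against baseline noise from backup agents and password managers.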