
LTX Stealer

LTX Stealer is a Windows information-stealing malware family, described by CYFIRMA as a new Node.js-based stealer and assessed as being offered as a Stealer-as-a-Service. It is distributed via a heavily obfuscated Inno Setup installer, including samples such as a file named "Negro.exe," which masquerades as a legitimate Windows application. The installer contains a very large encrypted archive, reported as over 375 MB, intended to overwhelm scanners and hinder static analysis. After execution, it drops an "updater.exe" payload into a hidden system directory; this payload is not a legitimate updater but a bundled Node.js runtime built with pkg, embedding malicious JavaScript and dependencies. The JavaScript is compiled to bytecode to complicate reverse engineering.

Its primary objective is data theft. LTX Stealer targets Chromium-based browsers, including Google Chrome and Microsoft Edge, and steals saved passwords, cookies, credentials, and active session tokens. CYFIRMA reported it uses a script named "decrypt.py" that follows Chromium decryption logic to bypass browser key protection. The malware also searches for cryptocurrency-related artifacts, including wallet-related files and browser extensions, with the apparent goal of stealing digital assets and draining cryptocurrency wallets.

The malware uses legitimate cloud services as part of its operator infrastructure. Reporting states it uses Supabase for backend functionality, including authentication and access control for an operator panel, while Cloudflare fronts backend services and helps mask infrastructure. CYFIRMA assessed that LTX Stealer abuses legitimate software frameworks and cloud services to maintain a low-noise profile and evade security controls.

Available reporting indicates LTX Stealer is marketed on criminal channels rather than being bespoke to a single intrusion. Evidence cited by CYFIRMA indicates Stealer-as-a-Service pricing tiers of USD 10 weekly and USD 25 monthly, suggesting low-cost, scalable distribution. High-confidence observed characteristics are: Windows targeting, Node.js runtime embedding, Inno Setup-based delivery, browser credential and session theft from Chromium-based browsers, cryptocurrency artifact targeting, and use of Supabase and Cloudflare in its backend infrastructure.
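The characteristics above (an updater.exe dropped into a hidden directory, a non-browser process reading Chromium credential stores, a staged archive, and backend traffic to a Supabase-hosted API) can be turned into a small correlation rule. The following Python is an added detection example, not code from CYFIRMA or Mallory: the telemetry record layout, the field names (`kind`, `pid`, `image`, `target`, `dir_hidden`), the weights, the alert threshold and the sample events are all assumptions constructed for illustration, and it assumes Supabase project APIs resolve under the general `supabase.co` domain.

```python
"""Score constructed EDR-style telemetry against the behaviours reported for
LTX Stealer. Example code only; event format, weights and sample data are
assumptions made for this illustration, not a vendor's schema."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass, field
import ntpath


@dataclass
class Event:
    """One telemetry record (assumed layout)."""
    kind: str                 # "file_create", "file_read" or "net_connect"
    pid: int                  # acting process id
    image: str                # full path of the acting process image
    target: str               # file path written/read, or remote host
    attrs: dict = field(default_factory=dict)


BROWSERS = {"chrome.exe", "msedge.exe"}           # legitimate readers of their own stores
CHROMIUM_STORES = {"local state", "login data", "cookies", "web data"}
WEIGHTS = {                                        # ATT&CK ids quoted on the page
    "T1564": 3,      # updater.exe written into a hidden directory
    "T1555.003": 4,  # non-browser read of Chromium credential files
    "T1539": 2,      # cookie / session store read
    "T1071.001": 2,  # backend traffic to a Supabase-hosted API
    "T1560": 1,      # archive staged by the same process
}
ALERT_THRESHOLD = 6  # assumed: one indicator alone should not page anyone


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def classify(ev: Event) -> set[str]:
    """Map one event to the technique ids it evidences; empty set means benign."""
    hits: set[str] = set()
    actor, tgt = _base(ev.image), _base(ev.target)
    if ev.kind == "file_create" and tgt == "updater.exe" and ev.attrs.get("dir_hidden"):
        hits.add("T1564")
    if ev.kind == "file_read" and actor not in BROWSERS and tgt in CHROMIUM_STORES:
        hits.add("T1555.003")
        if tgt == "cookies":
            hits.add("T1539")
    if ev.kind == "net_connect" and actor == "updater.exe" \
            and ev.target.lower().endswith(".supabase.co"):
        hits.add("T1071.001")
    if ev.kind == "file_create" and actor == "updater.exe" and tgt.endswith(".zip"):
        hits.add("T1560")
    return hits


def score_processes(events: list[Event]) -> dict[int, tuple[int, list[str]]]:
    """Aggregate technique hits per pid and weight them; silent pids are omitted."""
    hits: dict[int, set[str]] = defaultdict(set)
    for ev in events:
        hits[ev.pid] |= classify(ev)
    return {pid: (sum(WEIGHTS[t] for t in techs), sorted(techs))
            for pid, techs in hits.items() if techs}


def alerts(events: list[Event], threshold: int = ALERT_THRESHOLD) -> list[int]:
    """Pids whose combined score reaches the threshold."""
    return sorted(pid for pid, (score, _) in score_processes(events).items()
                  if score >= threshold)


# Constructed sample telemetry: an installer drop, the dropped payload's
# activity, and two benign look-alikes that must not fire.
UD = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data"
SAMPLE_EVENTS = [
    Event("file_create", 4120, r"C:\Users\alice\Downloads\Negro.exe",
          r"C:\ProgramData\.cache\updater.exe", {"dir_hidden": True}),
    Event("file_read", 4388, r"C:\ProgramData\.cache\updater.exe", UD + r"\Local State"),
    Event("file_read", 4388, r"C:\ProgramData\.cache\updater.exe", UD + r"\Default\Login Data"),
    Event("file_read", 4388, r"C:\ProgramData\.cache\updater.exe", UD + r"\Default\Network\Cookies"),
    Event("file_create", 4388, r"C:\ProgramData\.cache\updater.exe", r"C:\ProgramData\.cache\out.zip"),
    Event("net_connect", 4388, r"C:\ProgramData\.cache\updater.exe", "example-project.supabase.co"),
    Event("file_read", 2210, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
          UD + r"\Local State"),                                  # browser reading its own store
    Event("net_connect", 3001, r"C:\Program Files (x86)\Vendor\updater.exe",
          "updates.example.com"),                                 # a real updater, other backend
]

if __name__ == "__main__":
    for pid, (score, techs) in score_processes(SAMPLE_EVENTS).items():
        print(pid, score, techs)
    print("alert:", alerts(SAMPLE_EVENTS))
```

On the sample data only the dropped updater.exe (pid 4388) crosses the threshold; the installer's hidden-directory drop alone scores 3, which is deliberate. A production rule would link the installer pid to the child it spawned so the drop and the credential-store reads are scored as one chain, and would key on the Supabase and Cloudflare indicators from the page's own IOC set rather than a domain suffix.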


MITRE ATT&CK

Techniques & procedures

13 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

1 technique
T1583.006 Web Services (Evidence: 1)

"hosting payloads on trusted cloud services such as Google Drive and OneDrive"; "retrieve next-stage shellcode payloads... hosted on trusted platforms like Cloudflare Pages, Netlify, and Discord"; "Cloudflare is leveraged to front backend services and mask infrastructure details"

Stealth

3 techniques
T1027 Obfuscated Files or Information (Evidence: 4)

"distributed via a heavily obfuscated Inno Setup installer"; "Delivered via a downloader in a ZIP archive"; "illegally modified game installers distributed via piracy platforms"

T1036 Masquerading (Evidence: 2)

"The infection begins with a file named Negro.exe, which presents itself as a standard Windows application. However, under the hood, it is a Trojan horse. The malware utilizes Inno Setup... to blend in with legitimate software distribution workflows."

T1564 Hide Artifacts (Evidence: 1)

"Once executed, the malware drops a payload named updater.exe into a hidden system directory."

Credential Access

3 techniques
T1539 Steal Web Session Cookie (Evidence: 1)

"...allowing it to recover saved passwords, cookies, and active session tokens."

T1555 Credentials from Password Stores (Evidence: 2)

"LTX Stealer... conducts large-scale credential harvesting from Chromium-based browsers, targets cryptocurrency-related artifacts..."; "Marco Stealer... targets browser data, cryptocurrency wallet information..."

T1555.003 Credentials from Web Browsers (Evidence: 2)

"Once inside, LTX Stealer targets Chromium-based browsers... accesses the 'Local State' files to extract encryption keys... used to unlock saved passwords and session cookies."

Collection

3 techniques
T1005 Data from Local System (Evidence: 1)

"Simultaneously, the malware scans for cryptocurrency wallets..."

T1113 Screen Capture (Evidence: 1)

"...and takes screenshots of the user's activity."

T1560 Archive Collected Data (Evidence: 1)

"All stolen data is compressed and prepared for exfiltration to a command-and-control server."

Command and Control

3 techniques
T1071.001 Web Protocols (Evidence: 1)

"The malware connects to a backend infrastructure powered by Supabase and fronted by Cloudflare, mimicking a professional SaaS application."

T1090 Proxy (Evidence: 1)

"The attackers utilize cloud services like Supabase for authentication and Cloudflare to hide their server's true location..."

T1105 Ingress Tool Transfer (Evidence: 1)

"The payload was built using pkg, which bundles JavaScript code, application dependencies, and the Node.js runtime into a single executable."
