Attackers Abuse Bun JavaScript Runtime to Spread NWHStealer Infostealer

Threat actors are distributing NWHStealer, a Rust-based infostealer (malware designed to exfiltrate credentials, browser data, and cryptocurrency wallet information), by packaging it inside the Bun JavaScript runtime — a legitimate, high-performance development tool — to evade antivirus and endpoint detection. Malwarebytes researchers published their analysis on May 6, 2026, documenting how attackers are hosting malicious ZIP archives on trusted platforms including GitHub, GitLab, MediaFire, and SourceForge to reach victims.

NWHStealer and Bun: Technical Details

Why Bun Makes Detection Harder

Bun is a modern JavaScript and TypeScript runtime built as a high-performance alternative to Node.js. Released publicly in 2022, it compiles JavaScript directly to native machine code using the JavaScriptCore engine and packages applications into single self-contained executables. Because Bun is still relatively new and rarely appears in malware samples, security tools lack the behavioral signatures to recognize malicious Bun bundles the way they recognize malicious Node.js or Electron applications — both of which have accumulated years of detection rules. Attackers exploit this coverage gap by packaging their malicious JavaScript payload inside a Bun runtime executable, where it looks like a legitimate developer application to scanners without JavaScript-specific deobfuscation capabilities.

Infection Chain

Victims reach the malware through game cheats, game trainers, and cracked software distributed as ZIP archives:

  • MOUSE_PI_Trainer_v1.0.zip
  • FiveM Mod.zip (FiveM is a popular Grand Theft Auto V modification platform)

The archives are hosted on GitHub, GitLab, MediaFire, and SourceForge — platforms that carry inherent legitimacy and whose URLs are often trusted by proxy and web filtering solutions.

Execution flow:

  • The victim extracts and runs Installer.exe, which embeds the Bun JavaScript runtime alongside obfuscated malicious JavaScript.
  • A fallback executable dw.exe executes if the primary loader fails.
  • Two JavaScript components are invoked:
      • sysreq.js — anti-virtualization and sandbox detection
      • memload.js — C2 communication and payload decryption/execution

Anti-Virtualization Checks

sysreq.js runs more than 10 PowerShell commands to detect virtual environments before proceeding. It checks:

  • CPU core count (virtual machines often show fewer cores)
  • Disk space (sandboxes frequently use small disks)
  • Screen resolution (headless sandboxes may report non-standard resolutions)
  • MAC address prefixes for known hypervisors

It compares the gathered values against known indicators for QEMU, SeaBIOS, Bochs, VBox, VMware, VirtualBox, KVM, and Xen. If a virtual environment is detected, the malware terminates without executing — preventing detonation inside security sandboxes.

Payload Decryption

memload.js decrypts the final NWHStealer payload using a two-stage scheme:

  • Strings in the JavaScript are obfuscated with XOR plus Base64 encoding
  • The final binary payload uses AES-256-CBC decryption with a nonce and authentication tag

Once decrypted, the payload is injected into memory using standard Win32 API calls: VirtualAlloc, CreateThread, and RtlAddFunctionTable.
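The string-obfuscation layer described above (XOR, then Base64) is the part an analyst usually has to peel off first when reading memload.js. The following is an added example of analyst-side deobfuscation, not code from the page, the Malwarebytes report, or the malware; the key, the key length, the crib and the sample strings are all constructed here. It assumes a repeating-key XOR, which is the common form of this layering, and recovers the key with a known-plaintext crib (here `https://`, on the assumption that at least one obfuscated string is a URL) before decoding the rest.

```python
import base64
from itertools import cycle
from typing import List, Optional


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR every byte of data with a repeating key. XOR is its own inverse,
    so the same call both applies and strips the layer."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def decode_string(b64: str, key: bytes) -> str:
    """Strip the two layers the page describes: Base64 outside, XOR inside."""
    return xor_bytes(base64.b64decode(b64), key).decode("utf-8", errors="replace")


def _looks_like_text(raw: bytes) -> bool:
    """Cheap sanity filter: printable ASCII plus common whitespace."""
    return all(0x20 <= b < 0x7F or b in b"\r\n\t" for b in raw)


def recover_key(b64: str, crib: bytes, key_len: int) -> Optional[bytes]:
    """Known-plaintext key recovery for a repeating-key XOR.

    If the plaintext contains `crib` at some offset, XORing the ciphertext
    with the crib at that offset yields key bytes at positions
    (offset + i) % key_len. The first offset that fills the whole key
    consistently and decodes the full string to printable text wins.
    The crib must be at least key_len bytes long to fill every position."""
    ct = base64.b64decode(b64)
    for off in range(len(ct) - len(crib) + 1):
        key: list = [None] * key_len
        consistent = True
        for i, p in enumerate(crib):
            idx = (off + i) % key_len
            k = ct[off + i] ^ p
            if key[idx] is None:
                key[idx] = k
            elif key[idx] != k:
                consistent = False
                break
        if consistent and None not in key:
            candidate = bytes(key)
            if _looks_like_text(xor_bytes(ct, candidate)):
                return candidate
    return None


def deobfuscate_all(encoded: List[str], crib: bytes, key_len: int) -> List[str]:
    """Recover the key from the first string that contains the crib, then
    decode every string with it."""
    for s in encoded:
        key = recover_key(s, crib, key_len)
        if key is not None:
            return [decode_string(e, key) for e in encoded]
    raise ValueError("crib not found with that key length")


# Constructed sample: the key and plaintexts are invented for this example and
# are not values taken from the NWHStealer sample. They are obfuscated here
# with the same XOR-then-Base64 layering so the decoder has realistic input.
SAMPLE_KEY = bytes([0x5A, 0x13, 0x7F, 0x2E])
SAMPLE_PLAINTEXTS = [
    "https://c2.example.invalid/gate",
    "schtasks /create /tn Updater",
]
SAMPLE_B64 = [
    base64.b64encode(xor_bytes(p.encode(), SAMPLE_KEY)).decode()
    for p in SAMPLE_PLAINTEXTS
]

if __name__ == "__main__":
    for line in deobfuscate_all(SAMPLE_B64, b"https://", key_len=4):
        print(line)
```

In practice the key length is not known up front; iterating `key_len` over a small range (say 1 to 16) and keeping the first candidate that passes the printable check is the usual approach, and a longer crib (a full hostname you expect to be present) cuts down false candidates.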

NWHStealer Capabilities

NWHStealer is written in Rust, a systems programming language increasingly favored by malware authors because Rust binaries are large (harder for scanners to hash-match), strip-friendly (less metadata), and do not require runtime dependencies that might trigger behavioral alerts.

The stealer collects:

  • Browser credentials and cookies — Chrome, Chromium-based browsers, Firefox
  • Browser extension data — targeting cryptocurrency wallet extensions (MetaMask, Phantom, etc.)
  • Application credentials — FileZilla (FTP client), Steam (gaming platform), Discord (messaging platform)
  • System information — OS version, installed security software, connected hardware

Beyond credential theft, NWHStealer injects code into browser processes to execute additional payloads and has been observed dropping XMRig, a legitimate cryptocurrency miner repurposed for cryptojacking (unauthorized use of victim CPU resources to mine cryptocurrency for the attacker).

Persistence and privilege escalation:

  • Creates a scheduled task (Windows Task Scheduler entry) for persistence across reboots
  • Attempts UAC bypass (User Account Control bypass — exploiting Windows prompts to gain elevated administrator privileges without user approval)

Command-and-control updates:

NWHStealer retrieves updated C2 addresses from Telegram — another legitimate platform used to avoid network-level C2 blocking. The current C2 domains observed in Malwarebytes' analysis:

  • whale-ether[.]pro and cosmic-nebula[.]cc — NWHStealer primary C2
  • silent-harvester[.]cc, silent-orbit[.]cc, support-onion[.]club — Bun loader C2

Exploitation Status

No CVE (Common Vulnerabilities and Exposures identifier) number is associated with this campaign. NWHStealer does not exploit a software vulnerability — it relies on social engineering (luring victims with game cheats and cracked software) and legitimate tool abuse. There is no CVE/CVSS score applicable.

MITRE ATT&CK techniques observed:

  • T1566.002 — Phishing: Spearphishing Link (malicious archives on file-sharing sites)
  • T1059.007 — Command and Scripting Interpreter: JavaScript
  • T1082 — System Information Discovery (CIM/WMI queries in sysreq.js)
  • T1497.001 — Virtualization/Sandbox Evasion
  • T1548.002 — Abuse Elevation Control Mechanism: UAC Bypass
  • T1053.005 — Scheduled Task/Job: Scheduled Task (persistence)
  • T1555.003 — Credentials from Password Stores: Credentials from Web Browsers
  • T1102 — Web Service (Telegram C2 address retrieval)

Who Is Affected

Windows users who download game trainers, mods, or cracked software from file-sharing platforms. The distribution via legitimate hosting (GitHub, SourceForge) raises the risk for users who apply an "if it's on GitHub it's safe" heuristic — a heuristic that is no longer reliable.

There is no sector-specific targeting; NWHStealer appears opportunistic. The harvested credentials (browser logins, cryptocurrency wallets, Discord) suggest a financially motivated actor seeking sellable credentials for account-takeover operations or direct cryptocurrency theft.

What You Should Do Right Now

  • Block the C2 domains at DNS and proxy level. Add whale-ether[.]pro, cosmic-nebula[.]cc, silent-harvester[.]cc, silent-orbit[.]cc, and support-onion[.]club to your DNS blocklist.
  • Hash-check the IOCs. Query your EDR (Endpoint Detection and Response) for the SHA-256 hashes below. Focus on systems where users have administrator rights and a history of downloading games or software from unofficial sources.
  • Alert on suspicious scheduled task creation. A SIEM rule triggering on new schtasks.exe /create invocations from non-IT processes is a high-fidelity indicator for this and many other infostealers. To review what is already registered on a host:

    # PowerShell: list scheduled tasks registered in the last 7 days.
    # The Date property is an ISO-8601 string and is empty for some built-in
    # tasks, so cast it explicitly and skip blanks instead of comparing strings.
    Get-ScheduledTask |
      Where-Object { $_.Date -and [datetime]$_.Date -gt (Get-Date).AddDays(-7) } |
      Select-Object TaskName, TaskPath, Date
  • Educate users about cheat software risk. Game trainers and cracks are a persistent infostealer delivery vector. This is a policy and awareness problem as much as a technical one.
  • Rotate credentials on any system where the IOCs are found. Priority: browser-saved passwords, Discord tokens, any cryptocurrency wallet seed phrases accessible from the machine.
  • Deploy Malwarebytes Browser Guard or equivalent. The Malwarebytes report notes that their Browser Guard product blocks the known malicious domains associated with this campaign.
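The first three items above (block the C2 domains, hash-check the IOCs, alert on schtasks.exe /create from non-IT processes) are straightforward to express as detection logic over endpoint telemetry. The block below is an added example of that logic, not code from the page or from Malwarebytes. The domains and SHA-256 hashes are the ones the page lists; the event format, the host names, the file paths, the allowlist of task-creating parents, and the mmc.exe event are constructed for the example, and the allowlist in particular is an assumption to be tuned to your own management tooling.

```python
import ntpath
from typing import Dict, List

# Indicators quoted on the page from the Malwarebytes report, with the
# de-fanging brackets removed so they match what a resolver actually logs.
C2_DOMAINS = {
    "whale-ether.pro",
    "cosmic-nebula.cc",
    "silent-harvester.cc",
    "silent-orbit.cc",
    "support-onion.club",
}
IOC_SHA256 = {
    "d3a896f450561b2546b418b469a8e10949c7320212eb1c72b48e2b1e37c34ba5",
    "96fe4ddfe256dc9d2c6faea7c18e2583cd9d9c0099a4ad2cf082f569ee8379f4",
}
# Assumption: parent images from which scheduled-task creation is expected
# in this fleet (management console, ConfigMgr agent). Tune to your estate.
ALLOWED_TASK_CREATORS = {"mmc.exe", "ccmexec.exe"}


def image_name(path: str) -> str:
    """Basename of a Windows image path, lower-cased for comparison."""
    return ntpath.basename(path).lower()


def domain_is_blocked(query: str) -> bool:
    """True if the queried name is a C2 domain or a subdomain of one."""
    q = query.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in C2_DOMAINS)


def evaluate(event: Dict) -> List[str]:
    """Apply the page's three checks to one telemetry event and return the
    names of the rules it triggers (empty list if none)."""
    alerts: List[str] = []
    if event["type"] == "process":
        if (image_name(event["image"]) == "schtasks.exe"
                and "/create" in event["cmdline"].lower()
                and image_name(event["parent"]) not in ALLOWED_TASK_CREATORS):
            alerts.append("schtasks-create-from-non-it-process")
        if event.get("sha256", "").lower() in IOC_SHA256:
            alerts.append("ioc-hash-match")
    elif event["type"] == "dns" and domain_is_blocked(event["query"]):
        alerts.append("c2-domain-lookup")
    return alerts


def scan(events: List[Dict]) -> List[Dict]:
    """One finding per alerting event: host, responsible process, rules hit."""
    findings = []
    for ev in events:
        hits = evaluate(ev)
        if hits:
            proc = ev.get("image") or ev.get("process", "")
            findings.append({"host": ev["host"],
                             "process": image_name(proc),
                             "rules": hits})
    return findings


# Constructed sample telemetry, loosely modelled on Sysmon-style process
# creation and DNS events. Installer.exe and "FiveM Mod" are names from the
# page; the hosts, user paths, and the benign mmc.exe event are invented.
SAMPLE_EVENTS = [
    {"type": "process", "host": "WS01",
     "image": r"C:\Users\alice\Downloads\FiveM Mod\Installer.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "Installer.exe",
     "sha256": "d3a896f450561b2546b418b469a8e10949c7320212eb1c72b48e2b1e37c34ba5"},
    {"type": "process", "host": "WS01",
     "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Users\alice\Downloads\FiveM Mod\Installer.exe",
     "cmdline": "schtasks.exe /Create /TN Updater /TR <placeholder>"},
    {"type": "process", "host": "WS02",
     "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\mmc.exe",
     "cmdline": "schtasks.exe /Create /TN NightlyBackup /TR <placeholder>"},
    {"type": "dns", "host": "WS01", "process": "Installer.exe",
     "query": "api.whale-ether.pro"},
    {"type": "dns", "host": "WS02", "process": "chrome.exe",
     "query": "github.com"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Three findings come back for WS01 (hash match on the installer, the task creation it spawned, and the lookup of a C2 subdomain) and none for WS02, where the task creation came from the management console. The subdomain suffix check matters because C2 lookups frequently target a host under the listed domain rather than the apex; the `"." + d` form avoids matching unrelated names that merely end in the same characters.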

Indicators of Compromise

SHA-256 file hashes:

  • d3a896f450561b2546b418b469a8e10949c7320212eb1c72b48e2b1e37c34ba5
  • 96fe4ddfe256dc9d2c6faea7c18e2583cd9d9c0099a4ad2cf082f569ee8379f4

Key file names: Installer.exe, dw.exe, sysreq.js, memload.js

C2 domains:

  • whale-ether[.]pro
  • cosmic-nebula[.]cc
  • silent-harvester[.]cc
  • silent-orbit[.]cc
  • support-onion[.]club

Background: Understanding the Risk

The use of legitimate developer runtimes as malware carriers has a documented history. Attackers have previously weaponized Electron (used in Visual Studio Code and Slack), Node.js, and Python to package infostealers that blend into developer environments. Bun represents the newest iteration of this evasion category: a runtime that is sufficiently obscure to avoid existing AV signatures but widely enough known in developer circles to appear plausible when found on a system.

This technique — living inside a legitimate runtime — is harder to block than traditional executable malware because security products must either flag all Bun executables (creating enormous false-positive rates in developer environments) or develop Bun-specific behavioral analysis. Neither option is quick to implement.

The XMRig side-payload is also worth noting. Infostealers dropping cryptocurrency miners have become common as a secondary monetization mechanism: if stolen credentials are low value, the attacker still profits from CPU cycles. Organizations monitoring for unexpected CPU utilization spikes may detect NWHStealer through this secondary effect before credential theft is identified.

The reliance on Telegram for C2 address distribution is another established evasion pattern. Blocking Telegram at the enterprise perimeter is feasible in high-security environments but impractical in most organizations where Telegram is used for legitimate communication. Behavioral detection — looking for processes that open Telegram API connections at startup rather than user interaction — is the more reliable approach.

Conclusion

NWHStealer's use of the Bun JavaScript runtime closes a detection gap that most security tools have not yet addressed. Users downloading software from unofficial sources — including GitHub repositories and SourceForge pages — should treat any executable that bundles an unfamiliar runtime as suspicious until verified. Security teams should prioritize adding the C2 domains to blocklists and alerting on scheduled task creation from non-IT processes.

For any query contact us at contact@cipherssecurity.com
