Hackers Use Bun Runtime to Spread NWHStealer via Code Hosts
Attackers are packaging Bun JavaScript runtimes inside ZIPs hosted on GitHub, GitLab, SourceForge and file-sharing sites to deliver the Rust-based NWHStealer with obfuscated loaders.
Security researchers found a campaign that uses the Bun JavaScript runtime to package and deliver the Rust-based infostealer known as NWHStealer. Attackers distribute ZIP archives that include an Installer.exe built with Bun and, in some cases, a fallback dw.exe loader and a Readme file that instructs users to run the fallback if the main installer fails. The archives are hosted on code repositories and file-sharing services to increase the chance of downloads.
The Bun-bundled executable contains an obfuscated JavaScript payload stored in a .bun section. The code is organized into two main modules. One module, labeled sysreq.js, runs multiple anti-virtualization checks using PowerShell CIM and WMI commands. The checks examine CPU count, disk identifiers, BIOS and baseboard manufacturers, screen resolution, attached USB devices, installed software counts, running processes and certain usernames. The module uses a scoring system based on those checks and will stop execution if the environment appears to be a sandbox or virtual machine.
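Because the sandbox checks described above are issued through PowerShell CIM and WMI queries, they leave a footprint in PowerShell script block logging (Event ID 4104) that a detection rule can score the same way the loader does, in reverse. The following Python is an added example written for this article, not code from the researchers or the malware; the log line shape and the sample lines are constructed, and the mapping from standard WMI classes (Win32_BIOS, Win32_BaseBoard and so on) to the attributes listed above is an assumption about which queries the loader would issue, since the page does not reproduce its exact commands. It flags any process that queries several distinct fingerprint attributes inside a short window, while a single Win32_BIOS or Win32_Process lookup from an admin script stays below the threshold.

```python
import re
from datetime import datetime

# Standard WMI/CIM classes mapped to the host attribute each reveals. The
# attribute list follows the article; the class choice is an assumption.
FINGERPRINT_CLASSES = {
    "Win32_Processor": "cpu", "Win32_ComputerSystem": "cpu",
    "Win32_DiskDrive": "disk",
    "Win32_BIOS": "bios",
    "Win32_BaseBoard": "baseboard",
    "Win32_VideoController": "screen", "Win32_DesktopMonitor": "screen",
    "Win32_USBHub": "usb", "Win32_PnPEntity": "usb",
    "Win32_Product": "software",
    "Win32_Process": "processes",
}

# Constructed log lines in an assumed "<iso-time> pid=<n> <script text>" shape.
SAMPLE_LOG = [
    "2024-01-01T10:00:01 pid=4120 Get-CimInstance Win32_Processor | Select NumberOfCores",
    "2024-01-01T10:00:01 pid=4120 Get-CimInstance Win32_DiskDrive | Select Model,SerialNumber",
    "2024-01-01T10:00:02 pid=4120 Get-CimInstance Win32_BIOS | Select Manufacturer",
    "2024-01-01T10:00:02 pid=4120 Get-CimInstance Win32_BaseBoard | Select Manufacturer",
    "2024-01-01T10:00:03 pid=4120 Get-CimInstance Win32_VideoController | Select CurrentHorizontalResolution",
    "2024-01-01T10:00:03 pid=4120 Get-CimInstance Win32_USBHub",
    "2024-01-01T10:00:04 pid=4120 Get-CimInstance Win32_Process | Measure-Object",
    "2024-01-01T10:05:00 pid=5200 Get-CimInstance Win32_Process | Where Name -eq 'notepad.exe'",
    "2024-01-01T10:30:00 pid=6001 Get-WmiObject Win32_BIOS",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) pid=(?P<pid>\d+) (?P<script>.*)$")
CLASS_RE = re.compile(r"\bWin32_[A-Za-z]+\b")


def parse_events(lines):
    """Yield (timestamp, pid, attribute) for every fingerprint class a line queries."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate lines that do not fit the assumed shape
        ts = datetime.fromisoformat(m["ts"])
        for cls in CLASS_RE.findall(m["script"]):
            attr = FINGERPRINT_CLASSES.get(cls)
            if attr:
                events.append((ts, int(m["pid"]), attr))
    return events


def score_fingerprinting(lines, window_seconds=60, min_attributes=4):
    """Return {pid: sorted attributes} for processes that probe at least
    min_attributes distinct host attributes within window_seconds."""
    by_pid = {}
    for ts, pid, attr in parse_events(lines):
        by_pid.setdefault(pid, []).append((ts, attr))
    hits = {}
    for pid, evs in by_pid.items():
        evs.sort()
        # Slide a window over this process's queries, earliest first.
        for i in range(len(evs)):
            seen = set()
            for ts, attr in evs[i:]:
                if (ts - evs[i][0]).total_seconds() > window_seconds:
                    break
                seen.add(attr)
            if len(seen) >= min_attributes:
                hits[pid] = sorted(seen)
                break
    return hits


if __name__ == "__main__":
    for pid, attrs in score_fingerprinting(SAMPLE_LOG).items():
        print(f"pid {pid}: VM-fingerprinting burst, attributes={attrs}")
```

The threshold and window are tuning knobs: the loader described here touches seven attributes in a few seconds, so four within a minute leaves headroom for variants that drop a check, and the sliding window keeps a slow inventory script from accumulating a score over an hour.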
The second module, memload.js, handles command-and-control communication and payload handling. The loader collects system details, a base64-encoded screenshot and other telemetry, then reports that data to a C2 endpoint. It requests a seed and an encrypted payload from the C2, derives an AES key and decrypts the next stage using AES-256-CBC. The decrypted payload is injected into memory and executed.
To perform the injection, the Bun loader uses the bun:ffi module to call native Windows APIs, including VirtualAlloc, VirtualProtect, LoadLibraryA, GetProcAddress, RtlAddFunctionTable, CreateThread and SearchPathA. Those calls enable the loader to allocate memory, change protections, resolve functions and create threads that run the injected code.
The injected component is NWHStealer, a Rust-based infostealer that collects system information, browser data, saved passwords and cryptocurrency wallet data. It can extract credentials from FTP clients and messaging apps, including FileZilla, Steam and Discord. NWHStealer can inject code into browser processes, execute additional payloads such as cryptocurrency miners, attempt to bypass User Account Control and create scheduled tasks to achieve persistence. Researchers observed that the malware can receive updated C2 addresses and configuration data from external services.
Operators use game cheats and popular software as lures; observed archive names include MOUSE_PI_Trainer_v1.0.zip, FiveM Mod.zip, VampireCrawlers_Trainer_v1.0.zip and TradingView-Activation-Script-0.9.zip. Some ZIP files include a DW folder with dw.exe, a self-injection loader variant. The Readme file in those archives instructs users to run dw.exe if Installer.exe fails, providing a fallback delivery path.
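The archive layout the campaign relies on (a Bun-built Installer.exe whose payload lives in a .bun section, a second executable under a DW folder, and a Readme telling the user to run the fallback if the installer fails) is a structure that can be checked before anything is executed. The Python below is an added example written for this article, not tooling from the researchers, and the sample archive it builds is constructed: the fake executables are minimal PE headers with named sections, just enough for the section-table parser, and the Readme wording is invented. It reports three findings that together match the pattern described above and in the recommendation to inspect archive contents; a single match, such as one Bun-built executable, is only a hint, since Bun is a legitimate runtime.

```python
import io
import re
import struct
import zipfile

EXEC_EXT = (".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".js", ".vbs")
FAIL_RE = re.compile(r"\bfail|not work|doesn'?t work", re.IGNORECASE)
EXE_NAME_RE = re.compile(r"\b[\w.-]+\.exe\b", re.IGNORECASE)


def pe_section_names(data):
    """Return the section names of a PE image, or [] if it is not a PE."""
    if len(data) < 64 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size  # after signature + 20-byte COFF header
    names = []
    for i in range(num_sections):
        off = table + 40 * i  # IMAGE_SECTION_HEADER is 40 bytes, name first
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names


def triage_zip(zip_bytes):
    """Return a list of human-readable findings about the archive's contents."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name, lower = info.filename, info.filename.lower()
            data = zf.read(info)
            if lower.endswith(EXEC_EXT) and "/" in name:
                findings.append(f"executable in subfolder: {name}")
            if lower.endswith(".exe") and ".bun" in pe_section_names(data):
                findings.append(f"Bun-bundled executable (.bun section): {name}")
            if "readme" in lower:
                text = data.decode("utf-8", "replace")
                exes = set(EXE_NAME_RE.findall(text))
                if FAIL_RE.search(text) and len(exes) >= 2:
                    findings.append(f"readme instructs fallback execution: {name}")
    return findings


def build_fake_pe(section_names):
    """Constructed stand-in for an executable: DOS stub, PE signature, COFF
    header with SizeOfOptionalHeader=0, and a bare section table."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    dos[60:64] = struct.pack("<I", 64)  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, 0, 0x22)
    table = b"".join(n.encode().ljust(8, b"\0")[:8] + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + table


def build_sample_archive():
    """Constructed archive mirroring the layout described in the article."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Installer.exe", build_fake_pe([".text", ".rdata", ".bun"]))
        zf.writestr("DW/dw.exe", build_fake_pe([".text", ".rdata"]))
        zf.writestr("Readme.txt", "Run Installer.exe. If Installer.exe fails, run DW\\dw.exe instead.\n")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample_archive()):
        print(finding)
```

The section parser reads only the COFF header and section table, so it works on any PE regardless of whether the optional header is present or truncated, and it never maps or runs the image. On real samples the .bun section identifies the packaging, not the intent; the Readme and folder findings are what distinguish this lure from an ordinary Bun application.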
Researchers linked multiple domains to the operation. Domains tied to the Bun loaders include silent-harvester.cc and silent-orbit.cc, while whale-ether.pro and cosmic-nebula.cc were associated with NWHStealer command-and-control. Analysis produced numerous file hashes for distributed samples.
Researchers recommend that security teams and end users verify file publishers and digital signatures, inspect archive contents for unexpected files or instructions, prefer downloads from official vendor sites and use browser-level protections to block known malicious pages before they load.