In our ongoing research into modern infostealers, we have tracked the evolution of NWHStealer, a Rust-based malware that continues to adapt its distribution methods. Attackers behind this stealer are leveraging new technologies to evade detection and maximize reach. Recently, our hunting activities revealed the use of Bun, a relatively new JavaScript runtime, as part of the delivery chain. Bun is a legitimate, high-performance toolkit designed to replace Node.js, integrating a runtime, package manager, test runner, and bundler into a single executable. Its novelty and limited visibility in malware campaigns make it an attractive option for adversaries seeking stealth and operational flexibility.
What is NWHStealer?
NWHStealer is a modular Rust-based infostealer capable of harvesting sensitive data from multiple sources. It is distributed through diverse lures, including Node.js scripts, MSI installers, and now Bun-based JavaScript loaders. Attackers frequently host malicious files on legitimate platforms such as GitHub, GitLab, MediaFire, Itch.io, and SourceForge, blending their activity into normal software distribution ecosystems. Once installed, NWHStealer can collect system information, steal browser and crypto wallet data, exfiltrate credentials from FTP clients and messaging apps, inject malicious code into browser processes, deploy additional payloads such as XMRig, bypass UAC, achieve persistence via scheduled tasks, and dynamically update its C2 infrastructure through Telegram.
The Bun JavaScript Runtime in Malware Distribution
Bun, built in Zig and powered by Apple’s JavaScriptCore engine, is designed for speed and efficiency. Its runtime, package manager, test runner, and bundler make it a powerful development tool. However, attackers have repurposed Bun to package malicious JavaScript loaders into larger executables, complicating detection. In recent campaigns, archives disguised as game trainers or cracked software contained Installer.exe, embedding Bun-bundled JavaScript code. A secondary loader, dw.exe, provided redundancy, ensuring infection even if the primary Bun loader failed. This dual-loader strategy highlights the attackers’ emphasis on resilience and adaptability.
Technical Analysis of the Bun Loader
The Bun loader executes obfuscated JavaScript code divided into two modules: sysreq.js, which performs anti-virtualization checks using PowerShell and WMI commands, and memload.js, which handles C2 communication and payload decryption. The loader evaluates hardware, processes, usernames, and virtualization indicators using a scoring system to decide whether to proceed with infection. It communicates with C2 servers such as silent-harvester.cc, sending encrypted system data, screenshots, and timestamps. Payloads are retrieved via AES-encrypted requests and injected using Win32 APIs accessed through Bun’s bun:ffi module. This integration of Bun with native APIs demonstrates a sophisticated blending of modern JavaScript tooling with low-level system exploitation.
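A defender-side way to turn the behaviour described above (a bundled loader spawning PowerShell/WMI to fingerprint hardware and virtualization before reaching out to C2) into a detection is to score process-creation telemetry. The following Python is an added example written for this article, not code from the NWHStealer sample or from any named product; the WMI class names, vendor strings and path heuristics are generic assumptions, and the events it scans are constructed, not real telemetry from the campaign.

```python
"""Heuristic scoring of process-creation events for a loader that launches
PowerShell/WMI hardware and virtualization probes.  Everything below is an
illustrative assumption; the sample events are constructed."""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# WMI classes commonly used to fingerprint hardware (generic list, assumption).
WMI_HARDWARE_CLASSES = (
    "win32_computersystem", "win32_bios", "win32_baseboard",
    "win32_videocontroller", "win32_diskdrive", "win32_processor",
)
# Hypervisor vendor strings a loader might compare against (assumption).
VIRT_STRINGS = ("vmware", "virtualbox", "vbox", "qemu", "hyper-v", "xen", "kvm")
SHELLS = ("powershell.exe", "pwsh.exe", "wmic.exe")
# Parents running from user-writable locations get extra weight (assumption).
USER_WRITABLE = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\users\\public\\")


@dataclass
class Event:
    parent_image: str
    image: str
    command_line: str


@dataclass
class Finding:
    score: int = 0
    reasons: List[str] = field(default_factory=list)


def score_event(ev: Event) -> Finding:
    """Return a score and the reasons behind it; higher means more loader-like."""
    f = Finding()
    image, cmd, parent = ev.image.lower(), ev.command_line.lower(), ev.parent_image.lower()
    if not image.endswith(SHELLS):
        return f  # only shell / WMI children are scored here
    hits = [c for c in WMI_HARDWARE_CLASSES if c in cmd]
    if hits:
        f.score += 2
        f.reasons.append("wmi hardware query: " + ",".join(hits))
    if any(v in cmd for v in VIRT_STRINGS):
        f.score += 2
        f.reasons.append("hypervisor vendor string in command line")
    if re.search(r"\s-e(c|nc|ncodedcommand)?\s", cmd):
        f.score += 1
        f.reasons.append("encoded command")
    if "-windowstyle hidden" in cmd or "-noprofile" in cmd or " -nop " in cmd:
        f.score += 1
        f.reasons.append("hidden / no-profile shell")
    if any(p in parent for p in USER_WRITABLE):
        f.score += 1
        f.reasons.append("parent launched from user-writable path")
    return f


def detect(events: List[Event], threshold: int = 3) -> List[Tuple[Event, Finding]]:
    """Return (event, finding) pairs whose score reaches the threshold."""
    out = []
    for ev in events:
        f = score_event(ev)
        if f.score >= threshold:
            out.append((ev, f))
    return out


# Constructed sample events (not real telemetry).  Installer.exe and dw.exe are
# the loader names given in the article; paths and command lines are invented.
SAMPLE_EVENTS = [
    Event(r"C:\Users\alice\Downloads\GameTrainer\Installer.exe",
          r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          'powershell.exe -NoProfile -WindowStyle Hidden -Command '
          '"Get-WmiObject Win32_ComputerSystem | Select-Object Manufacturer,Model"'),
    Event(r"C:\Windows\explorer.exe",
          r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell.exe -Command Get-Date"),
    Event(r"C:\Users\alice\Downloads\GameTrainer\Installer.exe",
          r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell.exe -enc SQBFAFgAIABjAGEAbABjAA=="),
    Event(r"C:\Users\alice\AppData\Local\Temp\dw.exe",
          r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          'powershell.exe -NoProfile -Command '
          '"(Get-WmiObject Win32_BIOS).Manufacturer -match \'VMware|VirtualBox\'"'),
]

if __name__ == "__main__":
    for ev, f in detect(SAMPLE_EVENTS):
        print(f.score, ev.parent_image, "->", ev.image, "|", "; ".join(f.reasons))
```

The third sample event (an encoded command from the same parent) deliberately stays below the threshold: a single weak signal should raise the score, not fire on its own. In practice the thresholds and weights would be tuned against your own baseline of legitimate PowerShell/WMI use.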
Indicators of Compromise (IOCs)
Domains: whale-ether[.]pro, cosmic-nebula[.]cc, silent-harvester[.]cc, silent-orbit[.]cc, support-onion[.]club
Hashes:
d3a896f450561b2546b418b469a8e10949c7320212eb1c72b48e2b1e37c34ba5
96fe4ddfe256dc9d2c6faea7c18e2583cd9d9c0099a4ad2cf082f569ee8379f4
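The indicators above are published defanged, so they need to be refanged before they can be matched, and domain matching must catch subdomains without catching look-alikes that merely end in the same characters. The Python below is an added example for this article (not a tool from the article's authors); the DNS log lines and the file bytes it checks are constructed, and only the domains and hashes come from the IOC list.

```python
"""Refang the published IOCs and match them against constructed DNS log lines
and file hashes.  The log layout and the sample lines are invented."""
import hashlib
from typing import List, Optional, Tuple

DEFANGED_DOMAINS = [
    "whale-ether[.]pro", "cosmic-nebula[.]cc", "silent-harvester[.]cc",
    "silent-orbit[.]cc", "support-onion[.]club",
]
SHA256_IOCS = {
    "d3a896f450561b2546b418b469a8e10949c7320212eb1c72b48e2b1e37c34ba5",
    "96fe4ddfe256dc9d2c6faea7c18e2583cd9d9c0099a4ad2cf082f569ee8379f4",
}


def refang(indicator: str) -> str:
    """Turn common defanging conventions back into a matchable, lower-cased form."""
    return (indicator.strip().lower()
            .replace("[.]", ".").replace("(.)", ".").replace("{.}", ".")
            .replace("hxxp", "http"))


IOC_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}


def host_matches(host: str) -> Optional[str]:
    """Return the IOC domain that `host` equals or is a subdomain of, else None.
    The leading-dot check means 'notsilent-orbit.cc' does not match 'silent-orbit.cc'."""
    h = host.strip().lower().rstrip(".")
    for d in IOC_DOMAINS:
        if h == d or h.endswith("." + d):
            return d
    return None


def hash_in_iocs(hexdigest: str) -> bool:
    """Case-insensitive lookup of a SHA-256 hex digest in the IOC set."""
    return hexdigest.strip().lower() in SHA256_IOCS


def sha256_in_iocs(data: bytes) -> bool:
    """Hash raw file bytes and look the digest up."""
    return hash_in_iocs(hashlib.sha256(data).hexdigest())


# Constructed DNS log in a simple "timestamp client query type host" layout.
SAMPLE_DNS_LOG = """\
2024-01-01T10:00:01Z 10.0.0.5 query A updates.example.com
2024-01-01T10:00:07Z 10.0.0.5 query A silent-harvester.cc
2024-01-01T10:00:09Z 10.0.0.9 query A api.cosmic-nebula.cc
2024-01-01T10:00:12Z 10.0.0.9 query A notsilent-orbit.cc
"""


def scan_dns_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (client, queried host, matched IOC domain) for every hit."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # skip malformed lines rather than guessing at fields
        client, host = parts[1], parts[-1]
        ioc = host_matches(host)
        if ioc:
            hits.append((client, host, ioc))
    return hits


if __name__ == "__main__":
    for client, host, ioc in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{client} queried {host} (matches IOC {ioc})")
    print("constructed bytes match an IOC hash:", sha256_in_iocs(b"constructed sample"))
```

Because the file hashes identify specific samples, a mismatch says nothing about repacked variants; the DNS and behavioural checks carry more weight once the attackers rotate binaries.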
How to Stay Safe
Given the widespread distribution of NWHStealer, users must adopt strict hygiene practices. Always download software from official sources, verify publishers and signatures, and scrutinize archives for inconsistencies. Be cautious with downloads from platforms like GitHub or SourceForge unless the developer’s reputation is established. Attackers are constantly creating new profiles and lures, making vigilance essential.
Our Opinion on This Case
The adoption of Bun in NWHStealer’s distribution chain is a striking example of how attackers exploit emerging technologies to stay ahead of defenders. Bun’s novelty and efficiency make it appealing for legitimate developers, but its integration into malware campaigns underscores the dual-use nature of modern tools. By embedding malicious JavaScript into Bun bundles, attackers achieve stealth, resilience, and compatibility across environments. The dual-loader strategy, with both Bun-based and dw.exe loaders, reflects a deliberate focus on redundancy, ensuring infection even if one vector fails.

From a defensive standpoint, this case highlights the urgent need for security teams to expand detection beyond traditional malware signatures. Behavioral monitoring of legitimate utilities, runtime analysis of bundled executables, and anomaly detection in PowerShell/WMI usage are critical. Organizations must adopt defense-in-depth strategies, combining endpoint telemetry, threat intelligence, and proactive hunting.

Ultimately, the NWHStealer campaign demonstrates that attackers are not only innovating with malware code but also with distribution ecosystems. As new runtimes and frameworks emerge, defenders must anticipate their misuse and adapt accordingly.
