PROBABLYPWNED
Malware | May 9, 2026 | 4 min read

Infostealer Campaign Abuses Bun Runtime to Evade Detection

NWHStealer spreads via fake gaming mods and TradingView scripts, using Bun JavaScript runtime and XOR-encrypted C2 to bypass security tools.

James Rivera

A credential-stealing campaign is distributing NWHStealer through fake gaming modifications and software installers, using the Bun JavaScript runtime to evade endpoint security tools. The technique exploits gaps in how security products handle newer development frameworks.

Malwarebytes researchers identified the campaign in early May 2026, noting that Bun's limited presence in security vendor detection signatures makes it an attractive packaging choice for malware authors.

How the Attack Works

Victims encounter the malware through enticing download lures: FiveM mods, TradingView activation scripts, AutoTune 2026 installers, and gaming trainers. The malicious archives contain an Installer.exe that bundles JavaScript code with the Bun runtime.

The infection chain proceeds in stages:

  1. Initial execution - Installer.exe launches Bun with embedded JavaScript
  2. Environment checks - A script called sysreq.js runs PowerShell and WMI queries to detect virtual machines
  3. Payload delivery - If the system appears to be a real machine, memload.js contacts the C2 server
  4. Stealer deployment - The final NWHStealer payload executes

The attackers included a fallback mechanism: a secondary loader named dw.exe sits in a "DW" folder and can take over if the primary Bun-based loader's C2 infrastructure goes offline. This redundancy ensures persistent infection capabilities even when defenders take down command servers.

Why Bun Evades Detection

Bun is a legitimate JavaScript runtime that's gained significant traction among developers since its 2022 release. Unlike Node.js, which has years of security research behind it, Bun's detection signatures in endpoint protection products remain immature.

Security tools generally rely on behavioral heuristics, file reputation, and known-bad signatures. A new runtime framework starts with a blank slate—no malicious samples in threat databases, no behavioral baselines to flag as anomalous. The attackers are exploiting this gap.

This mirrors patterns we've seen with other legitimate tools weaponized by threat actors. The supply chain attacks targeting npm packages similarly abuse the development ecosystem's trust model, and the DAEMON Tools campaign showed how legitimate software installers can become infection vectors.

Technical Evasion Details

The campaign implements multiple anti-analysis techniques:

  • VM detection - PowerShell and WMI queries check for virtualization artifacts before payload delivery
  • Encrypted communications - C2 traffic uses XOR encoding combined with base64, complicating network inspection
  • String obfuscation - Configuration data and payload URLs are encrypted within the JavaScript code

These techniques aren't novel individually, but the combination makes automated analysis more difficult. Sandbox environments are usually identified as virtual machines by the VM checks, so the payload is never delivered to the analysis system, and network monitoring tools may not decode the custom XOR-plus-base64 encoding without specific signatures.

What NWHStealer Takes

The Rust-based stealer targets a broad range of credentials and sensitive data:

  • Browser data - Saved passwords, cookies, autofill data from Chrome, Firefox, Edge
  • Cryptocurrency wallets - MetaMask, Exodus, and other browser-based wallets
  • Application credentials - FileZilla, CoreFTP, Steam, Discord tokens
  • System information - Hardware IDs, installed software, running processes

The stolen data gets exfiltrated to attacker-controlled infrastructure, typically ending up on criminal marketplaces within hours of theft.

Protecting Against This Threat

Defenders should focus on:

  1. User education - Gaming mods, software cracks, and activation scripts remain top infection vectors
  2. Application allowlisting - Restrict execution of unsigned binaries from download directories
  3. Network monitoring - Watch for unusual outbound connections from JavaScript runtime processes
  4. Endpoint detection tuning - Ensure security products flag Bun executing from non-development paths
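As an added illustration of points 3 and 4 (not code from the article or from Malwarebytes), the following heuristics run over constructed process-creation events modelled on the chain described above: Installer.exe launching Bun from a dropped location, and Bun spawning PowerShell with a WMI query. The Sysmon-style field names, the developer-path allowlist and the sample paths are assumptions.

```python
"""Detection heuristics for the Bun-based loader chain (constructed example)."""
import ntpath
import re

# Assumed locations where Bun legitimately runs from on a developer workstation.
DEV_PATH_ALLOWLIST = ("\\.bun\\bin\\", "\\node_modules\\", "\\program files\\")
# Directories a dropped Installer.exe bundle is typically launched from.
DROP_DIRS = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\temp\\")
# Child processes used by the sysreq.js-style environment checks.
RECON_CHILDREN = {"powershell.exe", "pwsh.exe", "wmic.exe"}
WMI_RE = re.compile(r"get-wmiobject|get-ciminstance|win32_computersystem|win32_bios", re.I)

# Constructed Sysmon Event ID 1 (ProcessCreate) style events, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\Downloads\FiveM_Mod_Pack\Installer.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "Installer.exe"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\bun.exe",
     "ParentImage": r"C:\Users\alice\Downloads\FiveM_Mod_Pack\Installer.exe",
     "CommandLine": "bun.exe run sysreq.js"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\bun.exe",
     "CommandLine": "powershell -NoProfile Get-WmiObject Win32_ComputerSystem"},
    {"Image": r"C:\Users\bob\.bun\bin\bun.exe",
     "ParentImage": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "CommandLine": "bun run dev"},  # legitimate developer use, must not fire
]

def classify(event: dict) -> list[str]:
    """Return the names of the rules an event triggers (empty list = no finding)."""
    image = event["Image"].lower()
    parent = event["ParentImage"].lower()
    cmd = event.get("CommandLine", "")
    hits = []
    if ntpath.basename(image) == "bun.exe":
        if not any(m in image for m in DEV_PATH_ALLOWLIST):
            hits.append("bun_outside_dev_path")
        if any(d in parent for d in DROP_DIRS):
            hits.append("bun_spawned_from_download_dir")
    # If the runtime is compiled into Installer.exe itself, key on the
    # parent chain and the WMI child behaviour rather than the image name.
    if ntpath.basename(parent) == "bun.exe" and ntpath.basename(image) in RECON_CHILDREN:
        hits.append("bun_spawned_shell")
        if WMI_RE.search(cmd):
            hits.append("bun_child_wmi_query")
    return hits

def scan(events: list[dict]) -> dict[str, list[str]]:
    """Map each suspicious Image path to the rules it triggered."""
    return {e["Image"]: classify(e) for e in events if classify(e)}
```

Tune the allowlist to where Bun is actually installed in your environment before using the first rule for alerting; the parent-chain and WMI-child rules are the higher-confidence signals.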

For organizations concerned about infostealer threats, the fundamental advice remains unchanged: treat credential theft as a precursor to broader compromise. Stolen session cookies can bypass MFA, and harvested passwords often unlock additional accounts across services.

The use of Bun represents the latest iteration in an ongoing arms race. As security products adapt, attackers will move to the next undermonitored framework. Defense-in-depth—not reliance on any single detection mechanism—remains the only sustainable approach.
