
New Lucid Stealer Targets 18 Browsers, Crypto Wallets, and Discord Tokens With Hidden Remote Access


Jun 08, 2026

A newly identified piece of Windows malware is raising serious concerns among cybersecurity professionals for its wide reach and unusually deep set of capabilities.

Discovered through underground channels linked to Telegram, the threat known as Lucid Stealer goes far beyond stealing a few stored passwords. It can take full control of an infected machine without the victim ever noticing anything is wrong.

What makes this malware particularly dangerous is how it disguises itself. The entire malicious package is wrapped inside a legitimate Node.js runtime, making it look like a normal software application to most standard security tools.

This clever packaging allows it to slip past basic defenses while quietly carrying out a wide range of harmful activities in the background.

Researchers at Foresiet identified and statically analyzed this Lucid Stealer build after noticing renewed activity tied to a dedicated Telegram channel promoting the tool as a paid, subscription-based product. 

Foresiet said in a report shared with Cyber Security News (CSN) that the sample is far more capable than a typical credential stealer, combining data theft with live remote access in a single build.

The malware is sold as a commercial service, complete with a hosted web panel, license keys, and an active support channel.

The operators briefly shut down the project in late May 2026 before relaunching it days later, announcing a full rebuild of the site and even a planned move away from Node.js toward Java for better evasion. This shows that the people behind it are actively investing in improving and expanding the threat.

The situation is especially serious because infections should be treated as full compromises. Credentials, browser cookies, Discord sessions, crypto wallet keys, and Roblox session data are all at risk the moment the malware runs.

Defenders are urged to act fast and assume everything stored on the infected machine has already been seen by the attacker.

New Lucid Stealer Targets 18 Browsers, Crypto Wallets, and Discord Tokens

Lucid Stealer is built to steal from nearly every corner of a user’s digital life. The analyzed build targets 18 browsers, 21 cryptocurrency clipper formats, seven desktop wallets, seven wallet browser extensions, and four Discord client variants.

Lucid Stealer web authentication panel (Source - Foresiet)

It goes after saved credentials, session cookies, autofill data, and browser history using a bundled SQLite tool to query copied browser databases directly.

The malware injects itself into Discord clients to steal tokens and modify the app to send stolen data back continuously. It also monitors clipboard activity, so any crypto wallet address a victim copies can be silently swapped with one controlled by the attacker.

These capabilities work together to drain both financial accounts and communication platforms at the same time.

What truly sets this threat apart is its remote access module. The malware includes a hidden desktop control feature, called HVNC (hidden VNC), that lets operators take over a machine visually without opening any visible window on the victim’s screen.

Combined with a remote shell, a file manager, keylogging, and screenshot capture, the attacker has essentially the same access as if they were sitting in front of the machine themselves.

Infection Chain and Detection Guidance for Defenders

The malware arrives in a password-protected ZIP archive. Once opened, it runs through a layered setup process that drops helper files, sets up persistence in the Windows registry, and optionally tries to gain elevated privileges.

Infection flow (Source - Foresiet)

By the time the main payload decrypts and runs, the attacker already has a stable foothold.

Security teams should focus on behavior-based detection rather than relying only on file hashes, since the operators have already announced plans to rebuild the malware on a new platform.

Temporary self-copies in the Windows TEMP folder disguised as “winupd” files, suspicious HKCU Run registry entries named WindowsUpdate, and unexpected .node module files appearing in user profiles are among the strongest signals of an active infection, and hunting for them should be the first step.

Network defenders should block all traffic to the known C2 address and watch for repeated POST requests to internal log and upload endpoints as additional confirmation.
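One way to turn this host guidance into a repeatable hunt, written here as an added example rather than code from Foresiet or the article: the PowerShell function below checks the HKCU Run value, the %TEMP% file names and the %LOCALAPPDATA%\Common drop location listed in the IoC table, then hashes each file hit against the published SHA-256 values. The function name and output fields are this example's own choice; the paths, value name and hashes are the ones the report publishes.

```powershell
# Added example, not code from Foresiet or the article: a host hunt for the
# Lucid Stealer artefacts named in the detection guidance and the IoC table.
# Run on a suspect Windows host as the logged-on user (HKCU and %TEMP% are
# per-user). Function name and output fields are this example's own choice.

# SHA-256 values published in the report (lower-case for comparison)
$LucidHashes = @(
    'a380e66f381c9f88f4f221906f12b73e1f43517c8e5f6affcaca71fad3340d5f',  # outer ZIP
    '101351cff5f971cd39bd6280be02a5e0e8f08d9874cae78b971e3a421a7050f6',  # Node.js SEA exe
    'cad3f0dde70a5d37c996abee75f39aff8e7603862f071a8c85cb48ee5482750f',  # decrypted JS core
    '5e33fe030fb7c3bbe2bca1f70f21a406716961aefdfb1bc030d7c65b7db055e9',  # SQLite helper
    'fc52b15848191ad97213d49c7f3c21760e1cc9507d5fb0d77fa75b7620c0deac',  # UAC N-API addon
    '6fb83f431f43d7b13e411676cdaa98d8ce005ffd61eed9d1d117698476acfb44',  # HVNC module
    '18e61b06068a8dd71e19ed3b117e4b0800f6dfbf252f381961dbb15b44ecc481',  # RobotJS addon
    'f85e5b19198cc4800be76346bb2868abdd45acbb314968cf2fe41cb18b502bfa'   # Canvas addon
)

function Find-LucidStealerArtifacts {
    [CmdletBinding()]
    param()

    $findings = @()

    # 1. Persistence: an HKCU Run value named "WindowsUpdate" (the name mimics a Windows component)
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['WindowsUpdate']) {
        $findings += [pscustomobject]@{
            Type   = 'Registry'
            Path   = "$runKey\WindowsUpdate"
            Detail = "autorun points to: $($run.WindowsUpdate)"
        }
    }

    # 2. Loader self-copy, SQLite helper, staged archive and logs dropped in %TEMP%
    $tempPatterns = 'winupd_*.exe', '_sq3e_*.exe', 'Data_*.zip', 'uac.log.txt', 'lucid_err.log'
    foreach ($pattern in $tempPatterns) {
        foreach ($file in Get-ChildItem -Path $env:TEMP -Filter $pattern -File -Force -ErrorAction SilentlyContinue) {
            $findings += [pscustomobject]@{ Type = 'File'; Path = $file.FullName; Detail = "matches $pattern" }
        }
    }

    # 3. Native addons (UAC, HVNC, RobotJS, Canvas) dropped as .node modules under %LOCALAPPDATA%\Common
    $addonRoot = Join-Path $env:LOCALAPPDATA 'Common'
    if (Test-Path -LiteralPath $addonRoot) {
        foreach ($file in Get-ChildItem -Path $addonRoot -Recurse -Filter '*.node' -File -Force -ErrorAction SilentlyContinue) {
            $findings += [pscustomobject]@{ Type = 'File'; Path = $file.FullName; Detail = '.node addon in a user profile' }
        }
    }

    # 4. Hash each file hit against the published list; a match confirms this build,
    #    a non-match still deserves triage because the operators announced a rebuild
    foreach ($f in ($findings | Where-Object { $_.Type -eq 'File' })) {
        $hash = (Get-FileHash -LiteralPath $f.Path -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($hash -and ($LucidHashes -contains $hash.ToLower())) {
            $f.Detail += '; SHA-256 matches a published Lucid Stealer IoC'
        }
    }

    return $findings
}

# Usage: print the findings; an empty table means none of the listed artefacts are present
Find-LucidStealerArtifacts | Format-Table -AutoSize
```

The hunt uses foreach statements rather than a ForEach-Object pipeline so that the $findings array is updated in the function's own scope, and it reports path matches even when the hash does not match, because a renamed or rebuilt loader would otherwise be missed.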

Indicators of Compromise (IoCs)

| Type | Indicator | Description |
| --- | --- | --- |
| SHA-256 | a380e66f381c9f88f4f221906f12b73e1f43517c8e5f6affcaca71fad3340d5f | Outer WinZip-AES password-protected ZIP archive |
| SHA-256 | 101351cff5f971cd39bd6280be02a5e0e8f08d9874cae78b971e3a421a7050f6 | Inner 100 MB Windows x64 Node.js SEA executable (primary payload) |
| SHA-256 | 8422c48d6301426a39bf9b3d7f11bdbee7708e8a4e58171f38a5b5e51a8a53b8 | Embedded ~8.5 MB NODE_SEA_BLOB JavaScript loader |
| SHA-256 | cad3f0dde70a5d37c996abee75f39aff8e7603862f071a8c85cb48ee5482750f | Decrypted JavaScript stealer/RAT core payload |
| SHA-256 | 5e33fe030fb7c3bbe2bca1f70f21a406716961aefdfb1bc030d7c65b7db055e9 | Bundled SQLite helper binary |
| SHA-256 | fc52b15848191ad97213d49c7f3c21760e1cc9507d5fb0d77fa75b7620c0deac | UAC/elevation native N-API addon |
| SHA-256 | 6fb83f431f43d7b13e411676cdaa98d8ce005ffd61eed9d1d117698476acfb44 | HVNC hidden desktop control native module |
| SHA-256 | 18e61b06068a8dd71e19ed3b117e4b0800f6dfbf252f381961dbb15b44ecc481 | RobotJS screen capture and synthetic input addon |
| SHA-256 | f85e5b19198cc4800be76346bb2868abdd45acbb314968cf2fe41cb18b502bfa | Canvas addon for screenshots and streaming |
| IP Address | 45[.]138[.]16[.]107:3001 | Primary C2 command-and-control endpoint (hard-coded in sample, AS210558) |
| IP Address | 85[.]239[.]155[.]68 | Resolving infrastructure for lucidstealer[.]one at analysis time |
| Domain | lucidstealer[.]one | User-supplied panel domain |
| Domain | iloveyoulucid[.]space | User-supplied panel domain; resolved in DNS at analysis time |
| Domain | ghdfhfjhfg[.]webhop[.]me | User-supplied panel domain; no DNS resolution at analysis time |
| Domain | 0kt[.]one | User-supplied panel domain; resolved in DNS at analysis time |
| Domain | storedonutsmp[.]net | User-supplied panel domain; resolved in DNS at analysis time |
| URI | /upload | Stolen-data archive upload endpoint |
| URI | /internal/log | Metadata and keylog telemetry endpoint |
| URI | /dc-injector | Discord injection payload retrieval endpoint |
| URI | /ws | WebSocket C2 communication path |
| File | %TEMP%\winupd_<random>.exe | Hidden self-copy of the loader |
| File | %TEMP%_sq3e_<pid>.exe | Dropped SQLite helper binary |
| File | %LOCALAPPDATA%\Common\<id>*.node | Dropped native addons (UAC, HVNC, RobotJS, Canvas) |
| File | %TEMP%\Data_<hwid>.zip | Staged exfiltration archive |
| File | %TEMP%\uac.log.txt | Loader and elevation activity log |
| File | %TEMP%\lucid_err.log | Loader error log |
| Registry Key | HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate | Autorun persistence value pointing to loader self-copy |
| Crypto Address | bc1qj0uraqhgquwcwdlhazy7ahzypz7r987z89dhwe | BTC clipper replacement address (disabled in this build) |
| Crypto Address | 0x239df70C0d328dEb4187A8B50a70ead8cbb1f48D | ETH clipper replacement address (disabled in this build) |
| Crypto Address | LYUQyhrqHS9VXzRkQWRHvVEtr5aCCSoVig | LTC clipper replacement address (disabled in this build) |
| License Key | LUCID-M8NJ-SLBQ-ROI2 | Embedded license key found in sample configuration |

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
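The network side of the detection guidance (block the C2 address, watch for repeated POST requests to the log and upload endpoints) can be applied to proxy or web-server logs with the added example below. It is not code from Foresiet or the article; the indicator list is kept defanged as the note above recommends and is re-fanged only inside the matcher, and the log format and sample lines are constructed for this example.

```powershell
# Added example, not code from Foresiet or the article: flag proxy or web-server
# log lines that match the published Lucid Stealer network indicators. Indicators
# stay defanged in the list and are re-fanged only inside the matcher. The log
# format and the sample lines at the bottom are constructed for this example.

$LucidNetworkIocs = @(
    '45[.]138[.]16[.]107',      # primary C2 (port 3001 in the sample)
    '85[.]239[.]155[.]68',      # infrastructure behind lucidstealer[.]one
    'lucidstealer[.]one',
    'iloveyoulucid[.]space',
    'ghdfhfjhfg[.]webhop[.]me',
    '0kt[.]one',
    'storedonutsmp[.]net'
)
# endpoints used by the C2 protocol; /ws is reached with a GET (WebSocket upgrade)
$LucidPostPaths = '/upload', '/internal/log', '/dc-injector'
$LucidWsPath    = '/ws'

function ConvertFrom-Defanged {
    param([string]$Indicator)
    return ($Indicator -replace '\[\.\]', '.')
}

function Find-LucidC2Traffic {
    param([string[]]$LogLines)

    $hosts = foreach ($ioc in $LucidNetworkIocs) { ConvertFrom-Defanged $ioc }

    foreach ($line in $LogLines) {
        # constructed format: <timestamp> <src-ip> <method> <host[:port]> <path> <status>
        $fields = $line -split '\s+'
        if ($fields.Count -lt 6) { continue }
        $src, $method, $dest, $path = $fields[1], $fields[2], $fields[3], $fields[4]
        $destHost = ($dest -split ':')[0]

        $confidence = $null
        $reason     = $null
        if ($hosts -contains $destHost) {
            # a known C2/panel host is a match on its own
            $confidence = 'High'
            $reason     = "destination $destHost is a published Lucid Stealer indicator"
        }
        elseif (($method -eq 'POST' -and $LucidPostPaths -contains $path) -or $path -eq $LucidWsPath) {
            # /upload and /internal/log are generic names, so a path-only hit is
            # corroboration to pair with host findings, not proof by itself
            $confidence = 'Low'
            $reason     = "$method to Lucid C2-style endpoint $path on unlisted host $destHost"
        }

        if ($confidence) {
            [pscustomobject]@{
                Source     = $src
                Destination = $dest
                Path       = $path
                Confidence = $confidence
                Reason     = $reason
            }
        }
    }
}

# Constructed sample log: lines 2, 3 and 5 reach published hosts (High);
# line 4 is a path-only hit on an unrelated host (Low); line 1 is clean
$sampleLog = @(
    '2026-06-08T10:01:12Z 10.0.0.15 GET  www.example.com /index.html 200',
    '2026-06-08T10:02:40Z 10.0.0.15 POST 45.138.16.107:3001 /internal/log 200',
    '2026-06-08T10:02:41Z 10.0.0.15 POST 45.138.16.107:3001 /upload 200',
    '2026-06-08T10:03:05Z 10.0.0.22 POST api.example.net /upload 200',
    '2026-06-08T10:04:00Z 10.0.0.15 GET  lucidstealer.one /ws 101'
)
Find-LucidC2Traffic -LogLines $sampleLog | Format-Table -AutoSize
```

Splitting the result into High (known host) and Low (endpoint name only) keeps the path-based rule from flooding analysts with hits on ordinary /upload handlers while still surfacing the "additional confirmation" signal the guidance describes; adapt the field parsing to your own log format before use.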

Source: CybersecurityNews.com
