
Technical Analysis: The Emergence of the Hybrid Lucid Stealer/RAT Framework

A sophisticated new iteration of the Lucid Stealer has been identified, marking a significant shift from simple credential harvesting to a hybrid threat model that merges large-scale information theft with robust Remote Access Trojan (RAT) capabilities. Unlike traditional malware that relies on simple packing, this build utilizes a Node.js Single Executable Application (SEA) to wrap its malicious logic within a legitimate runtime environment, significantly complicating initial detection.

The Foresiet Threat Intelligence Team successfully conducted a deep-dive static analysis of this sample, which is currently being circulated through specialized Telegram-linked underground channels. By analyzing the sample without execution, researchers were able to recover the embedded JavaScript loader and decrypt the core payload, providing a high-fidelity view of the attacker’s infrastructure and operational capabilities.

Execution Flow and Payload Architecture

The infection chain begins with a password-protected WinZip-AES archive containing a massive ~100 MB Windows x64 Node.js SEA executable. This large file size is a deliberate obfuscation tactic, leveraging the legitimate Node.js runtime to hide the actual malicious intent.

Once initialized, the following stages occur:

  • Stage 1: An 8.5 MB NODE_SEA_BLOB JavaScript loader initializes within the runtime.
  • Stage 2: The loader rebuilds and drops various helper binaries to the local disk.
  • Stage 3: A second-stage JavaScript payload is decrypted and executed. To protect its core logic, the malware utilizes an RC4-style Pseudo-Random Generation Algorithm (PRGA) combined with an XOR pass.
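The stage-3 scheme described above (an RC4-style PRGA whose keystream is XORed over the encrypted payload) is the kind of layer an analyst decodes offline once the key material has been recovered from the loader. The following Python is an added example, not code from the Foresiet report or from the malware: it implements the standard RC4 key schedule and PRGA, applies the XOR pass, and tries candidate keys against a blob until the output looks like JavaScript. The key, the payload text and the `looks_like_script` heuristic are constructed for the demonstration; the real build's key derivation and any deviations from textbook RC4 are not described on the page.

```python
from typing import Iterator, Optional


def rc4_ksa(key: bytes) -> list[int]:
    """Key-scheduling algorithm: build the 256-byte permutation S from the key."""
    if not key:
        raise ValueError("empty key")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_prga(s: list[int]) -> Iterator[int]:
    """Pseudo-random generation algorithm: yield one keystream byte at a time."""
    s = s.copy()
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4_xor(key: bytes, data: bytes) -> bytes:
    """XOR pass over the keystream; symmetric, so one call encrypts and decrypts."""
    keystream = rc4_prga(rc4_ksa(key))
    return bytes(b ^ next(keystream) for b in data)


def looks_like_script(data: bytes) -> bool:
    """Cheap plausibility check for a candidate decryption (constructed heuristic)."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    if not all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return False
    return any(tok in text for tok in ("require(", "function", "=>", "process."))


def recover_second_stage(blob: bytes, candidate_keys: list[bytes]) -> Optional[tuple[bytes, bytes]]:
    """Try each candidate key; return (key, plaintext) for the first script-like result."""
    for key in candidate_keys:
        out = rc4_xor(key, blob)
        if looks_like_script(out):
            return key, out
    return None


# Constructed demonstration data: neither the key nor the payload is from the real sample.
DEMO_KEY = b"demo-key-not-real"
DEMO_STAGE2 = b'const os = require("os");\nfunction hostname() { return os.hostname(); }\n'
DEMO_BLOB = rc4_xor(DEMO_KEY, DEMO_STAGE2)

if __name__ == "__main__":
    result = recover_second_stage(DEMO_BLOB, [b"wrong-guess", DEMO_KEY])
    print("recovered with key", result[0], ":", result[1].decode())
```

`rc4_xor` is checked against the published RC4 test vectors (key `Key` over `Plaintext` gives `BBF316E8D940AF0AD3`), so a mismatch when decoding a real blob points to a modified key schedule or an extra transformation rather than to a bug in the decoder.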

The architecture is highly modular. Analysts have successfully extracted components designed for:

  • Data Exfiltration: Browser credential and cookie theft, Discord token harvesting/injection, and multiple cryptocurrency wallet targeting routines.
  • Surveillance: Keylogging, periodic screenshot capture, and High-Level Hidden Virtual Machine (HVNC) style desktop control.
  • System Control: Remote shell access, file manager functions, DDoS commands, and synthetic input via RobotJS.

The malware also bundles specialized tools such as a SQLite CLI for querying local browser databases, a native addon for privilege escalation, and a canvas image module to render and stream screen captures to the operator.

Operational Intelligence and Threat Landscape

Evidence suggests this is not the work of a lone actor, but rather a structured commercial “Malware-as-a-Service” (MaaS) operation. Correlations between Telegram promotional activity, a hosted multi-tenant web control panel, and a specific development lifecycle (notably a rapid relaunch in late May 2026) point toward a professionalized backend.

Figure: Lucid Stealer web authentication panel (Source: Foresiet).

Interestingly, the operator has publicly signaled an intention to migrate the codebase from Node.js to Java. This move is aimed at evading current defense heuristics and optimizing the performance of the RAT components, suggesting that the threat will continue to evolve.

Defensive Posture and Detection Strategies

From a security engineering perspective, an infection by this build must be treated as a full system compromise. The malware’s breadth—targeting 18 different browsers, various wallet extensions, and four different Discord client versions—means that if execution is detected, all stored credentials, active sessions, and cryptographic seed phrases must be considered compromised.

Figure: Publication-safe infection-flow map for the recovered Lucid Stealer build (Source: Foresiet).

Because the operator is actively iterating on the build, static file hashes (IoCs) are of limited value and will likely lead to false negatives. Defenders should instead focus on behavioral indicators of compromise (BIoCs):

  • Persistence: Monitor for suspicious HKCU Run registry modifications.
  • Staging: Watch for temporary files mimicking system updates (e.g., winupd) and the staging of .node addons within user profiles.
  • Anomalous Access: Detect unauthorized SQLite queries against browser profile directories.
  • Network Patterns: Monitor for the specific upload/log URI sequences identified in the decoded configuration.
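The first three behavioral indicators above can be turned into host-telemetry rules. The Python below is an added example, not part of the Foresiet report: it runs a small rule set over Sysmon-style events (registry value set, file create, process create) and flags HKCU Run-key writes, `winupd`-named files staged in a user's Temp directory, `.node` addons dropped under a user profile, and a SQLite CLI invoked against browser credential or cookie databases. The event records, the field names (`EventID`, `TargetObject`, `TargetFilename`, `Image`, `CommandLine`, following Sysmon's naming) and the browser database filenames are constructed for the demonstration; the network-URI rule is omitted because the page does not list the URIs from the decoded configuration.

```python
import re
from pathlib import PureWindowsPath

# Sysmon maps HKCU to HKU\<SID>\..., so the user-hive Run key is matched this way.
HKCU_RUN_RE = re.compile(
    r"^HKU\\[^\\]+\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE
)
# Browser credential/cookie store filenames (Chromium and Firefox families).
BROWSER_DB_NAMES = ("login data", "cookies", "web data", "logins.json", "cookies.sqlite")


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _in_user_profile(path: str) -> bool:
    return path.lower().startswith("c:\\users\\")


def _in_user_temp(path: str) -> bool:
    return "\\appdata\\local\\temp\\" in path.lower()


def check_event(ev: dict) -> list[str]:
    """Return the BIoC rule names that a single event trips (empty list if none)."""
    hits = []
    eid = ev.get("EventID")
    if eid == 13:  # registry value set
        if HKCU_RUN_RE.match(ev.get("TargetObject", "")):
            hits.append("persistence:hkcu-run")
    elif eid == 11:  # file create
        target = ev.get("TargetFilename", "")
        name = _basename(target)
        if _in_user_temp(target) and name.startswith("winupd"):
            hits.append("staging:winupd-temp")
        if name.endswith(".node") and _in_user_profile(target):
            hits.append("staging:node-addon-user-profile")
    elif eid == 1:  # process create
        cmd = ev.get("CommandLine", "").lower()
        if _basename(ev.get("Image", "")) == "sqlite3.exe" and any(db in cmd for db in BROWSER_DB_NAMES):
            hits.append("access:sqlite-browser-db")
    return hits


def triage(events: list[dict]) -> list[tuple[int, str]]:
    """Run every rule over every event; return (event index, rule name) pairs."""
    return [(i, rule) for i, ev in enumerate(events) for rule in check_event(ev)]


def suspect_host(events: list[dict]) -> bool:
    """Escalate when hits span at least two distinct BIoC categories (persistence/staging/access)."""
    categories = {rule.split(":")[0] for _, rule in triage(events)}
    return len(categories) >= 2


# Constructed sample telemetry; none of these values are indicators from the real sample.
SAMPLE_EVENTS = [
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdate",
     "Image": r"C:\Users\alice\AppData\Local\Temp\winupd.exe"},
    {"EventID": 11, "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\winupd.exe",
     "Image": r"C:\Users\alice\Downloads\setup.exe"},
    {"EventID": 11, "TargetFilename": r"C:\Users\alice\AppData\Roaming\node_modules\helper.node",
     "Image": r"C:\Users\alice\AppData\Local\Temp\winupd.exe"},
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\sqlite3.exe",
     "CommandLine": r'sqlite3.exe "C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data" "select * from logins"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe notes.txt"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Image": r"C:\Windows\System32\svchost.exe"},
]

if __name__ == "__main__":
    for idx, rule in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
    print("escalate:", suspect_host(SAMPLE_EVENTS))
```

The Run-key rule deliberately matches only the user hive, since the page attributes persistence to HKCU; in production it still needs an allowlist for legitimate per-user autostarts, which is why `suspect_host` requires hits across more than one category before escalating rather than acting on any single rule.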

Enterprises are advised to prioritize immediate containment on suspected hosts and initiate a comprehensive credential reset across the environment. For a complete technical breakdown, including sanitized hashes and network indicators, refer to the full Foresiet technical report.
