Lucid Stealer Deep Dive
Posted on: 05 June 2024 | Author: Foresiet
A publication-safe corporate blog analysis of a Node.js SEA information stealer and remote-access trojan.
Introduction
Foresiet Threat Intel Team identified and statically analyzed a newly observed Lucid Stealer build promoted through Telegram-linked underground channels. The sample is not a generic packed executable: it is a Lucid-branded credential stealer, wallet stealer and remote-access toolkit packaged inside a legitimate Node.js Single Executable Application wrapper.
The blog below reframes the full technical report into a public, corporate-style deep dive: what the operation is, how the payload is packaged, what the decoded logic does, how the infection chain progresses, and which detections defenders can use today.
Blog Structure
Section | Topic | What the reader gets |
01 | Executive Summary | High-level impact and public sharing posture. |
02 | Threat Context | Promotion timeline, operator narrative and infrastructure evidence. |
03 | Technical Findings | Packaging, SEA loader, decrypted payload and recovered components. |
04 | Capability Analysis | Theft, injection, wallet, RAT, HVNC and DDoS capability coverage. |
05 | Infection Flow Deep Dive | Phase-by-phase execution flow with defender-observable signals. |
06 | Configuration and IOCs | Hashes, network indicators, host artifacts and configured values. |
07 | Detection and Response | Hunting logic and containment priorities for enterprise teams. |
08 | Conclusion | Assessment and recommendations for ongoing tracking. |
Executive Summary
The Foresiet Threat Intel Team identified, decoded and analyzed a Lucid Stealer sample: a commercially promoted Windows information stealer and remote-access trojan built on the Node.js Single Executable Application format. The work covered archive triage, layer-by-layer static deobfuscation, recovery of the encrypted second-stage JavaScript payload, and correlation of Telegram and web infrastructure.
The recovered build is materially more capable than a basic credential stealer. Static analysis confirms user-level persistence, privilege-escalation attempts, broad browser credential and cookie theft, Discord token theft and client injection, cryptocurrency wallet theft, keylogging, screenshot capture, remote shell and file-manager functions, DDoS command support, and HVNC-style hidden desktop control.
ASSESSMENT: Confidence is HIGH. Lucid branding, loader variables, embedded configuration, payload modules and supporting infrastructure were recovered directly through static analysis. The sample was not executed, and the live command-and-control service was not contacted.
18 browsers targeted | 14 wallet targets | 4 native addons | ~100 MB SEA payload | HIGH confidence
Theme | Public blog takeaway |
Primary finding | Lucid Stealer combines data theft with post-infection remote control, including HVNC-style operator access. |
Packaging | A legitimate Node.js runtime carries the malicious SEA blob, making the outer executable look like a large Node application. |
Public posture | Screenshots and indicators are sanitized for awareness sharing; direct links and handles are redacted or defanged. |
Defender priority | Hunt for behavior and staging patterns, not only hashes, because the operator has claimed future re-platforming work. |
Threat Context and Infrastructure Evidence
Lucid Stealer is distributed as a paid malware-as-a-service product through a dedicated Telegram presence and a hosted web control panel. Foresiet began tracking the operation after observing renewed promotion activity tied to the Telegram channel and then obtained a live build for static examination.
Date | Observed operator narrative |
22 May 2026 | The channel posted that the project was closed, citing the departure of a second operator and a temporary pause. |
Late May 2026 | Followers were told to stay tuned for a possible return with an improved product. |
31 May 2026 | The operator announced a relaunch, stated that the site was being rebuilt from scratch, and teased future releases. |
31 May 2026 | The operator claimed a planned migration from Node.js to Java to improve evasion and performance, ruled out free memberships, and directed buyers to private contact. |
This timeline matters to defenders because it signals an actively maintained toolkit. The claimed re-platforming suggests future builds may differ at the code level while retaining the same operator branding, commercial model and infrastructure patterns.
Evidence Screenshots
The following screenshots are included from the sanitized report. They preserve the visual evidence of the operation while blurring actionable links and operator handles.

Figure 1. Lucid Stealer web authentication panel. The operation uses separate user/admin login paths, a license-key field and AES-256 branding. The address bar URL is redacted.

Figure 2. Telegram announcement channel with closure and relaunch narrative. The operator handle is redacted in both visible occurrences.

Figure 3. Telegram profile and distribution/vouch links. Actionable links are redacted while the channel identity, subscriber count and structure remain visible.
INFRASTRUCTURE READOUT: The panel and Telegram surfaces show a small but organized commercial operation: a hosted multi-tenant panel for customers, an announcement channel for product status, and a vouch/distribution path for sales and reputation.
FAMILY-NAME NOTE: The “Lucid” name used throughout this blog is taken from the sample’s own embedded strings and configuration (LUCID-M8NJ-SLBQ-ROI2, LUCIDPay and __LUCID_* loader variables); it is operator self-branding, not an externally assigned family designation. The Node.js Single Executable Application packaging technique seen here has also been documented publicly in other commodity stealers, so this operator brand should not be confused with unrelated tools or platforms that share the word “Lucid.”
Technical Findings
Packaging and Delivery
The sample is delivered as a password-protected WinZip-AES archive. The inner member is a roughly 100 MB Windows x64 executable that is, at the outer layer, a legitimate Node.js runtime. The malicious logic is carried inside the runtime as an embedded NODE_SEA_BLOB resource: an approximately 8.5 MB JavaScript application that stages helper components and decrypts the second-stage core payload.
Artifact | Detail | Hash (as published) |
Outer archive | WinZip-AES password-protected ZIP | a380e66f381c9f88f4f221906f12b73e |
Inner payload | 100 MB Windows x64 Node.js SEA executable | 101351cff5f971cd39bd6280be02a5e0 |
Embedded app | ~8.5 MB NODE_SEA_BLOB JavaScript loader | 8422c48d6301426a39bf9b3d7f11bdbe |
Core payload | Decrypted JavaScript stealer/RAT, RC4-style plus XOR layer | cad3f0dde70a5d37c996abee75f39aff |
Hash-length check: every value in this table is 32 hexadecimal characters, which is the length of an MD5 digest; a SHA-256 digest is 64 characters. The original report labelled these columns SHA-256, so confirm which algorithm produced them before loading them into a blocklist or matching on them in a SIEM.
Recovered Components from the SEA Blob
The loader stores helper binaries as encoded chunk arrays that are reordered, base64-decoded and XOR-decrypted before being written to disk. Foresiet decoded each layer as a static analysis artifact.
Component | Role | Hash (as published; 32 hex characters, see the length check above) |
SQLite helper | Bundled SQLite CLI used to query copied browser databases | 5e33fe030fb7c3bbe2bca1f70f21a406 |
UAC / elevation addon (inferred) | Native N-API addon invoked by the loader during privilege-escalation attempts; exact native method not confirmed by static analysis | fc52b15848191ad97213d49c7f3c2176 |
HVNC addon | Hidden VNC, screen and browser-control native module | 6fb83f431f43d7b13e411676cdaa98d8 |
RobotJS addon | Screen capture and synthetic input automation | 18e61b06068a8dd71e19ed3b117e4b08 |
Canvas addon | Image/canvas rendering for screenshots and streaming | f85e5b19198cc4800be76346bb2868ab |
Second-Stage Payload
The embedded loader holds the main stealer/RAT as an encrypted blob. Decryption uses an RC4-style PRGA keyed by an embedded value, followed by an XOR pass. The result is base64 JavaScript that the loader executes through eval().
The recovered bundle is modular, with discrete components for logging, configuration, remote desktop, ZIP handling, Discord theft and injection, wallets, cryptography, networking, browser theft, collection orchestration, keylogging, clipping, DDoS and C2 control.
WHY THIS MATTERS: The Node.js SEA wrapper is a delivery and concealment layer, not the core threat. The defensive value comes from tracking the staged helpers, decoded configuration, persistence pattern and network behavior.
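The two decode layers described above (helper chunks that are reordered, base64-decoded and XOR-decrypted; a second stage that is RC4-decrypted, XOR-passed and base64-decoded into JavaScript) can be reproduced in a short analyst script. The block below is an added example written for this post, not Foresiet's tooling or the loader's own code. The RC4 key, XOR key, chunk size and chunk layout are placeholders: the real values are embedded in the loader and are not published here, so the script builds its own constructed blobs with the same layering and then undoes them. It also adds a triage check that goes beyond the page: the fuse sentinel that Node's SEA tooling (postject) writes into an injected binary, which distinguishes a stock node.exe from one carrying a NODE_SEA_BLOB.

```python
import base64


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 key scheduling plus PRGA. Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; also its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_second_stage(blob: bytes, rc4_key: bytes, xor_key: bytes) -> str:
    """Undo the layers in the order the post describes: RC4 PRGA, XOR pass, base64 -> JavaScript."""
    return base64.b64decode(xor_bytes(rc4(rc4_key, blob), xor_key)).decode("utf-8")


def decode_helper_chunks(chunks, xor_key: bytes) -> bytes:
    """Reassemble a dropped helper: reorder by index, base64-decode each chunk, XOR-decrypt the whole."""
    ordered = b"".join(base64.b64decode(text) for _, text in sorted(chunks, key=lambda c: c[0]))
    return xor_bytes(ordered, xor_key)


# Fuse sentinel used by Node's SEA tooling (postject); an injected binary carries ":1" after it.
SEA_FUSE = b"NODE_SEA_FUSE_fce680ab2cc467b6e072b8b5df1996b2"


def sea_fuse_state(pe_bytes: bytes) -> str:
    """Quick triage: 'injected' when the fuse reads ':1', 'stock' when ':0', otherwise 'absent'."""
    idx = pe_bytes.find(SEA_FUSE)
    if idx < 0:
        return "absent"
    flag = pe_bytes[idx + len(SEA_FUSE): idx + len(SEA_FUSE) + 2]
    return {b":1": "injected", b":0": "stock"}.get(flag, "absent")


# --- constructed test material, not taken from the sample -------------------------------
RC4_KEY = b"placeholder-rc4-key"   # assumption: the real key is embedded in the loader
XOR_KEY = b"\x5a\xa5"              # assumption: the real XOR key is not published
SAMPLE_JS = 'const cfg = { api: "http://example.invalid:3001" }; module.exports = cfg;'
SAMPLE_HELPER = b"MZ" + bytes(range(60, 124))   # stand-in for a dropped PE helper


def build_constructed_blob(js: str) -> bytes:
    """Apply the three layers forward so the decoder above has something to undo."""
    return rc4(RC4_KEY, xor_bytes(base64.b64encode(js.encode("utf-8")), XOR_KEY))


def build_constructed_chunks(payload: bytes, size: int = 7):
    """XOR the payload, split it into base64 chunks and store them out of order with their index."""
    enc = xor_bytes(payload, XOR_KEY)
    chunks = [(i, base64.b64encode(enc[o:o + size]).decode("ascii"))
              for i, o in enumerate(range(0, len(enc), size))]
    return chunks[::-1]


def demo():
    js = decode_second_stage(build_constructed_blob(SAMPLE_JS), RC4_KEY, XOR_KEY)
    helper = decode_helper_chunks(build_constructed_chunks(SAMPLE_HELPER), XOR_KEY)
    fake_pe = b"\x00" * 16 + SEA_FUSE + b":1" + b"\x00" * 16
    return js, helper[:2], sea_fuse_state(fake_pe)


if __name__ == "__main__":
    print(demo())
```

When applying this to a real build, recover the key material from the loader's own variables first and confirm the decoded helper starts with the PE magic (`MZ`) and the decoded second stage parses as JavaScript; a wrong key or wrong layer order produces plausible-looking bytes that fail both checks.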
Capability Analysis
Foresiet mapped operator commands and data-theft routines recovered from the decoded payload. The resulting footprint shows a hybrid stealer/RAT: the sample can collect stored secrets at scale and also give an operator live post-infection control.

Figure 4. Offensive capability footprint. Remote-control and file/shell operations dominate the command surface, while browser theft and HVNC are also prominent.

Figure 5. Configured target surface. This build targets 18 browsers, 21 clipper coin formats, seven desktop wallets, seven wallet extensions and four Discord client variants.

Figure 6. Recovered native module composition. Canvas and HVNC-related native modules account for the majority of decoded native code, consistent with screen and hidden-desktop functionality.
Infection Flow Deep Dive
The infection chain recovered from the static analysis shows a layered progression: delivery through a passworded archive, execution through a Node.js SEA wrapper, staging of helper binaries, persistence, optional privilege escalation, core payload decryption, collection, exfiltration and remote control.

Figure 7. Publication-safe infection-flow map for the recovered Lucid Stealer build.
Why the Infection Flow Is High-Risk
The flow is high-risk because it compresses several crimeware functions into one build. The payload does not stop after stealing browser credentials: it also prepares an operator control surface that can be used for follow-on access, manual browsing, file theft, additional payload staging, and hidden remote desktop activity.
The most reliable enterprise detections are behavioral. Hashes identify this specific build, but the operator has claimed active development and future platform changes. Hunting for temporary winupd self-copies, HKCU Run persistence, user-profile .node addon staging, browser database access patterns and the upload/log URI sequence will remain more resilient than relying only on static hashes.
DEEP-DIVE TAKEAWAY: Treat Lucid Stealer as a full compromise event. Browser tokens, saved passwords, Discord sessions, Roblox sessions and wallet seed/key material should be considered exposed if the sample was launched.
Configuration and Indicators of Compromise
Embedded Configuration
Setting | Value |
License key | LUCID-M8NJ-SLBQ-ROI2 |
C2 API base | hxxp://45[.]138[.]16[.]107:3001 |
Decoy directory | LUCIDPay |
Keylogger | Enabled; 5000 ms flush interval |
Clipper | Present but disabled in this recovered build |
Anti-debug / anti-persist | Enabled; anti-VM disabled |
Network Indicators
Indicator | Type | Context |
45[.]138[.]16[.]107:3001 | C2 | Primary command-and-control base endpoint (hard-coded in the sample) |
/upload | URI | Stolen-data archive upload endpoint |
/internal/log | URI | Metadata and keylog telemetry endpoint |
/dc-injector | URI | Discord injection payload retrieval |
/ws | URI | WebSocket C2 path |
lucidstealer[.]one | Domain | User-supplied panel domain; resolves to 85[.]239[.]155[.]68 (not embedded in sample) |
iloveyoulucid[.]space | Domain | User-supplied panel domain; resolved in DNS at analysis time (not embedded in sample) |
ghdfhfjhfg[.]webhop[.]me | Domain | User-supplied panel domain; no DNS resolution at analysis time |
0kt[.]one | Domain | User-supplied panel domain; resolved in DNS at analysis time (not embedded in sample) |
storedonutsmp[.]net | Domain | User-supplied panel domain; resolved in DNS at analysis time (not embedded in sample) |
85[.]239[.]155[.]68 | IP | Resolving infrastructure for lucidstealer[.]one at analysis time |
Evidence scope: the C2 endpoint hxxp://45[.]138[.]16[.]107:3001 is the only network indicator hard-coded in the analyzed sample, and its IP sits on AS210558. The panel domains listed above were supplied for correlation and are not present in the payload strings. At analysis time most resolved in DNS, but their listing in public IOC feeds could not be independently confirmed and should be treated as unverified supporting context rather than sample-derived indicators.
Host Artifacts
Artifact | Detail |
%TEMP%\winupd_<random>.exe | Hidden self-copy of the loader |
%TEMP%\_sq3e_<pid>.exe | Dropped SQLite helper carrying SQLite version metadata |
%LOCALAPPDATA%\Common\<id>\*.node | Dropped native addons for UAC, HVNC, RobotJS and canvas functionality |
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate | Autorun persistence value |
%TEMP%\Data_<hwid>.zip | Staged exfiltration archive |
%TEMP%\uac.log.txt and %TEMP%\lucid_err.log | Loader and elevation activity logs |
Disabled Clipper Wallet Addresses
Replacement wallet addresses configured in the disabled clipper module remain useful as detection indicators because they can appear in string scans, memory captures or adjacent builds.
Coin | Configured replacement address |
BTC | bc1qj0uraqhgquwcwdlhazy7ahzypz7r987z89dhwe |
ETH | 0x239df70C0d328dEb4187A8B50a70ead8cbb1f48D |
LTC | LYUQyhrqHS9VXzRkQWRHvVEtr5aCCSoVig |
Detection and Response Guidance
High-Signal Host Detections
- Unknown Node/SEA executable creating user-profile .node modules.
- Creation of %TEMP%\winupd_<8 chars>.exe with an HKCU Run value named WindowsUpdate pointing at it.
- Dropped _sq3e_<pid>.exe carrying SQLite version metadata.
- Hidden PowerShell elevation using Start-Process with Verb RunAs.
- Browser SQLite databases copied or read immediately after browser processes are terminated.
- Discord client file changes paired with suspicious token collection activity.
- Repeated outbound POSTs to /internal/log and /upload, plus a WebSocket session to the C2 host.
Network Detections
- Any connection to 45[.]138[.]16[.]107:3001 or associated panel infrastructure.
- URI patterns /internal/log, /upload, /dc-injector and /ws in the same endpoint sequence.
- Connections to hxxp://ip-api[.]com/json immediately before or during host telemetry collection (ip-api.com is a public geolocation service also used by benign software, so treat this as corroborating context rather than a standalone alert).
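The host and network detections above are easier to evaluate when written as correlation logic and run over sample telemetry. The block below is an added example for this post, not Foresiet's detection content or any vendor rule: it correlates the winupd self-copy with the HKCU Run value named WindowsUpdate, flags the SQLite helper drop and user-profile .node staging, and alerts on the /internal/log plus /upload pair to one endpoint rather than on a single URI. The events are constructed Sysmon-style JSON lines with assumed field names (host, type, path, key, value, data, dest, uri); map them onto your own EDR or SIEM schema before use.

```python
import json
import re
from collections import defaultdict

# Constructed Sysmon-style events as JSON lines (not real telemetry). WS02 carries
# benign look-alike activity so the rules can be checked for false positives.
SAMPLE_EVENTS = r"""
{"host": "WS01", "type": "file_create", "path": "C:\\Users\\a\\AppData\\Local\\Temp\\winupd_k3j9x2qz.exe"}
{"host": "WS01", "type": "registry_set", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "value": "WindowsUpdate", "data": "C:\\Users\\a\\AppData\\Local\\Temp\\winupd_k3j9x2qz.exe"}
{"host": "WS01", "type": "file_create", "path": "C:\\Users\\a\\AppData\\Local\\Temp\\_sq3e_4412.exe"}
{"host": "WS01", "type": "file_create", "path": "C:\\Users\\a\\AppData\\Local\\Common\\7f3a1c\\hvnc.node"}
{"host": "WS01", "type": "http", "dest": "45.138.16.107:3001", "method": "POST", "uri": "/internal/log"}
{"host": "WS01", "type": "http", "dest": "45.138.16.107:3001", "method": "POST", "uri": "/upload"}
{"host": "WS01", "type": "http", "dest": "45.138.16.107:3001", "method": "GET", "uri": "/ws"}
{"host": "WS02", "type": "file_create", "path": "C:\\Users\\b\\Documents\\report.docx"}
{"host": "WS02", "type": "http", "dest": "203.0.113.10:443", "method": "GET", "uri": "/upload"}
"""

WINUPD_RE = re.compile(r"\\Temp\\winupd_[A-Za-z0-9]{8}\.exe$", re.IGNORECASE)
SQ3E_RE = re.compile(r"\\Temp\\_sq3e_\d+\.exe$", re.IGNORECASE)
ADDON_RE = re.compile(r"\\AppData\\Local\\Common\\[^\\]+\\[^\\]+\.node$", re.IGNORECASE)
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"
KNOWN_C2 = {"45.138.16.107:3001"}
LUCID_URIS = {"/internal/log", "/upload", "/dc-injector", "/ws"}


def load_events(text: str):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def hunt(events):
    """Return sorted (host, rule, evidence) findings for the rules described in the post."""
    findings = set()
    winupd = defaultdict(set)   # host -> lowercase winupd self-copy paths
    run_values = {}             # host -> data of the HKCU Run value named WindowsUpdate
    uris = defaultdict(set)     # (host, dest) -> Lucid URIs seen against that endpoint
    for e in events:
        if e["type"] == "file_create":
            path = e["path"]
            if WINUPD_RE.search(path):
                winupd[e["host"]].add(path.lower())
            if SQ3E_RE.search(path):
                findings.add((e["host"], "sqlite_helper_drop", path))
            if ADDON_RE.search(path):
                findings.add((e["host"], "native_addon_staging", path))
        elif e["type"] == "registry_set":
            if e["key"].lower() == RUN_KEY and e["value"] == "WindowsUpdate":
                run_values[e["host"]] = e["data"].lower()
        elif e["type"] == "http":
            if e["dest"] in KNOWN_C2:
                findings.add((e["host"], "known_c2", e["dest"]))
            if e["uri"] in LUCID_URIS:
                uris[(e["host"], e["dest"])].add(e["uri"])
    # Persistence: the Run value must point at a winupd_<8 chars>.exe self-copy seen on the same host.
    for host, target in run_values.items():
        if target in winupd[host]:
            findings.add((host, "winupd_run_persistence", target))
    # Network: the log+upload pair against one endpoint is the sequence worth alerting on;
    # a lone /upload (WS02) is too common to act on by itself.
    for (host, dest), seen in uris.items():
        if {"/internal/log", "/upload"} <= seen:
            findings.add((host, "lucid_uri_sequence", f"{dest} {','.join(sorted(seen))}"))
    return sorted(findings)


def run_sample():
    return hunt(load_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for host, rule, evidence in run_sample():
        print(f"{host:5} {rule:24} {evidence}")
```

The behavioural rules (self-copy plus Run value, addon staging, URI pair) are the ones to keep when the operator re-platforms; the hard-coded C2 match is the one that expires with this build.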
Immediate Response if Executed
Response lane | Action |
Containment | Isolate the host from the network and preserve memory/disk if deeper forensics are required. |
Persistence removal | Remove the Run-key persistence, dropped loader copy, SQLite helper, native addons and staged archives. |
Identity response | Treat browser-saved credentials, cookies, Discord tokens, Roblox sessions and wallet seed/key material as compromised; rotate passwords and revoke sessions/tokens. |
Endpoint assurance | Run a full offline AV/EDR scan or reimage if the payload was launched on a production host. |
Network control | Block observed C2 and associated panel infrastructure while monitoring for lookalike or successor infrastructure. |
Conclusion
The build examined by Foresiet is not a benign Node.js application or a generic packed executable. It is a Lucid-branded stealer and remote-access trojan with persistence, privilege-escalation attempts, broad credential and cookie theft, Discord token theft and injection, wallet theft, keylogging, screenshot capture, remote shell and file operations, DDoS support and HVNC hidden-desktop control, all confirmed through static analysis.
The supporting infrastructure – a hosted multi-tenant panel and an actively maintained Telegram presence – combined with the operator’s stated intent to re-platform the malware, indicates a live, commercially motivated and evolving threat. Defenders should treat the indicators in this blog as current for the analyzed build and prioritize behavior-based hunting.
Most Reliable Indicators for This Build
Indicator | Value |
Payload hash (as published; 32 hex characters, MD5 length, so verify the algorithm) | 101351cff5f971cd39bd6280be02a5e0 |
Primary C2 | 45[.]138[.]16[.]107:3001 |
Persistence value | HKCU Run value named WindowsUpdate |
Self-copy pattern | %TEMP%\winupd_<random>.exe |
Native staging pattern | %LOCALAPPDATA%\Common\<id>\*.node |