ThreatCluster

NWHStealer Malware Campaign Evolves with Bun Loader and Anti-VM Techniques

First seen 8 May 2026, 10:09 UTC GbhackersCybersecuritynews 86% similarity 70

Article Content

Browse articles
ThreatCluster

The NWHStealer infostealer has adopted a new distribution method utilizing the Bun JavaScript runtime, enhancing its delivery infrastructure. This Rust-based malware targets Windows systems, leveraging Bun's performance to package malicious code effectively. The threat actors are employing anti-VM checks to evade detection and analysis, indicating a sophisticated approach to malware deployment. The campaign signifies a shift in tactics, as attackers experiment with emerging technologies to bypass traditional security measures. The full scope of the impact is still being assessed, but the use of encrypted command and control (C2) channels raises concerns about data exfiltration. Cybersecurity researchers are actively monitoring the situation as it develops.

Key Points: • NWHStealer now uses the Bun JavaScript runtime for enhanced malware delivery. • Attackers employ anti-VM evasion techniques to avoid detection. • The campaign utilizes encrypted C2 channels, complicating threat mitigation.

ThreatCluster AI

Timeline

2026-05-08
NWHStealer campaign reported
Cybersecurity researchers identified a new delivery method for NWHStealer using Bun, marking a significant evolution in its tactics.
Gbhackers
2026-05-08
Bun JavaScript runtime leveraged
The malware's delivery infrastructure now incorporates Bun, allowing for more effective evasion of traditional detection methods.
Cybersecuritynews

Community

Browse all →