{
	"id": "2a057c3d-1524-444c-9b39-e92c3d71c0b9",
	"created_at": "2026-04-06T00:21:48.554951Z",
	"updated_at": "2026-04-10T03:20:27.104533Z",
	"deleted_at": null,
	"sha1_hash": "9814ad5b2be97ffd11c93987566e4f6d27896408",
	"title": "Large-Scale StrelaStealer Campaign in Early 2024",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1254429,
	"plain_text": "Large-Scale StrelaStealer Campaign in Early 2024\r\nBy Benjamin Chang, Goutam Tripathy, Pranay Kumar Chhaparwal, Anmol Maurya, Vishwa Thothathri\r\nPublished: 2024-03-22 · Archived: 2026-04-05 13:24:17 UTC\r\nExecutive Summary\r\nStrelaStealer malware steals email login data from well-known email clients and sends them back to the attacker’s\r\nC2 server. Upon a successful attack, the threat actor would gain access to the victim's email login information,\r\nwhich they can then use to perform further attacks. Since the first emergence of the malware in 2022, the threat\r\nactor behind StrelaStealer has launched multiple large-scale email campaigns, and there is no sign of them\r\nslowing down.\r\nRecently, our researchers have identified a wave of large-scale StrelaStealer campaigns impacting over 100\r\norganizations across the EU and U.S. These campaigns come in the form of spam emails with attachments that\r\neventually launch the StrelaStealer’s DLL payload.\r\nIn an attempt to evade detection, attackers change the initial email attachment file format from one campaign to\r\nthe next, to prevent detection from the previously generated signature or patterns. The malware author often\r\nupdates the DLL payload with better obfuscation and anti-analysis tricks, which makes it increasingly difficult for\r\nanalysts and security products to analyze.\r\nThis article delves deeper into the timeline of these more recent attacks and the evolving tactics employed by the\r\nmalware.\r\nThrough detection and intelligence provided by Advanced WildFire, Palo Alto Networks customers are better\r\nprotected from StrelaStealer through the following products:\r\nCortex XDR with Advanced WildFire is able to help detect new variants of StrelaStealer. 
Cortex XDR\r\nhelps prevent StrelaStealer’s attack chain.\r\nNext-Generation Firewalls with Cloud-Delivered Security Services, including Advanced WildFire\r\ndetection, Advanced URL Filtering and DNS Security categorize known C2 domains and IPs as malicious.\r\nPrisma Cloud Defender agents should be deployed on cloud-based Windows VMs to ensure they are\r\nprotected from these known malicious binaries. WildFire signatures can be used by both Palo Alto\r\nNetworks cloud services to ensure cloud-based Windows VM runtime operations are being analyzed and\r\nthose resources are protected.\r\nOrganizations can also engage the Unit 42 Incident Response team to help with a compromise or to provide\r\na proactive assessment to lower your risk.\r\nIntroduction to StrelaStealer\r\nStrelaStealer malware is an email credential stealer first documented by DCSO_CyTec in their blog on Medium\r\npublished on Nov. 8, 2022. Since the first emergence of the malware, the threat actor behind StrelaStealer has\r\nhttps://unit42.paloaltonetworks.com/strelastealer-campaign/\r\nPage 1 of 10\n\nlaunched multiple large-scale email campaigns, typically across the EU and U.S.\r\nFor example, the last large-scale campaign launched in 2023 was around the November time frame. Our\r\nresearchers have observed a new campaign launched in late January 2024 targeting multiple industries across the\r\nEU and U.S.\r\nThe basic goal of the StrelaStealer has not changed much, and the payload DLL is still identifiable with the strela\r\nstring. However, we can see that the threat actor has updated the malware in an attempt to evade detection.\r\nThis new variant of StrelaStealer is now delivered through a zipped JScript and it employs an updated obfuscation\r\ntechnique in the DLL payload. 
We will provide more technical analysis and detail in this article.\r\nLast Large-Scale Campaign of 2023\r\nSince the emergence of StrelaStealer, we have observed its threat operators initiate multiple large-scale\r\ncampaigns. WildFire researchers observed that the last large-scale campaign in 2023 happened in November,\r\ntargeting organizations in the U.S. and EU. Figure 1 below shows the timeline of the 2023 November campaign.\r\nFigure 1. November 2023 campaign.\r\nRecent Large-Scale Campaign in 2024\r\nA month into 2024, the threat actors behind StrelaStealer launched another large-scale campaign, again targeting\r\norganizations in the same geographic regions. Figure 2 below shows the timeline of the recent campaign that\r\npeaked on Jan. 29, 2024.\r\nFigure 2. January 2024 campaign.\r\nThe language of the StrelaStealer spam email seen during this campaign is localized and the subject line has the\r\npattern of Factura/Rechnung/invoice####. Figure 3, below, is a sample email in German.\r\nFigure 3. Example spam email.\r\nFigure 4 shows that while this recent campaign seems to target organizations in many industries, organizations in\r\nthe high tech industry have been the largest target.\r\nFigure 4. Count of StrelaStealer samples seen for top eight industries.\r\nTechnical Analysis of New StrelaStealer Variant\r\nOriginal StrelaStealer Infection Chain and Payload Recap\r\nAs discussed in DCSO’s blog on Medium, earlier versions of StrelaStealer infect the system via email with an\r\nattached .iso file. The .iso file contains a .lnk file and a HyperText Markup Language (HTML) file. 
The technique\r\nmakes use of polyglot files, which are files that can be treated differently based on the executing application.\r\nWhen the victim clicks on the .lnk file contained within the .iso file, it executes the HTML and then invokes\r\nrundll32.exe to execute the embedded StrelaStealer payload. The initial payload has some encrypted strings,\r\nwhich are decrypted during the execution using a fixed XOR key, as shown in Figure 5.\r\nFigure 5. Decryption key.\r\nUpdated Infection Chain\r\nThe current version of StrelaStealer spreads through spear phishing emails that contain a ZIP file attachment.\r\nOnce the user downloads and opens the archive, a JScript file is dropped onto the system.\r\nThe JScript file then drops a Base64-encoded file and a batch file. The Base64-encoded file is decoded with the\r\ncertutil -f decode command, resulting in the creation of a Portable Executable (PE) DLL file. Depending on the\r\nuser's privileges, the file drops into either %appdata%\\temp or c:\\temp on the local disk. The DLL file is then\r\nexecuted through the exported function hello using rundll32.exe.\r\nPlease see Figure 6 for the infection chain of the previous version and the newer variant.\r\nFigure 6. Infection chain.\r\nUpdated Packer\r\nIn the newest variant of StrelaStealer seen in the January 2024 campaign, the packer has evolved and employs a\r\ncontrol flow obfuscation technique to render analysis more difficult.\r\nThe initial function shown in Figure 7 contains an example control flow obfuscation technique of excessively long\r\ncode blocks consisting of numerous arithmetic instructions. This serves as an anti-analysis technique, potentially\r\nleading to timeouts during the execution of samples in a sandbox environment.\r\nFigure 7. 
Obfuscation (excessively large code block).\r\nBoth the original and the new StrelaStealer payload are DLL files with a malicious export function called to\r\nlaunch the attack. Figure 8 shows the payload DLL’s malicious export function side by side.\r\nWe can see that the older version of StrelaStealer (left side of Figure 8) was not well obfuscated as these function\r\nblocks are clean and easily readable when disassembled. However, the latest version on the right side of Figure 8\r\nshows that the threat actors have employed control flow obfuscation to evade analysis and detection.\r\nFigure 8. Export functions of old (left) and new (right) versions of StrelaStealer.\r\nBased on the configuration shown in Figure 9, the payload size and decryption key are used to decrypt the\r\npayload. The decrypted payload is a memory-mapped PE file that is not similar to the one found in the earlier\r\nversion of the StrelaStealer.\r\nFigure 9. Encrypted payload.\r\nThe presence of strings like strela, server.php, key4.db and login.json within the decrypted payload provides an\r\nindication that it is associated with StrelaStealer.\r\nThe main purpose of StrelaStealer is to steal email login data from well-known email clients and send it back to\r\nthe C2 server defined in the malware configuration, as shown in Figure 10.\r\nFigure 10. StrelaStealer string as well as C2 server name.\r\nThe StrelaStealer threat actor incorporated several noteworthy modifications, possibly as means to avoid being\r\ndetected. For example, PDB strings (debugging symbol strings built in by the compiler) that were present in\r\nearlier versions of StrelaStealer, shown in Figure 11, can no longer be found in the samples from the latest\r\ncampaign. 
This makes it less obvious that this is a StrelaStealer binary and could render certain naive static\r\nsignatures useless if they relied on the existence of this string.\r\nFigure 11. PDB string from an early StrelaStealer sample.\r\nFigure 12 shows that the export name has changed from StrelaStealer to hello.\r\nFigure 12. Export name changes from Strela to hello.\r\nConclusion\r\nStrelaStealer malware is an active email credential stealer that is always evolving. With each new wave of email\r\ncampaigns, threat actors update both the email attachment, which initiates the infection chain, and the DLL\r\npayload itself. Attackers do this to evade detection by security vendors.\r\nInformation stealers are not new to the threat landscape. Though not exactly novel, the various evasion techniques\r\nand updates employed by StrelaStealer are effective at evading detection from more reactive signature or pattern-based solutions.\r\nPalo Alto Networks Protection and Mitigation\r\nThrough the detection and intelligence provided by Advanced WildFire, Palo Alto Networks customers are better\r\nprotected from StrelaStealer through the following products:\r\nCortex XDR with Advanced WildFire: With cloud-delivered static and dynamic analysis capabilities,\r\nAdvanced WildFire is able to help detect new variants of StrelaStealer. Cortex XDR helps prevent\r\nStrelaStealer’s attack chain.\r\nNext-Generation Firewalls with cloud-delivered security services including Advanced WildFire detection,\r\nAdvanced URL Filtering and DNS Security categorize known C2 domains and IPs as malicious.\r\nPrisma Cloud Defender agents should be deployed on cloud-based Windows VMs to ensure they are\r\nprotected from these known malicious binaries. 
WildFire signatures can be used by both Palo Alto\r\nNetworks cloud services to ensure cloud-based Windows VM runtime operations are being analyzed and\r\nthose resources are protected.\r\nThe Unit 42 Incident Response team can also be engaged to help with a compromise or to provide a\r\nproactive assessment to lower your risk.\r\nIf you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident\r\nResponse team or call:\r\nNorth America Toll-Free: 866.486.4842 (866.4.UNIT42)\r\nEMEA: +31.20.299.3130\r\nAPAC: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nPalo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA\r\nmembers use this intelligence to rapidly deploy protections to their customers and to systematically disrupt\r\nmalicious cyber actors. Learn more about the Cyber Threat Alliance.\r\nIndicators of Compromise\r\nSHA256 Hash / Indicator    Filetype\r\n0d2d0588a3a7cff3e69206be3d75401de6c69bcff30aa1db59d34ce58d5f799a    DLL\r\ne6991b12e86629b38e178fef129dfda1d454391ffbb236703f8c026d6d55b9a1    DLL\r\nf95c6817086dc49b6485093bfd370c5e3fc3056a5378d519fd1f5619b30f3a2e    EML\r\naea9989e70ffa6b1d9ce50dd3af5b7a6a57b97b7401e9eb2404435a8777be054    EML\r\nb8e65479f8e790ba627d0deb29a3631d1b043160281fe362f111b0e080558680    EML\r\n3189efaf2330177d2817cfb69a8bfa3b846c24ec534aa3e6b66c8a28f3b18d4b    ZIP\r\n544887bc3f0dccb610dd7ba35b498a03ea32fca047e133a0639d5bca61cc6f45    JS\r\n193[.]109[.]85[.]231    C2 server\r\nAdditional References\r\nNew StrelaStealer malware steals your Outlook, Thunderbird accounts – Bleeping Computer\r\nMalware analysis/Digital forensic: Strela Stealer – Medium\r\n#ShortAndMalicious: StrelaStealer aims for mail credentials – Medium\r\nSource: https://unit42.paloaltonetworks.com/strelastealer-campaign/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/strelastealer-campaign/"
	],
	"report_names": [
		"strelastealer-campaign"
	],
	"threat_actors": [],
	"ts_created_at": 1775434908,
	"ts_updated_at": 1775791227,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9814ad5b2be97ffd11c93987566e4f6d27896408.pdf",
		"text": "https://archive.orkl.eu/9814ad5b2be97ffd11c93987566e4f6d27896408.txt",
		"img": "https://archive.orkl.eu/9814ad5b2be97ffd11c93987566e4f6d27896408.jpg"
	}
}