Cybersecurity firm Trustwave has recently published its analysis of a sophisticated information-stealing malware called “Strela Stealer”. This threat employs advanced obfuscation techniques to conceal its operations, making it particularly challenging for security researchers to analyze.

Dangerous New Threat Targeting Email Applications

On March 6, 2025, Trustwave released a detailed analysis of the Strela Stealer malware. This malicious software primarily targets email account information from Mozilla Thunderbird and Microsoft Outlook, aiming to steal sensitive credentials and server details.

European Countries in the Crosshairs

First observed in late 2022, Strela Stealer has been conducting highly targeted attacks against specific European nations. The primary targets include:

  • Spain
  • Italy
  • Germany
  • Ukraine

The malware spreads through large-scale phishing campaigns, with recent attacks impersonating legitimate company invoice emails. Instead of actual invoices, victims receive ZIP files containing the malware.

Infection Process and Advanced Techniques

Step-by-Step Infection Method

The Strela Stealer infection follows a sophisticated multi-stage process:

  1. Phishing Email Delivery: Attackers send fake invoice emails written in the target country’s native language, encouraging recipients to open the attached ZIP file.
  2. Malware Execution: The ZIP file contains a JScript format script that leverages Windows Script Host (wscript.exe) to initiate the attack.
  3. Target Validation: Before proceeding, the script checks the system’s language settings and only advances to the next stage if the computer is located in targeted countries (Germany, Austria, Switzerland, etc.).
  4. Payload Deployment: The script downloads the main DLL file (the actual malware) from a public WebDAV server. To avoid raising suspicion, it simultaneously displays a fake PDF document to the user.
  5. Data Theft: The malware collects email account information including passwords and server details, then transmits the stolen data to attacker-controlled servers.
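The chain above gives a defender two concrete things to look for in process-creation telemetry: a script host (wscript.exe) launching a .js file from a user-writable or archive-extraction path, and a command line that references a WebDAV UNC path. The following is an added example, not code from Trustwave or from this article: a small Python checker that runs those two heuristics over constructed Sysmon-style events. The sample events, the `webdav.example.invalid` host and the file names are made up for illustration; the `Temp1_<archive>` directory is the folder Windows Explorer uses when a file is opened directly from a ZIP, and `DavWWWRoot` is the keyword the Windows WebDAV redirector accepts in UNC paths.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 subset)."""
    parent_image: str
    image: str
    command_line: str


# Constructed sample telemetry (not real logs); index 0 is benign,
# 1 mimics a JScript dropper opened straight out of a ZIP attachment,
# 2 mimics a process touching a payload on a public WebDAV share.
SAMPLE_EVENTS = [
    ProcEvent(
        parent_image=r"C:\Windows\explorer.exe",
        image=r"C:\Windows\System32\notepad.exe",
        command_line=r'"C:\Windows\System32\notepad.exe" C:\Users\alice\Documents\notes.txt',
    ),
    ProcEvent(
        parent_image=r"C:\Windows\explorer.exe",
        image=r"C:\Windows\System32\wscript.exe",
        command_line=r'"C:\Windows\System32\wscript.exe" '
                     r'"C:\Users\alice\AppData\Local\Temp\Temp1_Rechnung_2025.zip\Rechnung_2025.js"',
    ),
    ProcEvent(
        parent_image=r"C:\Windows\System32\wscript.exe",
        image=r"C:\Windows\System32\cmd.exe",
        command_line=r'cmd.exe /c dir \\webdav.example.invalid@SSL\DavWWWRoot\inv\update.dll',
    ),
]

# Windows Script Host binaries that execute JScript/VBScript files.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# A .js / .jse argument, terminated by a quote, whitespace or end of line.
SCRIPT_EXT = re.compile(r'\.jse?(?=["\s]|$)', re.I)

# Paths a phished user typically lands in: Temp, Downloads, or an
# Explorer ZIP-extraction folder (Temp1_<archive>).
USER_WRITABLE = re.compile(r'\\(Temp|Downloads|Temp1_[^\\]+)\\', re.I)

# WebDAV UNC path as accepted by the Windows WebDAV redirector:
# \\host[@SSL][@port]\DavWWWRoot\...
WEBDAV_UNC = re.compile(r'\\\\[^\\\s]+\\DavWWWRoot\\', re.I)


def classify(ev: ProcEvent) -> list[str]:
    """Return the list of heuristic names that match a single event."""
    findings = []
    image_name = ev.image.rsplit("\\", 1)[-1].lower()
    if (image_name in SCRIPT_HOSTS
            and SCRIPT_EXT.search(ev.command_line)
            and USER_WRITABLE.search(ev.command_line)):
        findings.append("script-host-from-user-writable-path")
    if WEBDAV_UNC.search(ev.command_line):
        findings.append("webdav-unc-in-command-line")
    return findings


def scan(events: list[ProcEvent]) -> list[tuple[int, str]]:
    """Run every heuristic over every event; return (event index, finding) pairs."""
    return [(i, f) for i, ev in enumerate(events) for f in classify(ev)]


if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"[{finding}] parent={ev.parent_image} image={ev.image}")
        print(f"    cmd={ev.command_line}")
```

Both heuristics are deliberately narrow so they can be tuned against real baselines: the first fires only on a script host plus a .js argument plus a user-writable path, which keeps legitimate logon scripts under `\\dc\netlogon\` or `C:\Scripts\` quiet; the second fires on any process, since the article only says the DLL is fetched from a public WebDAV server, not which binary fetches it.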

Attribution and Infrastructure

According to research from IBM X-Force, Strela Stealer is likely operated by a threat actor group known as “Hive0145”. The malware’s command and control (C2) servers are hosted on Russian bulletproof hosting providers, which are known for their anonymity and resistance to legal action.

Technical Analysis of Obfuscation Methods

What makes Strela Stealer particularly concerning are its sophisticated code obfuscation techniques:

  • Multiple layers of code obfuscation
  • Encrypted payloads
  • Dynamic manipulation of virtual memory
  • Custom loaders that mask malware behavior

These technical measures significantly complicate detection and analysis for security researchers.

Evolving Threat Landscape

Strela Stealer represents an evolving threat in the information-stealing malware category. While maintaining its focus on specific countries, the attackers continue to refine their social engineering tactics, increasingly leveraging legitimate business email formats to deceive victims.

Protecting Against Email-Based Attacks

To reduce the risk of falling victim to Strela Stealer and similar email-based cyber attacks, consider implementing these security measures:

  • Avoid opening suspicious email attachments
  • Enable multi-factor authentication (MFA) for all accounts
  • Install and maintain updated security software
  • Regularly back up important data
  • Stay informed about the latest cyber threats

For both organizations and individual users, maintaining awareness of emerging threats and implementing appropriate safeguards is essential in today’s cybersecurity landscape.

Author

Editorial Team
The Editorial Team at Security Land is comprised of experienced professionals dedicated to delivering insightful analysis, breaking news, and expert perspectives on the ever-evolving threat landscape.