TROX Stealer: New Malware That Uses Psychological Manipulation and Advanced Techniques to Steal Sensitive Information
TROX Stealer is a new Malware-as-a-Service (MaaS) offering distributed through phishing emails disguised as debt-collection notices or legal threats. It uses psychological manipulation and multi-layered obfuscation to steal sensitive data such as credit card details, browser credentials and cryptocurrency wallets, and runs its attacks over anonymized infrastructure. Researchers recommend strengthening behavioral monitoring and email security to counter the threat. 2025-4-13 07:17:17 Author: cybersecuritynews.com

TROX Stealer Exfiltrate Sensitive Data Including Stored Credit Cards & Browser Credentials

A newly identified malware strain known as TROX Stealer has emerged as a significant threat to consumer data security, leveraging psychological manipulation and technical sophistication to exfiltrate sensitive information.

First observed in December 2024 by Sublime Security analysts, this Malware-as-a-Service (MaaS) product targets stored credit card details, browser credentials, cryptocurrency wallets, and session files for platforms like Discord and Telegram.

The malware operates on a weekly subscription model, enabling rapid deployment of short-lived campaigns that prioritize volume over persistence.


TROX Stealer distinguishes itself through its exploitation of urgency-based social engineering.

DEBT COLLECTION COURT DOCUMENTS (Source – Sublime Security)

Attackers deliver payloads via emails disguised as debt collection notices or legal threats, capitalizing on victims’ anxiety to bypass scrutiny.

These messages, often generated using large language models (LLMs), direct recipients to spoofed domains hosting malicious executables.

The payloads employ multi-layered obfuscation techniques, including Python-to-native binary compilation and WebAssembly (Wasm) smuggling, to evade detection.

Sublime Security researchers identified that the malware’s infrastructure reveals a methodical approach to operational security.

Attack domains such as documents[.]debt-collection-experts[.]com use tokenized download links to prevent re-infection and complicate analysis.

The campaign’s backbone relies on IP addresses like 89.185.82.34—a suspected Tor exit node—and Cloudflare-protected servers, illustrating the authors’ investment in anonymization.

Infection Mechanism: From Social Engineering to Silent Execution

The infection chain begins with a carefully crafted email urging immediate action to avoid legal consequences.

A typical subject line, “Final Warning: Legal Action Pending for Your Account,” directs victims to a link labeled “DEBT COLLECTION COURT DOCUMENTS.”

Clicking this link triggers a download of an executable file named DebtCollectionCase#######.exe, where the placeholder represents a unique seven-digit identifier.

The downloaded executable, compiled using Nuitka to convert Python scripts into native binaries, extracts components to a temporary directory (%Temp%\onefile_11536_133873237425638862).

These components include:

  • A decoy PDF (e.g., client_pdf_case_388.pdf) mimicking legitimate legal documents
  • A Node.JS interpreter (node700.exe) embedding malicious JavaScript
  • Support libraries like libcrypto-3.dll and python312.dll

The Python script orchestrates file execution, as revealed by internal documentation extracted during analysis:

```python
def install_files(user_profile, target_dir, source_dir, exe_pattern, pdf_pattern):
    # Copies 'node*.exe' and PDFs to AppData
    ...
def run_files(user_profile, target_dir, exe_pattern, pdf_pattern):
    # Executes the Node.JS binary and opens the decoy PDF
    ...
```

Decoy PDF (Source – Sublime Security)

The decoy PDF contains metadata artifacts such as Modified: Copy\040388, a signature of automated generation via PyPDF2.

Meanwhile, the Node.JS binary executes a Base64-encoded WebAssembly module, enabling Rust-compiled payloads to run in memory:

```javascript
var bytes = Buffer2.from("AGFzbQEAAAABvwRHYAJ/fwBgAX8AYAJ/fwF/YAN/f38Bf2ADf39/A...");
var wasmModule = new WebAssembly.Module(bytes);
var wasmInstance = new WebAssembly.Instance(wasmModule, imports);
```

This 2MB Wasm blob contains over 4,700 functions, many interacting with system APIs to harvest data.
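The Base64 prefix shown above (`AGFzbQEAAAA`) is simply the encoded form of the fixed Wasm header (`\0asm` plus version 1), which makes Base64-smuggled modules easy to spot in JavaScript. The following triage helper is an added example, not code from the article or from Sublime Security: it pulls `Buffer*.from("...")` arguments out of JS text, decodes the ones that carry the Wasm header, walks the module's section table and counts the functions the module defines, the same figure the researchers report for the TROX blob. The sample module and JS snippet are constructed here; `SAMPLE_WASM` is a minimal valid module, not the malware's.

```python
import base64
import re

# Constructed sample: a tiny valid Wasm v1 module (one `() -> ()` type, two
# functions with empty bodies). Built here for illustration; not the TROX blob.
SAMPLE_WASM = bytes.fromhex(
    "0061736d01000000"    # magic "\0asm" + version 1
    "010401600000"        # type section: 1 functype, no params, no results
    "0303020000"          # function section: 2 functions, both of type 0
    "0a070202000b02000b"  # code section: 2 bodies, each just `end`
)
# Constructed JS in the shape the article shows (Buffer2.from("...")).
SAMPLE_JS = 'var bytes = Buffer2.from("%s");\nvar m = new WebAssembly.Module(bytes);' % (
    base64.b64encode(SAMPLE_WASM).decode())

# Base64 of the fixed 8-byte header ("\0asm" + version 1) always begins with
# this, so it is a cheap string indicator for Wasm smuggled inside JS or HTML.
WASM_B64_PREFIX = "AGFzbQEAAAA"
_B64_ARG = re.compile(r'Buffer\w*\.from\(\s*["\']([A-Za-z0-9+/=]{12,})["\']')

def read_u32(buf, pos):
    # Unsigned LEB128 decode; returns (value, new_pos).
    result = shift = 0
    while True:
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7

def wasm_summary(blob):
    # Walk the section table; id 3 (function section) holds one type index per defined function.
    if blob[:4] != b"\x00asm":
        raise ValueError("not a Wasm module")
    pos, sections, defined = 8, {}, 0
    while pos < len(blob):
        sid, pos = read_u32(blob, pos)
        size, pos = read_u32(blob, pos)
        sections[sid] = size
        if sid == 3:
            defined, _ = read_u32(blob, pos)
        pos += size
    return {"version": int.from_bytes(blob[4:8], "little"),
            "sections": sections, "defined_functions": defined}

def find_embedded_wasm(js_text):
    # Summarise every base64 Buffer argument that carries the Wasm header.
    return [wasm_summary(base64.b64decode(b64))
            for b64 in _B64_ARG.findall(js_text) if b64.startswith(WASM_B64_PREFIX)]
```

Imported functions (section id 2) are not counted here, so on a real blob the figure is the number of functions the module itself defines.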

Upon execution, the malware transmits a JSON profile of the victim’s system to 172.22.117.177:2777, including hardware specs and OS details:

```json
{
  "username": "admin",
  "osType": "Windows_NT",
  "cpuModel": "Intel(R) Core(TM) i5-6400",
  "totalMemoryGB": "3.99"
}
```

The IP, registered to “STARK INDUSTRIES SOLUTIONS LTD.” in London, resolves to a server hosting additional payloads (*.json and *.js files), suggesting dynamic C2 capabilities.

TROX Stealer’s use of urgency-themed lures and rapidly shifting infrastructure complicates traditional IOC-based detection.

Defenders should prioritize behavioral monitoring for processes like node*.exe spawning from temporary directories and outbound connections to high-risk IPs.
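The behavioral check described above can be expressed as a small rule over process-creation telemetry. The code below is an added example, not from the article or Sublime Security: it flags a `node*.exe` image running from a Nuitka onefile unpack directory (the `%Temp%\onefile_<pid>_<timestamp>` pattern the article describes) and, as a secondary filename indicator, the `DebtCollectionCase#######.exe` lure name. It assumes Sysmon-style field names (`Image`, `ParentImage`, `CommandLine`); the events are constructed and the seven-digit case number is a placeholder.

```python
import ntpath
import re

# Nuitka onefile unpack directory as the article describes it: %Temp%\onefile_<pid>_<timestamp>\ .
_ONEFILE_TEMP = re.compile(r"\\Temp\\onefile_\d+_\d+\\", re.IGNORECASE)
_NODE_EXE = re.compile(r"^node\d*\.exe$", re.IGNORECASE)
# Lure filename from the article; the seven digits are a per-victim identifier.
_LURE_NAME = re.compile(r"^DebtCollectionCase\d{7}\.exe$", re.IGNORECASE)

def classify_process_event(event):
    # Returns the list of rule names one process-creation record triggers.
    # `event` uses Sysmon-style keys (assumed schema for this example).
    image = event.get("Image", "")
    parent = event.get("ParentImage", "")
    hits = []
    # Rule 1: a Node interpreter launched out of a onefile temp directory,
    # the node700.exe behaviour the article describes.
    if _NODE_EXE.match(ntpath.basename(image)) and _ONEFILE_TEMP.search(image):
        hits.append("node_from_onefile_temp")
    # Rule 2: the dropper's lure filename, on the process itself or its parent.
    if any(_LURE_NAME.match(ntpath.basename(p)) for p in (image, parent)):
        hits.append("debt_collection_lure_filename")
    return hits

def scan(events):
    # (index, hits) for every event that fires at least one rule.
    flagged = []
    for i, event in enumerate(events):
        hits = classify_process_event(event)
        if hits:
            flagged.append((i, hits))
    return flagged

# Constructed sample events (not real telemetry); usernames and paths are made up.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\nodejs\node.exe",           # legitimate Node install
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "node server.js"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\onefile_11536_133873237425638862\node700.exe",
     "ParentImage": r"C:\Users\alice\Downloads\DebtCollectionCase1234567.exe",
     "CommandLine": "node700.exe"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\onefile_2048_1\app.exe",  # benign onefile app
     "ParentImage": r"C:\Users\alice\Downloads\SomeTool.exe",
     "CommandLine": "app.exe"},
]
```

Only the second event fires; a legitimate Nuitka-packaged application in the same temp location does not, because the rule keys on the Node interpreter rather than on the onefile directory alone.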

The malware’s reliance on Wasm and LLM-generated decoys underscores the need for advanced email security solutions capable of intercepting socially engineered threats before they reach end-users.

Source: https://cybersecuritynews.com/trox-stealer-exfiltrate-sensitive-data/