S1183: StrelaStealer
StrelaStealer is an information stealer malware variant first identified in November 2022 and active through late 2024. StrelaStealer focuses on the automated identification, collection, and exfiltration of email credentials from email clients such as Outlook and Thunderbird.[1][2][3][4]
Analyst context for executives and security teams
StrelaStealer matters because its stated purpose is to find, collect, and exfiltrate email credentials from Windows email clients such as Outlook and Thunderbird. For leaders, the business issue is not just malware cleanup: stolen mailbox credentials can affect communications integrity, identity response, audit evidence, and the organization’s ability to trust email during an incident.
Executive priority
Treat this as an identity-and-communications resilience scenario. Ask whether the organization can quickly determine which Windows endpoints use local email clients, whether email credential theft would be visible, and whether SOC and IR teams can connect endpoint execution, obfuscated payloads, and outbound exfiltration activity into one incident narrative. Because ATT&CK provides no official detection text for this software, coverage should be proven through local telemetry validation rather than assumed from tool ownership.
Technical view
ATT&CK lists StrelaStealer as Windows malware focused on automated identification, collection, and exfiltration of email credentials. Related behaviors include user-driven malicious file execution, PowerShell/cmd/JavaScript execution, rundll32 proxy execution, system information discovery, automated collection and exfiltration, web-protocol C2, encoded or obfuscated C2 traffic, packed/compressed/encoded files, masquerading, and execution guardrails. SOC teams should validate detection chains that join suspicious script or rundll32 activity, unusual access to Outlook or Thunderbird-related credential material, obfuscated or masqueraded artifacts, and outbound web traffic consistent with C2 or exfiltration.
Likely telemetry
- Windows endpoint process creation for PowerShell, cmd, JavaScript/JScript engines, and rundll32.exe
- File creation, file metadata, and content-scanning evidence for packed, compressed, encoded, renamed, or masqueraded payloads
- Endpoint events showing access to Outlook and Thunderbird credential-related data or profile locations
- Network telemetry for outbound web-protocol communications, C2-like sessions, encoded data, and automated exfiltration patterns
- Script logging and command-line arguments where available
Detection direction
- Do not rely on a single malware name or signature; the ATT&CK relationships for this software emphasize obfuscation, packing, compression, encoding, masquerading, and renamed utilities.
- Tune detections around behavior chains: user-opened file leading to script or rundll32 execution, followed by email-client credential access and outbound web traffic.
- Baseline legitimate rundll32, PowerShell, cmd, and JavaScript activity to reduce false positives while preserving visibility into unusual parent-child process relationships and command lines.
- Inspect outbound web traffic for encoded or obfuscated content, but account for the fact that normal web traffic can look noisy without endpoint correlation.
- Confirm whether endpoint tooling records file type mismatches, suspicious names or locations, and packed or compressed artifacts; these are common blind spots for static-only controls.
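The behaviour chain the bullets above describe (user-opened file, script or rundll32 execution, email-client credential access, outbound web traffic) is easier to reason about as code than as prose. The following is an added example written for this page, not Glexia or MITRE code: a small correlator that stages constructed endpoint events per host and alerts only when credential access by a non-email-client process is preceded by suspicious execution and followed by an outbound POST. The event field names (`type`, `image`, `parent`, `cmdline`, `key`, `value`, `path`, `dest`, `method`) are assumptions standing in for whatever your EDR emits, and the sample events are constructed, not real incident data. The Outlook registry key and Thunderbird file names are taken from the techniques table on this page.

```python
"""Correlate endpoint telemetry into the StrelaStealer-style behaviour chain:
user-opened file -> script/rundll32 execution -> email-client credential access
-> outbound web POST. Added example; schema and sample events are constructed."""

from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Processes that legitimately read their own credential stores. The page's signal is
# the same data being touched by *any other* image, so these are excluded, not alerted.
EMAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
SCRIPT_ENGINES = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe"}
EXEC_STAGES = {"user_execution", "decode", "proxy_execution"}
# Directories a standard user can write to; a DLL loaded from here by rundll32 is unusual.
USER_WRITABLE = re.compile(r"\\(downloads|temp|appdata)\\", re.IGNORECASE)
# Outlook profile hive (T1552.002) and the IMAP values named on this page.
OUTLOOK_PROFILE_KEY = re.compile(r"\\Office\\\d+\.\d+\\Outlook\\Profiles\\", re.IGNORECASE)
IMAP_VALUES = {"imap user", "imap server", "imap password"}
# Thunderbird credential files (T1552.001).
THUNDERBIRD_CRED_FILE = re.compile(r"\\Thunderbird\\Profiles\\.*\\(logins\.json|key4\.db)$", re.IGNORECASE)
WINDOW = timedelta(minutes=10)  # assumption: tune to your environment

# Constructed sample telemetry. wks-a is benign noise; wks-b carries the full chain.
SAMPLE_EVENTS = [
    {"ts": "2024-06-01T09:00:00", "host": "wks-a", "type": "process", "image": "rundll32.exe",
     "parent": "explorer.exe", "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"ts": "2024-06-01T09:00:05", "host": "wks-a", "type": "network", "image": "outlook.exe",
     "dest": "outlook.office365.com", "method": "POST"},
    {"ts": "2024-06-01T10:00:00", "host": "wks-b", "type": "process", "image": "wscript.exe",
     "parent": "explorer.exe", "cmdline": r"wscript.exe C:\Users\u\Downloads\invoice.js"},
    {"ts": "2024-06-01T10:00:02", "host": "wks-b", "type": "process", "image": "certutil.exe",
     "parent": "wscript.exe", "cmdline": r"certutil -decode C:\Users\u\AppData\Local\Temp\a.txt C:\Users\u\AppData\Local\Temp\a.dll"},
    {"ts": "2024-06-01T10:00:04", "host": "wks-b", "type": "process", "image": "rundll32.exe",
     "parent": "wscript.exe", "cmdline": r"rundll32.exe C:\Users\u\AppData\Local\Temp\a.dll,Entry"},  # export name constructed
    {"ts": "2024-06-01T10:00:05", "host": "wks-b", "type": "registry", "image": "rundll32.exe",
     "key": "HKCU\\SOFTWARE\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\",
     "value": "IMAP Password"},
    {"ts": "2024-06-01T10:00:06", "host": "wks-b", "type": "file", "image": "rundll32.exe",
     "path": r"C:\Users\u\AppData\Roaming\Thunderbird\Profiles\abc.default\logins.json"},
    {"ts": "2024-06-01T10:00:08", "host": "wks-b", "type": "network", "image": "rundll32.exe",
     "dest": "203.0.113.10", "method": "POST"},  # TEST-NET-3 documentation address
]


def classify(ev: dict) -> str | None:
    """Map one event to a chain stage, or None if it is uninteresting on its own."""
    image = ev["image"].lower()
    kind = ev["type"]
    if kind == "process":
        cmd = ev.get("cmdline", "")
        parent = ev.get("parent", "").lower()
        if image in SCRIPT_ENGINES and parent == "explorer.exe" and USER_WRITABLE.search(cmd):
            return "user_execution"        # T1204.002 leading to T1059.x
        if image == "certutil.exe" and "-decode" in cmd.lower():
            return "decode"                # T1140: Base64 payload decoded with certutil
        if image == "rundll32.exe" and USER_WRITABLE.search(cmd):
            return "proxy_execution"       # T1218.011 with a DLL from a user-writable path
    elif kind == "registry" and image not in EMAIL_CLIENTS:
        if OUTLOOK_PROFILE_KEY.search(ev["key"]) and ev.get("value", "").lower() in IMAP_VALUES:
            return "credential_access"     # T1552.002
    elif kind == "file" and image not in EMAIL_CLIENTS:
        if THUNDERBIRD_CRED_FILE.search(ev["path"]):
            return "credential_access"     # T1552.001
    elif kind == "network" and image not in EMAIL_CLIENTS and ev.get("method") == "POST":
        return "outbound_post"             # T1071.001 / T1041 candidate
    return None


def correlate(events: list[dict]) -> list[dict]:
    """Per host, alert when a credential-access event has an execution stage before it
    and an outbound POST at or after it, all inside WINDOW. One alert per host."""
    by_host: dict[str, list] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = classify(ev)
        if stage:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), stage, ev["image"]))
    alerts = []
    for host, staged in by_host.items():
        for t0, stage, _ in staged:
            if stage != "credential_access":
                continue
            window = [s for s in staged if t0 - WINDOW <= s[0] <= t0 + WINDOW]
            executed_before = any(s[1] in EXEC_STAGES and s[0] <= t0 for s in window)
            posted_after = any(s[1] == "outbound_post" and s[0] >= t0 for s in window)
            if executed_before and posted_after:
                alerts.append({"host": host,
                               "stages": sorted({s[1] for s in window}),
                               "images": sorted({s[2] for s in window})})
                break
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The design choice worth noting is the exclusion list: `outlook.exe` reading its own profile key and `thunderbird.exe` reading `logins.json` are normal, so the detection keys on the same artifacts being touched by a different image, and then demands the surrounding chain before alerting. That is what keeps a lone rundll32 or a lone POST from paging anyone, while preserving the parent-child and command-line visibility the bullets ask for.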
Mitigation priorities
- Prioritize protection and response procedures for email-client credential theft, including rapid credential invalidation and mailbox access review where applicable.
- Harden and monitor Windows script execution paths and rundll32 usage, focusing on abuse rather than blocking legitimate administration blindly.
- Reduce user-executed malicious file risk through attachment/file handling controls and user-facing safeguards appropriate to the environment.
- Strengthen outbound web traffic monitoring and egress controls so automated exfiltration over C2 or web protocols is easier to identify and contain.
- Ensure incident response playbooks connect endpoint containment with identity, mailbox, and communications-impact decisions.
Analyst notes and limits
The most decision-relevant point is the combination of Windows endpoint execution, credential-focused collection from local email clients, and automated exfiltration. Glexia would treat this as a SOC plus identity response validation case: can teams prove what ran, what mailbox credentials may have been accessed, and what left the network?
The supplied ATT&CK object has no official detection text, no aliases, and no top-level tactics specified. Several behavior details come from relationships to ATT&CK techniques, not from a full procedure description. Local endpoint, email-client, identity, and network evidence is required before assessing exposure or control effectiveness.
StrelaStealer
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1001 | Data Obfuscation | StrelaStealer encrypts the payload of HTTP POST communications using the same XOR key used for the malware's DLL payload.[1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | StrelaStealer exfiltrates collected email credentials via HTTP POST to command and control servers.[1][2][3][4] |
| Enterprise | T1027.016 | Junk Code Insertion Sub-technique | StrelaStealer variants have included excessive mathematical functions padding the binary and slowing execution for anti-analysis and sandbox evasion purposes.[3] |
| Enterprise | T1071.001 | Web Protocols Sub-technique | StrelaStealer communicates externally via HTTP POST with encrypted content.[1][3][4] |
| Enterprise | T1622 | Debugger Evasion | StrelaStealer variants include functionality to identify and evade debuggers.[3] |
| Enterprise | T1027 | Obfuscated Files or Information | StrelaStealer has been distributed in ISO archives.[1] StrelaStealer has been delivered in encrypted, password-protected ZIP archives.[4] |
| Enterprise | T1553.002 | Code Signing Sub-technique | StrelaStealer variants have used valid code signing certificates.[4] |
| Enterprise | T1480 | Execution Guardrails | StrelaStealer variants only execute if the keyboard layout or language matches a set list of variables.[3][4] |
| Enterprise | T1036.003 | Rename Legitimate Utilities Sub-technique | StrelaStealer has used a renamed, legitimate `msinfo32.exe` executable to sideload the StrelaStealer payload during initial installation.[1] |
| Enterprise | T1204.002 | Malicious File Sub-technique | StrelaStealer relies on user execution of a malicious file for installation.[1] |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | StrelaStealer uses XOR-encoded strings to obfuscate items.[1] |
| Enterprise | T1059.007 | JavaScript Sub-technique | StrelaStealer has been distributed as a malicious JavaScript object.[2][3][4] |
| Enterprise | T1218.011 | Rundll32 Sub-technique | StrelaStealer DLL payloads have been executed via `rundll32.exe`.[2][4] |
| Enterprise | T1518 | Software Discovery | StrelaStealer variants use COM objects to enumerate installed applications from the "AppsFolder" on victim machines.[4] |
| Enterprise | T1027.002 | Software Packing Sub-technique | StrelaStealer variants have used packers to obfuscate payloads and make analysis more difficult.[2] |
| Enterprise | T1059.001 | PowerShell Sub-technique | StrelaStealer variants have used PowerShell scripts to download or drop payloads, including obfuscated variants that connect to a WebDAV server to download and execute an encrypted DLL for installation.[4] |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | StrelaStealer has included BAT files in some instances for installation.[3][4] |
| Enterprise | T1497 | Virtualization/Sandbox Evasion | StrelaStealer payloads have used control flow obfuscation techniques such as excessively long code blocks of mathematical instructions to defeat sandboxing and related analysis methods.[2][3] |
| Enterprise | T1566.001 | Spearphishing Attachment Sub-technique | StrelaStealer has been distributed as a spearphishing attachment.[1] |
| Enterprise | T1027.015 | Compression Sub-technique | StrelaStealer has been delivered via JScript files in a ZIP archive.[2][3] |
| Enterprise | T1552.002 | Credentials in Registry Sub-technique | StrelaStealer enumerates the registry key `HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\` to identify the values for "IMAP User," "IMAP Server," and "IMAP Password" associated with the Outlook email application.[1][3][4] |
| Enterprise | T1036 | Masquerading | StrelaStealer PE executable payloads have used uncommon but legitimate extensions such as `.com` instead of `.exe`.[4] |
| Enterprise | T1132.001 | Standard Encoding Sub-technique | StrelaStealer utilizes a hard-coded XOR key to encrypt the content of HTTP POST requests to command and control infrastructure.[4] |
| Enterprise | T1574.001 | DLL Sub-technique | StrelaStealer has sideloaded a DLL payload using a renamed, legitimate `msinfo32.exe` executable.[1] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | StrelaStealer payloads have tailored filenames to include names identical to the name of the targeted organization or company.[4] |
| Enterprise | T1614.001 | System Language Discovery Sub-technique | StrelaStealer variants check system language settings via keyboard layout or similar mechanisms.[3][4] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | StrelaStealer payloads have included strings encrypted via XOR.[1] StrelaStealer JavaScript payloads utilize Base64-encoded payloads that are decoded via certutil to create a malicious DLL file.[2][3] |
| Enterprise | T1105 | Ingress Tool Transfer | StrelaStealer installers have used obfuscated PowerShell scripts to retrieve follow-on payloads from WebDAV servers.[4] |
| Enterprise | T1480.002 | Mutual Exclusion Sub-technique | StrelaStealer variants include the use of mutex values based on the victim system name to prevent reinfection.[3] |
| Enterprise | T1082 | System Information Discovery | StrelaStealer variants collect victim system information for exfiltration.[4] |
| Enterprise | T1552.001 | Credentials In Files Sub-technique | StrelaStealer searches for and, if found, collects the contents of files such as `logins.json` and `key4.db` in the `%APPDATA%\Thunderbird\Profiles\` directory, associated with the Thunderbird email application.[1][3] |
| Enterprise | T1119 | Automated Collection | StrelaStealer attempts to identify and collect mail login data from Thunderbird and Outlook following execution.[1][2][3][4] |
| Enterprise | T1036.008 | Masquerade File Type Sub-technique | StrelaStealer has been distributed as a DLL/HTML polyglot file.[1][4] |
| Enterprise | T1020 | Automated Exfiltration | StrelaStealer automatically sends gathered email credentials following collection to command and control servers via HTTP POST.[1][4] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see the Updates section of MITRE's ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 45e86b27412c… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] DCSO StrelaStealer 2022: DCSO CyTec Blog. (2022, November 8). #ShortAndMalicious: StrelaStealer aims for mail credentials. Retrieved December 31, 2024.
- [2] PaloAlto StrelaStealer 2024: Benjamin Chang, Goutam Tripathy, Pranay Kumar Chhaparwal, Anmol Maurya & Vishwa Thothathri, Palo Alto Networks. (2024, March 22). Large-Scale StrelaStealer Campaign in Early 2024. Retrieved December 31, 2024.
- [3] Fortgale StrelaStealer 2023: Fortgale. (2023, September 18). StrelaStealer Malware Analysis. Retrieved December 31, 2024.
- [4] IBM StrelaStealer 2024: Golo Mühr, Joe Fasulo & Charlotte Hammond, IBM X-Force. (2024, November 12). Strela Stealer: Today’s invoice is tomorrow’s phish. Retrieved December 31, 2024.
- [5] mitre-attack S1183: the mirrored MITRE ATT&CK source object for S1183.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.