S1196: Troll Stealer
Troll Stealer is an information stealer written in Go associated with Kimsuky operations. Troll Stealer has typically been delivered through a dropper disguised as a legitimate security program installation file. Troll Stealer features code similar to AppleSeed, also uniquely associated with Kimsuky operations.[1][2]
Analyst context for executives and security teams
Troll Stealer matters because it is a Windows information-stealing capability that ATT&CK ties to Kimsuky operations and to a chain of behaviors: collecting local files, browser information, screenshots, private keys, and repository data, then staging, archiving, and exfiltrating that data over web-protocol C2 channels. For leaders, the business issue is not just that malware ran; it is whether sensitive data, authentication material, and user context on endpoints can be collected and moved out before the SOC sees the chain.
Executive priority
Prioritize this as an endpoint data-theft and espionage readiness scenario. Executives should ask whether Windows endpoints handling sensitive business, government, research, manufacturing, or partner data have sufficient prevention, logging, egress visibility, and incident-response playbooks for stealer activity. The documented use of stolen code-signing certificates, a dropper masquerading as a legitimate security program installer, rundll32 proxy execution, PowerShell and cmd scripts, local staging, archiving, and HTTP C2 makes this relevant to control assurance, certificate trust policy, endpoint hardening, and audit evidence around data protection.
Technical view
ATT&CK provides no official detection text, so defenders should validate coverage by chaining the related behaviors rather than relying on a single indicator. On Windows, test visibility for suspicious installer/dropper execution disguised as security software, VMProtect-packed or validly signed binaries, PowerShell and cmd execution, rundll32 proxy execution, discovery of system/network/browser/file information, access to private key material, screenshot activity, local staging and archive creation, deletion of artifacts, and outbound web traffic carrying encoded or encrypted data. Correlation is what makes this usable: any one behavior can be benign, but execution plus discovery plus staging plus web/C2 exfiltration from the same process tree is materially stronger evidence.
Likely telemetry
- Windows process creation telemetry, including parent/child relationships for installers, PowerShell, cmd.exe, and rundll32.exe
- Endpoint file events for dropped executables, packed binaries, staging directories, archive creation, and file deletion
- Code-signing and certificate metadata for newly executed or downloaded binaries
- Command-line and script block logging where enabled for PowerShell and Windows command shell activity
- Browser profile, file-system, repository, screenshot, and private-key access events where endpoint controls can record them
Detection direction
- Build detections around behavior sequences: disguised installer or suspicious signed binary execution followed by command shell use, discovery, collection, staging, archive creation, and outbound web traffic.
- Tune PowerShell, cmd.exe, and rundll32.exe analytics to account for legitimate administrative and software-installation activity; require context such as unusual parent process, user, path, certificate, or network destination.
- Review trust decisions for signed software. A valid signature alone should not suppress inspection when the binary is newly observed, unusually located, or associated with collection/exfiltration behavior.
- Validate visibility into collection targets named by the relationships: local files, browser information, screenshots, private keys, and information repositories.
- Look for exfiltration patterns over existing web/C2 channels, including encoded or encrypted payloads, but avoid assuming content inspection will be available for all HTTPS traffic.
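One way to implement the behavior-sequence correlation that the technical view and the detection direction above describe, as an added example (not code from this page, from MITRE, or from any vendor): a Python correlator over constructed Sysmon-style process, file, and network events. It walks the process tree under an installer-looking binary and alerts only when several stages (installer execution, rundll32 loading a DLL from a user-writable path, archive creation, outbound web traffic, shell-based self-deletion) line up inside a window. The event schema, the stage rules, the host name, paths, and addresses are all assumptions; the `signed` flag is carried into the alert rather than used to suppress it, which is the trust point made above.

```python
"""Behavior-chain correlator for stealer activity (added illustration).
Groups constructed Sysmon-style events by host, walks the process tree under a
suspicious installer, and alerts only when several chain stages line up. Field
names, stage rules, hosts, paths and addresses are assumptions for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

def _user_writable(path):
    return any(seg in path.lower() for seg in USER_WRITABLE)

# One rule per chain stage; each returns True when the event matches that link.
def stage_dropper(e):
    # Installer-looking binary launched from a user-writable path. A valid
    # signature is recorded in the alert but deliberately does not suppress it.
    name = e["image"].lower().rsplit("\\", 1)[-1]
    return (e["event"] == "process_create" and _user_writable(e["image"])
            and any(k in name for k in ("setup", "install", "security")))

def stage_rundll32(e):
    # rundll32.exe loading a DLL that lives in a user-writable location.
    cmd = e["cmdline"].lower()
    return (e["event"] == "process_create" and ".dll" in cmd
            and e["image"].lower().endswith("\\rundll32.exe") and _user_writable(cmd))

def stage_archive(e):
    return (e["event"] == "file_create" and _user_writable(e["target"])
            and e["target"].lower().endswith((".zip", ".7z", ".rar", ".gz")))

def stage_exfil(e):
    # Web-port connection to a non-private address (RFC1918 check is approximate).
    return (e["event"] == "network_connect" and e["dest_port"] in (80, 443, 8080)
            and not e["dest_ip"].startswith(("10.", "192.168.", "172.16.")))

def stage_self_delete(e):
    cmd = e["cmdline"].lower()
    return (e["event"] == "process_create"
            and e["image"].lower().endswith(("\\powershell.exe", "\\cmd.exe"))
            and any(k in cmd for k in ("remove-item", "del ", "erase ")))

STAGES = [("dropper", stage_dropper), ("rundll32", stage_rundll32),
          ("archive", stage_archive), ("exfil", stage_exfil),
          ("self_delete", stage_self_delete)]

def correlate(events, window=timedelta(minutes=30), min_stages=3):
    """One alert per dropper whose process tree shows at least min_stages
    stages inside the window, one of them exfiltration or self-deletion."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        children = defaultdict(list)
        for e in evs:
            if e["event"] == "process_create":
                children[e["ppid"]].append(e["pid"])
        for root in [e for e in evs if stage_dropper(e)]:
            tree, todo = {root["pid"]}, [root["pid"]]
            while todo:  # collect every descendant pid of the dropper
                for c in children[todo.pop()]:
                    if c not in tree:
                        tree.add(c)
                        todo.append(c)
            seen = {}
            for e in evs:
                if e["pid"] in tree and root["ts"] <= e["ts"] <= root["ts"] + window:
                    for name, rule in STAGES:
                        if name not in seen and rule(e):
                            seen[name] = e["ts"]
            if len(seen) >= min_stages and ("exfil" in seen or "self_delete" in seen):
                alerts.append({"host": host, "root_pid": root["pid"],
                               "signed": root.get("signed", False),
                               "stages": sorted(seen, key=seen.get)})
    return alerts

T0 = datetime(2024, 2, 7, 9, 0, 0)

def ev(minutes, **fields):
    base = {"host": "WS-017", "ts": T0 + timedelta(minutes=minutes), "pid": 0, "ppid": 0,
            "image": "", "cmdline": "", "target": "", "dest_ip": "", "dest_port": 0}
    base.update(fields)
    return base

# Constructed sample telemetry, not real Troll Stealer artifacts.
SAMPLE_EVENTS = [
    ev(0, event="process_create", pid=100, ppid=50, signed=True,
       image=r"C:\Users\kim\Downloads\TrustSecurity_Setup.exe", cmdline="TrustSecurity_Setup.exe"),
    ev(1, event="process_create", pid=101, ppid=100, image=r"C:\Windows\System32\rundll32.exe",
       cmdline=r"rundll32.exe C:\Users\kim\AppData\Local\Temp\svc.dll,Run"),
    ev(2, event="process_create", pid=102, ppid=50, image=r"C:\Windows\System32\rundll32.exe",
       cmdline=r"rundll32.exe C:\Users\admin\AppData\Local\Temp\ui.dll,Show"),  # outside the tree
    ev(3, event="file_create", pid=101, target=r"C:\Users\kim\AppData\Local\Temp\out.zip"),
    ev(4, event="network_connect", pid=101, dest_ip="203.0.113.10", dest_port=80),
    ev(5, event="process_create", pid=103, ppid=101,
       image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
       cmdline=r"powershell -c Remove-Item -Force C:\Users\kim\AppData\Local\Temp\svc.dll"),
]

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))
```

A lone rundll32 event from an unrelated process tree (pid 102 in the sample) never alerts on its own, and a tree that shows only installer execution and rundll32 stays below the threshold; `min_stages` and `window` are the knobs to tune against your own installer and administrative baselines before deployment.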
Mitigation priorities
- Harden Windows endpoints against untrusted or unexpected software installation, especially installers presented as security tools.
- Apply application control and certificate-trust review processes that evaluate publisher, path, prevalence, and behavior rather than signature status alone.
- Restrict and monitor PowerShell, cmd.exe, and rundll32.exe use according to administrative need.
- Protect sensitive local data: reduce storage of private keys and credentials on endpoints, enforce secure key management, and limit repository access from user workstations where possible.
- Ensure EDR, logging, proxy, DNS, and firewall telemetry are retained long enough to reconstruct collection-to-exfiltration timelines.
Analyst notes and limits
The ATT&CK object identifies Troll Stealer as a Go-based information stealer associated with Kimsuky operations, typically delivered through a dropper disguised as a legitimate security program installation file, with code similarity to AppleSeed. Relationship context supplies the practical defensive map: execution through PowerShell/cmd/rundll32, discovery, local collection, staging, archiving, private-key access, code signing, web-protocol C2, encoded/encrypted communications, exfiltration, and file deletion.
MITRE does not provide official detection guidance for this object, and the supplied object lists Windows as the malware platform while some related techniques have broader platform metadata. This take does not assert active exploitation, local exposure, or guaranteed detection. Local validation requires environment-specific software inventory, certificate policy, endpoint logging, proxy visibility, and incident data-retention review.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1005 | Data from Local System | Troll Stealer gathers information from infected systems such as SSH information from the victim's `.ssh` directory.[2] Troll Stealer collects information from local FileZilla installations and Microsoft Sticky Note.[1] |
| Enterprise | T1074.001 | Local Data Staging | Troll Stealer encrypts gathered information on victim devices prior to exfiltrating it through command and control infrastructure.[1] |
| Enterprise | T1113 | Screen Capture | Troll Stealer can capture screenshots from victim machines.[1][2] |
| Enterprise | T1132.001 | Standard Encoding | Troll Stealer performs XOR encryption and Base64 encoding of data prior to sending to command and control infrastructure.[1] |
| Enterprise | T1027.002 | Software Packing | Troll Stealer has been delivered as a VMProtect-packed binary.[1][ASEC Troll Stealer 2024] |
| Enterprise | T1016 | System Network Configuration Discovery | Troll Stealer collects the MAC address of victim devices.[1] |
| Enterprise | T1071.001 | Web Protocols | Troll Stealer uses HTTP to communicate to command and control infrastructure.[1] |
| Enterprise | T1059.001 | PowerShell | Troll Stealer creates and executes a PowerShell script to delete itself.[1] |
| Enterprise | T1553.002 | Code Signing | Troll Stealer, along with its associated dropper, utilizes legitimate, stolen code signing certificates.[1][ASEC Troll Stealer 2024] |
| Enterprise | T1059.003 | Windows Command Shell | Troll Stealer can create and execute Windows batch scripts.[1] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location | Troll Stealer is typically installed via a dropper file that masquerades as a legitimate security program installation file.[1][2] |
| Enterprise | T1552.004 | Private Keys | Troll Stealer collects all data in victim `.ssh` folders by creating a compressed copy that is subsequently exfiltrated to command and control infrastructure. Troll Stealer also collects key information associated with the Government Public Key Infrastructure (GPKI) service for South Korean government information systems.[1][2] |
| Enterprise | T1560 | Archive Collected Data | Troll Stealer compresses stolen data prior to exfiltration.[1] |
| Enterprise | T1213 | Data from Information Repositories | Troll Stealer gathers information from the Government Public Key Infrastructure (GPKI) folder, associated with South Korean government public key infrastructure, on infected systems.[1][2] |
| Enterprise | T1083 | File and Directory Discovery | Troll Stealer can enumerate and collect items from local drives and folders.[1] |
| Enterprise | T1480.002 | Mutual Exclusion | Troll Stealer creates a mutex during installation to prevent duplicate execution.[1] |
| Enterprise | T1082 | System Information Discovery | Troll Stealer can collect local system information.[1][2] |
| Enterprise | T1218.011 | Rundll32 | Troll Stealer is dropped as a DLL file and executed via `rundll32.exe` by its installer.[1][ASEC Troll Stealer 2024] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Troll Stealer exfiltrates collected information to its command and control infrastructure.[1] |
| Enterprise | T1217 | Browser Information Discovery | Troll Stealer collects information from Chromium-based browsers and Firefox such as cookies, history, downloads, and extensions.[1][2] |
| Enterprise | T1573.001 | Symmetric Cryptography | Troll Stealer encrypts data sent to command and control infrastructure using a combination of RC4 and RSA-4096 algorithms.[1] |
| Enterprise | T1070.004 | File Deletion | Troll Stealer creates and can execute a BAT script that will delete the malware.[1] |
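The T1132.001 and T1573.001 rows describe data that is RC4-encrypted, XOR-encoded, and Base64-encoded before it travels to C2 over HTTP. The following is an added model of that layering and not Troll Stealer's own code: a standard-library RC4 implementation (checked against the well-known "Key"/"Plaintext" test vector) wrapped in repeating-key XOR and Base64, with the decode path an analyst would run over a captured request body. The layer order, both keys, and the sample collection record are assumptions; the RSA-4096 wrapping of the RC4 key that the row mentions is omitted because it needs a third-party library.

```python
"""Layered C2 encoding model: RC4, then XOR, then Base64 (added illustration).
The layer order, the keys and the sample record are assumptions, not Troll
Stealer's real scheme; the RSA-4096 wrapping of the session key is omitted."""
import base64
import math
from collections import Counter

RC4_KEY = b"session-key-assumed"   # assumed; would be RSA-wrapped for the server in a hybrid scheme
XOR_KEY = b"\x5a\xa5"              # assumed two-byte XOR key

# Constructed sample collection record; not real stolen data.
SAMPLE_RECORD = (b'{"host":"WS-017","mac":"00:11:22:33:44:55",'
                 b'"files":[".ssh/id_rsa",".ssh/known_hosts"]}')


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 key scheduling (KSA) followed by keystream XOR (PRGA).
    Symmetric: the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(key: bytes, data: bytes) -> bytes:
    """Repeating-key XOR; also its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_for_c2(record: bytes, rc4_key=RC4_KEY, xor_key=XOR_KEY) -> str:
    """Client side: RC4-encrypt, XOR, then Base64 into an HTTP-safe string."""
    return base64.b64encode(xor(xor_key, rc4(rc4_key, record))).decode("ascii")


def decode_from_c2(blob: str, rc4_key=RC4_KEY, xor_key=XOR_KEY) -> bytes:
    """Analyst side: peel the layers in reverse order."""
    return rc4(rc4_key, xor(xor_key, base64.b64decode(blob)))


def byte_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; encrypted bodies trend toward 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


if __name__ == "__main__":
    blob = encode_for_c2(SAMPLE_RECORD)
    print("RC4 KAT ok:", rc4(b"Key", b"Plaintext").hex() == "bbf316e8d940af0ad3")
    print("wire body:", blob)
    print("round trip ok:", decode_from_c2(blob) == SAMPLE_RECORD)
    print("entropy plaintext %.2f, decoded wire bytes %.2f"
          % (byte_entropy(SAMPLE_RECORD), byte_entropy(base64.b64decode(blob))))
```

The detection lesson is the one made under detection direction: the Base64 body is well-formed and carries no plaintext markers, so content matching on the wire fails without the keys. Pivot instead on process lineage, the outbound destination, request timing and size, and the entropy of the decoded body.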
Groups, software, and campaigns
G0094: Kimsuky
Kimsuky is a Democratic People's Republic of Korea (DPRK)-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter experts in various fields. Its operations expanded to include the United Nations and organizations in the government, education, business services, and manufacturing sectors across the United States, Japan, Russia, and Europe. Kimsuky has focused collection on foreign policy and national security issues tied to the Korean Peninsula, nuclear policy, and sanctions. Kimsuky operations have overlapped with those of other North Korean state-sponsored cyber espionage actors as a result of ad hoc collaborations or other limited resource sharing.[1][2][3][4][5][6]
Kimsuky was assessed to be responsible for the 2014 Korea Hydro & Nuclear Power Co. compromise; other notable campaigns include Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019).[7][8][9] In 2023, Kimsuky was observed using commercial large language models (LLMs) to assist with vulnerability research, scripting, social engineering and reconnaissance.[10]
DPRK threat actor cluster boundaries overlap in open source reporting, with some security researchers consolidating all attributed North Korean state-sponsored cyber activity under Lazarus Group, rather than tracking operationally distinct subgroups.
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | d8b3d298507f… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] S2W Troll Stealer 2024: Jiho Kim & Sebin Lee, S2W. (2024, February 7). Kimsuky disguised as a Korean company signed with a valid certificate to distribute Troll Stealer (English ver.). Retrieved January 17, 2025.
[2] Symantec Troll Stealer 2024: Symantec Threat Hunter Team. (2024, May 16). Springtail: New Linux Backdoor Added to Toolkit. Retrieved January 17, 2025.
[3] MITRE ATT&CK: S1196, Troll Stealer.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.