S1183: StrelaStealer
StrelaStealer is an information stealer malware variant first identified in November 2022 and active through late 2024. StrelaStealer focuses on the automated identification, collection, and exfiltration of email credentials from email clients such as Outlook and Thunderbird.[1][2][3][4]
Analyst context for executives and security teams
StrelaStealer matters because its stated purpose is to find, collect, and exfiltrate email credentials from Windows email clients such as Outlook and Thunderbird. For leaders, the business issue is not just malware cleanup: stolen mailbox credentials can affect communications integrity, identity response, audit evidence, and the organization’s ability to trust email during an incident.
Executive priority
Treat this as an identity-and-communications resilience scenario. Ask whether the organization can quickly determine which Windows endpoints use local email clients, whether email credential theft would be visible, and whether SOC and IR teams can connect endpoint execution, obfuscated payloads, and outbound exfiltration activity into one incident narrative. Because ATT&CK provides no official detection text for this software, coverage should be proven through local telemetry validation rather than assumed from tool ownership.
Technical view
ATT&CK lists StrelaStealer as Windows malware focused on automated identification, collection, and exfiltration of email credentials. Related behaviors include user-driven malicious file execution, PowerShell/cmd/JavaScript execution, rundll32 proxy execution, system information discovery, automated collection and exfiltration, web-protocol C2, encoded or obfuscated C2 traffic, packed/compressed/encoded files, masquerading, and execution guardrails. SOC teams should validate detection chains that join suspicious script or rundll32 activity, unusual access to Outlook or Thunderbird-related credential material, obfuscated or masqueraded artifacts, and outbound web traffic consistent with C2 or exfiltration.
Likely telemetry
- Windows endpoint process creation for PowerShell, cmd, JavaScript/JScript engines, and rundll32.exe
- File creation, file metadata, and content-scanning evidence for packed, compressed, encoded, renamed, or masqueraded payloads
- Endpoint events showing access to Outlook and Thunderbird credential-related data or profile locations
- Network telemetry for outbound web-protocol communications, C2-like sessions, encoded data, and automated exfiltration patterns
- Script logging and command-line arguments where available
Detection direction
- Do not rely on a single malware name or signature; the relationships emphasize obfuscation, packing, compression, encoding, masquerading, and renamed utilities.
- Tune detections around behavior chains: user-opened file leading to script or rundll32 execution, followed by email-client credential access and outbound web traffic.
- Baseline legitimate rundll32, PowerShell, cmd, and JavaScript activity to reduce false positives while preserving visibility into unusual parent-child process relationships and command lines.
- Inspect outbound web traffic for encoded or obfuscated content, but account for the fact that normal web traffic can look noisy without endpoint correlation.
- Confirm whether endpoint tooling records file type mismatches, suspicious names or locations, and packed or compressed artifacts; these are common blind spots for static-only controls.
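The behavior chain above can be expressed as correlation logic rather than a single signature. The following Python is an added example written for this page, not tooling from ATT&CK or from any of the cited reports: it runs three rules over a handful of constructed, Sysmon-style process and network records (the pids, paths, hostnames, IP and field names are invented) and only raises an alert when an outbound HTTP POST comes from a process whose ancestry already contains a flagged event, which is what keeps the benign administrator's rundll32 call from firing.

```python
"""Behaviour-chain detection over constructed Windows process/network events.

Added example; the records below are constructed to resemble Sysmon-style
process-creation (EventID 1) and network-connection (EventID 3) events and
are not real telemetry. Field names are assumptions, not a vendor schema.
Rules:
  R1  rundll32.exe launched by a script or command host with a DLL argument
      in a user-writable location
  R2  on-disk image name differs from the PE's own OriginalFileName
      (a renamed legitimate utility such as msinfo32.exe)
  R3  outbound HTTP POST from a process whose ancestry hit R1 or R2
"""
import os

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe", "mshta.exe"}
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\")

# Constructed telemetry. 'ppid' links each process to its parent.
EVENTS = [
    {"type": "proc", "pid": 1100, "ppid": 900,  "image": r"C:\Windows\explorer.exe",
     "orig": "EXPLORER.EXE", "cmd": "explorer.exe"},
    {"type": "proc", "pid": 1200, "ppid": 1100, "image": r"C:\Windows\System32\wscript.exe",
     "orig": "wscript.exe", "cmd": r'wscript.exe "C:\Users\u\Downloads\Invoice_Contoso.js"'},
    {"type": "proc", "pid": 1300, "ppid": 1200, "image": r"C:\Windows\System32\rundll32.exe",
     "orig": "RUNDLL32.EXE", "cmd": r"rundll32.exe C:\Users\u\AppData\Local\Temp\a.dll,Entry"},
    {"type": "net",  "pid": 1300, "dst": "203.0.113.10", "dport": 80, "method": "POST"},
    {"type": "proc", "pid": 1400, "ppid": 1100, "image": r"C:\Users\u\AppData\Roaming\Contoso\Contoso.com",
     "orig": "msinfo32.exe", "cmd": "Contoso.com"},
    # Benign: an administrator's cmd.exe running a system DLL through rundll32.
    {"type": "proc", "pid": 2000, "ppid": 1100, "image": r"C:\Windows\System32\cmd.exe",
     "orig": "Cmd.Exe", "cmd": "cmd.exe"},
    {"type": "proc", "pid": 2100, "ppid": 2000, "image": r"C:\Windows\System32\rundll32.exe",
     "orig": "RUNDLL32.EXE", "cmd": "rundll32.exe shell32.dll,Control_RunDLL"},
]


def _base(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return os.path.basename(path.replace("\\", "/")).lower()


def _stem(name: str) -> str:
    return os.path.splitext(name.lower())[0]


def _user_writable(text: str) -> bool:
    t = text.lower()
    return any(marker in t for marker in USER_WRITABLE)


def detect(events):
    """Return (flagged, alerts): flagged maps pid -> list of rule hits;
    alerts lists outbound POSTs whose process tree contains a flagged pid."""
    procs = {e["pid"]: e for e in events if e["type"] == "proc"}
    flagged = {}

    def ancestors(pid):
        chain = []
        while pid in procs and len(chain) < 32:
            chain.append(pid)
            pid = procs[pid]["ppid"]
        return chain

    for e in events:
        if e["type"] != "proc":
            continue
        image = _base(e["image"])
        parent = procs.get(e["ppid"])
        # R1: script/command host -> rundll32 with a DLL outside system paths
        if image == "rundll32.exe" and parent and _base(parent["image"]) in SCRIPT_HOSTS:
            args = e["cmd"].split(" ", 1)[1] if " " in e["cmd"] else ""
            if _user_writable(args):
                flagged.setdefault(e["pid"], []).append("script_host_to_rundll32_userdir")
        # R2: file name on disk does not match the binary's OriginalFileName
        if e.get("orig") and _stem(image) != _stem(e["orig"]):
            flagged.setdefault(e["pid"], []).append("renamed_utility:" + e["orig"].lower())

    alerts = []
    for e in events:
        if e["type"] == "net" and e.get("method") == "POST" and e["dport"] in (80, 443):
            hits = [p for p in ancestors(e["pid"]) if p in flagged]
            if hits:  # R3: exfil-like POST only matters with a flagged ancestor
                alerts.append({"pid": e["pid"], "dst": e["dst"],
                               "reasons": [r for p in hits for r in flagged[p]]})
    return flagged, alerts


if __name__ == "__main__":
    flagged, alerts = detect(EVENTS)
    print("flagged:", flagged)
    print("alerts:", alerts)
```

The point of R3 is that a POST to port 80 is unremarkable on its own; the alert carries weight only because it is joined to the script-host-to-rundll32 hop or the renamed utility in the same process tree. Extending the rules with the Outlook and Thunderbird profile-access events listed under Likely telemetry would tighten the chain further.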
Mitigation priorities
- Prioritize protection and response procedures for email-client credential theft, including rapid credential invalidation and mailbox access review where applicable.
- Harden and monitor Windows script execution paths and rundll32 usage, focusing on abuse rather than blocking legitimate administration blindly.
- Reduce user-executed malicious file risk through attachment/file handling controls and user-facing safeguards appropriate to the environment.
- Strengthen outbound web traffic monitoring and egress controls so automated exfiltration over C2 or web protocols is easier to identify and contain.
- Ensure incident response playbooks connect endpoint containment with identity, mailbox, and communications-impact decisions.
Analyst notes and limits
The most decision-relevant point is the combination of Windows endpoint execution, credential-focused collection from local email clients, and automated exfiltration. Glexia would treat this as a SOC plus identity response validation case: can teams prove what ran, what mailbox credentials may have been accessed, and what left the network?
The supplied ATT&CK object has no official detection text, no aliases, and no top-level tactics specified. Several behavior details come from relationships to ATT&CK techniques, not from a full procedure description. Local endpoint, email-client, identity, and network evidence is required before assessing exposure or control effectiveness.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1001 | Data Obfuscation | StrelaStealer encrypts the payload of HTTP POST communications using the same XOR key used for the malware's DLL payload.[1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | StrelaStealer exfiltrates collected email credentials via HTTP POST to command and control servers.[1][2][3][4] |
| Enterprise | T1027.016 | Junk Code Insertion Sub-technique | StrelaStealer variants have included excessive mathematical functions padding the binary and slowing execution for anti-analysis and sandbox evasion purposes.[3] |
| Enterprise | T1071.001 | Web Protocols Sub-technique | StrelaStealer communicates externally via HTTP POST with encrypted content.[1][3][4] |
| Enterprise | T1622 | Debugger Evasion | StrelaStealer variants include functionality to identify and evade debuggers.[3] |
| Enterprise | T1027 | Obfuscated Files or Information | StrelaStealer has been distributed in ISO archives.[1] StrelaStealer has been delivered in encrypted, password-protected ZIP archives.[4] |
| Enterprise | T1553.002 | Code Signing Sub-technique | StrelaStealer variants have used valid code signing certificates.[4] |
| Enterprise | T1480 | Execution Guardrails | StrelaStealer variants only execute if the keyboard layout or language matches a set list of variables.[3][4] |
| Enterprise | T1036.003 | Rename Legitimate Utilities Sub-technique | StrelaStealer has used a renamed, legitimate `msinfo32.exe` executable to sideload the StrelaStealer payload during initial installation.[1] |
| Enterprise | T1204.002 | Malicious File Sub-technique | StrelaStealer relies on user execution of a malicious file for installation.[1] |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | StrelaStealer uses XOR-encoded strings to obfuscate items.[1] |
| Enterprise | T1059.007 | JavaScript Sub-technique | StrelaStealer has been distributed as a malicious JavaScript object.[2][3][4] |
| Enterprise | T1218.011 | Rundll32 Sub-technique | StrelaStealer DLL payloads have been executed via `rundll32.exe`.[2][4] |
| Enterprise | T1518 | Software Discovery | StrelaStealer variants use COM objects to enumerate installed applications from the "AppsFolder" on victim machines.[4] |
| Enterprise | T1027.002 | Software Packing Sub-technique | StrelaStealer variants have used packers to obfuscate payloads and make analysis more difficult.[2] |
| Enterprise | T1059.001 | PowerShell Sub-technique | StrelaStealer variants have used PowerShell scripts to download or drop payloads, including obfuscated scripts that connect to a WebDAV server to download and execute an encrypted DLL for installation.[4] |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | StrelaStealer has included BAT files in some instances for installation.[3][4] |
| Enterprise | T1497 | Virtualization/Sandbox Evasion | StrelaStealer payloads have used control flow obfuscation techniques such as excessively long code blocks of mathematical instructions to defeat sandboxing and related analysis methods.[2][3] |
| Enterprise | T1566.001 | Spearphishing Attachment Sub-technique | StrelaStealer has been distributed as a spearphishing attachment.[1] |
| Enterprise | T1027.015 | Compression Sub-technique | StrelaStealer has been delivered via JScript files in a ZIP archive.[2][3] |
| Enterprise | T1552.002 | Credentials in Registry Sub-technique | StrelaStealer enumerates the registry key `HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\` to identify the values for "IMAP User," "IMAP Server," and "IMAP Password" associated with the Outlook email application.[1][3][4] |
| Enterprise | T1036 | Masquerading | StrelaStealer PE executable payloads have used uncommon but legitimate extensions such as `.com` instead of `.exe`.[4] |
| Enterprise | T1132.001 | Standard Encoding Sub-technique | StrelaStealer utilizes a hard-coded XOR key to encrypt the content of HTTP POST requests to command and control infrastructure.[4] |
| Enterprise | T1574.001 | DLL Sub-technique | StrelaStealer has sideloaded a DLL payload using a renamed, legitimate `msinfo32.exe` executable.[1] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | StrelaStealer payloads have tailored filenames to include names identical to the name of the targeted organization or company.[4] |
| Enterprise | T1614.001 | System Language Discovery Sub-technique | StrelaStealer variants check system language settings via keyboard layout or similar mechanisms.[3][4] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | StrelaStealer payloads have included strings encrypted via XOR.[1] StrelaStealer JavaScript payloads utilize Base64-encoded payloads that are decoded via certutil to create a malicious DLL file.[2][3] |
| Enterprise | T1105 | Ingress Tool Transfer | StrelaStealer installers have used obfuscated PowerShell scripts to retrieve follow-on payloads from WebDAV servers.[4] |
| Enterprise | T1480.002 | Mutual Exclusion Sub-technique | StrelaStealer variants include the use of mutex values based on the victim system name to prevent reinfection.[3] |
| Enterprise | T1082 | System Information Discovery | StrelaStealer variants collect victim system information for exfiltration.[4] |
| Enterprise | T1552.001 | Credentials In Files Sub-technique | StrelaStealer searches for and, if found, collects the contents of files such as `logins.json` and `key4.db` in the `%APPDATA%\Thunderbird\Profiles\` directory, associated with the Thunderbird email application.[1][3] |
| Enterprise | T1119 | Automated Collection | StrelaStealer attempts to identify and collect mail login data from Thunderbird and Outlook following execution.[1][2][3][4] |
| Enterprise | T1036.008 | Masquerade File Type Sub-technique | StrelaStealer has been distributed as a DLL/HTML polyglot file.[1][4] |
| Enterprise | T1020 | Automated Exfiltration | StrelaStealer automatically sends gathered email credentials following collection to command and control servers via HTTP POST.[1][4] |
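Several rows above (T1001, T1027.013, T1132.001) describe the same design choice: one hard-coded, repeating XOR key protects both the DLL payload and the HTTP POST bodies. The following Python is an added example for this page, not code from the cited reports, and the key, the stand-in DLL and the stand-in POST body are all constructed (the real key and formats are not given on this page). It shows the consequence a responder cares about: bytes every PE file shares (the `MZ` signature and the DOS-stub message) serve as known plaintext, so a defender holding the encoded DLL can derive the key and then decode captured POST bodies offline.

```python
"""Recovering a reused repeating XOR key from known plaintext, then applying it
to captured C2 traffic. Added example with constructed data; nothing here is
taken from a real sample."""
from typing import Optional

DOS_STUB = b"This program cannot be run in DOS mode."

# Constructed 16-byte key standing in for a malware's hard-coded key.
KEY = b"K3yStr1ng_Exmpl!"


def xor(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; encoding and decoding are the same operation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# Constructed stand-in for an encoded DLL: MZ header, filler, DOS stub.
FAKE_DLL = b"MZ" + b"\x90" * 62 + DOS_STUB + b"\r\r\n$" + b"\x00" * 16
ENC_DLL = xor(FAKE_DLL, KEY)

# Constructed stand-in for a captured POST body. The field names mirror the
# Outlook registry values cited in the table; the values are invented.
POST_PLAIN = (b"IMAP User=alice@example.com\n"
              b"IMAP Server=mail.example.com\n"
              b"IMAP Password=hunter2\n")
ENC_POST = xor(POST_PLAIN, KEY)


def recover_key(ct: bytes, crib: bytes, max_key_len: int = 32) -> Optional[bytes]:
    """Slide a known-plaintext crib over the ciphertext.

    At each offset, ciphertext XOR crib is a fragment of the key stream.
    A fragment is accepted only if (a) it repeats with a period the crib
    covers at least twice, which rules out accidental matches, and (b) the
    derived key also turns the first two bytes of the file into b'MZ'.
    """
    longest = min(max_key_len, len(crib) // 2)
    for off in range(len(ct) - len(crib) + 1):
        frag = xor(ct[off:off + len(crib)], crib)
        for p in range(1, longest + 1):
            if all(frag[i] == frag[i % p] for i in range(len(frag))):
                # frag[i] == key[(off + i) % p]; realign so key[0] is offset 0
                key = bytes(frag[(j - off) % p] for j in range(p))
                if xor(ct[:2], key) == b"MZ":
                    return key
                break  # shortest period found, but header check failed
    return None


def decode_capture(enc_dll: bytes, enc_post: bytes) -> Optional[bytes]:
    """Derive the key from the encoded DLL and decode a captured POST body."""
    key = recover_key(enc_dll, DOS_STUB)
    return None if key is None else xor(enc_post, key)


if __name__ == "__main__":
    print("recovered key:", recover_key(ENC_DLL, DOS_STUB))
    print(decode_capture(ENC_DLL, ENC_POST).decode())
```

The same reuse cuts the other way for detection engineering: once the key is known from one sample, POST bodies from that build can be decoded in bulk to confirm what credential material actually left the network, which is the question the incident narrative above asks.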
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 45e86b27412c… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] DCSO StrelaStealer 2022: DCSO CyTec Blog. (2022, November 8). #ShortAndMalicious: StrelaStealer aims for mail credentials. Retrieved December 31, 2024.
[2] PaloAlto StrelaStealer 2024: Benjamin Chang, Goutam Tripathy, Pranay Kumar Chhaparwal, Anmol Maurya & Vishwa Thothathri, Palo Alto Networks. (2024, March 22). Large-Scale StrelaStealer Campaign in Early 2024. Retrieved December 31, 2024.
[3] Fortgale StrelaStealer 2023: Fortgale. (2023, September 18). StrelaStealer Malware Analysis. Retrieved December 31, 2024.
[4] IBM StrelaStealer 2024: Golo Mühr, Joe Fasulo & Charlotte Hammond, IBM X-Force. (2024, November 12). Strela Stealer: Today’s invoice is tomorrow’s phish. Retrieved December 31, 2024.
[5] mitre-attack S1183: MITRE ATT&CK source object for S1183 (mirrored bundle).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.