A recent malware campaign featuring the TROX Stealer has gained attention for its sophisticated exfiltration capabilities, targeting sensitive data such as stored credit cards, browser credentials, cryptocurrency wallets, and session files of services like Discord and Telegram.
Sublime’s Threat Research team highlighted TROX Stealer as a malware-as-a-service (MaaS) offering that exploits urgency to deploy scalable attack chains.
First analyzed in December 2024, the infostealer has rapidly emerged as a potent threat to consumer systems rather than enterprise networks, leveraging technical precision and organized infrastructure.
Phishing Emails as Delivery Mechanism
TROX Stealer’s attack chain begins with phishing emails employing urgency-based themes to manipulate victims into downloading malicious files.
Subject lines such as “Urgent Notice: Legal Action Scheduled for Your Debt” and “Immediate Payment Required to Prevent Legal Action” are crafted to create panic.
These emails direct victims to domains like documents[.]debt-collection-experts[.]com, hosting an executable file disguised as debt collection documents.
The delivery infrastructure employs unique, single-use tokens so that each file can be downloaded only once, preventing repeat downloads that could raise suspicion or aid researchers.
Upon execution, the downloaded file initiates a multi-stage installation process involving Python scripting, Nuitka compilation, Node.js interpreters, and obfuscated WebAssembly (Wasm) binaries to evade detection and analysis.
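The delivery stage above (urgency-themed subject lines, sender and link domains under debt-collection-experts, a lure file named DebtCollectionCase#######.exe) can be turned into a simple mail-triage score. The following is an added example written for this article, not Sublime's filter or any code from the campaign; the urgency phrases, the weights, the `Email` structure and the sample messages are this example's own assumptions, and `#######` in the lure name is taken to mean a run of digits.

```python
import re
from dataclasses import dataclass, field

# Subject-line phrases modelled on the lure themes quoted in the article; the
# weights below are this example's own choice, not a published detection rule.
URGENCY_PATTERNS = [
    r"\burgent\b",
    r"\bimmediate(?:ly)?\b",
    r"\blegal action\b",
    r"\bpayment required\b",
    r"\bscheduled for your debt\b",
]
# Registered campaign domains from the article's IOC list (refanged).
SUSPECT_DOMAINS = {"debt-collection-experts.com", "debt-collection-experts.online"}
# Lure file name reported in the article, with ####### assumed to be digits.
LURE_FILENAME = re.compile(r"^debtcollectioncase\d+\.exe$")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".bat")


@dataclass
class Email:
    sender: str
    subject: str
    attachments: list = field(default_factory=list)  # attachment file names
    links: list = field(default_factory=list)        # URLs found in the body


def refang(value: str) -> str:
    """Turn 'example[.]com' / 'hxxps://' back into matchable form."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def sender_domain(addr: str) -> str:
    return addr.rstrip(">").rsplit("@", 1)[-1].lower()


def link_domain(url: str) -> str:
    m = re.match(r"^[a-z]+://([^/:?#]+)", refang(url).lower())
    return m.group(1) if m else ""


def in_domain_set(domain: str, bad: set) -> bool:
    """True if the domain or any parent domain is in the set."""
    parts = domain.lower().split(".")
    return any(".".join(parts[i:]) in bad for i in range(len(parts) - 1))


def score_email(mail: Email):
    """Return (score, reasons) for one message."""
    score, reasons = 0, []
    subject = mail.subject.lower()
    hits = [p for p in URGENCY_PATTERNS if re.search(p, subject)]
    if hits:
        score += 2 * len(hits)
        reasons.append(f"{len(hits)} urgency phrase(s) in subject")
    if in_domain_set(sender_domain(mail.sender), SUSPECT_DOMAINS):
        score += 5
        reasons.append("sender domain on IOC list")
    for url in mail.links:
        if in_domain_set(link_domain(url), SUSPECT_DOMAINS):
            score += 5
            reasons.append(f"link to IOC domain {link_domain(url)}")
    for name in mail.attachments:
        lower = name.lower()
        if LURE_FILENAME.match(lower):
            score += 5
            reasons.append(f"known lure file name {name}")
        elif lower.endswith(RISKY_EXTENSIONS):
            score += 3
            reasons.append(f"executable attachment {name}")
    return score, reasons


def verdict(mail: Email, threshold: int = 6) -> str:
    return "quarantine" if score_email(mail)[0] >= threshold else "deliver"


# Constructed sample messages (not real messages from the campaign).
LURE = Email(
    sender="notice@documents.debt-collection-experts.com",
    subject="Urgent Notice: Legal Action Scheduled for Your Debt",
    links=["hxxps://documents[.]debt-collection-experts[.]com/get?token=CONSTRUCTED"],
)
BENIGN = Email(
    sender="billing@example.org",
    subject="Your monthly statement is ready",
    attachments=["statement.pdf"],
)

if __name__ == "__main__":
    for mail in (LURE, BENIGN):
        print(verdict(mail), score_email(mail))
```

Domain checks walk up the parent chain, so a new subdomain such as download.debt-collection-experts.online still matches the registered domain on the IOC list; the score rather than any single indicator drives the verdict, which keeps an ordinary "urgent" subject from being quarantined on its own.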

The campaign’s infrastructure reveals meticulous planning. Domains such as debt-collection-experts[.]online were registered as early as April 2024, with routine updates to SSL certificates and hosting configurations preceding attack phases.
TROX’s distribution network also utilized Cloudflare services for protection and integration with TOR exit nodes for anonymity.
Notably, malware binaries and modules were hosted on public repositories like GitHub to discreetly facilitate distribution.
During the installation stage, the malware uses multiple layers of obfuscation, such as Zstd compression and dynamic temporary folder creation, to conceal its activities.
An embedded Node.js interpreter executes encoded JavaScript and WebAssembly code for further payload deployment.
Sublime’s researchers identified over 71 function types and 4,700 functions embedded in the Wasm binary, showcasing extensive junk code designed to impede reverse engineering.
Data Theft Capabilities
Once installed, TROX Stealer employs standard data extraction techniques, querying application databases to collect sensitive information.
These include credit card details stored in web browsers, cryptocurrency wallet credentials, and user data from Discord and Telegram.
Data is exfiltrated via channels like GoFile and Telegram APIs. The malware’s reliance on pre-existing stealing methods highlights the accessibility of such attack mechanisms in the cybercrime ecosystem, as documented SQL queries and APIs are repurposed for malicious intent.
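Because the collection stage reads well-known application data stores directly, a host-side rule can flag a process that is not the owning application opening those files, and especially one process sweeping several stores in a row. The following is an added example for this article, not code from Sublime or from the malware; the store paths, owner process names, `FileReadEvent` shape and the sample telemetry are this example's own assumptions about what endpoint file-read events look like, and only node700.exe among the names comes from the article.

```python
import fnmatch
from dataclasses import dataclass

# Path patterns for the data stores a TROX-style stealer queries, keyed to the
# process that legitimately owns each store. The patterns are this example's
# own approximations of common install locations; adjust them to what your
# endpoint telemetry actually records.
SENSITIVE_STORES = {
    "*\\Google\\Chrome\\User Data\\*\\Login Data": {"chrome.exe"},  # saved logins
    "*\\Google\\Chrome\\User Data\\*\\Web Data": {"chrome.exe"},    # saved cards
    "*\\Microsoft\\Edge\\User Data\\*\\Login Data": {"msedge.exe"},
    "*\\discord\\Local Storage\\leveldb\\*": {"discord.exe"},       # session tokens
    "*\\Telegram Desktop\\tdata\\*": {"telegram.exe"},              # session files
    "*\\Exodus\\exodus.wallet\\*": {"exodus.exe"},                  # wallet data
}


@dataclass(frozen=True)
class FileReadEvent:
    host: str
    process: str  # image name of the reading process
    pid: int
    path: str     # file that was opened for reading


def match_store(path: str):
    """Return (pattern, owner_processes) if path is a tracked store, else None."""
    for pattern, owners in SENSITIVE_STORES.items():
        if fnmatch.fnmatchcase(path, pattern):
            return pattern, owners
    return None


def is_suspicious(ev: FileReadEvent) -> bool:
    """A tracked store read by anything other than its owning application."""
    m = match_store(ev.path)
    return m is not None and ev.process.lower() not in m[1]


def alerts(events, min_stores: int = 2):
    """Group suspicious reads by (host, process, pid) and alert on processes that
    touched at least min_stores different stores. One process sweeping browser,
    messenger and wallet data in quick succession is the stealer pattern; a
    single stray read is more often a backup agent or an indexer."""
    touched = {}
    for ev in events:
        if not is_suspicious(ev):
            continue
        key = (ev.host, ev.process.lower(), ev.pid)
        touched.setdefault(key, set()).add(match_store(ev.path)[0])
    return [(key, sorted(stores)) for key, stores in touched.items()
            if len(stores) >= min_stores]


# Constructed file-read telemetry (host names, PIDs and user are invented;
# node700.exe is one of the file names listed in the article).
SAMPLE_EVENTS = [
    FileReadEvent("ws01", "chrome.exe", 4120,
                  r"C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    FileReadEvent("ws01", "node700.exe", 9912,
                  r"C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    FileReadEvent("ws01", "node700.exe", 9912,
                  r"C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Web Data"),
    FileReadEvent("ws01", "node700.exe", 9912,
                  r"C:\Users\a\AppData\Roaming\discord\Local Storage\leveldb\000003.log"),
    FileReadEvent("ws01", "node700.exe", 9912,
                  r"C:\Users\a\AppData\Roaming\Telegram Desktop\tdata\key_datas"),
    FileReadEvent("ws01", "explorer.exe", 1200, r"C:\Users\a\Documents\notes.txt"),
]

if __name__ == "__main__":
    for key, stores in alerts(SAMPLE_EVENTS):
        print(key, "read", len(stores), "sensitive stores:", stores)
```

The owner allow-list is deliberately per store rather than a global list of trusted binaries, so a renamed interpreter such as node700.exe reading Chrome's Login Data is caught even if the same binary would be unremarkable elsewhere; the `min_stores` threshold is what separates the collection sweep from one-off legitimate reads.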

Although TROX Stealer leverages advanced techniques for evasion, its core functionality, data theft based on application database queries, offers avenues for detection.
Sublime successfully prevented delivery of phishing emails through AI-powered filters targeting unusual sender domains, overly urgent subject lines, and suspicious file attachments, such as Python-generated PDFs.
Notable file hashes further aid identification of malware samples, including DebtCollectionCase#######.exe and node700.exe.
The TROX Stealer campaign illustrates the growing complexity of modern malware, combining urgency-based phishing attacks with multi-layered technical strategies to exfiltrate sensitive data.
While MaaS frameworks like TROX make advanced malware accessible to bad actors, robust detection mechanisms and proactive security practices can mitigate their impact.
Researchers and organizations must remain vigilant to evolving malware techniques while leveraging AI-driven solutions to detect and neutralize threats at the earliest stages.
Indicators of Compromise (IOCs)
Category | Identifier | Value |
---|---|---|
Domain | Campaign infrastructure | debt-collection-experts[.]com |
Domain | Campaign infrastructure (hosts the disguised executable) | documents[.]debt-collection-experts[.]com |
Domain | Campaign infrastructure | debt-collection-experts[.]online |
Domain | Campaign infrastructure | download[.]debt-collection-experts[.]online |
Domain | Campaign infrastructure | downloads[.]debt-collection-experts[.]online |
Domain | Campaign infrastructure | docs[.]debt-collection-experts[.]online |
IP Address | Central to this campaign’s operations | 89.185.82.34 |
IP Address | Receives system profiles from malware | 172.22.117.177 |
File Hash | DebtCollectionCase#######.exe (SHA256) | c404baad60fa3e6bb54a38ab2d736238ccaa06af877da6794e0e4387f8f5f0c6 |
File Hash | DebtCollectionCase#######.exe (SHA1) | ae5166a8e17771d438d2d5e6496bee948fce80a4 |
File Hash | DebtCollectionCase#######.exe (MD5) | c568b578da49cfcdb37d1e15a358b34a |
File Hash | node700.exe (SHA256) | 12069e203234812b15803648160cc6ad1a56ec0e9cebaf12bad249f05dc782ef |
File Hash | node700.exe (SHA1) | 29a13e190b6dd63e227a7e1561de8edbdeba034b |
File Hash | node700.exe (MD5) | f5f75c9d71a891cd48b1ae9c7cc9f80d |
File Hash | TROX Stealer (SHA256) | 5d7ed7b8300c94e44488fb21302a348c7893bdaeef80d36b78b0e7f0f20135df |
File Hash | TROX Stealer (SHA1) | 6deea67690f90455280bc7dfed3c69d262bf24f6 |
File Hash | TROX Stealer (MD5) | fedb7287bcccc256a8dad8aeace799f7 |
Email Address | Associated address | vpn@esystematics[.]de |
Email Address | Associated address | vpn@contactcorporate[.]de |
Email Address | Associated address | vpn@evirtual-provider[.]de |
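The IOC table above mixes defanged domains, IP addresses with prose notes attached, and hashes of three lengths, so before it can be matched against DNS, proxy or EDR logs it has to be normalized. The following is an added example written for this article, not a tool from Sublime; it embeds a subset of the table rows exactly as printed (the values are the page's own), while the log format, host names, timestamps and file paths in `SAMPLE_LOGS` are constructed for the example and the hash-length and token heuristics are its own assumptions.

```python
import re

# Rows copied from the article's IOC table (a subset; values are the page's).
IOC_TABLE = """\
Domain | debt-collection-experts[.]com | |
Domain | documents[.]debt-collection-experts[.]com | |
Domain | debt-collection-experts[.]online | |
IP Address | 89.185.82.34 – Central to this campaign’s operations | 89.185.82.34 |
IP Address | 172.22.117.177 – Receives system profiles from malware | 172.22.117.177 |
File Hash | DebtCollectionCase#######.exe (SHA256) | c404baad60fa3e6bb54a38ab2d736238ccaa06af877da6794e0e4387f8f5f0c6 |
File Hash | node700.exe (SHA256) | 12069e203234812b15803648160cc6ad1a56ec0e9cebaf12bad249f05dc782ef |
File Hash | TROX Stealer (MD5) | fedb7287bcccc256a8dad8aeace799f7 |
"""

HASH_RE = re.compile(r"[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32}")  # SHA256/SHA1/MD5
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
TOKEN_RE = re.compile(r"[A-Za-z0-9._\-\[\]]+")  # keeps defanged dots together


def refang(value: str) -> str:
    return value.replace("[.]", ".").replace("hxxp", "http")


def parse_iocs(table: str) -> dict:
    """Build {'domains', 'ips', 'hashes'} sets from 'Category | Identifier | Value' rows."""
    iocs = {"domains": set(), "ips": set(), "hashes": set()}
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 2:
            continue
        category, identifier = cells[0].lower(), cells[1]
        value = cells[2] if len(cells) > 2 else ""
        if category == "domain":
            iocs["domains"].add(refang(value or identifier).lower())
        elif category == "ip address":
            m = IPV4_RE.search(value or identifier)  # drop the prose note
            if m:
                iocs["ips"].add(m.group(0))
        elif category == "file hash":
            if HASH_RE.fullmatch(value.lower()):
                iocs["hashes"].add(value.lower())
    return iocs


def domain_matches(host: str, domains: set) -> bool:
    """Match the host or any parent domain (download.x.online hits x.online)."""
    parts = refang(host).lower().rstrip(".").split(".")
    return any(".".join(parts[i:]) in domains for i in range(len(parts) - 1))


def scan_log_line(line: str, iocs: dict) -> list:
    """Return (kind, value) IOC hits in one log line. Tokens are refanged and
    lower-cased first so hash case and [.] defanging do not cause misses."""
    hits = []
    for tok in TOKEN_RE.findall(line):
        t = refang(tok).lower()
        if HASH_RE.fullmatch(t):
            if t in iocs["hashes"]:
                hits.append(("hash", t))
        elif IPV4_RE.fullmatch(t):
            if t in iocs["ips"]:
                hits.append(("ip", t))
        elif "." in t and domain_matches(t, iocs["domains"]):
            hits.append(("domain", t))
    return hits


def scan_logs(lines, iocs: dict) -> list:
    """Return (line_index, hits) for every line with at least one IOC hit."""
    return [(i, hits) for i, line in enumerate(lines)
            if (hits := scan_log_line(line, iocs))]


# Constructed log lines (timestamps, hosts and paths are invented).
SAMPLE_LOGS = [
    "2025-01-14T10:02:11Z dns host=ws01 qname=download.debt-collection-experts.online qtype=A",
    "2025-01-14T10:02:12Z proxy host=ws01 dst=89.185.82.34:443 method=GET url=/get",
    "2025-01-14T10:03:40Z edr host=ws01 event=file_create "
    "path=C:\\Users\\a\\Downloads\\DebtCollectionCase1234567.exe "
    "sha256=C404BAAD60FA3E6BB54A38AB2D736238CCAA06AF877DA6794E0E4387F8F5F0C6",
    "2025-01-14T10:05:00Z dns host=ws02 qname=www.example.com qtype=A",
]

if __name__ == "__main__":
    for index, hits in scan_logs(SAMPLE_LOGS, parse_iocs(IOC_TABLE)):
        print(index, hits)
```

The parser takes the IP from the Value column and falls back to the Identifier cell, so the note text the table attaches to each address is never treated as part of the indicator; hashes are matched after lower-casing because EDR products differ in the case they emit, and domains are matched up the parent chain so that the download and docs subdomains hit the registered domain even when only the apex is in the list.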