Cyber Security News

TROX Stealer Harvests Sensitive Data Including Stored Credit Cards and Browser Credentials

Cybersecurity experts at Sublime have uncovered a complex malware campaign revolving around TROX Stealer, an information stealer that employs urgency to deceive victims.

This malware, first detected in December 2024, highlights an intricate attack chain designed to extract sensitive data from everyday consumers.

TROX Stealer’s success hinges on the psychological tactic of urgency, prompting victims to bypass critical thinking.

Attackers leverage urgent-sounding emails with subjects like “Last Opportunity to Settle Debt Before Legal Action” or “Final Warning: Legal Action Pending for Your Account,” creating a sense of panic.

Malware-as-a-Service (MaaS) platforms let attackers deploy and iterate large-scale campaigns quickly.

TROX Stealer was licensed by the week, giving each buyer a few days of exclusive use, which shows how quickly a campaign built on it can be spun up.

The Distribution Mechanism

Attackers targeted diverse sectors, including security companies, universities, and solar energy corporations, using TROX Stealer.

The emails contained HTML-generated text with a link to download supposed legal documents.

[Figure: SQL queries and variable names used by the malware to target stored credit cards]

This link redirected to a domain controlled by the attacker, where the malware, disguised as ‘DebtCollectionCase#######.exe’, was hosted.

The URL included a token ID, ensuring that the download only occurred once, preventing researchers from easily re-downloading the file for analysis.

Technical Sophistication

TROX Stealer’s installation process is characterized by several evasion techniques:

  • Initial Delivery: A Nuitka-compiled Python script, wrapped in multiple layers of obfuscation, is downloaded from the attacker’s domain as a Windows executable.
  • Execution: The downloaded file decompresses its embedded files into a temporary folder and runs two of them: ‘client_pdf_case_388.pdf’, a decoy document, and ‘node700.exe’, a Node.js interpreter, which in turn runs further scripts to sustain the infection.
  • WebAssembly: The malware carries WebAssembly (Wasm) code encoded in Base64, padded with extensive junk code to obscure its functionality and hinder analysis.

[Figure: The decoy PDF file header that shows unique indicators]
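The Base64-encoded Wasm stage described above can be spotted without executing anything: every WebAssembly binary starts with the magic bytes 0x00 "asm" followed by a 4-byte little-endian version field (currently 1). The scanner below, an added example written for this article rather than code from Sublime or from the malware, decodes every long Base64 run in a script and reports the ones that begin with that header. The sample script text and the minimal module embedded in it are constructed for the example, and the 16-character minimum run length is an assumption chosen to avoid decoding short identifiers.

```python
"""Find Base64-encoded WebAssembly modules embedded in script text.

Added example (not from the article, Sublime, or the malware). A Wasm
module always begins with 0x00 'a' 's' 'm' and a little-endian version
of 1, so decoding each Base64 run and checking the first eight bytes is
a cheap static indicator for the technique the article describes.
"""
import base64
import binascii
import re

WASM_MAGIC = b"\x00asm"
WASM_VERSION = (1).to_bytes(4, "little")

# Runs of Base64 alphabet characters plus optional padding. The minimum
# length of 16 is an assumption for this example: it skips short tokens
# such as identifiers that would otherwise be decoded needlessly.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def find_base64_wasm(text: str):
    """Return [(offset_in_text, decoded_length), ...] for every Base64 run
    whose decoded bytes start with a valid Wasm header."""
    hits = []
    for match in B64_RUN.finditer(text):
        blob = match.group(0)
        # Pad to a multiple of four so a run whose '=' padding was stripped
        # still decodes; anything that is still malformed is skipped.
        blob += "=" * (-len(blob) % 4)
        try:
            data = base64.b64decode(blob, validate=True)
        except (binascii.Error, ValueError):
            continue
        if data[:4] == WASM_MAGIC and data[4:8] == WASM_VERSION:
            hits.append((match.start(), len(data)))
    return hits


# Constructed sample: a minimal module (header plus an empty function
# type section) embedded the way a Node.js loader might carry it, next
# to an unrelated Base64 string that must not be reported.
SAMPLE_WASM = b"\x00asm\x01\x00\x00\x00\x01\x04\x01\x60\x00\x00"
SAMPLE_B64 = base64.b64encode(SAMPLE_WASM).decode()
DECOY_B64 = base64.b64encode(b"this is not a wasm module at all").decode()
SAMPLE_SCRIPT = (
    'const note = "' + DECOY_B64 + '";\n'
    'const mod = new WebAssembly.Module(Buffer.from("' + SAMPLE_B64 + '", "base64"));\n'
)

if __name__ == "__main__":
    for offset, size in find_base64_wasm(SAMPLE_SCRIPT):
        print(f"Wasm module at text offset {offset}, {size} bytes decoded")
```

Run on a real sample, the offsets let an analyst cut the module out for inspection with a Wasm disassembler; junk code around the call site does not affect the match because only the decoded bytes are examined.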

The infrastructure behind TROX Stealer spans several domains and IP addresses, and routine certificate management keeps those hosts available for the duration of the campaign.

According to the report, Sublime’s AI detection engine has been instrumental in stopping these attacks at the email delivery stage.

However, the sophistication of TROX Stealer, particularly its use of multiple programming languages and evasion techniques, highlights an evolving threat landscape.

Cybersecurity measures must adapt, integrating AI and advanced analytics to stay ahead of these complex threats. Awareness and vigilance remain essential in mitigating the risks posed by malware like TROX Stealer.

Indicators of Compromise (IOCs)

| Category | Identifier | Value |
|---|---|---|
| Domain | | debt-collection-experts[.]com |
| Domain | | documents[.]debt-collection-experts[.]com |
| Domain | | debt-collection-experts[.]online |
| Domain | | download.debt-collection-experts[.]online |
| Domain | | downloads.debt-collection-experts[.]online |
| Domain | | docs.debt-collection-experts[.]online |
| IP Address | 89.185.82.34 – Central to this campaign’s operations | 89.185.82.34 |
| IP Address | 172.22.117.177 – Receives system profiles from malware | 172.22.117.177 |
| File Hash | DebtCollectionCase#######.exe (SHA256) | c404baad60fa3e6bb54a38ab2d736238ccaa06af877da6794e0e4387f8f5f0c6 |
| File Hash | DebtCollectionCase#######.exe (SHA1) | ae5166a8e17771d438d2d5e6496bee948fce80a4 |
| File Hash | DebtCollectionCase#######.exe (MD5) | c568b578da49cfcdb37d1e15a358b34a |
| File Hash | node700.exe (SHA256) | 12069e203234812b15803648160cc6ad1a56ec0e9cebaf12bad249f05dc782ef |
| File Hash | node700.exe (SHA1) | 29a13e190b6dd63e227a7e1561de8edbdeba034b |
| File Hash | node700.exe (MD5) | f5f75c9d71a891cd48b1ae9c7cc9f80d |
| File Hash | TROX Stealer (SHA256) | 5d7ed7b8300c94e44488fb21302a348c7893bdaeef80d36b78b0e7f0f20135df |
| File Hash | TROX Stealer (SHA1) | 6deea67690f90455280bc7dfed3c69d262bf24f6 |
| File Hash | TROX Stealer (MD5) | fedb7287bcccc256a8dad8aeace799f7 |
| Email | | vpn@esystematics[.]de |
| Email | | vpn@contactcorporate[.]de |
| Email | | vpn@evirtual-provider[.]de |
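The indicators above are only useful once they are matched against telemetry, so here is an added example (written for this article, not code from Sublime) that refangs the network indicators and checks them, together with the file hashes, against a handful of constructed email, URL, file, process and connection records. The event field names, the sample records, and the `AppData\Local\Temp` path check are assumptions made for this example; the rule that treats the `#######` in the lure file name as digits is likewise an assumption, since the article only shows the redacted name.

```python
"""Match the article's TROX Stealer indicators against constructed telemetry.

Added example, not from the article or from Sublime. Indicator values
are taken from the article's IOC table; the event schema (the 'type',
'sender', 'url', 'sha256', 'image', 'parent_image' and 'dst_ip' fields)
and the sample events are constructed for this example.
"""
import ntpath
import re
from urllib.parse import urlsplit

DOMAINS = {
    "debt-collection-experts[.]com",
    "documents[.]debt-collection-experts[.]com",
    "debt-collection-experts[.]online",
    "download.debt-collection-experts[.]online",
    "downloads.debt-collection-experts[.]online",
    "docs.debt-collection-experts[.]online",
}
IPS = {"89.185.82.34", "172.22.117.177"}
SHA256 = {
    "c404baad60fa3e6bb54a38ab2d736238ccaa06af877da6794e0e4387f8f5f0c6": "DebtCollectionCase#######.exe",
    "12069e203234812b15803648160cc6ad1a56ec0e9cebaf12bad249f05dc782ef": "node700.exe",
    "5d7ed7b8300c94e44488fb21302a348c7893bdaeef80d36b78b0e7f0f20135df": "TROX Stealer",
}
SENDERS = {"vpn@esystematics[.]de", "vpn@contactcorporate[.]de", "vpn@evirtual-provider[.]de"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('example[.]com') into a matchable form."""
    return indicator.replace("[.]", ".").lower()


DOMAIN_SET = {refang(d) for d in DOMAINS}
SENDER_SET = {refang(s) for s in SENDERS}
# Assumption: the article's '#######' stands for a run of digits.
LURE_NAME = re.compile(r"^DebtCollectionCase\d+\.exe$", re.IGNORECASE)
# Assumption: the 'temporary folder' the article mentions is the user temp dir.
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def match_event(event: dict) -> list:
    """Return the indicator and behaviour labels that one event matches."""
    hits = []
    kind = event.get("type")
    if kind == "email" and event.get("sender", "").lower() in SENDER_SET:
        hits.append("ioc:sender")
    if kind == "url":
        host = (urlsplit(event.get("url", "")).hostname or "").lower()
        if host in DOMAIN_SET:
            hits.append("ioc:domain")
        if host in IPS:
            hits.append("ioc:ip")
    if kind == "netconn" and event.get("dst_ip") in IPS:
        hits.append("ioc:ip")
    if kind == "file":
        name = SHA256.get(event.get("sha256", "").lower())
        if name:
            hits.append("ioc:hash:" + name)
    if kind == "process":
        image = event.get("image", "")
        parent = ntpath.basename(event.get("parent_image", ""))
        # Behaviour from the article's chain: the Node.js interpreter
        # node700.exe running out of the temp folder, started by the lure.
        if ntpath.basename(image).lower() == "node700.exe" and TEMP_DIR.search(image):
            hits.append("behaviour:node700_from_temp")
        if LURE_NAME.match(parent):
            hits.append("behaviour:child_of_lure")
    return hits


def scan(events: list) -> list:
    """Return (index, labels) for every event that matched something."""
    results = []
    for index, event in enumerate(events):
        labels = match_event(event)
        if labels:
            results.append((index, labels))
    return results


# Constructed sample telemetry; the token value is a placeholder.
SAMPLE_EVENTS = [
    {"type": "email", "sender": "vpn@esystematics.de",
     "subject": "Final Warning: Legal Action Pending for Your Account"},
    {"type": "url", "url": "https://download.debt-collection-experts.online/case?token=PLACEHOLDER"},
    {"type": "file", "path": "C:\\Users\\user\\Downloads\\DebtCollectionCase1234567.exe",
     "sha256": "c404baad60fa3e6bb54a38ab2d736238ccaa06af877da6794e0e4387f8f5f0c6"},
    {"type": "process", "image": "C:\\Users\\user\\AppData\\Local\\Temp\\node700.exe",
     "parent_image": "C:\\Users\\user\\Downloads\\DebtCollectionCase1234567.exe"},
    {"type": "netconn", "dst_ip": "172.22.117.177"},
    {"type": "url", "url": "https://example.com/invoice.pdf"},
]

if __name__ == "__main__":
    for index, labels in scan(SAMPLE_EVENTS):
        print(index, SAMPLE_EVENTS[index]["type"], labels)
```

The hash lookups catch the samples listed in the table, while the two process rules catch the chain itself even if the payload is rebuilt with a new hash, which is why a behavioural check on the interpreter-from-temp pattern is worth keeping alongside the static indicators.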


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
