
Employees in Germany and Spain face a new insidious campaign that delivers a mail credential stealer called Strela Stealer. This malware has greatly improved since it was first discovered two years ago.
Cyble researchers have discovered a new Strela Stealer campaign. The recent iteration of the malware is much improved, stealthier, and more effective at circumventing conventional security defenses.
This campaign predominantly targets users in Central and Southwestern Europe, mainly in Germany and Spain. However, the malware could be adapted to target users anywhere around the world.
The attack starts with phishing emails carrying ZIP file attachments. One captured example, a carefully crafted German-language email, is themed as an invoice for a recent product purchase and asks the recipient to verify or process the transaction.

The ZIP file contains a highly obfuscated JavaScript (JS) file. The attackers use string substitution to assemble the hidden code at runtime, so the script must first deobfuscate and decode itself before it launches a PowerShell command, which reaches out to a WebDAV server to execute a malicious DLL.
WebDAV allows users to collaborate on files and directories on a web server. Attackers abuse this functionality to swap the hosted malware on the fly.
The DLL file acts as a loader for the main payload. Although it exposes only a single export function, researchers found it hard to analyze.
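The delivery chain described above (script attachment, PowerShell, DLL fetched from a WebDAV share) leaves a recognisable parent/child footprint in process-creation telemetry. The following Python heuristic is an added example for defenders, not code from Cyble's report or from this article: it flags events where a Windows Script Host process (the host that runs a double-clicked .js file) spawns PowerShell with a command line that references a WebDAV path in the Windows mini-redirector form (`\\host@SSL\...` or `\\host\DavWWWRoot\...`). The event field names (`parent_image`, `image`, `command_line`), the sample events and the IP addresses are constructed assumptions for this example.

```python
"""
Added detection example (not Cyble's code): flag process-creation events
where a script host spawns PowerShell that references a WebDAV share.
Event schema and sample data are constructed for this example.
"""
import json
import re

# Parent processes that run a double-clicked .js attachment on Windows.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# WebDAV indicators in the Windows mini-redirector UNC syntax:
#   \\host@SSL\...          (HTTPS WebDAV, optional @port)
#   \\host\DavWWWRoot\...   (explicit WebDAV root, optional @port)
WEBDAV_RE = re.compile(
    r"\\\\[\w.-]+(?:@SSL(?:@\d{1,5})?\\|(?:@\d{1,5})?\\DavWWWRoot\\)",
    re.IGNORECASE,
)


def _basename(path: str) -> str:
    """Return the file name component of a Windows path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def is_suspicious(event: dict) -> bool:
    """True when a script host launches PowerShell pointed at a WebDAV path."""
    parent = _basename(event.get("parent_image", ""))
    image = _basename(event.get("image", ""))
    cmdline = event.get("command_line", "")
    return (
        parent in SCRIPT_HOSTS
        and image in POWERSHELL
        and WEBDAV_RE.search(cmdline) is not None
    )


def scan(lines):
    """Return the ids of JSON-encoded events that match; malformed lines are skipped."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if is_suspicious(event):
            hits.append(event.get("id"))
    return hits


# Constructed sample events (not real telemetry); <launcher> is a placeholder
# for whatever binary the attacker uses to load the DLL.
SAMPLE_EVENTS = [
    {"id": 1,
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'powershell -w hidden -c "<launcher> \\203.0.113.10@SSL\DavWWWRoot\inv\lib.dll"'},
    {"id": 2,
     "parent_image": r"C:\Windows\System32\cscript.exe",
     "image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "command_line": r"pwsh -c <launcher> \\192.0.2.5\DavWWWRoot\doc\lib.dll"},
    {"id": 3,  # benign: PowerShell started from Explorer against a local path
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell -c Get-ChildItem C:\Temp"},
    {"id": 4,  # script host, but no WebDAV reference in the command line
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell -c C:\Scripts\inventory.ps1"},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    print("suspicious event ids:", scan(SAMPLE_LINES + ["{not json"]))
```

The heuristic is deliberately narrow: it keys on the combination of parent, child and WebDAV path rather than on any single indicator, which keeps it quiet on ordinary PowerShell use while still catching variants that change the script's obfuscation or the DLL's name. Feeding it real telemetry only requires mapping your EDR's field names onto the three keys it reads.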
“The DLL includes numerous conditional jump instructions, making analysis more challenging and potentially causing the disassembler to crash. Furthermore, several functionalities may not work properly in the debugger with default settings due to the extensive branching and conditions,” Cyble Research and Intelligence Labs explained in the report.
Because the malicious DLL is never written to disk, it evades detection by security products.
The final payload, Strela Stealer, was first discovered in 2022 and has improved greatly since then. Now, it employs control flow obfuscation to make its code harder to analyze, avoids disk-based persistence, hides its main window while displaying a fake error message, encrypts the stolen data with strong encryption, and uses reliable command-and-control communication.
The sample of Strela Stealer that Cyble analyzed was highly targeted. Before execution, it checks for German, Spanish, and Basque (spoken in the Basque region of Spain) locales. Then, it collects credentials from mail clients (Outlook, Thunderbird), gathers system information, and sends the exfiltrated data to a threat actor-controlled server.
“The recent iterations of the Strela Stealer campaign reveal a notable advancement in malware delivery techniques, highlighting increased sophistication and stealth,” Cyble researchers warn.
“By employing spear-phishing emails that contain ZIP file attachments, the malware successfully circumvents conventional security defenses.”
The researchers’ main recommendation is to educate employees on how to detect phishing attempts. Other mitigations include implementing robust endpoint security solutions, enforcing strict access controls on WebDAV servers, and limiting execution of PowerShell and other scripts on endpoints where it is not necessary for business operations, among others.