Threat Detection
April 10, 2025
Deep dive analysis of TROX Stealer, an urgency-based MaaS offering
When we feel urgency, we often skip critical thinking and basic security practices. Attackers know this and use it to their advantage. Sublime’s Threat Research team commonly finds malicious campaigns centered on the theme of “urgent” emails, and it's why we have urgent intent classification to catch them with AI.
Urgency is also an important part of the attack model. Bad actors need to stay ahead of security teams, so they need tools that let them design, deploy, and iterate on massive attack campaigns quickly. Malware as a Service (MaaS) was created to meet this need. In this post, we'll do a deep dive analysis of a unique, urgency-based MaaS offering named TROX Stealer and some of its unique indicators that suggest how the authors develop and deploy their attacks.
TROX Stealer, first seen by our team in December 2024, appears to be an obscure and undocumented information stealer with capabilities to exfiltrate sensitive data, including stored credit cards, browser credentials, cryptocurrency wallets, and session files for services like Discord and Telegram.
Prior to the attack campaign that we’ll focus on, the specific malware was identified and briefly discussed on Twitter by threat researcher RussianPanda. As we have been unable to identify any other sources of public information and research, this post will focus on a deep dive analysis of this specific attack chain.
The following sections detail not only how the TROX Stealer installation process works technically, but more importantly, reveal the development patterns that demonstrate how this malware was packaged for large-scale deployment. We'll also examine the distribution mechanisms, including how the attackers leverage urgent messaging to deliver their payload.
TROX Stealer is a unique infostealer that, while first analyzed in the wild in December 2024, has traces of activity that show it may have been initially released in April 2024 and marketed as a MaaS product. Like many other malware families being sold as MaaS, TROX could be licensed on a weekly basis for use in attack campaigns. As these rental periods are so short, MaaS attack campaigns are typically very quick and last only a few days.
TROX is marketed as malware that targets everyday consumers instead of enterprise networks. It is advertised as being able to steal stored credit cards as well as sensitive data from all major web browsers and chat clients like Discord and Telegram.
We observed attackers using TROX Stealer to send urgent-sounding emails to many of our customers across various industries. While we primarily saw campaigns targeting security companies (cybersecurity insurance, managed security service providers, etc.), we also saw some targeting a major university, a solar energy corporation, and more.
While the attacker slightly altered their tactics per message (likely automated with an LLM), each came with a sense of urgency surrounding debt or legal action. Subjects include:
The email body contains HTML rendered text that includes a link to obtain legal documents. If clicked, the link directs to a domain used by the attacker, documents[.]debt-collection-experts[.]com, to download the attack executable named DebtCollectionCase#######.exe.
In each example, this file uses a seven-digit random number, represented here by the # symbols. Specifically, the URL contains a token ID unique to the email, such as hxxps://documents.debt-collection-experts.com/download?token=abe186e045cbf8a0a078cf221f2fe532, that ensures that the download only occurs once. This is often a method used to prevent researchers from downloading the file again for analysis as well as to prevent re-infecting an already compromised system.
Our research exposed a small-scale online infrastructure used by this attack and other similar ones from the same malware author.
Pivoting off the attack domain name of documents[.]debt-collection-experts[.]com, we found two domains, debt-collection-experts[.]com and debt-collection-experts[.]online, were registered simultaneously on April 26, 2024, nine months before the December attack campaign. Initially, these domains had different hosts. The .online domain first resolved to IP 192.64.119.79, while its subdomains (download., downloads., and docs.) pointed to the 89.185.82.x range. The .com domain appeared to use Cloudflare's protection services, as evidenced by its redirection to the 104.21.x.x and 172.67.140.x IP addresses.
The IP address 89.185.82.34 appears central to this campaign's operations, hosting both download[.]debt-collection-experts[.]online and potentially other attack infrastructure. Online blocklists suggest this IP address was also being used as a TOR exit node. Analysis of the malware author's online activity suggests that the TROX Stealer was first released back in April 2024 and was continually marketed since then, with the author relying heavily on these domain names for selling the malware service.
The malware author maintained their infrastructure through routine certificate management. The original Google Trust Services certificate for debt-collection-experts[.]online was issued on April 26, 2024, the same day as domain registration. In August 2024, a Let's Encrypt certificate was generated for documents[.]debt-collection-experts[.]com, suggesting preparation for a new campaign phase.
In December 2024, just weeks before the attack campaign analyzed here, both domains showed significant infrastructure updates. New Google Trust Services certificates were issued for both domains and their subdomains, and the infrastructure appears to have been consolidated behind Cloudflare's protection services. During this period, the author heavily marketed their malware service on online hacking forums, corresponding with this activity.
This pattern of domain registration, certificate management, and infrastructure evolution demonstrates a methodical approach to maintaining attack infrastructure over a nine-month period, with specific preparations visible before each campaign phase.
Additionally, during execution, we saw a system profile being sent to a set IP address containing information about the victim’s system. The first stage malware file sent a large set of JSON data to 172.22.117.177 on TCP port 2777. An example of this content is shown below:
This IP address on this port was found to be used for multiple connections within this campaign, as evidenced by the process filenames making the connection.
The malware distributed from the email link contained multiple layers of obfuscation to hide the original logic. While many of these layers are not malicious by themselves, the unique combination shows a developer going above and beyond to protect their code. This is often seen in malware that is sold on hacking forums to protect malicious intellectual property.
Once downloaded by a victim, the malware is delivered as a 21MB file that was found to be a Nuitka-compiled executable.
Nuitka is an open source tool that is used to convert and compile a Python script to a native Windows application. For the purpose of anti-analysis, this simply removes an initial Python script from being easily extracted, but the executable is still easily analyzed using known tools.
Nuitka keeps the files used for execution within an internal resource that is compressed with the Zstd streaming algorithm. Analysis showed that the original executable simply extracted multiple embedded files from this resource and stored them uncompressed to a temporary folder, %Temp%\onefile_11536_133873237425638862, where the digits are dynamically created based upon the process ID and system time to ensure a unique folder is made.
Upon extraction, the malware is executed using its hardcoded filename DebtCollectionCase1751448.exe. Moments later, after completing its installation, the malware deletes these extracted files. The list below shows the files extracted from this specific sample.
A variety of these files, such as the .pyd Python Libraries and .dll files, are support libraries to the executable files. The notable files are:
Though compiled into an executable, there were many artifacts left behind that allowed us to rebuild the basic script structure. By injecting into the running Python code and manipulating it in memory, we were able to gather the author-defined names of the functions, variables, and even the author’s documentation. However, the actual code could not be directly retrieved.
When manually run, we can see output generated in the screenshot below that shows node700.exe and client_pdf_case_388.pdf both copied to a newly created %Temp%\assistant folder. From here, each is then executed.
The client_pdf_case_388.pdf file is the legitimate decoy document regarding debt collection from an English financial firm, as shown earlier. Metadata from the PDF shows unique Indicators of Compromise (IOCs) that could be used for future identification. This includes the file being created by the PyPDF2 Python library, showing the author’s automatic creation of PDFs from text, and a unique Modified value of "Copy\040388". As a note, Sublime has a Detection Rule for this type of automatic creation: Attachment: Python generated PDF with link
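Both the PyPDF2 producer string and the unusual Modified value live in the PDF's Info dictionary. As an added example (not Sublime's detection rule or code from this campaign), the Python below pulls those entries out of a simple uncompressed PDF, decodes PDF literal-string escapes such as \040, and flags a PyPDF2 producer; the two sample PDFs are constructed for the demo.

```python
import re

def unescape_pdf_string(s):
    """Decode PDF literal-string escapes: \\ddd octal (e.g. \\040 is a space),
    \\n \\r \\t \\b \\f, and backslash-escaped ( ) \\."""
    escapes = {"n": "\n", "r": "\r", "t": "\t", "b": "\b", "f": "\f"}
    def repl(m):
        esc = m.group(1)
        return chr(int(esc, 8)) if esc[0] in "01234567" else escapes.get(esc, esc)
    return re.sub(r"\\([0-7]{1,3}|.)", repl, s, flags=re.S)

def pdf_info(data):
    """Return the /Info dictionary of an uncompressed PDF as {key: str}.
    Only literal (...) strings are handled; hex <...> strings and Info
    dictionaries stored inside object streams are out of scope here."""
    ref = re.search(rb"/Info\s+(\d+)\s+\d+\s+R", data)
    if not ref:
        return {}
    obj = re.search(rb"(?<!\d)" + ref.group(1) + rb"\s+0\s+obj\s*<<(.*?)>>\s*endobj",
                    data, re.S)
    if not obj:
        return {}
    body = obj.group(1).decode("latin-1")
    pairs = re.findall(r"/([A-Za-z]+)\s*\(((?:\\.|[^\\)])*)\)", body, re.S)
    return {k: unescape_pdf_string(v) for k, v in pairs}

def is_python_generated(data):
    """Flag PDFs whose Producer/Creator names PyPDF2, the library the decoy
    PDF in this campaign was built with."""
    info = pdf_info(data)
    return any("PyPDF2" in info.get(k, "") for k in ("Producer", "Creator"))

# Constructed minimal PDFs (not the real decoy): one mimicking the decoy's
# metadata, one from a conventional producer as a control.
DECOY_PDF = (b"%PDF-1.4\n"
             b"1 0 obj\n<< /Producer (PyPDF2) /Modified (Copy\\040388)\n"
             b"   /Title (Debt Collection Case) >>\nendobj\n"
             b"trailer\n<< /Info 1 0 R >>\n%%EOF\n")
CONTROL_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Producer (Acrobat Distiller) >>\nendobj\n"
               b"trailer\n<< /Info 1 0 R >>\n%%EOF\n")
```

Real-world PDFs often keep the Info dictionary inside a compressed object stream, so a production check should run this logic over the decompressed objects a PDF library exposes.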
What is more interesting is the node700.exe file. This 50MB executable is a Node.JS language interpreter that is designed to store JavaScript directly in its own file for execution. Quick analysis showed large blocks of JavaScript, such as the code shown below:
Within the 2.5MB of exposed JavaScript code is a key indicator of the next attack stage: a large block of Base64 encoded data. In the screenshot below, we see a portion of this Base64 data decoded and then executed by functions from the rustwasm library, an open-source library used to compile Rust code into WebAssembly (Wasm).
There has been much written about Wasm exploits and payloads over the last few years. More recently, there has been public reporting on unique methods of embedding Wasm into existing code for execution in a victim’s environment, such as Wasm smuggling techniques documented by delivr.to.
While this code represents a minor step in the infection path, it has very unique aspects that are worth identifying. The start of the decoded 2 MB Base64 encoded Wasm binary is shown below. Notable in the metadata is the number of entries in the TYPE structure. 71 entries (0x47) means that there are 71 different function types used by over 4,700 functions.
This suggests a high level of obfuscation and anti-analysis, which was proven during reverse engineering that discovered hundreds of thousands of lines of junk code. For the functions that would resolve to actual code, this junk code was typically undecipherable, as shown below.
This WebAssembly binary also showed artifacts of how it was built with references to walrus 0.21.1 and wasm-bindgen 0.2.93 (bf9807c5a), which are interesting indicators to determine the toolchain used by the malware author. Notably, tool versions can be used to narrow a timeline of when the malware was created. This can greatly differ from the compilation time on the original executable as this core code could be reused for long periods of time in new campaigns. For example, Walrus version 0.21.1 was released in July 2024, superseded by 0.21.2 in September of the same year. Likewise, wasm-bindgen 0.2.93 was released in August 2024, superseded by 0.2.94 in October of the same year. Versioning alone shows that the core code here was written in August 2024 at the earliest.
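The TYPE entry count and the walrus/wasm-bindgen version strings above are both readable straight from the Wasm section table: the counts are the leading LEB128 integers of the TYPE and FUNCTION sections, and toolchain names are recorded in the "producers" custom section. As an added example (not code from the original post or the malware), this Python walks those sections and reports the function-type count, the function count and the tools listed under "processed-by"; the SAMPLE module is constructed to reproduce the counts and strings the analysis observed, and the encoder helpers exist only to build it.

```python
def read_leb128(buf, pos):          # unsigned LEB128 -> (value, next_pos)
    result, shift = 0, 0
    while True:
        b, pos = buf[pos], pos + 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7
def read_name(buf, pos):            # length-prefixed UTF-8 -> (text, next_pos)
    n, pos = read_leb128(buf, pos)
    return buf[pos:pos + n].decode("utf-8"), pos + n

def wasm_summary(data):
    """Walk a Wasm module's sections: TYPE count, FUNCTION count and the
    tools recorded under 'processed-by' in the 'producers' custom section."""
    if data[:4] != b"\0asm":
        raise ValueError("not a WebAssembly binary")
    pos, info = 8, {"types": 0, "functions": 0, "processed_by": []}
    while pos < len(data):
        sec_id = data[pos]
        size, pos = read_leb128(data, pos + 1)
        body, pos = data[pos:pos + size], pos + size
        if sec_id in (1, 3):        # TYPE (1) and FUNCTION (3) begin with a count
            info["types" if sec_id == 1 else "functions"], _ = read_leb128(body, 0)
        elif sec_id == 0 and read_name(body, 0)[0] == "producers":
            _, p = read_name(body, 0)
            nfields, p = read_leb128(body, p)
            for _ in range(nfields):
                field, p = read_name(body, p)
                nvals, p = read_leb128(body, p)
                for _ in range(nvals):
                    tool, p = read_name(body, p)
                    version, p = read_name(body, p)
                    if field == "processed-by":
                        info["processed_by"].append(f"{tool} {version}")
    return info

# Constructed sample module (not the real TROX Wasm); leb128/name/sect are encoders.
def leb128(n):
    out = b""
    while n >= 0x80:
        out, n = out + bytes([(n & 0x7F) | 0x80]), n >> 7
    return out + bytes([n])
name = lambda s: leb128(len(s)) + s.encode()
sect = lambda sid, body: bytes([sid]) + leb128(len(body)) + body
SAMPLE = (b"\0asm\x01\x00\x00\x00"
          + sect(1, leb128(71) + b"\x60\x00\x00" * 71)    # 71 (0x47) func types
          + sect(3, leb128(4700) + b"\x00" * 4700)        # 4,700 functions
          + sect(0, name("producers") + leb128(1) + name("processed-by") + leb128(2)
                 + name("walrus") + name("0.21.1") + name("wasm-bindgen") + name("0.2.93 (bf9807c5a)")))
```

The FUNCTION section counts only the module's own functions, not imports, so the ratio of types to functions is a quick triage signal for bulk-generated junk code rather than an exact measure.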
While the steps taken up to this point show an interesting and unique approach to packaging the malware, they are simply overly-complicated attempts to avoid analysis. Ultimately, the final payload is not in this chain, but is eventually downloaded and executed from here.
The final TROX Stealer download was stored as an executable on a public GitHub account. Posted as a release to an empty repository, it could be retrieved via a direct URL. This executable represents the TROX Python-based script, also compiled with Nuitka.
For overall functionality, TROX uses existing data stealing methods to copy information out of the system and upload to GoFile or the author’s Telegram accounts. Most forms of stealing information were from querying application databases for sensitive information, a known and accepted risk in most web browsers. The code to perform this is well documented and easily available from many sources, and the content within TROX, as shown below, likely reuses existing work.
Likewise, additional functionality is apparent from the URLs used by the malware, as shown in the table below. Additional URLs were available pointing to the author’s Telegram bots and channels, which have been removed from this list.
At this point, an infostealer like TROX would either run in the background to continually collect data, or perform an initial data exfiltration and then exit.
TROX Stealer is a recent example of malware leveraging multiple programming languages and techniques to evade detection:
While the malware employs advanced evasion techniques, its core stealing capabilities rely on common methods like querying application databases for sensitive information. This, along with many other indicators described in this post, provides numerous opportunities for detection and prevention.
Sublime's AI-powered detection engine prevented this attack at the first layer by preventing it from being delivered to an inbox. The top signals in these attacks are:
Additionally, Sublime’s detection engine has existing rules that target the tools used to create malicious payloads, like PyPDF2.
See the full Message Query Language (MQL) that detected these attacks in these publicly available Detection Rules in the Core Feed:
If you’re interested in checking out Sublime and how we detect and prevent attempts to deliver malware via email originating attacks, you can create a free account today or request a demo. If you enjoyed this deep dive, check out Xloader deep dive: Link-based malware delivery via SharePoint impersonation.
DNS, Malicious domain
debt-collection-experts[.]com
documents[.]debt-collection-experts[.]com
debt-collection-experts[.]online
download.debt-collection-experts[.]online
downloads.debt-collection-experts[.]online
docs.debt-collection-experts[.]online
IP, Malicious server
89.185.82.34
172.22.117.177