StrelaStealer
According to PCRisk, StrelaStealer is built to steal email account log-in credentials. At the time of writing it targets two email clients, Microsoft Outlook and Mozilla Thunderbird.
For Thunderbird, the malware searches the "%APPDATA%\Thunderbird\Profiles\" directory for "logins.json" (the saved account logins, stored encrypted) and "key4.db" (the key database needed to decrypt them); with both files in hand it can recover the Thunderbird credentials.
For Outlook, it reads the client's profile keys in the Windows Registry and retrieves the "IMAP User", "IMAP Server" and "IMAP Password" values. The password is stored DPAPI-protected, so the malware calls the Windows CryptUnprotectData API to decrypt it before exfiltration. Note that DPAPI user-scope protection only shields the value from other users and other machines: any code running in the logged-on user's session, this stealer included, can decrypt it.
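As an added hunting example (not code from this page, from PCRisk, or from any vendor's tooling), the script below turns the two access patterns described above into a per-process detection and runs it over a constructed batch of EDR-style events: file opens of logins.json/key4.db under a Thunderbird profile, and reads of the "IMAP User", "IMAP Server" and "IMAP Password" values under an Outlook profile key. The event field names, the user and profile paths, the process names and the specific Outlook account subkey are all assumptions made for the example; the sample events are constructed, not captured telemetry.

```python
import re
from collections import defaultdict

# Constructed sample telemetry for this example (not real sensor output).
# One record per file open or registry value read; the field names
# "type", "pid", "image", "path", "key" and "value" are assumed here and
# should be mapped onto whatever schema your sensor actually emits.
SAMPLE_EVENTS = [
    # Legitimate clients reading their own stores: must not alert.
    {"type": "file_read", "pid": 1001,
     "image": r"C:\Program Files\Mozilla Thunderbird\thunderbird.exe",
     "path": r"C:\Users\alice\AppData\Roaming\Thunderbird\Profiles\x1y2z3.default-release\logins.json"},
    {"type": "registry_read", "pid": 1002,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "key": r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002",
     "value": "IMAP Password"},
    # Unrelated process reading an unrelated file: must not alert.
    {"type": "file_read", "pid": 1003, "image": r"C:\Windows\System32\notepad.exe",
     "path": r"C:\Users\alice\Documents\notes.txt"},
    # One non-mail-client process sweeping both clients' stores: the stealer pattern.
    # (rundll32.exe is an illustrative host process, not a claim about the sample.)
    {"type": "file_read", "pid": 4242, "image": r"C:\Windows\System32\rundll32.exe",
     "path": r"C:\Users\alice\AppData\Roaming\Thunderbird\Profiles\x1y2z3.default-release\logins.json"},
    {"type": "file_read", "pid": 4242, "image": r"C:\Windows\System32\rundll32.exe",
     "path": r"C:\Users\alice\AppData\Roaming\Thunderbird\Profiles\x1y2z3.default-release\key4.db"},
    {"type": "registry_read", "pid": 4242, "image": r"C:\Windows\System32\rundll32.exe",
     "key": r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002",
     "value": "IMAP User"},
    {"type": "registry_read", "pid": 4242, "image": r"C:\Windows\System32\rundll32.exe",
     "key": r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002",
     "value": "IMAP Server"},
    {"type": "registry_read", "pid": 4242, "image": r"C:\Windows\System32\rundll32.exe",
     "key": r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002",
     "value": "IMAP Password"},
]

# The two Thunderbird files named on the page, anywhere under a profile directory.
THUNDERBIRD_STORE = re.compile(
    r"\\Thunderbird\\Profiles\\[^\\]+\\(logins\.json|key4\.db)$", re.IGNORECASE)
# Any key under an Outlook profile tree; the exact account subkey varies per install.
OUTLOOK_PROFILE_KEY = re.compile(r"\\Outlook\\Profiles\\", re.IGNORECASE)
OUTLOOK_IMAP_VALUES = {"imap user", "imap server", "imap password"}
# Processes that are expected to read these stores.
MAIL_CLIENTS = {"thunderbird.exe", "outlook.exe"}


def image_name(image_path):
    """Lower-cased executable name from a full image path."""
    return image_path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return ("thunderbird", file) or ("outlook", value) when the event touches
    one of the credential stores StrelaStealer goes after, otherwise None."""
    if event["type"] == "file_read":
        m = THUNDERBIRD_STORE.search(event["path"])
        if m:
            return ("thunderbird", m.group(1).lower())
    elif event["type"] == "registry_read":
        if OUTLOOK_PROFILE_KEY.search(event["key"]) and event["value"].lower() in OUTLOOK_IMAP_VALUES:
            return ("outlook", event["value"])
    return None


def hunt(events):
    """Group store accesses per process, drop the owning mail clients, and
    return one alert dict per suspicious process, sorted by pid."""
    per_process = defaultdict(lambda: {"image": None, "thunderbird_files": set(), "outlook_values": set()})
    for ev in events:
        hit = classify(ev)
        if hit is None or image_name(ev["image"]) in MAIL_CLIENTS:
            continue
        rec = per_process[ev["pid"]]
        rec["image"] = image_name(ev["image"])
        kind, item = hit
        (rec["thunderbird_files"] if kind == "thunderbird" else rec["outlook_values"]).add(item)

    alerts = []
    for pid, rec in per_process.items():
        hits_both = bool(rec["thunderbird_files"]) and bool(rec["outlook_values"])
        reads_password = "imap password" in {v.lower() for v in rec["outlook_values"]}
        alerts.append({
            "pid": pid,
            "image": rec["image"],
            "thunderbird_files": sorted(rec["thunderbird_files"]),
            "outlook_values": sorted(rec["outlook_values"]),
            # Reading the DPAPI-protected IMAP Password, or sweeping both
            # clients' stores from one process, is the behaviour described above.
            "severity": "high" if hits_both or reads_password else "medium",
        })
    return sorted(alerts, key=lambda a: a["pid"])


if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert)
```

Two caveats when wiring this up. Sysmon's default telemetry does not cover these accesses (it records file creation and registry value writes, not reads), so the events have to come from an EDR that logs file and registry reads, or from Windows object-access auditing with SACLs set on the Thunderbird profile directory and the Outlook profile keys. And a single read of "IMAP Password" by anything other than Outlook already deserves a high-severity alert on its own: as noted above, DPAPI gives the stored password no protection against code running in the same user's session, so the read is effectively the theft.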
C2 Infrastructure
Last 7 days
| Date | C2 Hosts |
|---|---|
| Apr 9, 2026 | 1 |
Further Reading
Under the radar email credential stealer in development
We unravel the details of two large-scale StrelaStealer campaigns from 2023 and 2024. This email credential stealer has a new variant delivered through zipped JScript.
Explore Aryaka Threat Research Lab’s in-depth analysis of Strela Stealer malware. Learn how this info-stealer evades detection, exploits WebDAV, and exfiltrates credentials—and how Unified SASE as ...
IBM X-Force has been tracking ongoing Hive0145 campaigns delivering Strela Stealer malware for over a year. Learn more about the malware, the techniques for spreading it, and how to protect against...
Learn more about the techniques employed by StrelaStealer during its infection and how to leverage guardsix SIEM to detect it effectively.
In Part 2, we shift our focus to the malware campaigns linked to Proton66, where compromised WordPress websites were leveraged to target Android devices.