NEWS TROX Stealer: Legal Spam That Steals Real Money

ExcalibuR

Just one harmless-looking click can trigger a long chain of trouble.

TROX Stealer, first discovered in December 2024, has become a prime example of a sophisticated malware campaign aimed at stealing sensitive information from everyday users. Researchers at Sublime have determined that the attackers’ primary strategy relies on psychological manipulation — alarming email subjects like “Final Notice Before Legal Action” pressure victims into acting hastily and without caution.


The malware is distributed through emails disguised as official legal correspondence. The email body includes HTML content with a hyperlink pointing to a file named “DebtCollectionCase.exe.” The link contains a unique token, allowing the file to be downloaded only once, making it harder for security analysts to retrieve it for further inspection.
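The lure described above has a shape a mail-filtering pipeline can score without ever fetching the single-use payload: a legal-threat subject line, an HTML body, and a hyperlink whose path names a Windows executable behind a long opaque query token. The following is an added example (not Sublime's detection logic and not part of the original post) that triages one raw message along those lines; the sample message, its `example.invalid` addresses and the token value are constructed for the demonstration.

```python
"""Score an inbound email for the legal-threat lure pattern:
urgent subject + HTML body + hyperlink to an executable behind an opaque token.
Added example; SAMPLE_EMAIL and BENIGN_EMAIL are constructed inputs."""
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# File types a legitimate "case file" would never be delivered as.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".msi", ".hta"}
# Pressure phrases typical of the campaign's subject lines.
URGENCY_PHRASES = ("final notice", "legal action", "debt collection", "lawsuit", "court")


class LinkExtractor(HTMLParser):
    """Collect every href from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.links.append(value)


def extract_links(html):
    parser = LinkExtractor()
    parser.feed(html)
    return parser.links


def assess_link(url):
    """Flag executable download paths and long opaque query parameters (one-time tokens)."""
    parsed = urlparse(url)
    filename = parsed.path.rsplit("/", 1)[-1]
    ext = "." + filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    params = parse_qs(parsed.query)
    token_like = any(len(v[0]) >= 16 for v in params.values() if v)
    return {
        "url": url,
        "filename": filename,
        "executable": ext in EXECUTABLE_EXTENSIONS,
        "single_use_token": token_like,
    }


def triage(raw_email):
    """Return urgency phrases, per-link findings, a score and a verdict for one message."""
    msg = message_from_string(raw_email, policy=policy.default)
    subject = (msg["subject"] or "").lower()
    urgent = [p for p in URGENCY_PHRASES if p in subject]
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    links = [assess_link(u) for u in extract_links(html)]
    # Executable links weigh most; urgency and token-gated downloads add to it.
    score = (len(urgent)
             + sum(2 for f in links if f["executable"])
             + sum(1 for f in links if f["single_use_token"]))
    verdict = "block" if score >= 3 else "review" if score else "allow"
    return {"urgent_subject_phrases": urgent, "links": links, "score": score, "verdict": verdict}


# Constructed sample modelled on the lure in the article (domains and token are placeholders).
SAMPLE_EMAIL = """\
From: collections@example.invalid
To: recipient@example.invalid
Subject: Final Notice Before Legal Action
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Your case file is ready for download.</p>
<a href="https://downloads.example.invalid/files/DebtCollectionCase.exe?token=f3a9c1b7e2d84c5a9b0e">Download case file</a>
</body></html>
"""

# Constructed benign control message.
BENIGN_EMAIL = """\
From: office@example.invalid
To: recipient@example.invalid
Subject: Team lunch menu
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><a href="https://intranet.example.invalid/menu">This week's menu</a></body></html>
"""

if __name__ == "__main__":
    for name, mail in (("sample", SAMPLE_EMAIL), ("benign", BENIGN_EMAIL)):
        print(name, triage(mail))
```

The scoring is deliberately simple; in a real gateway the executable-link signal alone would justify quarantine, and the unfetchable single-use token is a reason to quarantine on the link's shape rather than wait for a sandbox verdict that may never come.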


TROX Stealer is not merely disguised as a document; it also involves a complex chain of technical tactics. The malicious file is a Python script compiled with Nuitka and heavily obfuscated. Once executed, it extracts embedded files: a fake PDF document and an executable named “node700.exe”, which acts as a Node.js interpreter used to launch the next stage of the infection process.


One of the key components is the use of WebAssembly code, encoded in Base64 and filled with junk instructions to hinder reverse engineering. The malware communicates with various domains and IP addresses, regularly rotating SSL certificates to stay undetected and maintain long-term persistence.


The use of Malware-as-a-Service (MaaS) platforms allows TROX Stealer to be deployed flexibly and rapidly. It was rented out to cybercriminals under short-term licenses, meaning attackers could use it for just a few days before it was handed off to other clients.


Victims have included educational institutions, energy companies, and even cybersecurity firms — a testament to the malware’s adaptability and the targeted nature of its attacks.


Artificial intelligence plays a notable role in the fight against TROX Stealer. Sublime’s AI engine was able to detect infected emails at the delivery stage, blocking the threat early on. However, experts emphasize that AI alone is not enough — ongoing advancements in analysis techniques, employee training, and user awareness are all critical components of effective defense.


The complexity, multi-layered architecture, use of multiple programming languages, and advanced evasion techniques make TROX Stealer a textbook example of next-generation malware. Combating it requires not just technological solutions, but a strategic, holistic approach to cybersecurity.