Do Son 
VirusTotal data showing URL connection associations to a malicious IP related to this campaign
TROX Stealer, first identified in December 2024, stands as a striking example of a sophisticated malware campaign designed to harvest sensitive information from unsuspecting users. Researchers at Sublime have determined that the attackers’ primary tactic relies on psychological manipulation—alarming emails with subject lines like “Final Notice Before Legal Action” are crafted to induce panic and provoke hasty, unthinking responses.
The malware is distributed via emails that mimic official legal correspondence. Within the email body lies embedded HTML content containing a hyperlink labeled “DebtCollectionCase.exe.” This link includes a unique token allowing the malicious file to be downloaded only once—thereby complicating efforts by security analysts to retrieve it for examination.
TROX Stealer is not merely disguised as a document; it is embedded within a sophisticated technical delivery chain. The malicious file is a Python script compiled using Nuitka and heavily obfuscated. Upon execution, it extracts embedded files: a fake PDF document and an executable named “node700.exe”—a bundled Node.js interpreter used to execute the next stages of infection.
A pivotal element of the payload involves WebAssembly code, encoded in Base64 and padded with junk instructions to hinder analysis. The malware communicates with multiple domains and IP addresses, frequently refreshing its SSL certificates to evade detection and sustain prolonged activity.
Its propagation model is based on a Malware-as-a-Service platform, offering attackers flexibility and rapid deployment capabilities. TROX Stealer was leased under short-term licenses, allowing cybercriminals to operate it for limited durations before the malware was redistributed to new clients.
Victims span a wide spectrum—including educational institutions, energy firms, and even cybersecurity companies—underscoring the malware’s adaptability and the targeted nature of its campaigns.
Particularly noteworthy is the role of artificial intelligence in combating this threat. Sublime’s detection engine successfully flagged TROX Stealer-laden emails at the delivery stage, thwarting attacks early. However, experts caution that AI alone is insufficient: continuous evolution in analysis techniques, staff training, and heightened user awareness remain essential.
The complexity of TROX Stealer—its layered architecture, use of multiple programming languages, and advanced evasion tactics—makes it emblematic of a new generation of malware. Combating such threats requires not only technological innovation but a strategic, multidimensional approach to cybersecurity.
