25 March 2024

Large-scale StrelaStealer campaign impacts over 100 orgs across Europe and the US

A new wave of phishing attacks delivering the StrelaStealer information-stealing malware has been detected, according to Palo Alto Networks Unit 42 researchers. The campaign is said to have impacted more than 100 organizations across the EU and US.

The attacks involve spam emails with attachments that eventually launch StrelaStealer's DLL payload. StrelaStealer steals email login data from well-known email clients and sends it back to the attacker's command-and-control (C2) server. Using this information, the threat actors behind the campaign could gain access to the victims' email accounts and perpetrate further attacks.

First seen in November 2022, the StrelaStealer email campaigns have been primarily targeting the EU and United States. Since then, two large-scale StrelaStealer campaigns have been observed in November 2023 and January 2024, targeting high tech, finance, professional and legal, manufacturing, government, energy, insurance, and construction sectors in the EU and the US.

The more recent campaigns have not changed much, according to Unit 42. The new variant of StrelaStealer is delivered through a zipped JScript file and employs an updated obfuscation technique in the DLL payload.

“The payload DLL is still identifiable with the strela string. However, we can see that the threat actor has updated the malware in an attempt to evade detection,” the researchers noted.
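The two delivery traits reported above, a JScript file inside a ZIP attachment and a DLL payload that still carries the "strela" string, can be turned into a simple mail-gateway triage check. The following is an added example written for this page, not Unit 42's tooling or the malware's code; the script-extension list, the "MZ" header test and the size cap are this example's own assumptions, and the sample archives are constructed in memory.

```python
"""Triage heuristic for the delivery chain described above: a ZIP attachment
carrying a JScript file, and a DLL payload that still contains the 'strela'
marker. Added example for this page, not Unit 42's tooling; samples are
constructed in memory."""
import io
import zipfile

# Extensions Windows Script Host executes when a user double-clicks them (assumed list).
SCRIPT_EXTENSIONS = (".js", ".jse", ".wsf", ".vbs")
PAYLOAD_MARKER = b"strela"  # string the page says still identifies the DLL
MAX_MEMBER_BYTES = 16 * 1024 * 1024  # skip oversized members (decompression bombs)

def scan_zip_attachment(data: bytes) -> dict:
    """Return triage findings for one ZIP attachment given as raw bytes."""
    findings = {"scripts": [], "marked_payloads": [], "verdict": "clean"}
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings["verdict"] = "not-a-zip"
        return findings
    for info in archive.infolist():
        if info.filename.lower().endswith(SCRIPT_EXTENSIONS):
            findings["scripts"].append(info.filename)
        if info.file_size > MAX_MEMBER_BYTES:
            continue
        content = archive.read(info)
        # PE image (MZ header) whose bytes still contain the marker string
        if content.startswith(b"MZ") and PAYLOAD_MARKER in content.lower():
            findings["marked_payloads"].append(info.filename)
    if findings["marked_payloads"]:
        findings["verdict"] = "strela-marker"
    elif findings["scripts"]:
        findings["verdict"] = "script-in-zip"
    return findings

def build_sample_zip(members: dict) -> bytes:
    """Construct an in-memory ZIP from {name: bytes}; demonstration input only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed samples: a harmless PDF-only archive and a lure archive.
    benign = build_sample_zip({"invoice.pdf": b"%PDF-1.4 constructed"})
    lure = build_sample_zip({"invoice.js": b"// constructed dropper stub",
                             "payload.dll": b"MZ" + b"\x00" * 64 + b"STRELA"})
    print(scan_zip_attachment(benign)["verdict"])  # clean
    print(scan_zip_attachment(lure)["verdict"])    # strela-marker
```

A "script-in-zip" verdict on its own is a reason to quarantine for review, since the string marker can disappear in the next wave while the archive-plus-script lure tends to persist.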

The malware relies on obfuscation techniques to make analysis in sandboxed environments more difficult.

“With each new wave of email campaigns, threat actors update both the email attachment, which initiates the infection chain, and the DLL payload itself,” the threat research team said.
