Troll Stealer

Troll Stealer uses HTTP to communicate to command and control infrastructure.(Citation: S2W Troll Stealer 2024)

Troll Stealer creates and executes a PowerShell script to delete itself.(Citation: S2W Troll Stealer 2024)

Troll Stealer performs XOR encryption and Base64 encoding of data prior to sending to command and control infrastructure.(Citation: S2W Troll Stealer 2024)

Troll Stealer encrypts gathered information on victim devices prior to exfiltrating it through command and control infrastructure.(Citation: S2W Troll Stealer 2024)

Troll Stealer encrypts data sent to command and control infrastructure using a combination of RC4 and RSA-4096 algorithms.(Citation: S2W Troll Stealer 2024)

Troll Stealer creates a mutex during installation to prevent duplicate execution.(Citation: S2W Troll Stealer 2024)

Troll Stealer creates and can execute a BAT script that will delete the malware.(Citation: S2W Troll Stealer 2024)

Troll Stealer is typically installed via a dropper file that masquerades as a legitimate security program installation file.(Citation: S2W Troll Stealer 2024)(Citation: Symantec Troll Stealer 2024)

Troll Stealer has been delivered as a VMProtect-packed binary.(Citation: S2W Troll Stealer 2024)(Citation: ASEC Troll Stealer 2024)

Troll Stealer, along with its associated dropper, utilizes legitimate, stolen code signing certificates.(Citation: S2W Troll Stealer 2024)(Citation: ASEC Troll Stealer 2024)

Troll Stealer is dropped as a DLL file and executed via `rundll32.exe` by its installer.(Citation: S2W Troll Stealer 2024)(Citation: ASEC Troll Stealer 2024)

Troll Stealer collects all data in victim `.ssh` folders by creating a compressed copy that is subsequently exfiltrated to command and control infrastructure. Troll Stealer also collects key information associated with the Government Public Key Infrastructure (GPKI) service for South Korean government information systems.(Citation: S2W Troll Stealer 2024)(Citation: Symantec Troll Stealer 2024)