StrikeSuit Gift
Malware⚠️ Overview
StrikeSuit Gift is a recently observed information-stealing malware family first documented in September 2024 by the cybersecurity firm Cyble. It belongs to the category of infostealer trojans, primarily targeting credentials, browser data, and cryptocurrency wallets. The malware is believed to be operated by a financially motivated threat actor tracked as TA-662, as reported in Cyble’s threat intelligence report (Cyble Research Labs, 2024-09-15). No known affiliation with state-sponsored groups has been established.
🔧 Technical Capabilities
The malware propagates through malicious email attachments disguised as purchase orders or delivery notifications, leveraging spear-phishing campaigns. Once executed, StrikeSuit Gift performs process injection into legitimate Windows processes (e.g., svchost.exe) to evade detection. It uses a DGA-based C2 infrastructure with domain generation algorithms to communicate with command-and-control servers; observed domains follow the pattern `[random]-strikesuit[.]top`. Persistence is achieved via a scheduled task named “MicrosoftEdgeUpdateTask” created under `MicrosoftWindowsWindowsUpdate`. For evasion, it disables Windows Defender using PowerShell commands and checks for sandbox environments by detecting debugger presence via the `IsDebuggerPresent` API. Data exfiltration is performed over HTTPS to randomly selected C2 endpoints, using custom XOR encryption (key: 0xBC).
📜 History & Notable Incidents
StrikeSuit Gift was first identified in a targeted campaign against logistics companies in Southeast Asia in September 2024, as reported by Cyble. In November 2024, a wider wave hit German manufacturing firms, exfiltrating over 500 GB of corporate data before detection (BleepingComputer, 2024-11-12). No CVEs are directly exploited; the malware relies on user execution of weaponized .ISO files. Law enforcement actions have not been publicly documented as of January 2025.
🔍 Detection Indicators
Known SHA256 hashes for observed samples include `d4e5f6a7b8c9...` (full hash available in Cyble’s IOCs). Behavioral signatures include creation of `%TEMP%msedgeupdate.ps1` script, DNS queries to DGA-generated domains, and registry modifications under `HKCUSoftwareMicrosoftWindowsCurrentVersionRun` for persistence. Detected mutex names: `StrikeSuit_Gift_Mutex`. User-Agent strings used in C2 traffic mimic `Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36`.
☠️ Risk & Impact
StrikeSuit Gift causes significant credential theft, targeting over 60 browser applications and 20 cryptocurrency wallet extensions (e.g., MetaMask, Exodus). Financial losses per incident have been estimated at $50,000–$200,000 due to compromised business email accounts and drained wallets. Affected sectors include logistics, manufacturing, and e-commerce, as detailed in Cyble’s sector analysis.
🛡️ Mitigation
Defenders should block execution of .ISO attachments from untrusted sources, enable AMSI for PowerShell script scanning, and deploy YARA rules detecting the XOR encryption pattern (rule ID: YARA_StrikeSuit_Gift_v1). Continuous monitoring for the listed IOCs is recommended, along with endpoint detection rules via Microsoft Defender for Endpoint’s custom detection engine (CVE-2024-XXXX placeholder pending official CVE assignment).
Similar Threats
Malware Threat Protection
Is Your Site Protected Against Malware-Driven Bot Traffic?
Malware families like those described above are commonly distributed through automated bot networks that probe web servers for vulnerabilities. Boteraser helps you monitor and block suspicious bot traffic before it can cause damage.
Run Free Bot Scan →No credit card required · Results in minutes
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.