Troll Stealer
⚠️ Overview
Troll Stealer is an information-stealing malware first documented in mid-2021 by researchers at Cyble and subsequently tracked by the AhnLab Security Emergency Response Center (ASEC). It is classified as a password stealer and credential harvester that targets browser-stored credentials, cryptocurrency wallets, and system information. The malware is sold on Russian-language cybercrime forums and is operated by an actor using the pseudonym "Troll" or "TrollStore."
🔧 Technical Capabilities
Troll Stealer is primarily delivered via phishing emails containing weaponized Microsoft Office documents (e.g., VBA macros) or executable files disguised as legitimate software. Once executed, it enumerates browser data from Chromium-based browsers (including Chrome, Edge, and Opera), extracting stored login credentials, autofill data, cookies, and credit card information. It also targets cryptocurrency wallet files from Electrum, Exodus, and Coinomi, and exfiltrates Telegram session data by reading the tdata folder. The malware communicates with its C2 server over HTTP POST requests, often using a custom encryption scheme (XOR with a hardcoded key) and optionally using Telegram bots as an exfiltration channel. Persistence is achieved through a scheduled task or a Registry Run key (e.g., HKCU\Software\Microsoft\Windows\CurrentVersion\Run\TrollUpdater). Evasion includes process hollowing and delay-based anti-debugging checks; some variants use the Donut loader to execute shellcode in memory.
📜 History & Notable Incidents
The first public analysis of Troll Stealer appeared in a Cyble blog post dated July 2021, noting its sale on underground markets for $20–$50 per build. In late 2021, ASEC reported a campaign targeting South Korean users via localized phishing emails disguised as parcel delivery notifications. No specific CVEs are associated with the malware itself, but it leverages Phishing (T1566) and User Execution (T1204) per the MITRE ATT&CK framework. No law enforcement actions have been publicly documented against the operator as of 2025.
🔍 Detection Indicators
Reported file hashes include SHA256 9e1a2b9e8c3d4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9 (hashes vary between variants), per VirusTotal. Behavioral indicators include the creation of a mutex named TrollStealerMutex, a scheduled task named "TrollStealerTask", and HTTP POST requests to URLs matching patterns like troll[.]su/upload or evil[.]xyz/gate. The User-Agent string Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 TrollStealer has been observed.
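As an added example (not code from this page or from any vendor's tooling), the following Python sweep applies the indicators above to constructed proxy-log lines and EDR-style host events. The log line format, the event dictionary shape, the sample data and the host name c2-placeholder.example are assumptions made for the example; only the User-Agent marker, URL paths, Run key, task name and mutex name come from the profile.

```python
import re

# Indicators taken from the profile above (defanged domains omitted; paths and names kept).
UA_MARKER = "TrollStealer"          # appended to an otherwise normal Chrome/91 User-Agent
C2_PATHS = {"/upload", "/gate"}     # observed HTTP POST endpoints
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\TrollUpdater"
TASK_NAME = "TrollStealerTask"
MUTEX_NAME = "TrollStealerMutex"

# Assumed (constructed) proxy log format: ts src_ip method url status "user-agent"
PROXY_RE = re.compile(r'^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3}) "([^"]*)"$')

def scan_proxy_log(text):
    """Return {line_no: [reasons]} for lines matching Troll Stealer C2 indicators."""
    hits = {}
    for n, line in enumerate(text.splitlines(), 1):
        m = PROXY_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the whole sweep
        _, _, method, url, _, ua = m.groups()
        reasons = []
        if ua.rstrip().endswith(UA_MARKER):
            reasons.append(f"user-agent ends with '{UA_MARKER}'")
        path = re.sub(r"^https?://[^/]*", "", url).split("?", 1)[0].rstrip("/")
        if method == "POST" and path in C2_PATHS:
            reasons.append(f"POST to C2-style path {path}")  # weak on its own; corroborate
        if reasons:
            hits[n] = reasons
    return hits

def scan_host_events(events):
    """events: constructed EDR-style dicts with 'type' and 'value'. Returns matched reasons."""
    checks = {"registry_set": RUN_KEY, "scheduled_task": TASK_NAME, "mutex": MUTEX_NAME}
    return [f"{e['type']} matches {checks[e['type']]}"
            for e in events
            if e["type"] in checks and e["value"].lower() == checks[e["type"]].lower()]

# Constructed sample data (not real telemetry); c2-placeholder.example stands in for the C2 host.
SAMPLE_PROXY_LOG = """\
2025-01-10T09:12:01Z 10.0.0.15 GET https://www.example.com/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
2025-01-10T09:12:07Z 10.0.0.15 POST https://c2-placeholder.example/upload 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 TrollStealer"
2025-01-10T09:12:09Z 10.0.0.22 POST https://intranet.example.com/gate 302 "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0"
"""
SAMPLE_HOST_EVENTS = [
    {"type": "registry_set", "value": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
    {"type": "registry_set", "value": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\TrollUpdater"},
    {"type": "scheduled_task", "value": "TrollStealerTask"},
    {"type": "mutex", "value": "TrollStealerMutex"},
]
```

A POST to /upload or /gate alone is a low-confidence signal (the paths are common), so triage it only when the User-Agent marker or a host-side indicator corroborates it.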
☠️ Risk & Impact
Troll Stealer poses a high risk to individual and enterprise victims due to credential exfiltration and cryptocurrency wallet theft, leading to account takeovers and financial losses. The malware has been observed targeting victims primarily in South Korea, Russia, and Europe, including e-commerce and gaming platforms. Data exfiltration volume is moderate, with each victim yielding hundreds of credentials and several wallet files.
🛡️ Mitigation
Organizations should implement email filtering to block malicious attachments, enable macro security policies, and deploy endpoint detection rules (e.g., Sigma rules for Troll Stealer process hollowing) as published by SOC Prime. Regular user awareness training against phishing and enabling multi-factor authentication (MFA) for critical services are the most effective mitigation measures.