Recent StrelaStealer infection chain involves decoy PDF files

Intel Name: Recent StrelaStealer infection chain involves decoy PDF files

Date of Scan: February 11, 2025

Impact: High

Summary:
Recent StrelaStealer activity continues to leverage WebDAV servers to distribute malware. Since late January 2025, decoy PDF files have been observed during the infection process. The WebDAV and C2 server at 193.143.1[.]205 remains active, hosting both the decoy PDF and the StrelaStealer malware as of February 10, 2025. The decoy PDF itself is not malicious; it features a blurred image to mislead victims. The malicious .js files execute only if the victim’s Windows system is set to a language or locale for one of the following German-speaking countries: Austria, Germany, Liechtenstein, Luxembourg, or Switzerland.
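A triage sketch for the WebDAV delivery described above, added here as an example and not taken from the original report: it flags proxy-log requests to the published server and, more generally, WebDAV traffic to any external IP literal. The log layout, host names, paths and file names are constructed, and it assumes clients reach the server through the built-in Windows WebDAV client, which the summary does not state.

```python
import ipaddress
import re
from urllib.parse import urlparse

IOC_DEFANGED = ["193.143.1[.]205"]  # from this page; refanged only in memory
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "LOCK", "UNLOCK", "COPY", "MOVE"}
WEBDAV_UA = "Microsoft-WebDAV-MiniRedir"  # user agent of the Windows WebClient service
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Assumed log layout: timestamp src_host method url "user-agent"
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')

def refang(indicator):
    return indicator.replace("[.]", ".")

# Constructed sample lines (hosts, paths and file names are made up).
SAMPLE_LOG = """\
2025-02-10T09:14:02Z ws-014 PROPFIND http://{ioc}/share/ "Microsoft-WebDAV-MiniRedir/10.0.19045"
2025-02-10T09:14:05Z ws-014 GET http://{ioc}/share/placeholder.js "Microsoft-WebDAV-MiniRedir/10.0.19045"
2025-02-10T09:15:40Z ws-022 GET https://example.com/index.html "Mozilla/5.0"
2025-02-10T09:16:11Z ws-031 PROPFIND http://10.20.0.8/dav/ "Microsoft-WebDAV-MiniRedir/10.0.19045"
2025-02-10T09:17:30Z ws-040 PROPFIND http://198.51.100.7/files/ "Microsoft-WebDAV-MiniRedir/10.0.19045"
""".format(ioc=refang(IOC_DEFANGED[0]))

def is_external_ip_literal(host):
    """True when host is a literal IP outside the internal ranges above."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name, not an IP literal
    return not any(addr in net for net in INTERNAL_NETS)

def triage(log_text):
    """Return (src_host, dest, reason) for each request worth an analyst's look."""
    iocs = {refang(i) for i in IOC_DEFANGED}
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        _ts, src, method, url, agent = m.groups()
        host = urlparse(url).hostname or ""
        is_webdav = method in WEBDAV_METHODS or agent.startswith(WEBDAV_UA)
        if host in iocs:
            findings.append((src, host, "ioc-match"))
        elif is_webdav and is_external_ip_literal(host):
            findings.append((src, host, "webdav-to-external-ip"))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

The second rule is deliberately broader than the single indicator, so it keeps working if the distribution server moves to another address.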
