
Stealerium malware surge prompts concern over new attack tactics
Proofpoint threat researchers have reported a rise in the use of Stealerium-based malware by opportunistic cybercriminals.
Recent analysis by Rob Kinner, Kyle Cucci, and the Proofpoint Threat Research Team has highlighted an increasing trend in malware campaigns leveraging Stealerium, an open-source infostealer initially made available for "educational purposes." Stealerium, along with related malware families such as Phantom Stealer, is used to extract sensitive information from compromised systems.
Information theft shift
Proofpoint's research notes that cybercriminals are increasingly prioritising the acquisition of identities and credential information through information-stealing malware. While many threat actors continue to use malware-as-a-service options like Lumma Stealer and Amatera Stealer, some are shifting towards one-off purchases or the adoption of open-source code repositories, including Stealerium.
Stealerium became available on GitHub in 2022, labelled for "educational purposes only." Its open-source nature provides valuable insight for cyber defenders, but equally benefits malicious actors who adapt or enhance its code to develop new, evasive variants.
Proofpoint researchers have observed a surge in the number and diversity of Stealerium-based campaigns, including a renewed focus in mid-2025 after a period of diminished activity. In May 2025, the threat actor TA2715 employed Stealerium in a campaign, marking its first significant reappearance in Proofpoint's email threat data since early 2023. Another actor, TA2536, used Stealerium in late May 2025, having previously favoured Snake Keylogger.
Campaign techniques
These malware campaigns are wide-ranging in their reach and use a variety of email lures and delivery mechanisms. Stealerium-based campaigns can comprise hundreds to tens of thousands of messages, utilising different file types to deliver their payload, including compressed executables, JavaScript files, VBScript, ISO and IMG images, as well as ACE archives.
Emails used in these campaigns often impersonate establishments such as charities, banks, or courts, employing financial or urgent subject lines such as "Payment Due" or "Court Summons." Notable campaign examples include a May 2025 incident where TA2715 posed as a Canadian charity with a "request for quote" message, and further campaigns in June 2025 that used travel, hospitality, or "Xerox Scan" payment-related themes. Proofpoint identified that these attackers also use social engineering tactics, occasionally sending sexually explicit material or legal threats, such as a "court date" notification in July 2025 to prompt recipients to act.
Payload and execution
On execution, Stealerium commands the infected system to run "netsh wlan" to enumerate Wi-Fi profiles and available networks, a process suggesting potential lateral movement or attempted geolocation. Some campaigns execute scripts to exclude their operations from Windows Defender protections using PowerShell, and use scheduled tasks for persistence. In some cases, variants employ Chrome's Remote Debugging capability to bypass browser security and access sensitive data.
Technical details
Stealerium is built on the .NET framework and targets a broad range of valuable information for exfiltration. This includes browser data, credit card details, gaming session tokens, cryptocurrency wallet contents, and sensitive documents. Its adaptability is evident in its support for multiple delivery and exfiltration methods, such as Zulip chat, GoFile, Discord webhooks, Telegram API, and SMTP.
Proofpoint categorises several related malware under the Stealerium designation due to heavy code overlap. For instance, Phantom Stealer, which markets itself as an "ethical hacking" tool, shares substantial source code similarities, often referencing Stealerium in its codebase. The key differentiators are found in metadata such as report headers. Other malware families, like Warp Stealer, also share these codebases.
Features and evasion
Stealerium employs several tactics to resist analysis and detection. Its execution involves anti-analysis checks, creation of mutexes, and temporary storage of data in dedicated directories before exfiltration. It can detect sandbox environments or emulation, blocklisted usernames, hardware identifiers, and even processes. If any of these checks indicates an analysis environment, the malware is designed to self-destruct.
One notable feature is its ability to dynamically download new blocklists from public GitHub repositories, complicating efforts to detect the malware with static threat signatures.
The malware's configuration, including exfiltration methods and data targets (such as banking or cryptocurrency data), is versatile. Settings are often secured using AES encryption, with keys embedded in its configuration for decryption at runtime.
An additional component includes a mechanism to detect adult content in open browsers, triggering the capture of both desktop and webcam screenshots. This may be used for so-called "sextortion" campaigns, where criminals blackmail victims using sensitive imagery or deceptive claims.
Industry observations
"Stealerium, being open-source, free, and capable of exfiltrating vast sensitive data via multiple mediums, warrants close monitoring. Recent campaigns from May to July 2025 confirm its continued use in opportunistic operations, with TA2715 activity leading to broader threat hunting. Organisations should monitor for 'netsh wlan' activity, suspicious PowerShell defender exclusions, headless Chrome execution, and large data exfiltration to unpermitted services or URLs, ideally preventing such outbound traffic."
Proofpoint researchers advise security professionals to be vigilant in monitoring anomalies such as unexpected "netsh wlan" commands, suspicious PowerShell activity related to Windows Defender policies, and high data transfer to unfamiliar services or URLs, to help detect emerging Stealerium-related threats within their networks.
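As an added defensive illustration that is not part of Proofpoint's report or the Stealerium codebase, the following Python scores constructed process-creation events against the host indicators the article lists (netsh wlan enumeration, PowerShell Defender exclusions, scheduled-task persistence, and headless Chrome with remote debugging) and correlates hits by parent process so that a single parent spawning several of them stands out. All event data, rule names, and the two-rule threshold are assumptions made for the example.

```python
import re

# Constructed sample process-creation events, not real telemetry:
# (parent_image, image, command_line)
SAMPLE_EVENTS = [
    ("explorer.exe", "invoice.exe", "invoice.exe"),
    ("invoice.exe", "netsh.exe", "netsh wlan show profiles"),
    ("invoice.exe", "netsh.exe", "netsh wlan show networks mode=bssid"),
    ("invoice.exe", "powershell.exe",
     'powershell -ep bypass -c "Add-MpPreference -ExclusionPath C:\\Users\\x\\AppData\\Local\\Temp"'),
    ("invoice.exe", "schtasks.exe",
     "schtasks /create /sc minute /mo 5 /tn Update /tr C:\\Users\\x\\AppData\\Local\\Temp\\invoice.exe"),
    ("invoice.exe", "chrome.exe",
     'chrome.exe --headless --remote-debugging-port=9222 --user-data-dir="C:\\Users\\x\\AppData\\Local\\Google\\Chrome\\User Data"'),
    ("services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
    ("explorer.exe", "powershell.exe", "powershell Get-MpPreference"),  # benign read-only query
]

# One regex per indicator from the article; rule names are assumed.
RULES = {
    "wifi_enum": re.compile(r"\bnetsh\b.*\bwlan\b.*\bshow\b", re.I),
    "defender_exclusion": re.compile(r"(Add|Set)-MpPreference\b.*-Exclusion\w*", re.I),
    "remote_debug_chrome": re.compile(r"chrome(\.exe)?\b.*--(remote-debugging-port|headless)", re.I),
    "schtask_persist": re.compile(r"\bschtasks(\.exe)?\b.*/create\b", re.I),
}


def match_rules(cmdline):
    """Return the names of every rule whose pattern appears in the command line."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


def detect(events):
    """Return a list of (rule, parent_image, command_line) hits over the event stream."""
    hits = []
    for parent, _image, cmd in events:
        for name in match_rules(cmd):
            hits.append((name, parent, cmd))
    return hits


def correlate_by_parent(hits, min_rules=2):
    """Group hits by parent process; flag parents that triggered at least min_rules distinct rules."""
    by_parent = {}
    for name, parent, _cmd in hits:
        by_parent.setdefault(parent, set()).add(name)
    return {p: sorted(r) for p, r in by_parent.items() if len(r) >= min_rules}


if __name__ == "__main__":
    for parent, rules in correlate_by_parent(detect(SAMPLE_EVENTS)).items():
        print(f"suspicious parent {parent}: {', '.join(rules)}")
```

Any one of these rules alone is noisy on an admin workstation; the correlation step is what turns "netsh wlan" plus a Defender exclusion from the same parent into something worth an alert.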