Proofpoint threat researchers have uncovered a surge in campaigns distributing Stealerium-based malware, an open-source infostealer first released on GitHub in 2022 “for educational purposes.” While it was initially overlooked in favor of more popular malware-as-a-service (MaaS) offerings, Proofpoint now observes a growing number of opportunistic cybercriminals adopting and modifying Stealerium for real-world attacks.
As the researchers explain: “Threat actors are increasingly pivoting to information stealers, as targeting identity becomes a priority for cybercriminals.”
Stealerium’s availability as freely downloadable code has accelerated its use. Proofpoint notes: “While open-source malware can be helpful for detection engineers and threat hunters to understand the patterns of behavior for which they can develop threat detection signatures, it also provides a different kind of education to malicious actors.”
This dual-use nature has spawned multiple variants, with Phantom Stealer and Warp Stealer sharing significant code overlap. For this reason, Proofpoint groups them all under the Stealerium family until clear divergence emerges.
Proofpoint’s telemetry shows Stealerium returning to the threat landscape in mid-2025:
- May 2025 (TA2715): A campaign impersonated a Canadian charitable organization with a “request for quote” lure, delivering Stealerium through compressed executables.
- Late May 2025 (TA2536): Another low-sophistication actor deployed Stealerium, diverging from their usual reliance on Snake Keylogger.
- June 23, 2025: Travel-themed lures impersonating booking requests targeted the hospitality, education, and finance sectors.
- June 24, 2025: A global campaign used a fake “Xerox Scan” payment lure. The malware not only installed Stealerium but also executed network reconnaissance via Wi-Fi profile harvesting.
- July 2, 2025: Legal-themed emails warned recipients of an impending lawsuit, with IMG files and embedded VBScript payloads delivering Stealerium.
Message volumes ranged from a few hundred to tens of thousands, with lure content designed to exploit fear and urgency.
Stealerium is written in .NET and has evolved into a versatile and dangerous infostealer. Proofpoint highlights its broad set of features:
- Credential Theft: Browser cookies, saved logins, credit card details, and session tokens for services like Steam and BattleNet.
- System Reconnaissance: Enumerates installed apps, hardware info, and saved Wi-Fi networks.
- Crypto Theft: Targets wallets such as MetaMask and Exodus.
- Sextortion Feature: Detects NSFW content in browsers and triggers both desktop and webcam screenshots for potential blackmail.
- Persistence & Evasion: Uses scheduled tasks, PowerShell to add Windows Defender exclusions, and extensive anti-analysis checks.
Notably, Proofpoint observed remote debugging abuse in Chrome to bypass security mechanisms like App-Bound Encryption, enabling the theft of cookies and sensitive browser data.
Stealerium’s flexibility extends to its numerous exfiltration methods:
- SMTP: Stolen data archived and emailed to attacker-controlled inboxes.
- Discord Webhooks: Leveraging chat infrastructure for theft.
- Telegram: API-based data transfer to attacker accounts.
- GoFile: Abuse of free-tier file hosting for staging stolen data.
- Zulip Chat: A unique exfiltration vector rarely seen in the wild.
This range of options makes detection and blocking more challenging for defenders.
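The persistence, reconnaissance and exfiltration behaviours listed above map naturally onto host- and network-telemetry detections. The following is an added example, not code from Proofpoint or from the Stealerium project: a small rule set run over constructed sample events (the command lines, webhook path, bot token and Zulip hostname are all made up), which flags a host only when a local stealer behaviour and an exfiltration channel both appear.

```python
import re

# Constructed sample telemetry, not data from the Proofpoint report:
# "PROC|<command line>" for process creation, "NET|<method> <url>" for outbound HTTP.
SAMPLE_EVENTS = [
    r"PROC|powershell.exe Add-MpPreference -ExclusionPath C:\Users\u\AppData\Roaming",
    r"PROC|schtasks.exe /create /sc minute /mo 1 /tn Updater /tr C:\Users\u\AppData\Roaming\svc.exe",
    r"PROC|netsh.exe wlan show profiles",
    r"PROC|chrome.exe --remote-debugging-port=9222 --headless --user-data-dir=C:\Users\u\AppData\Local\Google\Chrome\User Data",
    "NET|POST https://discord.com/api/webhooks/000000/constructed-token",
    "NET|POST https://api.telegram.org/botCONSTRUCTED/sendDocument",
    "NET|POST https://store1.gofile.io/uploadFile",
    "NET|POST https://example.zulipchat.com/api/v1/messages",
    r"PROC|notepad.exe C:\Users\u\notes.txt",
    "NET|GET https://www.example.com/",
]

# (rule name, event kind, pattern). Patterns follow the behaviours the report attributes
# to Stealerium; the Chrome rule requires headless or an explicit profile dir to cut dev noise.
RULES = [
    ("defender_exclusion_via_powershell", "PROC", re.compile(r"Add-MpPreference\s+-Exclusion", re.I)),
    ("scheduled_task_persistence", "PROC", re.compile(r"schtasks(\.exe)?\s+/create", re.I)),
    ("wifi_profile_harvesting", "PROC", re.compile(r"netsh(\.exe)?\s+wlan\s+show\s+profiles?", re.I)),
    ("chrome_remote_debugging", "PROC", re.compile(r"chrome\.exe.*--remote-debugging-port=\d+.*(--headless|--user-data-dir)", re.I)),
    ("exfil_discord_webhook", "NET", re.compile(r"https?://discord(app)?\.com/api/webhooks/", re.I)),
    ("exfil_telegram_bot_api", "NET", re.compile(r"https?://api\.telegram\.org/bot", re.I)),
    ("exfil_gofile_upload", "NET", re.compile(r"https?://[\w.-]*gofile\.io/", re.I)),
    ("exfil_zulip_api", "NET", re.compile(r"https?://[\w.-]+\.zulipchat\.com/api/v1/messages", re.I)),
]

def scan(events):
    """Map each rule name to the event bodies that triggered it."""
    hits = {}
    for event in events:
        kind, _, body = event.partition("|")
        for name, rule_kind, pattern in RULES:
            if kind == rule_kind and pattern.search(body):
                hits.setdefault(name, []).append(body)
    return hits

def looks_like_stealerium(hits):
    """True only when a host-side stealer behaviour and an exfil channel both fired."""
    host_side = any(not name.startswith("exfil_") for name in hits)
    exfil_side = any(name.startswith("exfil_") for name in hits)
    return host_side and exfil_side

if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    print({name: len(bodies) for name, bodies in found.items()}, "suspect:", looks_like_stealerium(found))
```

Each rule on its own is low-confidence (developers use Chrome remote debugging, admins run netsh); the combination with an outbound upload to one of the named services is what makes the verdict useful.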
Proofpoint stresses that the renewed adoption of Stealerium highlights the enduring appeal of open-source malware for cybercriminals: “Although the malware has existed for a while, Proofpoint researchers recently observed an uptick in campaigns delivering Stealerium-based malware.”