Redazione RHC: 8 September 2025 14:29
Researchers at Proofpoint, a leader in cybersecurity and information protection, have detected a worrying increase in the use of open-source malware, such as Stealerium and Phantom Stealer, by opportunistic cybercriminals. These tools, originally “for educational purposes,” are becoming effective weapons for stealing sensitive data, putting corporate identities and information at risk.
Threat actors are increasingly focusing their efforts on infostealers, as identity theft has become a top priority in the cybercrime landscape. While many favor “malware-as-a-service” offerings, such as Lumma Stealer or Amatera Stealer, a growing number of criminals are turning to disposable or freely available solutions on platforms like GitHub. Stealerium is a prime example.
Stealerium emerged on GitHub in 2022 as open-source malware and is still available for download “for educational purposes only.” While the code may help security experts develop detection signatures, it also offers attackers dangerous “training”: they can easily adopt, modify, and even improve it, producing malware variants that are increasingly difficult to detect and combat.
“It’s unclear to what extent Phantom Stealer is related to Stealerium, but the two families share a very large portion of code, and it’s likely that Phantom Stealer reused code from Stealerium,” explain Proofpoint researchers. Many analyzed samples, in fact, reference both in their code, highlighting a close relationship between the two threats.
Stealerium is a full-featured infostealer, written in .NET, capable of exfiltrating a wide range of data, including: cookies and browser credentials; credit card data (via web form scraping); session tokens from gaming services (e.g., Steam); cryptocurrency wallet details; sensitive files of various types; keylogging and clipboard data; information about installed apps, hardware, and Windows product keys; VPN service data (NordVPN, OpenVPN, ProtonVPN, etc.); and Wi-Fi network information and passwords.
A particularly disturbing feature is Stealerium’s ability to detect adult content in open browser tabs and capture desktop screenshots and webcam images. This functionality can be used for “sextortion” tactics, a growing phenomenon in cybercrime.
Although Stealerium has been around for some time, Proofpoint researchers have recently observed a surge in campaigns distributing code based on this malware. In particular, a May 2025 campaign linked to the actor TA2715 brought Stealerium back into the spotlight; the malware had not seen significant use since early 2023. TA2536, another low-sophistication cybercriminal, also deployed it in late May 2025, a notable shift given that both actors had recently favored Snake Keylogger.
The campaigns, involving message volumes ranging from a few hundred to tens of thousands, used a variety of persuasive lures and delivery mechanisms. The emails, impersonating organizations such as charitable foundations, banks, courts, and document services, contained malicious attachments such as compressed executables, JavaScript, VBScript, ISO files, IMG files, and ACE archives. The emails’ subject lines, often urgent or financially sensitive (“Payment Due,” “Court Summons,” “Donation Invoice”), were intended to trick victims into opening the attachments.
Proofpoint recommends that organizations closely monitor for activity such as the use of “netsh wlan,” suspicious PowerShell commands that add Windows Defender exclusions, and Chrome running without a graphical interface (headless mode), all behaviors consistent with Stealerium infections. It is also essential to monitor for large amounts of data leaving the network, especially to unauthorized services and URLs, or to block outgoing traffic to such services entirely.
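The three host-level behaviors above can be turned into a simple detection pass over process-creation telemetry. The following Python is an added example, not Proofpoint's published rules or any code from the Stealerium project; the event field names (`Image`, `CommandLine`) follow a Sysmon-style JSON export and the sample events are constructed, as are the regular expressions, which a team would tune to its own environment.

```python
import json
import re

# Behaviors the article associates with Stealerium infections, expressed as
# regexes over a process's command line. These patterns are my own
# approximations (assumed), not vendor-published detection rules.
INDICATORS = {
    "wifi_profile_enumeration": re.compile(r"\bnetsh(\.exe)?\s+wlan\b", re.I),
    "defender_exclusion_added": re.compile(
        r"(Add|Set)-MpPreference\b.*-Exclusion(Path|Process|Extension)", re.I),
    "headless_chrome": re.compile(r"chrome(\.exe)?\b.*--headless", re.I),
}


def classify_event(event: dict) -> list[str]:
    """Return the names of every indicator matched by one process-creation event."""
    cmd = event.get("CommandLine", "")
    return [name for name, rx in INDICATORS.items() if rx.search(cmd)]


def scan_events(lines):
    """Scan newline-delimited JSON events; return (index, image, indicators) for each hit."""
    hits = []
    for i, line in enumerate(lines):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a malformed line should not abort the whole scan
        matched = classify_event(event)
        if matched:
            hits.append((i, event.get("Image", "?"), matched))
    return hits


# Constructed sample telemetry (assumed Sysmon-style field names), not real data.
SAMPLE_LOG = [
    r'{"Image":"C:\\Windows\\System32\\netsh.exe","CommandLine":"netsh wlan show profiles"}',
    r'{"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",'
    r'"CommandLine":"powershell -c Add-MpPreference -ExclusionPath C:\\Users\\Public"}',
    r'{"Image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",'
    r'"CommandLine":"chrome.exe --headless"}',
    r'{"Image":"C:\\Windows\\explorer.exe","CommandLine":"explorer.exe"}',
    'this line is not JSON',
]

if __name__ == "__main__":
    for idx, image, matched in scan_events(SAMPLE_LOG):
        print(f"event {idx}: {image} -> {', '.join(matched)}")
```

Any single hit is a lead rather than a verdict (administrators also run `netsh wlan`); correlating two or more of these behaviors from one process tree within a short window is what raises confidence.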