Cybersecurity researchers have issued a warning over a significant rise in the use of Stealerium malware.
Analysis from Proofpoint shows the malware strain is being used to harvest sensitive data from victims worldwide.
Pitched as being available 'for educational purposes', the infostealer can exfiltrate a wide range of data, from browser credentials and crypto wallets to Wi-Fi profiles and VPN configurations.
This is achieved through multiple channels such as SMTP, Discord, Telegram, GoFile, and Zulip, researchers noted.
In some cases, it's being used for sextortion, capturing screenshots and webcam images when pornography-related content is detected in open browser tabs.
Proofpoint said Stealerium has flown under the radar for some time now, but researchers have observed a huge spike in activity between May and August this year, including campaigns linked to threat actors TA2536 and TA2715.
"Both of these actors recently favored Snake Keylogger (also known as VIP Recovery), so the use of Stealerium was notable," researchers said in a blog post detailing the campaigns.
"Proofpoint researchers identified additional campaigns through August 2025 that employed a variety of persuasive lures and delivery mechanisms. While most campaigns are not attributed to tracked threat actors, the initial TA2715 activity marked the first observed use of Stealerium in Proofpoint threat data in over a year."
How hackers are using Stealerium malware
Recent campaigns have used a wide range of social engineering techniques, researchers noted, including payment notices, legal threats, travel bookings, and adult-themed content.
These are often with compressed executables such as JavaScript, VBScript, ISO, or IMG attachments.
The team also spotted multiple campaigns leveraging travel, hospitality, and even wedding-themed lures. The subject lines generally convey urgency or financial importance, including 'Payment Due', 'Court Summons' and Donation Invoice.
In one instance, Proofpoint identified a TA2715 campaign impersonating a Canadian charitable organization with a 'request for quote' lure. The messages contained a compressed executable attachment that, when executed, downloaded and installed Stealerium.
Upon execution, Stealerium issues a series of 'netsh wlan' commands to enumerate saved Wi-Fi profiles and nearby wireless networks.
Several campaigns also leveraged PowerShell to add Windows Defender exclusions and used scheduled tasks for persistence and evasion.
Meanwhile, the malware has a particular feature that focuses on pornography-related data. Researchers said it is able to detect adult content-related browser tabs and takes a desktop screenshot as well as a webcam image capture.
This, researchers said, is likely to be used later for sextortion.
"While this feature is not novel among cyber crime malware, it is not often observed," the researchers said.
The company advised organizations to monitor for activity involving 'netsh wlan', suspicious use of PowerShell defender exclusions, and headless Chrome executions which are consistent with post-infection behaviors.
Similarly, they should keep an eye out for large amounts of data leaving networks, particularly to services and URLs that aren't permitted for use in the organization, or prevent outbound traffic to these services altogether.
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
-
Is diversity still a challenge in the channel?Industry Insights Despite progress, diversity remains a challenge in the tech channel, as women represent less than a quarter of the UK’s tech workforce and still face structural and cultural barriers
-
How the UK is leading Europe at AI-driven manufacturingIn-depth A new report puts the country on top of the charts in adopting machine learning on the factory floor in several critical measures
-
The Scattered Lapsus$ Hunters group is targeting Zendesk customers – here’s what you need to knowNews The group appears to be infecting support and help-desk personnel with remote access trojans and other forms of malware
-
Impact of Asahi cyber attack laid bare as company confirms 1.5 million customers exposedNews No ransom has been paid, said president and group CEO Atsushi Katsuki, and the company is restoring its systems
-
If you're not taking insider threats seriously, then the CrowdStrike incident should be a big wake up callNews CrowdStrike has admitted an insider took screenshots of systems and shared them with hackers, and experts say it should serve as a wake up call for enterprises globally.
-
Shai-Hulud malware is back with a vengeance and has hit more than 19,000 GitHub repositories so far — here's what developers need to knowNews The malware has compromised more than 700 widely-used npm packages, and is spreading fast
-
Security experts claim the CVE Program isn’t up to scratch anymore — inaccurate scores and lengthy delays mean the system needs updatedNews CVE data is vital in combating emerging threats, yet inaccurate ratings and lengthy wait times are placing enterprises at risk
-
The US, UK, and Australia just imposed sanctions on a Russian cyber crime group – 'we are exposing their dark networks and going after those responsible'News Media Land offers 'bulletproof' hosting services used for ransomware and DDoS attacks around the world
-
Thousands of ASUS routers are being hijacked in a state-sponsored cyber espionage campaignNews Researchers believe that Operation WrtHug is being carried out by Chinese state-sponsored hackers
-
IBM AIX users urged to patch immediately as researchers sound alarm on critical flawsNews Network administrators should patch the four IBM AIX flaws as soon as possible
