Cybersecurity experts issue urgent warning amid surge in Stealerium malware attacks

Malware concept image showing a laptop with skull and crossbones on screen, symbolizing a cyber attack.

(Image credit: Getty Images)

published 4 September 2025

Cybersecurity researchers have issued a warning over a significant rise in the use of Stealerium malware.

Analysis from Proofpoint shows the malware strain is being used to harvest sensitive data from victims worldwide.

Pitched as being available 'for educational purposes', the infostealer can exfiltrate a wide range of data, from browser credentials and crypto wallets to Wi-Fi profiles and VPN configurations.

This is achieved through multiple channels such as SMTP, Discord, Telegram, GoFile, and Zulip, researchers noted.

In some cases, it's being used for sextortion, capturing screenshots and webcam images when pornography-related content is detected in open browser tabs.

Proofpoint said Stealerium has flown under the radar for some time now, but researchers have observed a huge spike in activity between May and August this year, including campaigns linked to threat actors TA2536 and TA2715.

"Both of these actors recently favored Snake Keylogger (also known as VIP Recovery), so the use of Stealerium was notable," researchers said in a blog post detailing the campaigns.

"Proofpoint researchers identified additional campaigns through August 2025 that employed a variety of persuasive lures and delivery mechanisms. While most campaigns are not attributed to tracked threat actors, the initial TA2715 activity marked the first observed use of Stealerium in Proofpoint threat data in over a year."

How hackers are using Stealerium malware

Recent campaigns have used a wide range of social engineering techniques, researchers noted, including payment notices, legal threats, travel bookings, and adult-themed content.

These are often with compressed executables such as JavaScript, VBScript, ISO, or IMG attachments.

The team also spotted multiple campaigns leveraging travel, hospitality, and even wedding-themed lures. The subject lines generally convey urgency or financial importance, including 'Payment Due', 'Court Summons' and Donation Invoice.

In one instance, Proofpoint identified a TA2715 campaign impersonating a Canadian charitable organization with a 'request for quote' lure. The messages contained a compressed executable attachment that, when executed, downloaded and installed Stealerium.

Upon execution, Stealerium issues a series of 'netsh wlan' commands to enumerate saved Wi-Fi profiles and nearby wireless networks.

Several campaigns also leveraged PowerShell to add Windows Defender exclusions and used scheduled tasks for persistence and evasion.

Meanwhile, the malware has a particular feature that focuses on pornography-related data. Researchers said it is able to detect adult content-related browser tabs and takes a desktop screenshot as well as a webcam image capture.

This, researchers said, is likely to be used later for sextortion.

"While this feature is not novel among cyber crime malware, it is not often observed," the researchers said.

The company advised organizations to monitor for activity involving 'netsh wlan', suspicious use of PowerShell defender exclusions, and headless Chrome executions which are consistent with post-infection behaviors.

Similarly, they should keep an eye out for large amounts of data leaving networks, particularly to services and URLs that aren't permitted for use in the organization, or prevent outbound traffic to these services altogether.

Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.

MORE FROM ITPRO

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.