Cybersecurity experts issue urgent warning amid surge in Stealerium malware attacks
Proofpoint researchers said they've seen a big uptick in use of Stealerium malware, which is being used in a wide range of phishing campaigns
Cybersecurity researchers have issued a warning over a significant rise in the use of Stealerium malware.
Analysis from Proofpoint shows the malware strain is being used to harvest sensitive data from victims worldwide.
Pitched as being available 'for educational purposes', the infostealer can exfiltrate a wide range of data, from browser credentials and crypto wallets to Wi-Fi profiles and VPN configurations.
This is achieved through multiple channels such as SMTP, Discord, Telegram, GoFile, and Zulip, researchers noted.
In some cases, it's being used for sextortion, capturing screenshots and webcam images when pornography-related content is detected in open browser tabs.
Proofpoint said Stealerium has flown under the radar for some time now, but researchers have observed a huge spike in activity between May and August this year, including campaigns linked to threat actors TA2536 and TA2715.
"Both of these actors recently favored Snake Keylogger (also known as VIP Recovery), so the use of Stealerium was notable," researchers said in a blog post detailing the campaigns.
"Proofpoint researchers identified additional campaigns through August 2025 that employed a variety of persuasive lures and delivery mechanisms. While most campaigns are not attributed to tracked threat actors, the initial TA2715 activity marked the first observed use of Stealerium in Proofpoint threat data in over a year."
How hackers are using Stealerium malware
Recent campaigns have used a wide range of social engineering techniques, researchers noted, including payment notices, legal threats, travel bookings, and adult-themed content.
These are often with compressed executables such as JavaScript, VBScript, ISO, or IMG attachments.
The team also spotted multiple campaigns leveraging travel, hospitality, and even wedding-themed lures. The subject lines generally convey urgency or financial importance, including 'Payment Due', 'Court Summons' and Donation Invoice.
In one instance, Proofpoint identified a TA2715 campaign impersonating a Canadian charitable organization with a 'request for quote' lure. The messages contained a compressed executable attachment that, when executed, downloaded and installed Stealerium.
Upon execution, Stealerium issues a series of 'netsh wlan' commands to enumerate saved Wi-Fi profiles and nearby wireless networks.
Several campaigns also leveraged PowerShell to add Windows Defender exclusions and used scheduled tasks for persistence and evasion.
Meanwhile, the malware has a particular feature that focuses on pornography-related data. Researchers said it is able to detect adult content-related browser tabs and takes a desktop screenshot as well as a webcam image capture.
This, researchers said, is likely to be used later for sextortion.
"While this feature is not novel among cyber crime malware, it is not often observed," the researchers said.
The company advised organizations to monitor for activity involving 'netsh wlan', suspicious use of PowerShell defender exclusions, and headless Chrome executions which are consistent with post-infection behaviors.
Similarly, they should keep an eye out for large amounts of data leaving networks, particularly to services and URLs that aren't permitted for use in the organization, or prevent outbound traffic to these services altogether.
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
-
The UK AI revolution: navigating the future of the intelligent enterpriseAs AI reshapes industries and societies, decision-makers in the UK face a critical choice: build a sovereign future or merely import it.
-
Turning the UK AI revolution into a sovereign realityThe UK AI Revolution documentary series posed difficult questions about AI’s hype, control, and future. Now, IT leaders must find the architectural answers
-
There’s a dangerous new ransomware variant on the block – and cyber experts warn it’s flying under the radarNews The new DeadLock ransomware family is taking off in the wild, researchers warn
-
Supply chain and AI security in the spotlight for cyber leaders in 2026News Organizations are sharpening their focus on supply chain security and shoring up AI systems
-
Veeam patches Backup & Replication vulnerabilities, urges users to updateNews The vulnerabilities affect Veeam Backup & Replication 13.0.1.180 and all earlier version 13 builds – but not previous versions.
-
NHS supplier DXS International confirms cyber attack – here’s what we know so farNews The NHS supplier says front-line clinical services are unaffected
-
LastPass hit with ICO fine after 2022 data breach exposed 1.6 million users – here’s how the incident unfoldedNews The impact of the LastPass breach was felt by customers as late as December 2024
-
Researchers claim Salt Typhoon masterminds learned their trade at Cisco Network AcademyNews The Salt Typhoon hacker group has targeted telecoms operators and US National Guard networks in recent years
-
Trend Micro issues warning over rise of 'vibe crime' as cyber criminals turn to agentic AI to automate attacksNews Trend Micro is warning of a boom in 'vibe crime' - the use of agentic AI to support fully-automated cyber criminal operations and accelerate attacks.
-
Cyber budget cuts are slowing down, but that doesn't mean there's light on the horizon for security teamsNews A new ISC2 survey indicates that both layoffs and budget cuts are on the decline
