
Banking data under threat as Stealerium open-source malware makes a comeback

Stealerium-driven cyber attacks are on the rise, according to recent observations by the security firm Proofpoint.

Bank data under threat: open-source malware built on Stealerium poses a danger to financial institutions


Stealerium is not a new threat, but it is a resurgent one. The .NET infostealer, whose source code has been public on GitHub since 2022, is drawing renewed attention from security researchers because of the unusually wide range of channels it can use to exfiltrate stolen data.

Stealerium has been observed sending stolen data over several channels: SMTP, Discord webhooks, the Telegram bot API, the file-sharing service Gofile, and Zulip. Each of these is legitimate infrastructure, so the traffic blends in with ordinary outbound web and mail connections. The malware also fetches up-to-date blocklists from public GitHub repositories at run time, so the set of analysis environments it refuses to run in can change without the binary being rebuilt.

Between May and July 2025, the cybercrime group "Scattered Lapsus$ Hunters" was observed deploying Stealerium and its variants against the internal systems of various organisations, including US agencies and the UK's National Crime Agency (NCA). The activity was concentrated in Europe and Asia. No other group was named as using Stealerium during this period.

Technically, the attackers use a variety of delivery formats: compressed executables, JavaScript and VBScript files, ISO and IMG disk images, and ACE archives. Disk images and scripts are favoured because they often pass attachment filters that would block a bare executable. Once running, Stealerium harvests data from the host, including saved Wi-Fi profiles (with their keys) and a survey of nearby wireless networks, which lets the operator geolocate the victim.
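The delivery chain and the Wi-Fi harvesting described above leave a recognisable trail in process-creation telemetry. The following is an added example (my own, not code from the article or from Proofpoint) of detection logic over constructed Sysmon-style events: a script host launched on a file sitting at the root of a non-system drive (the heuristic that a freshly mounted ISO/IMG appears as a new drive letter is my assumption), a netsh call that dumps a Wi-Fi profile with key=clear, and a netsh network survey spawned by an unexpected parent. All hostnames, paths and file names in the sample are made up.

```python
import re

# Constructed process-creation telemetry (Sysmon Event ID 1 style), reduced to
# the fields the rules need. Hostnames, paths and file names are made up.
SAMPLE_EVENTS = [
    # 1. explorer.exe runs a .js straight from a freshly mounted image (drive E:)
    {"host": "ws01", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "E:\Invoice_2025-07.js"'},
    # 2. the script drops and starts a payload from %TEMP%
    {"host": "ws01", "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "cmdline": r'"C:\Users\alice\AppData\Local\Temp\svc.exe"'},
    # 3. the payload dumps a saved Wi-Fi profile with its key in clear text
    {"host": "ws01", "parent": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": r'netsh wlan show profile name="CorpWiFi" key=clear'},
    # 4. ... and surveys nearby networks
    {"host": "ws01", "parent": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": r"netsh wlan show networks mode=bssid"},
    # 5. benign: help-desk session listing profiles, no key=clear, normal parent
    {"host": "ws02", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": r"netsh wlan show profiles"},
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe")
# Parents from which an interactive netsh call is unremarkable (assumption).
EXPECTED_NETSH_PARENTS = ("cmd.exe", "powershell.exe", "pwsh.exe", "explorer.exe")

# Script file directly at the root of a non-C: drive (mounted ISO/IMG), or
# anywhere under a Downloads or Temp directory.
RE_SCRIPT_PATH = re.compile(
    r'(?:[D-Z]:\\[^\\"]+\.(?:js|jse|vbs|vbe|wsf)\b'
    r'|\\(?:Downloads|Temp)\\[^"]+\.(?:js|jse|vbs|vbe|wsf)\b)', re.I)
# Wi-Fi profile export with the PSK in clear text.
RE_WIFI_KEY = re.compile(r"netsh\s+wlan\s+show\s+profile\b.*\bkey\s*=\s*clear", re.I)
# Survey of nearby access points.
RE_WIFI_SURVEY = re.compile(r"netsh\s+wlan\s+show\s+networks\b", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (host, rule, cmdline) for every event that trips a rule."""
    alerts = []
    for ev in events:
        image, parent, cmd = basename(ev["image"]), basename(ev["parent"]), ev["cmdline"]
        if image in SCRIPT_HOSTS and RE_SCRIPT_PATH.search(cmd):
            alerts.append((ev["host"], "script_host_from_image_or_download", cmd))
        if image == "netsh.exe" and RE_WIFI_KEY.search(cmd):
            alerts.append((ev["host"], "wifi_profile_key_dump", cmd))
        if (image == "netsh.exe" and RE_WIFI_SURVEY.search(cmd)
                and parent not in EXPECTED_NETSH_PARENTS):
            alerts.append((ev["host"], "wifi_survey_unusual_parent", cmd))
    return alerts


def suspicious_hosts(alerts, min_rules=2):
    """Hosts that tripped at least min_rules distinct rules: the chain, not one event."""
    rules_by_host = {}
    for host, rule, _ in alerts:
        rules_by_host.setdefault(host, set()).add(rule)
    return {h for h, rules in rules_by_host.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for host, rule, cmd in found:
        print(f"{host}: {rule}: {cmd}")
    print("chain on:", suspicious_hosts(found))
```

The individual rules are noisy on their own (administrators do run netsh wlan), which is why the example scores the chain: a host that trips two or more distinct rules in a short window is the thing to page on. In production the same logic belongs in your SIEM query language rather than Python, and the ISO heuristic should be replaced by the mount events your EDR records.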

Stealerium's configuration holds the parameters for its command and control (C2) servers, the exfiltration channel, and the list of targeted services, and is partially AES-encrypted. The malware also employs numerous anti-analysis techniques: start-up delays, checks of system parameters (such as hostname, username and IP address) against blocklists, recognition of analysis-related processes and services, anti-emulation checks, and self-deletion when it concludes it is being analysed.

To reduce the risk from this malware, Proofpoint advises a three-pronged approach: technical detection on the endpoint, network monitoring of outbound traffic, and employee awareness. The last of these means staying alert to lures that invoke urgency or money, such as fake invoices, court summonses, donation receipts, and wedding themes.
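The exfiltration channels listed earlier (SMTP, Discord webhooks, the Telegram bot API, Gofile, Zulip) and the run-time blocklist fetch from GitHub all show up in egress logs, which is where the network-monitoring prong of the advice above can be made concrete. The block below is an added example of my own, not code from the article or from Proofpoint: it classifies constructed proxy/egress records by the public API paths of those services as I know them (discord.com/api/webhooks/, api.telegram.org/bot<token>/<method>, the <server>.gofile.io/uploadFile upload endpoint, Zulip's /api/v1/messages), which you should verify against the current documentation. The sample records, the host names, and the MAIL_RELAYS allow-list of hosts permitted to speak SMTP outbound are all assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed egress records (src_host, method, url, dst_port). Not real data;
# the Telegram token and webhook id are dummy values.
SAMPLE_FLOWS = [
    ("ws01", "POST", "https://discord.com/api/webhooks/1234567890/AbCdEf-ghIJkl", 443),
    ("ws01", "POST", "https://api.telegram.org/bot123456789:AAExampleTokenValue/sendDocument", 443),
    ("ws01", "POST", "https://store1.gofile.io/uploadFile", 443),
    ("ws01", "POST", "https://chat.example-zulip.com/api/v1/messages", 443),
    ("ws01", "CONNECT", "smtp.mail-provider.example:587", 587),
    ("ws01", "GET", "https://raw.githubusercontent.com/some-user/some-repo/main/blocklist.txt", 443),
    ("ws02", "GET", "https://discord.com/channels/@me", 443),    # ordinary Discord use
    ("mail01", "CONNECT", "smtp.partner.example:25", 25),         # the real mail relay
]

MAIL_RELAYS = {"mail01"}          # hosts allowed to send SMTP outbound (assumption)
SMTP_PORTS = {25, 465, 587}
# Telegram bot tokens have the form <numeric id>:<secret>; the token sits in the URL path.
RE_TELEGRAM_BOT = re.compile(r"^/bot(\d+:[A-Za-z0-9_-]+)/(\w+)")


def classify(src, method, url, port):
    """Return (rule, weight, detail) for one record, or None if it looks benign."""
    if port in SMTP_PORTS:
        # Workstations have no business speaking SMTP directly.
        return None if src in MAIL_RELAYS else ("smtp_from_non_mail_host", 2, url)
    u = urlsplit(url)
    host, path = u.hostname or "", u.path
    if host in ("discord.com", "discordapp.com") and path.startswith("/api/webhooks/"):
        return ("discord_webhook", 3, path)
    if host == "api.telegram.org":
        m = RE_TELEGRAM_BOT.match(path)
        if m:
            # The log line itself yields the bot token: keep it for pivoting.
            return ("telegram_bot_api", 3, f"token={m.group(1)} method={m.group(2)}")
    if host.endswith(".gofile.io") and path == "/uploadFile":
        return ("gofile_upload", 2, host)
    if method == "POST" and path == "/api/v1/messages":
        # Zulip is self-hosted anywhere, so only the path is distinctive: weak signal.
        return ("zulip_message_api", 1, host)
    if host == "raw.githubusercontent.com" and "blocklist" in path.lower():
        # Run-time blocklist refresh. Plenty of legitimate tooling does this too.
        return ("github_raw_blocklist", 1, path)
    return None


def analyse(flows):
    """Return (src, rule, weight, detail) for every record that trips a rule."""
    alerts = []
    for src, method, url, port in flows:
        hit = classify(src, method, url, port)
        if hit:
            alerts.append((src, *hit))
    return alerts


def score(alerts):
    """Sum rule weights per source host; several weak signals from one host add up."""
    totals = {}
    for src, _, weight, _ in alerts:
        totals[src] = totals.get(src, 0) + weight
    return totals


if __name__ == "__main__":
    found = analyse(SAMPLE_FLOWS)
    for src, rule, weight, detail in found:
        print(f"{src}: {rule} (+{weight}): {detail}")
    print("scores:", score(found))
```

Two caveats a practitioner will hit immediately. First, the path-based rules need TLS inspection; without it the proxy sees only the SNI hostname, and a webhook POST to discord.com is indistinguishable from an employee's chat session, so the endpoint rules carry more of the load. Second, Discord and Telegram are legitimately used in many organisations, which is why the weights are summed per host rather than each rule alerting alone; the Telegram bot token pulled from the path is the most useful artefact, because it identifies the operator's channel for pivoting across other hosts' logs.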

It is important to note that Stealerium is not an isolated codebase. Phantom Stealer and Warp Stealer share large portions of their code with it, and Proofpoint treats all three as variants of the same threat unless a sample shows substantial functional differences. Phantom Stealer in particular differs from Stealerium mainly in how it transmits stolen data, and some Phantom Stealer samples contain references to both names, which points to code recycling from the public Stealerium source.

As the cyber threat landscape continues to evolve, it's crucial for individuals and organizations to stay informed and vigilant against threats like Stealerium. By understanding the tactics used by these malicious actors, we can better protect ourselves and our data.
