Cybersecurity experts issue urgent warning amid surge in Stealerium malware attacks
Briefly

"Pitched as being available 'for educational purposes', the infostealer can exfiltrate a wide range of data, from browser credentials and crypto wallets to Wi-Fi profiles and VPN configurations. This is achieved through multiple channels such as SMTP, Discord, Telegram, GoFile, and Zulip, researchers noted. In some cases, it's being used for sextortion, capturing screenshots and webcam images when pornography-related content is detected in open browser tabs."
"Proofpoint said Stealerium has flown under the radar for some time now, but researchers have observed a huge spike in activity between May and August this year, including campaigns linked to threat actors TA2536 and TA2715. "Both of these actors recently favored Snake Keylogger (also known as VIP Recovery), so the use of Stealerium was notable," researchers said in a detailing the campaigns. "Proofpoint researchers identified additional campaigns through August 2025 that employed a variety of persuasive lures and delivery mechanisms."
"Recent campaigns have used a wide range of social engineering techniques, researchers noted, including payment notices, legal threats, travel bookings, and adult-themed content. These are often with compressed executables such as JavaScript, VBScript, ISO, or IMG attachments. The team also spotted multiple campaigns leveraging travel, hospitality, and even wedding-themed lures. The subject lines generally convey urgency or financial importance, including 'Payment Due', 'Court Summons' and 'Donation Invoice'."
Stealerium is an infostealer that can harvest browser credentials, cryptocurrency wallets, Wi-Fi profiles, VPN configurations, screenshots, and webcam images. Exfiltration occurs via SMTP, Discord, Telegram, GoFile, and Zulip. Activity spiked between May and August, with campaigns linked to the threat actors TA2536 and TA2715; both had previously favored Snake Keylogger, so the switch to Stealerium is notable. Campaigns deploy diverse social-engineering lures, including payment notices, legal threats, travel and wedding themes, and adult content, frequently delivered as compressed executables (JavaScript, VBScript, ISO, IMG) under urgent subject lines. Some operations include sextortion: when pornography-related content is detected in open browser tabs, the malware captures screenshots and webcam images.
Read at IT Pro