Cybersecurity researchers are concerned about Stealerium, an open-source malware that had seemingly faded from use years ago but has now made an unexpected comeback. According to Proofpoint researchers, between May and August 2025 the company observed a surge of campaigns built around this malware, which relies heavily on social engineering and is being used to steal sensitive information from organizations worldwide, as cybercriminals take advantage of its public availability to build up a sizable arsenal of dangerous tools.
Ways cybercriminals can use this open-source malware to their benefit
Proofpoint researchers have noticed more opportunistic cybercriminals deploying malware built on Stealerium, an open-source malware published ostensibly for educational purposes. Other stealers, including Phantom Stealer, share a great deal of their code with Stealerium, and as cybercriminals increasingly prioritize information stealers, identifying this family has become a high-value focus.
Open-source malware cuts both ways: it conveniently introduces detection engineers and threat hunters to the malware's behavioral patterns, but it also trains malicious actors. Those actors can take over the code, modify it, simplify it, or improve it, producing a spread of variants that are not easily identified or defended against. In Proofpoint email threat data, Stealerium, which Proofpoint had not observed since the start of 2023, reappeared in May 2025 as part of a campaign associated with the cybercriminal group TA2715.
What makes this malware present unprecedented threats to organizations
Stealerium, written in .NET, has a feature set that can exfiltrate a variety of data, including session tokens for gaming services such as Steam, browser cookies, credit card information entered into web forms, cryptocurrency wallets, and other sensitive information. The malware can also search for pornography-related content, detect browser tabs showing adult content, take desktop screenshots, and capture webcam images, capabilities likely used to extort victims.
Recent campaigns have also used several social engineering tricks to defraud victims, including fake payment notifications, threatened lawsuits, and travel arrangements. Message volume typically ranges from several hundred to tens of thousands of messages per campaign, and Stealerium campaigns typically deliver emails carrying a wide variety of attachment file types.
How attackers use fear and urgency in their campaigns
Like many other threat actors, the individuals distributing Stealerium frequently rely on social engineering that exploits fear, frustration, or excitement to make recipients act on messages with a sense of urgency. Some Stealerium lures feature adult content; others inform recipients that they are being sued. One campaign observed on 2 July 2025 cited a court date of 15 July 2025 to add urgency to the email, and its messages carried IMG disk image files rather than embedded VBScripts.
Stealerium contains numerous anti-analysis and anti-sandbox tricks, such as execution delays to foil automated sandboxes and checks of the username, computer name, IP address, and GPU adapter name against blocklists. The malware also has anti-emulation functionality that checks running processes and services against a blocklist. If the environment fails these checks, the malware can self-destruct.
The accessibility and flexibility of the malware pose a serious threat to both individuals and businesses, and common defenses struggle to stop it. Activities such as netsh wlan usage, suspicious creation of PowerShell Defender exclusions, and headless Chrome execution are typical post-infection behaviors that organizations should monitor. Organizations are also advised to watch for large volumes of data moving across the network, especially to services and URLs that are not approved for use within the organization.
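As an added illustration, not code from the article or from Proofpoint, the following Python scans constructed process-creation events for the three post-infection behaviors named above and flags hosts that exhibit more than one of them; the event fields and command-line patterns are assumptions for the example, not published detection signatures.

```python
import json
import re

# Rules for the post-infection behaviors discussed above. The command-line
# patterns are illustrative assumptions, not signatures published by Proofpoint.
RULES = [
    ("netsh_wlan_activity", re.compile(r"\bnetsh(\.exe)?\b.*\bwlan\b", re.I)),
    ("defender_exclusion_added",
     re.compile(r"\b(Add|Set)-MpPreference\b.*-Exclusion(Path|Process|Extension)\b", re.I)),
    ("headless_chrome", re.compile(r"\bchrome(\.exe)?\b.*--headless\b", re.I)),
]

# Constructed sample events in a simplified EDR-style JSON shape (not real telemetry).
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"host": "WS01", "user": "alice",
     "cmd": r"C:\Windows\System32\netsh.exe wlan show profiles"},
    {"host": "WS01", "user": "alice",
     "cmd": r'powershell.exe -nop -w hidden Add-MpPreference -ExclusionPath "C:\Users\alice\AppData"'},
    {"host": "WS01", "user": "alice",
     "cmd": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless --dump-dom https://example.invalid'},
    {"host": "WS02", "user": "bob",
     "cmd": r"C:\Windows\System32\netsh.exe interface show interface"},   # benign: no wlan
    {"host": "WS03", "user": "carol",
     "cmd": "powershell.exe Get-MpPreference"},                            # benign: read-only
]]


def scan_events(lines):
    """Return one finding per (event, rule) match; malformed JSON lines are skipped."""
    findings = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        cmd = ev.get("cmd", "")
        for name, pattern in RULES:
            if pattern.search(cmd):
                findings.append({"host": ev.get("host"), "user": ev.get("user"),
                                 "rule": name, "cmd": cmd})
    return findings


def hosts_with_multiple_behaviors(findings, threshold=2):
    """Map each host showing at least `threshold` distinct behaviors to its sorted rule names."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f["host"], set()).add(f["rule"])
    return {h: sorted(r) for h, r in by_host.items() if len(r) >= threshold}


if __name__ == "__main__":
    hits = scan_events(SAMPLE_EVENTS)
    print(json.dumps(hosts_with_multiple_behaviors(hits), indent=2))
```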