Stealerium: the open-source malware that multiplies on the network and threatens businesses and users

The cybercrime ecosystem continues to evolve, and one of the most recent threats causing concern among experts is Stealerium, an open-source malware that, although originally created for educational purposes, is increasingly exploited by cybercriminal groups.

According to the latest analysis from cybersecurity firm Proofpoint, Stealerium and other information stealers that share parts of its code, such as Phantom Stealer, have begun to feature prominently in numerous malicious campaigns over recent months. Its appeal lies in its extensive data theft capabilities: browser cookies and credentials, credit card information, gaming session tokens, cryptocurrency wallets, and even confidential documents.

Researchers point out that this type of malware is not new, but they’ve detected a notable increase in its distribution, especially in operations linked to cybercrime groups TA2715 and TA2536. The most common entry point is through fraudulent emails, disguised as legitimate communications from banks, foundations, courts, or administrative services. These messages often include malicious attachments in formats such as compressed executable files, JavaScript, VBScript, ISO, IMG, or ACE, and use subject lines designed to trigger immediate alarm, with phrases like “pending payment,” “judicial summons,” or “donation invoice.”

Apart from information theft, Stealerium can be used alongside, and shares techniques with, other malware families. Its major danger is its open-source nature: because it is available on repositories like GitHub, any cybercriminal can modify, adapt, and generate new variants, greatly complicating detection by traditional defenses.

Proofpoint’s team warns:

“Although many attackers still rely on the malware-as-a-service model, there is a rising trend toward adopting open-source programs. This encourages the emergence of multiple, hard-to-trace versions, making defense significantly more challenging.”

In this context, experts recommend that organizations strengthen their network monitoring. Specifically, they urge vigilance against suspicious activities such as executing ‘netsh wlan’, manipulating Microsoft Defender exclusions via PowerShell, or running Chrome in headless mode, behaviors often associated with post-infection activity. They also emphasize the importance of controlling outbound traffic, especially if large data transfers to unknown or unauthorized domains are detected.
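The three post-infection behaviors named above can be turned into simple process-creation detection rules. The following is an added example, not Proofpoint's or the article's own code; the events are constructed samples, and the regular expressions are assumptions to be tuned against real telemetry (e.g. Sysmon Event ID 1 command lines).

```python
import re

# Constructed sample process-creation events as (image path, command line).
# These are not real telemetry; they illustrate the behaviours the article names.
SAMPLE_EVENTS = [
    ("C:\\Windows\\System32\\netsh.exe", "netsh wlan show profiles"),
    ("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "powershell -nop -w hidden Add-MpPreference -ExclusionPath C:\\Users\\Public"),
    ("C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "chrome.exe --headless --disable-gpu --dump-dom https://example.invalid"),
    ("C:\\Windows\\System32\\notepad.exe", "notepad.exe report.txt"),
    ("C:\\Windows\\System32\\netsh.exe", "netsh interface ip show config"),
]

# Detection rules: (rule name, pattern over the command line). The patterns are
# assumptions derived from the behaviours in the article, not a vendor signature set.
RULES = [
    # Wi-Fi profile enumeration via netsh (credential/network discovery).
    ("netsh_wlan_enum", re.compile(r"\bnetsh(\.exe)?\s+wlan\b", re.I)),
    # Tampering with Defender exclusions through the MpPreference cmdlets.
    ("defender_exclusion_change",
     re.compile(r"\b(Add|Set|Remove)-MpPreference\b.*-Exclusion", re.I)),
    # Chrome launched headless, unusual for interactive users.
    ("chrome_headless", re.compile(r"\bchrome(\.exe)?\b.*--headless\b", re.I)),
]


def match_events(events):
    """Return (rule_name, image, command_line) for every event that trips a rule."""
    hits = []
    for image, cmdline in events:
        for name, pattern in RULES:
            if pattern.search(cmdline):
                hits.append((name, image, cmdline))
    return hits


if __name__ == "__main__":
    for name, image, cmd in match_events(SAMPLE_EVENTS):
        print(f"[{name}] {image}: {cmd}")
```

Each hit should be correlated with the parent process and any outbound connections that follow, since a single command line alone is weak evidence.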

The rise of Stealerium highlights a troubling reality: free access to high-performance malware not only democratizes attack tools among groups of varying skill levels but also raises the risk of a massive proliferation of variants. For experts, it marks a new era in which the line between educational software and digital weapons of cybercrime becomes increasingly blurred.
