Proofpoint observed an uptick in campaigns delivering Stealerium-based info-stealers between May and July 2025, with multiple low-sophistication cybercrime actors (e.g., TA2715, TA2536) using varied lures and delivery types to deploy the open-source Stealerium and related variants. The malware exfiltrates a wide range of data (browser credentials, cookies, crypto wallets, Wi‑Fi profiles, webcam/screenshots for potential sextortion) via SMTP, Discord, Telegram, GoFile, and Zulip, and employs multiple anti-analysis checks and dynamic blocklists. #Stealerium #PhantomStealer #TA2715
Keypoints
- Proofpoint detected renewed and increasing use of Stealerium-based stealers in email campaigns from May–July 2025, including activity linked to TA2715 and TA2536.
- Delivery mechanisms include compressed executables, JavaScript, VBScript, IMG/ISO disk images, and ACE archives, with lures impersonating charities, banks, courts, travel/hospitality, and invoices.
- Stealerium is an open-source .NET stealer (original GitHub and re-uploads exist) and shares substantial code overlap with other families such as Phantom Stealer and Warp Stealer.
- Capabilities include broad data collection (cookies, credentials, credit card data, session tokens, crypto wallets, Wi‑Fi profiles, keylogging, clipboard, files) plus adult-content detection and webcam/desktop capture for sextortion.
- Exfiltration methods observed or supported: SMTP (commonly observed), Discord webhooks, Telegram API, GoFile uploads, and Zulip API.
- Post-infection behaviors include running netsh wlan commands to enumerate Wi‑Fi, use of PowerShell to add Defender exclusions, scheduled tasks for persistence, and headless Chrome remote-debugging for data extraction.
- Anti-analysis features include sleep delays, username/computer/IP/GPU/MachineGUID blocklists (including dynamically downloaded blocklists), anti-emulation timing checks, and self-destruct functionality.
MITRE Techniques
- [T1204] User Execution – Emails with urgent/financial lures and attachments (compressed executables, JS, VBS, IMG, ISO, ACE) were used to trick users into executing Stealerium (“messages contained a compressed executable attachment that, when executed, downloaded and installed Stealerium”).
- [T1105] Ingress Tool Transfer – Download and install of payloads from attached or staged files, e.g., VBScript/JS downloading a compressed executable which installed Stealerium (“the VBScript downloaded the payload as a compressed executable which installed Stealerium”).
- [T1059.001] Command and Scripting Interpreter: PowerShell – PowerShell used to add Windows Defender exclusions and as part of loaders/persistence (“leveraged PowerShell to add Windows Defender exclusions and used scheduled tasks for persistence and evasion”).
- [T1016] System Network Configuration Discovery – Use of “netsh wlan” commands to enumerate saved Wi‑Fi profiles and nearby wireless networks for reconnaissance (“issues a series of ‘netsh wlan’ commands to enumerate saved Wi‑Fi profiles and nearby wireless networks”).
- [T1106] Native API – Usage of headless Chrome with “--remote-debugging-port” to extract browser data bypassing protections (“Remote Debugging … exploited by various information stealers to bypass browser security features … extract sensitive data such as cookies and credentials”).
- [T1496] Resource Hijacking (Data from Local System) – Collection of wide-ranging local data including system info, installed apps, Windows product keys, files of interest (“extract a variety of data … installed apps, hardware info, and Windows product keys … files deemed interesting”).
- [T1530] Data from Network Shared Drive – Enumeration and potential use of Wi‑Fi SSIDs and security configurations to stage lateral access (“SSID naming patterns and security configurations support reconnaissance efforts and may enable threat actors to stage access from nearby systems”).
- [T1041] Exfiltration Over C2 Channel – Exfiltration to actor-controlled endpoints via SMTP, Discord webhooks, Telegram API, GoFile, and Zulip API (“Stealerium can send the staged data to a Discord server … use the Telegram API … upload exfiltrated data to GoFile … exfiltrate data to an actor-controlled Zulip account”).
- [T1497] Virtualization/Sandbox Evasion – Anti-analysis checks (delays, timing checks, blocklists, GPU/MachineGUID/process checks) and self-destruct if checks fail (“Delays its execution … checks the target GPU … checks the target’s machine GUID … ability to ‘self-destruct’”).
Indicators of Compromise
- [File hash] examples from observed campaigns – d4a33be36cd0905651ce69586542ae9bb5763feddc9d1af98e90ff86a6914c0e (TA2715 campaign, SCR compressed executable), 50927b350c108e730dc4098bbda4d9d8e7c7833f43ab9704f819e631b1d981e3 (legal-themed lure with VBScript and IMG).
- [File hash] additional samples – 41700c8fe273e088932cc57d15ee86c281fd8d2e771f4e4bf77b0e2c387b8b23 (financial-themed lure spoofing Garanti BBVA with VBScript), b640251f82684d3b454a29e962c0762a38d8ac91574ae4866fe2736f9ddd676e (scanned payment lure with JavaScript), and 2 more hashes.
- [Domains / URLs] malware or vendor references – Phantom Stealer marketing site hxxps://phantomsoftwares[.]site/home/ (Phantom Stealer distribution/marketing), GitHub repositories for Stealerium re-upload (https://github.com/witchfindertr/Stealerium) used to reference source code and blocklists.
- [Processes / Commands] post-infection behaviors to detect – netsh wlan commands for Wi‑Fi enumeration (e.g., listing profiles), chrome.exe launched with “--remote-debugging-port” for remote debugging-based data extraction, and PowerShell execution creating Defender exclusions and scheduled tasks for persistence.
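A heuristic hunting script over constructed process-creation events for the post-infection behaviors listed above, added here as an example (not Proofpoint's detection content and not code from Stealerium). Field names (host, image, command_line) are assumed Sysmon-style, and the "schtasks /create" form of the scheduled-task persistence is an assumption, since the page does not say how the tasks are created.

```python
import re

# Each rule: (name, image regex, command-line regex); all matched case-insensitively.
RULES = [
    ("wifi_enum_netsh", r"netsh(\.exe)?$",
     r"\bwlan\b.*\bshow\b.*\b(profiles?|networks?)\b"),
    ("chrome_remote_debugging", r"chrome(\.exe)?$",
     r"--remote-debugging-port[=\s]\d+"),
    ("defender_exclusion_added", r"(powershell|pwsh)(\.exe)?$",
     r"\bAdd-MpPreference\b.*-Exclusion(Path|Process|Extension)\b"),
    ("scheduled_task_created", r"schtasks(\.exe)?$", r"\s/create\b"),  # assumed form
]

def classify_event(event):
    """Return the names of every rule a process-creation event matches."""
    return [name for name, image_re, cmd_re in RULES
            if re.search(image_re, event.get("image", ""), re.I)
            and re.search(cmd_re, event.get("command_line", ""), re.I)]

def scan(events):
    """Group the indices of matching events by rule name."""
    hits = {}
    for i, ev in enumerate(events):
        for name in classify_event(ev):
            hits.setdefault(name, []).append(i)
    return hits

def flag_hosts(events, min_rules=2):
    """Hosts where several distinct behaviours co-occur: a stronger stealer
    signal than any single command, since admins also run netsh or schtasks."""
    per_host = {}
    for ev in events:
        per_host.setdefault(ev["host"], set()).update(classify_event(ev))
    return sorted(h for h, names in per_host.items() if len(names) >= min_rules)

# Constructed sample events (Sysmon-style fields; not taken from the campaigns above).
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\netsh.exe",
     "command_line": "netsh wlan show profiles"},
    {"host": "ws01", "image": r"C:\Windows\System32\netsh.exe",
     "command_line": "netsh wlan show networks mode=bssid"},
    {"host": "ws01", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "command_line": "chrome.exe --headless --remote-debugging-port=9222"},
    {"host": "ws01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -Command Add-MpPreference -ExclusionPath C:\\Users\\u\\AppData"},
    {"host": "ws02", "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": "schtasks /create /sc onlogon /tn Updater /tr C:\\ProgramData\\svc.exe"},
    {"host": "ws02", "image": r"C:\Windows\System32\netsh.exe",
     "command_line": "netsh interface show interface"},   # benign: no wlan enumeration
]
```

Run `scan(SAMPLE_EVENTS)` to see which events each rule caught and `flag_hosts(SAMPLE_EVENTS)` for hosts showing more than one of the behaviours.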