{
	"id": "5d8e361f-4809-4541-8871-b602ebad91df",
	"created_at": "2026-04-06T00:14:12.533039Z",
	"updated_at": "2026-04-10T03:33:18.808442Z",
	"deleted_at": null,
	"sha1_hash": "4ff510ce6bddc3d9fde2a45e631bb4cdc7494efa",
	"title": "Not Safe for Work: Tracking and Investigating Stealerium and Phantom Infostealers | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3571356,
	"plain_text": "Not Safe for Work: Tracking and Investigating Stealerium and\r\nPhantom Infostealers | Proofpoint US\r\nBy Rob Kinner, Kyle Cucci, and The Proofpoint Threat Research Team\r\nPublished: 2025-08-28 · Archived: 2026-04-05 14:41:19 UTC\r\nKey findings \r\nProofpoint researchers observed an increase in opportunistic cybercriminals using malware based on\r\nStealerium, an open-source malware that is available “for educational purposes.” \r\nMultiple other stealers share significant code overlap with Stealerium, such as Phantom Stealer.\r\nThroughout this blog post, we’ll use the name Stealerium to refer to infostealers that share significant\r\noverlap with the original Stealerium. \r\nThreat actors are increasingly pivoting to information stealers, as targeting identity becomes a priority for\r\ncybercriminals.  \r\nOverview  \r\nThreat actors are increasingly turning to information stealers in malware delivery, and Proofpoint threat\r\nresearchers have observed an increase in the variety of commodity information stealers regularly used by\r\ncybercriminal threat actors. While many threat actors prefer malware-as-a-service offerings like Lumma Stealer or\r\nAmatera Stealer, some actors prefer to use malware that can be purchased one time, or openly available on\r\nplatforms like GitHub. Stealerium is a good example of this. In 2022, it emerged as a freely available open-source\r\nmalware on GitHub, and is still available to download “for educational purposes only.” While open-source\r\nmalware can be helpful for detection engineers and threat hunters to understand the patterns of behavior for which\r\nthey can develop threat detection signatures, it also provides a different kind of education to malicious actors.\r\nThese actors may adopt, modify, and possibly improve the open-source code, resulting in a proliferation of\r\nvariants of the malware that are not so easy to detect or defend against.  
\r\nhttps://www.proofpoint.com/us/blog/threat-insight/not-safe-work-tracking-and-investigating-stealerium-and-phantom-infostealers\r\nPage 1 of 17\n\nScreenshot of Stealerium’s GitHub page. \r\nAlthough the malware has existed for a while, Proofpoint researchers recently observed an uptick in campaigns\r\ndelivering Stealerium-based malware. A campaign linked to the cybercriminal actor TA2715 in May 2025 led to\r\nrenewed analysis of Stealerium, which had not been widely campaigned in Proofpoint email threat data since early\r\n2023. TA2536, another low sophistication cybercrime actor, also used Stealerium in late May 2025. Both of these\r\nactors recently favored Snake Keylogger (also known as VIP Recovery), so the use of Stealerium was notable.\r\nProofpoint researchers identified additional campaigns through August 2025 that employed a variety of persuasive\r\nlures and delivery mechanisms. While most campaigns are not attributed to tracked threat actors, the initial\r\nTA2715 activity marked the first observed use of Stealerium in Proofpoint threat data in over a year.  \r\nCampaign details \r\nDelivery methods and lures \r\nMessage volumes range from a couple hundred to tens of thousands of messages per campaign. Stealerium\r\ncampaigns included emails with a variety of file types for delivery, including compressed executables, JavaScript,\r\nVBScript, ISO, IMG, and ACE archive files. The observed emails impersonated many different organizations,\r\nincluding charitable foundations, banks, courts, and document services which are common themes in e-crime\r\nlures. Subject lines typically conveyed urgency or financial relevance, including “Payment Due”, “Court\r\nSummons”, and “Donation Invoice.” \r\nFor example, on 5 May 2025, Proofpoint identified a TA2715 campaign impersonating a Canadian charitable\r\norganization with a “request for quote” lure. 
Messages contained a compressed executable attachment that, when\r\nexecuted, downloaded and installed Stealerium. \r\nTA2715 campaign impersonating a charitable organization. \r\nResearchers have also observed multiple campaigns leveraging travel, hospitality, and even wedding-themed lures.\r\nFor example, on 23 June 2025, Proofpoint identified a booking request theme with compressed executables that\r\ndelivered Stealerium. This campaign targeted organizations in the hospitality sector, as well as education and\r\nfinance organizations.  \r\nTravel-themed lure impersonating a travel agency. \r\nLike many commodity malware campaigns, threat actors delivering Stealerium also regularly use payment or\r\ninvoice lures. In a campaign observed on 24 June 2025, threat actors used a “Xerox Scan” theme with a lure\r\nrelated to payments. The campaign targeted hundreds of organizations globally. These messages contained\r\ncompressed JavaScript files that installed Stealerium and performed network reconnaissance to gather Wi-Fi\r\nprofiles and nearby networks.  \r\nLure posing as a scanned payment document to ultimately deliver a JavaScript payload. \r\nAnd finally, like many other threat actors, those delivering Stealerium often use social engineering that leverages\r\nfear, frustration, or excitement to get people to engage with their messages with a sense of urgency. We’ve\r\nobserved adult-themed content in some Stealerium lures, as well as the following example that tells the recipient\r\nthey’re being sued. This campaign was observed on 2 July 2025, with a “court date” of 15 July 2025 to increase\r\nthe urgency of the email. 
These messages contained IMG (disk image) files with embedded VBScripts. The\r\nVBScript downloaded the payload as a compressed executable which installed Stealerium. \r\nLegal-themed lure with .vbs and .img attachments that lead to Stealerium. \r\nPayload execution and reconnaissance \r\nUpon execution, Stealerium issues a series of “netsh wlan” commands to enumerate saved Wi-Fi profiles and\r\nnearby wireless networks. Several campaigns also leveraged PowerShell to add Windows Defender exclusions and\r\nused scheduled tasks for persistence and evasion. \r\nExample process tree. \r\nThe collection of Wi-Fi profiles and broadcasted networks suggests an intent to harvest stored credentials for\r\nlateral movement or to geolocate the infected host. SSID naming patterns and security configurations support\r\nreconnaissance efforts and may enable threat actors to stage access from nearby systems. \r\nIn some variants of Stealerium-based malware, we witnessed Remote Debugging being used, as indicated by the\r\n“--remote-debugging-port” argument in chrome.exe. Remote Debugging is a browser feature intended for\r\ndevelopers, but it has been exploited by various information stealers to bypass browser security features (such as\r\nChrome App-Bound Encryption) and extract sensitive data such as cookies and credentials. 
\r\nMalware details \r\nOverview \r\nStealerium is a full-featured stealer written in .NET and has the capabilities to exfiltrate a large variety of data\r\nincluding browser cookies and credentials, credit card data (via web form scraping), session tokens from gaming\r\nservices such as Steam, crypto wallet data, and various types of sensitive files.  \r\nAs Stealerium is open source and has been in operation for a while, there are a number of great writeups on the\r\nmalware and its variants, including a blog from SecurityScorecard. In this report, we’ll take a closer look at the\r\ncapabilities that are particularly interesting or have otherwise not been widely documented publicly (to our\r\nknowledge). Some of the capabilities that we’ll touch on in this report are: \r\nStealerium-based malware has a large variety of exfiltration mediums, including some uncommon ones\r\nsuch as Zulip chat and GoFile \r\nStealerium’s usage of dynamic blocklists for anti-analysis \r\nStealerium’s features include support for possible “sextortion” tactics \r\nOverlap with other malware families  \r\nOverlap with other malware families \r\nAs with nearly all open-source malware, the origins and overlap with other malware are murky at best. Stealerium\r\nis available as open source on GitHub, previously at the address: https://github.com/Stealerium/Stealerium. This\r\noriginal repository has since been removed from GitHub. However, it was re-uploaded here:\r\nhttps://github.com/witchfindertr/Stealerium. \r\nAs Stealerium is open source, there are other stealers that share code overlap, such as Phantom Stealer. Phantom\r\nStealer is marketed as an “ethical hacking” tool for “educational purposes” and is sold on its site\r\nhxxps://phantomsoftwares[.]site/home/.  \r\nPhantom Stealer pricing model (from Phantom Stealer’s website). 
\r\nIt is not clear to what extent Phantom Stealer relates to Stealerium, but the two families share a very large portion\r\nof code overlap and it's likely that Phantom Stealer reused code from Stealerium. Notably, many malware samples\r\nwe analyzed hint at both Phantom Stealer and Stealerium, with references to both in their code. For example,\r\nbelow is a list of .NET namespaces from a sample of Phantom Stealer but with a reference to “Stealerium” at the\r\nbottom: \r\nPhantom Stealer namespaces that include Stealerium.  \r\nOther samples we analyzed contain no references to “Phantom”, only “Stealerium”, such as the following\r\nexample: \r\nStealerium namespace references. \r\nStealerium and Phantom Stealer can generally be differentiated by the function responsible for uploading the\r\nexfiltrated data. Stealerium prints “*Stealerium - Report:” to the top of its summary report, and Phantom Stealer\r\nprints “*Phantom stealer” to the top of its summary report: \r\nStealerium reporting function snippet. \r\nPhantom Stealer reporting function snippet. \r\nProofpoint has identified other families with Stealerium code overlap which highly likely have “borrowed” code\r\nfrom Stealerium. One such example, as documented by Seqrite, is Warp Stealer. \r\nAs there is significant code overlap between Phantom Stealer, Stealerium, and Warp Stealer, Proofpoint groups all\r\nthese variants under the label Stealerium. We will continue to group these variants together unless one\r\nsignificantly diverges in capabilities or code. 
\r\nCapabilities \r\nWhen Stealerium first executes, it does the following: \r\n1. Runs some anti-analysis and anti-sandbox checks  \r\n2. Creates a mutex and terminates itself if the mutex cannot be created. This is a common check that malware\r\nuses to ensure it only has one instance running on the victim system at a time. \r\n3. Creates a directory on the system where it temporarily stages the data it will eventually exfiltrate. This\r\ndirectory format varies among samples but is commonly in the format “C:\\Users\\\u003cuser\u003e\\AppData\\Local\\\r\n\u003crandom_hex_string\u003e\\\u003cuser_name\u003e@\u003ccomputer_name\u003e_\u003clocale\u003e”. For example: \r\n C:\\Users\\Admin\\AppData\\Local\\c742f9b4f1ad3336673662d7213a56ca\\Paul@PaulPC_en-US\\\r\n    The random string is derived by gathering system data such as the victim’s username and computer name, and\r\nMD5-hashing the data (which can be seen in the following code): \r\nGathering system information and creating an MD5 hash. \r\n4. Retrieves and verifies its configuration  \r\n5. Proceeds to execute its stealer functions \r\nStealerium has the capability to extract a variety of data, seemingly trying to grab as much as it can. This data\r\nincludes: \r\nKeylogging and clipboard data \r\nBanking/credit card data (scraped from web forms) \r\nBrowser cookies, cache, and stored credentials \r\nSession tokens from gaming services (like Steam, Minecraft, BattleNet, and Uplay) \r\nEmail and chat data (Outlook, Signal, Discord, etc.) \r\nSystem data such as installed apps, hardware info, and Windows product keys \r\nVPN services data (NordVPN, OpenVPN, ProtonVPN, etc.) 
\r\nWi-Fi network information and passwords \r\nCrypto wallet data \r\nFiles deemed interesting (such as various types of images, source code, databases, and documents) \r\nA few things are notable here. First, Stealerium does not seem to discriminate when it comes to data theft.\r\nWhereas some stealers may target specific data types, focusing on browser form data or email data, for example,\r\nStealerium has the capabilities to steal a larger variety of data types. \r\nSecond, the malware has a feature that focuses on pornography-related data. It’s able to detect adult content-related open browser tabs and takes a desktop screenshot as well as a webcam image capture. This is likely later\r\nused for “sextortion”. While this feature is not novel among cybercrime malware, it is not often observed. The\r\nfollowing code shows how Stealerium first detects pornography-related (“NSFW”) content in open web browsers,\r\nthen takes both a desktop and webcam screenshot: \r\nAdult content themed features. \r\nThe malware queries the victim’s open browser windows to check if any of the following strings appear in the\r\ntitles of open web pages. These strings are configurable by the operator of the malware: \r\nAdult content themed search strings.  \r\nData exfiltration \r\nOnce the previously mentioned data has been enumerated and staged, Stealerium is able to exfiltrate the data in\r\nvarious ways: \r\nSMTP \r\nSMTP seems to be the most common exfiltration method observed in Proofpoint data currently used by\r\nStealerium-based malware. Notably, though, this isn’t available in the main version on GitHub. This method uses a\r\nrecipient address (an actor-controlled email address that receives the stolen data) and a sender address. 
The sender\r\naddresses often used are legitimate companies or people that the threat actor is spoofing. The staged data that the\r\nmalware collects is compressed into an archive file, attached to an email, and sent to the recipient's address. It’s\r\nworth noting that the original Stealerium code may not have contained the SMTP exfiltration functionality, so it's\r\na rather new feature seen in more recent Stealerium-based malware. \r\nDiscord \r\nStealerium can send the staged data to a Discord server, via Discord webhooks. Discord webhooks are effectively\r\nlightweight bots and are often used for logging and alerting but can be abused for data theft. \r\nTelegram \r\nUsing the Telegram API and a Telegram API key, Stealerium can exfiltrate data to an actor-controlled Telegram\r\naccount. \r\nGofile \r\nStealerium can also be configured to exfiltrate stolen data to Gofile, a cloud storage solution with a free-tier\r\naccount to upload files. Below is a code excerpt from Stealerium showing the GoFile exfiltration code:  \r\nGofile data exfiltration. \r\nIn a nutshell, this code pulls the Gofile server list from https://api.gofile.io/servers, and gets the name of a server\r\nlocated in the “eu” (European Union) zone. It then uploads exfiltrated data to this file server via the Gofile API.\r\nIt’s worth noting that Gofile has a free tier, so this makes it a good method for abuse and staging of exfiltrated data\r\nor additional payloads: \r\nGofile free tier. \r\nZulip Chat \r\nPerhaps the most notable exfiltration method is via Zulip, which is a chat service marketed for distributed teams.\r\nUsing the Zulip API, Stealerium can exfiltrate data to an actor-controlled account. 
Below is a screenshot of this\r\ncode: \r\nZulip exfiltration. \r\nProofpoint did not witness the use of the Zulip chat service as an exfiltration method in the samples we saw in our\r\nemail threat data, but it’s worth noting that this capability exists. \r\nMalware configuration and encryption \r\nStealerium is highly configurable, with all configuration settings stored in a structure. An example of the\r\nconfiguration structure is shown below: \r\nStealerium config structure. \r\nThe exfiltration and C2 configurations are stored here, as well as configurations for what types of data the threat\r\nactors wish to steal. These config items also contain data theft targets such as targeted banking service names (as\r\nseen below): \r\nBanking services example. \r\nSome of the malware’s config and strings are encrypted using AES. Stealerium’s config contains an AES key and\r\nsalt, which are used to derive a decryption key that decrypts the malware’s C2 configuration and other data. Below\r\nis an excerpt from Stealerium’s decryption routine: \r\nStealerium decryption function. 
\r\nAnti-analysis \r\nStealerium has a multitude of anti-analysis and anti-sandbox tricks up its sleeve, including the following: \r\nDelays its execution (generates a random sleep interval time) to evade automated sandboxes \r\nChecks the target system’s username and computer name against a list \r\nChecks the target IP address against a large list of blocklisted IP addresses \r\nChecks the target GPU against a list of blocklisted GPU adapter names \r\nChecks the target’s machine GUID against a blocklist \r\nContains anti-emulation capabilities (executes timing instructions and checks the delta) \r\nChecks for blocklisted processes and services running \r\nChecks if the malware executable started from its intended path \r\nAbility to “self-destruct” (delete its files and terminate its processes) if any of these checks fail \r\nNone of these techniques is new or particularly advanced, but it is notable how many different techniques\r\nStealerium can use. \r\nOne particularly interesting capability Stealerium has is that it can dynamically download new blocklists from\r\npublic repositories. In at least a few samples we analyzed, the different anti-analysis blocklists were downloaded\r\nfrom a single GitHub repository: \r\nBlocklists example. \r\nThese lists appear to be public blocklists maintained by a security researcher on GitHub. \r\nConclusion \r\nAs Stealerium is open-source and freely available and has the capabilities to exfiltrate a large amount of sensitive\r\ndata via a multitude of mediums, Stealerium (and its variations) is a stealer worth keeping an eye on. \r\nRecent campaigns observed between May and July 2025 demonstrate that Stealerium continues to be used in\r\nopportunistic operations. 
TA2715 was linked to renewed Stealerium use, which triggered broader threat hunting\r\nand revealed additional campaigns associated with multiple different threat clusters. \r\nOrganizations should monitor for activity involving “netsh wlan”, suspicious use of PowerShell to add Defender\r\nexclusions, and headless Chrome execution, which are consistent with post-infection behaviors. Additionally,\r\norganizations should monitor for large amounts of data leaving the network, particularly to services and URLs that\r\nare not permitted for use in the organization, or prevent outbound traffic to these services altogether.  \r\nEmerging Threats rules \r\n2037800 - ET MALWARE Win32/Stealerium Stealer Checkin via Discord \r\n2063893 - ET MALWARE Stealerium CnC Exfil via Discord (POST)  \r\n2047905 - ET MALWARE Observed Malicious Powershell Loader Payload Request (GET)  \r\n2864110 - ETPRO MALWARE Stealerium/Phantom Stealer Exfil via HTTP (POST)  \r\n2864111 - ETPRO MALWARE Stealerium/Phantom Stealer Exfil via TCP  \r\n2864112 - ETPRO MALWARE Stealerium/Phantom Stealer Exfil via SMTP  \r\nExample indicators of compromise \r\nIndicator | Description | First Seen \r\nd4a33be36cd0905651ce69586542ae9bb5763feddc9d1af98e90ff86a6914c0e | TA2715 campaign using compressed executable (SCR file) | 5 May 2025 \r\n41700c8fe273e088932cc57d15ee86c281fd8d2e771f4e4bf77b0e2c387b8b23 | Financial-themed lure spoofing Garanti BBVA with VBScript | 10 June 2025 \r\nb640251f82684d3b454a29e962c0762a38d8ac91574ae4866fe2736f9ddd676e | Scanned payment lure with JavaScript payload | 11 June 2025 \r\na00fda931ab1a591a73d1a24c1b270aee0f31d6e415dfa9ae2d0f126326df4bb | Travel-themed lure with compressed executable | 23 June 2025 
\r\ne590552eea3ad225cfb6a33fd9a71f12f1861c8332a6f3a8e2050fffce93f45e | Purchase inquiry lure with compressed executable. Process tree shows use of PowerShell and Scheduled Tasks | 23 June 2025 \r\n50927b350c108e730dc4098bbda4d9d8e7c7833f43ab9704f819e631b1d981e3 | Legal-themed lure with VBScript and IMG | 2 July 2025 \r\nSource: https://www.proofpoint.com/us/blog/threat-insight/not-safe-work-tracking-and-investigating-stealerium-and-phantom-infostealers",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/not-safe-work-tracking-and-investigating-stealerium-and-phantom-infostealers"
	],
	"report_names": [
		"not-safe-work-tracking-and-investigating-stealerium-and-phantom-infostealers"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d2dad33f-6218-477c-9388-3d5228d7562f",
			"created_at": "2023-02-15T02:01:49.573579Z",
			"updated_at": "2026-04-10T02:00:03.352638Z",
			"deleted_at": null,
			"main_name": "TA2536",
			"aliases": [],
			"source_name": "MISPGALAXY:TA2536",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434452,
	"ts_updated_at": 1775791998,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4ff510ce6bddc3d9fde2a45e631bb4cdc7494efa.pdf",
		"text": "https://archive.orkl.eu/4ff510ce6bddc3d9fde2a45e631bb4cdc7494efa.txt",
		"img": "https://archive.orkl.eu/4ff510ce6bddc3d9fde2a45e631bb4cdc7494efa.jpg"
	}
}