Open source malware Stealerium poses a risk to banking information
In the digital landscape of 2025, a familiar menace rears its head once again: Stealerium, an open-source infostealer first published on GitHub in 2022. According to cybersecurity firm Proofpoint, ongoing activity between May and July of this year indicates that Stealerium and its variants are still being used in attacks.
The roots of Stealerium can be traced back to early 2023, when the first known attack campaigns based on this malware were observed. Stealerium is a highly configurable piece of malware, capable of exfiltrating sensitive data through various methods. Its configuration includes C2 and exfiltration parameters, as well as lists of targeted services, such as specific banks.
One of the ways Stealerium evades detection is by exploiting Chrome's remote debugging feature to bypass browser security mechanisms. Some variants also dynamically load current blocklists from public GitHub repositories, making them harder to identify.
Stealerium is written in .NET and has extensive data theft capabilities. It collects Wi-Fi profiles and information about nearby networks after execution. Some samples of Stealerium and its variants contain references to both Phantom Stealer and Warp Stealer, suggesting code recycling.
Warp Stealer, too, shows clear overlaps with Stealerium. Parts of the malware are encrypted using AES, and exfiltration of data occurs via various methods, most commonly SMTP, but also through Discord webhooks, the Telegram API, the file hosting service Gofile, and the chat platform Zulip.
Organizations should be vigilant against suspicious system commands, unusual PowerShell usage for manipulating Defender settings, and "headless" Chrome processes. It is advisable to monitor outgoing data traffic and block connections to unauthorized services like Discord, Telegram, or Gofile.
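The indicators listed above (headless Chrome with remote debugging enabled, PowerShell tampering with Defender settings, and outbound traffic to Discord, Telegram or Gofile) and the SMTP exfiltration path mentioned earlier lend themselves to simple log-based detection. The following script is an added example, not code from the article or from Proofpoint: it runs a handful of rules over constructed sample telemetry. The log format (pipe-separated process and network records), the rule thresholds, the hosted-Zulip domain and the mail-client allowlist are all assumptions made for the example; in practice the same logic would be mapped onto real process-creation and network-connection events (for instance Sysmon event IDs 1 and 3).

```python
"""Toy detection rules for Stealerium-style activity, run over constructed sample events."""
import ntpath
import re
from typing import List, Tuple

# Constructed sample telemetry (not real data). One record per line, fields separated by '|':
#   process|<image path>|<command line>              (process creation)
#   network|<image path>|<destination host>:<port>   (outbound connection)
SAMPLE_LOG = r"""
process|C:\Program Files\Google\Chrome\Application\chrome.exe|chrome.exe --headless=new --remote-debugging-port=9222
process|C:\Program Files\Google\Chrome\Application\chrome.exe|chrome.exe https://intranet.example.local/
process|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -NoProfile -Command Set-MpPreference -DisableRealtimeMonitoring $true
process|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -File C:\scripts\backup.ps1
network|C:\Users\alice\AppData\Roaming\update.exe|discord.com:443
network|C:\Users\alice\AppData\Roaming\update.exe|api.telegram.org:443
network|C:\Users\alice\AppData\Roaming\update.exe|mail.example.net:587
network|C:\Program Files\Mozilla Firefox\firefox.exe|www.example.com:443
"""

# Chrome started headless and/or with the remote-debugging port exposed (both are real Chrome flags).
CHROME_DEBUG_RE = re.compile(r"--(headless|remote-debugging-port)\b", re.IGNORECASE)

# Defender preference changes that disable a protection or add an exclusion. Set-MpPreference is a
# real cmdlet with legitimate admin uses, so the rule only fires on the Disable*/Exclusion* switches.
DEFENDER_TAMPER_RE = re.compile(r"\b(Set|Add)-MpPreference\b.*-(Disable|Exclusion)\w*", re.IGNORECASE)

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# Exfiltration services named in the article. zulipchat.com (hosted Zulip) is an assumption.
EXFIL_HOSTS = {"discord.com", "discordapp.com", "api.telegram.org", "gofile.io", "zulipchat.com"}

# Assumed allowlist of processes expected to talk SMTP; everything else doing so is flagged.
SMTP_PORTS = {"25", "465", "587"}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}


def host_in_blocklist(host: str) -> bool:
    """True if host equals, or is a subdomain of, any blocklisted domain."""
    labels = host.lower().split(".")
    return any(".".join(labels[i:]) in EXFIL_HOSTS for i in range(len(labels)))


def scan(log_text: str) -> List[Tuple[str, str]]:
    """Return (rule_name, raw_line) for every record that matches a rule."""
    findings: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        kind, image, detail = line.split("|", 2)
        exe = ntpath.basename(image).lower()  # ntpath handles Windows paths on any host OS
        if kind == "process":
            if exe == "chrome.exe" and CHROME_DEBUG_RE.search(detail):
                findings.append(("chrome_remote_debugging", line))
            elif exe in POWERSHELL_IMAGES and DEFENDER_TAMPER_RE.search(detail):
                findings.append(("defender_tampering", line))
        elif kind == "network":
            host, _, port = detail.rpartition(":")
            if host_in_blocklist(host):
                findings.append(("blocked_exfil_destination", line))
            elif port in SMTP_PORTS and exe not in MAIL_CLIENTS:
                findings.append(("unexpected_smtp", line))
    return findings


if __name__ == "__main__":
    for rule, record in scan(SAMPLE_LOG):
        print(f"[{rule}] {record}")
```

Running the script prints five findings: the headless Chrome launch, the Defender change, the two connections to blocklisted services, and the SMTP session from an unrecognised binary; the benign Chrome, PowerShell and Firefox records pass. The blocklist rule is the easiest to operationalise as an egress block at the proxy or firewall, which is what the article recommends; the SMTP rule is noisier and only works once the organisation's legitimate mail paths have been enumerated.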
Proofpoint treats Phantom Stealer, Stealerium, and Warp Stealer as variants of the same threat. Stealerium is now being used, adapted, and developed by cybercriminals, resulting in numerous variants that are harder to detect.
The risk posed by Stealerium and its variants can only be effectively reduced through a combination of technical detection, network monitoring, and employee training. As the digital battlefield continues to evolve, it is crucial for organizations to stay informed and proactive in their cybersecurity measures.