Mallory
Malware (used by 3 actors)

Stealerium

Stealerium is an open-source .NET/C# information stealer that debuted in 2022 and has been described by its developer as a stealer, clipper, and keylogger. Its codebase was published on GitHub as an "educational tool" and later archived, and multiple reports state that other malware families and forks, including Phantom Stealer/PhantomStealer, were derived from or overlap significantly with the Stealerium codebase. Stealerium is used to steal credentials, browser cookies, session data, cryptocurrency wallet information, and other sensitive data from compromised Windows systems. Reported collection capabilities include browser credential theft, keylogging, clipboard hijacking via a crypto clipper, screenshots, and, in some variants or configurations, webcam capture. Exfiltration has been observed through multiple channels, especially Discord webhooks; reporting also notes FTP, SMTP, Telegram, and related code paths in Stealerium-family forks. Proofpoint reported that Stealerium can be configured to monitor open browser tabs for NSFW keywords such as "sex" or "porn" and, when triggered, capture a desktop screenshot and a webcam image, enabling sextortion-oriented abuse. Recent reporting also states that newer Stealerium modules were added specifically for sextortion. Observed delivery includes phishing campaigns and ClickFix-style social engineering chains, including a malicious SVG that triggered a PowerShell ClickFix infection flow to install Stealerium. The malware has appeared in multilingual phishing campaigns, including Italian-language campaigns, and has been used as commodity malware alongside tools such as Remcos RAT, StormKitty, and ZZ Stealer. High-confidence aliases and related naming include Stealerium and the similar spelling "Stealrium."

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

THREAT ACTORS

Groups observed using it

3 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

Prince of Persia

The expanded toolkit in this phase incorporated commodity tools such as Remcos RAT, Stealerium, StormKitty, and ZZ Stealer...

via Trellix blog (trellix.com)
TA2536

... delivering an open-source information stealer called Stealerium (or variants of it).

via The Hacker News (thehackernews.com)
TA2715

... delivering an open-source information stealer called Stealerium (or variants of it).

via The Hacker News (thehackernews.com)
MITRE ATT&CK

Techniques & procedures

8 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1566 Phishing (evidence: 1)

"ClickFix is ... traditionally delivered via phishing..."; "An email phishing campaign ... malicious SVG file contained within a password‑protected ZIP archive..."; "A macOS email phishing campaign..."

Execution

2 techniques
T1059.001 PowerShell (evidence: 1)

"trick users into executing PowerShell commands that deploy the StealC information stealer"; "instruct the victim to run a PowerShell command ... resulting in ... Stealerium"

T1204 User Execution (evidence: 1)

"victims infecting their own machines with malware"; "victims often fail to recognize that they are manually executing arbitrary code"

Credential Access

2 techniques
T1539 Steal Web Session Cookie (evidence: 1)

According to Trellix's data, various malware families, including Agent Tesla, UmbralStealer, Stealerium, and zgRAT, have also used Discord webhooks over the past few years to steal sensitive information like credentials, browser cookies, and cryptocurrency wallets from compromised devices.

T1649 Steal or Forge Authentication Certificates (evidence: 1)

According to Trellix's data, various malware families, including Agent Tesla, UmbralStealer, Stealerium, and zgRAT, have also used Discord webhooks over the past few years to steal sensitive information like credentials, browser cookies, and cryptocurrency wallets from compromised devices.

Collection

1 technique
T1113 Screen Capture (evidence: 1)

"when a user visits a pornographic website, a screenshot is taken and sent back to the threat actor" and "when a user searches for adult content, the system begins capturing and filtering it"

Exfiltration

2 techniques
T1041 Exfiltration Over C2 Channel (evidence: 1)

"malicious Android applications that threat actors use for webcam phishing, weaponizing the app to exfiltrate data through a Telegram bot" and "Stealerium is a well-known infostealer that exfiltrates data in multiple ways, particularly through Discord."

T1567 Exfiltration Over Web Service (evidence: 1)

Discord's permanent file hosting capabilities have frequently been misused to distribute malware and exfiltrate data gathered from compromised systems using webhooks.
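The Discord-webhook exfiltration path described under T1041 and T1567 is something a defender can hunt for in egress telemetry. The following is an added example, not code from this page or from any vendor rule: it scans constructed egress-proxy log lines (JSON, one event per line) for HTTP POSTs to the Discord webhook API and raises the severity when the sending process is not a browser or chat client, when the body is a multipart upload (how screenshots, webcam images and archives travel), or when the upload is large. The host list, the process allowlist, the size threshold and the log field names are assumptions to tune per environment.

```python
import json
import re
from dataclasses import dataclass

# Hosts that serve the Discord webhook API (discordapp.com is the legacy domain). Assumed list.
DISCORD_HOSTS = {"discord.com", "discordapp.com", "ptb.discord.com", "canary.discord.com"}
# Webhook endpoints look like /api/webhooks/<id>/<token>.
WEBHOOK_PATH = re.compile(r"^/api/webhooks/\d+/[\w-]+")
# Processes expected to talk to Discord legitimately (assumed allowlist, tune per environment).
ALLOWED_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "discord.exe"}
LARGE_UPLOAD_BYTES = 100_000  # assumed threshold for "bulk" uploads

@dataclass
class Finding:
    ts: str
    process: str
    host: str
    reasons: list

def classify(event: dict):
    """Return a Finding if the egress event is a POST to a Discord webhook, else None."""
    if event.get("method") != "POST" or event.get("host") not in DISCORD_HOSTS:
        return None
    if not WEBHOOK_PATH.match(event.get("path", "")):
        return None
    reasons = ["post_to_discord_webhook"]
    proc = event.get("process", "").lower()
    if proc not in ALLOWED_PROCESSES:
        reasons.append("non_browser_process")  # a stealer binary, not a user's chat client
    if event.get("content_type", "").startswith("multipart/form-data"):
        reasons.append("file_upload")  # screenshots, webcam captures and zip archives go as attachments
    if event.get("bytes_out", 0) > LARGE_UPLOAD_BYTES:
        reasons.append("large_upload")
    return Finding(event["ts"], proc, event["host"], reasons)

def scan(lines):
    """Run classify() over JSON-lines egress records and collect the findings."""
    findings = []
    for line in lines:
        line = line.strip()
        if line:
            f = classify(json.loads(line))
            if f:
                findings.append(f)
    return findings

# Constructed sample egress log (JSON lines), not real telemetry. Process names are made up.
SAMPLE_LOG = """
{"ts":"2024-01-01T10:00:01Z","process":"chrome.exe","method":"GET","host":"discord.com","path":"/channels/@me","bytes_out":512,"content_type":""}
{"ts":"2024-01-01T10:00:05Z","process":"svchost_update.exe","method":"POST","host":"discord.com","path":"/api/webhooks/123456789012345678/aBcDeF-ghIjK","bytes_out":243811,"content_type":"multipart/form-data; boundary=----x"}
{"ts":"2024-01-01T10:00:09Z","process":"discord.exe","method":"POST","host":"discord.com","path":"/api/v9/channels/1/messages","bytes_out":300,"content_type":"application/json"}
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(finding)
```

Only the second record is flagged, with all four reasons; normal Discord browsing and the official client's message API are left alone.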

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution (3)

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (8)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.