
Stealerium Changing the Rules of Cyber Espionage

Amber | Attack Report

Stealerium: The Open-Source Infostealer Reshaping Cyber Espionage

Summary

First appearing in 2022 as an open-source .NET-based information stealer, Stealerium has evolved into one of the most dangerous cyber-espionage tools active today. Its resurgence in 2025 is marked by fear-driven and financial-themed campaigns targeting non-profits, hospitality, travel, education, finance, legal, and banking sectors worldwide.

Stealerium’s versatility, extensive data theft capabilities, and multiple exfiltration channels make it a favored tool for both low-skilled actors and advanced cybercriminals. It has been observed in phishing campaigns using charity impersonation, financial lures, and court summons-themed emails. Its growing ecosystem, which includes Phantom Stealer and Warp Stealer, underscores its role in the commoditization of malware.


Attack Details

  • Origins: Released on GitHub as “for educational purposes,” quickly adopted and weaponized by malicious actors.

  • Campaigns:

    • May 2025 – TA2715 impersonated a Canadian charity using compressed executables to drop Stealerium.

    • June 2025 – TA2536 launched a financial-themed lure spoofing Garanti BBVA, distributing Stealerium via payment-themed emails.

    • June 2025 – Hospitality/travel booking campaigns used compressed files to infect victims.

    • July 2025 – “Court Summons” phishing delivered IMG files with VBScripts to execute Stealerium payloads.

  • Capabilities:

    • Wi-Fi Enumeration: Executes netsh wlan commands to collect stored profiles for possible lateral movement.

    • Persistence: Creates PowerShell exclusions and scheduled tasks.

    • Browser Exploitation: Enables Chrome remote debugging to steal cookies and credentials.

    • Data Theft: Harvests browser credentials, banking info, crypto wallets, email/chat data, VPN creds, gaming tokens, confidential files, screenshots, and webcam footage, potentially used for blackmail.

    • Exfiltration: Uses SMTP, Discord webhooks, Telegram, Gofile, and Zulip for data exfiltration.

    • Anti-Analysis: Employs random execution delays, blocklists of usernames/IPs/GPUs, and self-deletion if sandboxed.

  • Related Malware: Shares significant code overlap with Phantom Stealer and Warp Stealer, strengthening its position as a modular malware family.


Recommendations

  • Strengthen Email Security: Use advanced filtering to block compressed executables, VBScript, and JavaScript payloads.

  • Enforce MFA and Strong Passwords: Protect email, browser, and VPN accounts with MFA and regular password hygiene.

  • Monitor Network Traffic: Detect suspicious use of netsh wlan and outbound connections to SMTP, Discord, Telegram, or unusual domains.

  • Disable Remote Debugging: Turn off unnecessary browser features to prevent cookie and credential theft.

  • Deploy EDR/XDR: Leverage behavioral detection to identify PowerShell exclusions, scheduled task creation, and anti-analysis tactics.
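The detection recommendations above can be turned into a simple per-host correlation. The following is an added example, not code from the advisory or from Hive Pro: it matches constructed process-creation events (Sysmon Event ID 1 style) against the behaviours the advisory lists (netsh wlan profile enumeration, Defender exclusions via Add-MpPreference, schtasks /create, Chrome --remote-debugging-port) and only flags a host that shows at least two distinct behaviours, so a lone legitimate schtasks or chrome invocation does not page on its own. All hosts, process names and command lines are constructed for illustration.

```python
import re

# Constructed sample events (Sysmon Event ID 1 style); not from a real incident.
SAMPLE_EVENTS = [
    {"host": "WS-01", "parent": "explorer.exe", "image": "chrome.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default'},
    {"host": "WS-01", "parent": "invoice.exe", "image": "netsh.exe",
     "cmdline": "netsh wlan show profile"},
    {"host": "WS-01", "parent": "invoice.exe", "image": "powershell.exe",
     "cmdline": r"powershell -w hidden Add-MpPreference -ExclusionPath C:\Users\Public\invoice.exe"},
    {"host": "WS-02", "parent": "cmd.exe", "image": "schtasks.exe",
     "cmdline": r"schtasks /create /sc minute /mo 5 /tn Updater /tr C:\Users\Public\invoice.exe"},
    {"host": "WS-02", "parent": "invoice.exe", "image": "chrome.exe",
     "cmdline": "chrome.exe --remote-debugging-port=9222 --headless"},
    {"host": "WS-03", "parent": "svchost.exe", "image": "schtasks.exe",
     "cmdline": r"schtasks /query /tn \Microsoft\Windows\Defrag\ScheduledDefrag"},
]

# One rule per behaviour named in the advisory's Capabilities section.
RULES = [
    ("wifi_profile_enum", r"netsh\s+wlan\s+show\s+profile"),
    ("defender_exclusion", r"Add-MpPreference\s+-Exclusion"),
    ("schtask_create", r"schtasks(\.exe)?\s+/create"),
    ("chrome_remote_debug", r"--remote-debugging-port="),
]


def match_rules(event):
    """Return the names of all rules whose pattern matches the command line."""
    return [name for name, pattern in RULES
            if re.search(pattern, event["cmdline"], re.IGNORECASE)]


def correlate(events, min_distinct=2):
    """Group rule hits per host and keep only hosts with at least
    min_distinct different behaviours; single hits are left for triage."""
    per_host = {}
    for ev in events:
        for rule in match_rules(ev):
            per_host.setdefault(ev["host"], set()).add(rule)
    return {host: sorted(rules) for host, rules in per_host.items()
            if len(rules) >= min_distinct}


if __name__ == "__main__":
    for host, rules in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(rules)}")
```

On the sample data WS-01 and WS-02 are flagged, while WS-03's routine schtasks /query produces no hit.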


Indicators of Compromise (IoCs)

SHA256 Hashes


MITRE ATT&CK TTPs

  • Initial Access: T1566 (Phishing), T1566.001 (Spearphishing Attachment)

  • Execution: T1059 (Command & Scripting Interpreter), T1059.001 (PowerShell), T1059.005 (Visual Basic), T1059.007 (JavaScript), T1204 (User Execution)

  • Persistence: T1053 (Scheduled Task/Job)

  • Defense Evasion: T1562 (Impair Defenses), T1562.001 (Disable or Modify Tools), T1480 (Execution Guardrails), T1027 (Obfuscation), T1497 (Sandbox Evasion)

  • Credential Access: T1555 (Credentials from Password Stores), T1555.003 (Credentials from Web Browsers), T1056.001 (Keylogging), T1056.003 (Web Portal Capture)

  • Discovery: T1082 (System Information Discovery), T1087 (Account Discovery), T1046 (Network Service Discovery)

  • Lateral Movement: T1021 (Remote Services)

  • Collection: T1115 (Clipboard Data), T1113 (Screen Capture), T1005 (Data from Local System), T1213 (Data from Information Repositories), T1114 (Email Collection)

  • Exfiltration: T1567 (Exfiltration Over Web Service), T1048 (Exfiltration Over Alternative Protocol)

  • Command & Control: T1102 (Web Service), T1573 (Encrypted Channel)

  • Impact: T1490 (Inhibit System Recovery), T1565 (Data Manipulation)

