Not Safe For Work: Tracking And Investigating Stealerium And Phantom Infostealers

Proofpoint, Wednesday, September 3rd, 2025

Threat actors are increasingly turning to information stealers in malware delivery, and Proofpoint threat researchers have observed an increase in the variety of commodity information stealers regularly used by cybercriminal threat actors.

Key findings
  • Proofpoint researchers observed an increase in opportunistic cybercriminals using malware based on Stealerium, an open-source malware that is available 'for educational purposes.'
  • Multiple other stealers share significant code overlap with Stealerium, such as Phantom Stealer. Throughout this blog post, we'll use the name Stealerium to refer to infostealers that share significant overlap with the original Stealerium.
  • Threat actors are increasingly pivoting to information stealers, as targeting identity becomes a priority for cybercriminals.

While many threat actors prefer malware-as-a-service offerings like Lumma Stealer or Amatera Stealer, some actors prefer to use malware that can be purchased one time or that is openly available on platforms like GitHub. Stealerium is a good example of this
