Threat Actors Using Stealerium Malware to Attack Educational Organizations

Educational institutions have become prime targets in the escalating battle against commodity information stealers.

First emerging in 2022 as an open-source project on GitHub, Stealerium was initially released “for educational purposes” but rapidly attracted illicit interest.

Adversaries adapted and enhanced the code to create variants—such as Phantom Stealer and Warp Stealer—resulting in a family of infostealers sharing substantial code overlap.

Phantom Stealer pricing model (Source – Proofpoint)

These tools are readily available to low-sophistication actors seeking one-time purchases or free downloads, bypassing the complexity and cost of malware-as-a-service offerings.

Early campaigns leveraged standard phishing lures—impersonating banks, courthouses, and charitable foundations—but recent activity within the education sector has broadened the attack surface.

Emails with urgent subject lines like “Course Registration Deadline” and “Student Account Suspension Notice” delivered compressed executables, JavaScript, and disk images containing Stealerium payloads.

Proofpoint analysts noted a surge in messages targeting universities and K-12 networks between May and July 2025, with volumes ranging from hundreds to tens of thousands of emails per campaign.

Stealerium’s GitHub page (Source – Proofpoint)

Once executed, Stealerium variants immediately establish persistence and reconnaissance capabilities. PowerShell scripts are frequently used to add Windows Defender exclusions, while scheduled tasks ensure the malware survives reboots.

In addition, the malware executes a series of netsh wlan commands to enumerate saved Wi-Fi profiles and scan for nearby wireless networks, suggesting an intent to harvest credentials for lateral movement or geolocation of compromised hosts.

Request for quote (Source – Proofpoint)

Stealerium’s impact on educational organizations is profound. Beyond credential theft, it exfiltrates browser cookies, credit-card data, gaming session tokens, and even webcam snapshots of “NSFW” content—likely to facilitate sextortion schemes.

Exfiltration channels include SMTP mail attachments, Discord webhooks, Telegram API requests, GoFile uploads, and the lesser-known Zulip chat service.

Educational IT teams have reported unusual outbound traffic to these platforms and alerts from emerging threat rules designed to detect Stealerium check-ins and data exfiltration events.

Infection Mechanism and Persistence

Stealerium’s infection mechanism is deceptively straightforward yet technically robust.

Upon execution of a compressed executable or script, the malware spawns a PowerShell loader that retrieves and installs the .NET-based stealer payload into a randomized path under the user’s AppData directory (e.g., C:\Users\<username>\AppData\Local\@_, with the path separators restored here after extraction stripped them).

Following this, the loader invokes the main stealer binary, which begins by creating a mutex to prevent multiple instances and performing anti-analysis checks—verifying the username, GPU model, machine GUID, and even downloading dynamic blocklists from a public GitHub repository to evade sandbox environments.

The stealer then registers a scheduled task named using a GUID derived from system information, ensuring execution at user logon or at random intervals to evade detection.

Concurrently, a PowerShell script disables real-time monitoring in Windows Defender by adding exclusion rules, effectively blinding endpoint protection.

Finally, Stealerium launches a headless Chrome process with the --remote-debugging-port argument to extract cookies, credentials, and tokens directly from browser memory—an advanced technique that bypasses standard encryption and application sandboxing.

// Example of remote debugging invocation in Stealerium variants
using System.Diagnostics;

// Launch a headless browser with the DevTools protocol exposed on a local port,
// so cookies and session data can be read over the debugging interface instead
// of from the encrypted on-disk profile.
ProcessStartInfo psi = new ProcessStartInfo()
{
    FileName = "chrome.exe",
    Arguments = "--headless --disable-gpu --remote-debugging-port=9222 https://example.com",
    CreateNoWindow = true,
    UseShellExecute = false   // start the process directly rather than through the shell
};
Process chrome = Process.Start(psi);

This multi-stage approach—combining randomized staging, scheduled persistence, anti-analysis checks, and advanced data extraction—makes Stealerium a potent threat against educational networks.

Organizations must monitor for unusual PowerShell defender exclusions, anomalous scheduled tasks, and network connections to Discord, Telegram, GoFile, and Zulip endpoints to effectively detect and mitigate these attacks.
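The monitoring checklist above, turned into a host-side triage script. This is an added defender-side example, not code from the article or from Proofpoint. It assumes Security event 4688 command-line auditing is enabled on the host, that the Defender, ScheduledTasks and DnsClient modules are available, and that the exfiltration services resolve to the listed domains (zulipchat.com in particular is an assumption, since Zulip can be self-hosted).

```powershell
# Added triage script for a suspected Stealerium host; run in an elevated PowerShell session.
# Domain list is an assumption about where the services named in the article resolve.
$exfilHosts = 'discord.com','discordapp.com','api.telegram.org','gofile.io','zulipchat.com'

# 1. Defender exclusions: the stealer adds these via PowerShell; a clean host usually has none.
$pref = Get-MpPreference
foreach ($p in @($pref.ExclusionPath) + @($pref.ExclusionProcess) + @($pref.ExclusionExtension)) {
    if ($p) { Write-Warning "Defender exclusion present: $p" }
}

# 2. Scheduled tasks whose action runs from a user profile or whose name looks like a GUID.
$guidRe = '^\{?[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}?$'
Get-ScheduledTask | ForEach-Object {
    $t = $_
    foreach ($a in $t.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match '\\AppData\\' -or $t.TaskName -match $guidRe) {
            Write-Warning "Suspicious task $($t.TaskPath)$($t.TaskName): $cmd"
        }
    }
}

# 3. Process creation events (last 7 days) matching the recon, exclusion and
#    browser-debugging command lines the article describes.
$filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-7) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $cl = $_.Properties[8].Value   # in 4688 the CommandLine field is property index 8
    if ($cl -match 'netsh\s+wlan\s+show\s+(profile|network)' -or
        $cl -match '--remote-debugging-port=\d+' -or
        $cl -match 'Add-MpPreference\s+-Exclusion') {
        Write-Warning "$($_.TimeCreated) $cl"
    }
}

# 4. Recent name resolutions for the exfiltration services (cheaper and more reliable
#    than reverse-resolving CDN addresses from live TCP connections).
Get-DnsClientCache -ErrorAction SilentlyContinue | ForEach-Object {
    foreach ($h in $exfilHosts) {
        if ($_.Entry -like "*$h") {
            Write-Warning "Resolved exfil service: $($_.Entry) -> $($_.Data)"
        }
    }
}
```

Any hit from sections 1 to 3 on a student or staff workstation warrants pulling the task definition and the referenced AppData binary for analysis; section 4 alone is noisy on hosts where Discord or Telegram are legitimately used.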


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.