Stealerium Infostealer: Malware that Captures Webcam Photos and Steals Personal Information
Researchers at Proofpoint, a security company headquartered in Sunnyvale, California, have reported the results of their investigation into Stealerium, an information-stealing malware whose use has been increasing since May of this year. Stealerium is open-source malware published on GitHub that reaches victims' PCs via fraudulent emails and captures passwords, card information, and, in response to keywords such as 'pornography,' even PC screen and webcam footage.
The Evolution and Spread of Stealerium
Stealerium first appeared on GitHub around 2022 as freely available open-source malware, offered for download with the stated restriction of 'educational purposes only.' Proofpoint researchers have observed an increase in Stealerium-based malware distribution campaigns since around May 2025. The campaigns disguise themselves as emails from various organizations, including charities, banks, courts, and document services, and Stealerium is downloaded when the recipient clicks on attachments such as 'payment deadlines,' 'court subpoenas,' and 'donation requests.'
Specifically, these messages contained a compressed JavaScript file that installs Stealerium and performs network reconnaissance to collect Wi-Fi profiles and nearby networks. Once downloaded onto a target PC, Stealerium has the ability to steal a wide variety of data, including browser cookies and authentication information, credit card data, session tokens from gaming services such as Steam, cryptocurrency wallet data, and various types of confidential files.
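As a defensive illustration of the reconnaissance step described above, the following added example (not code from Proofpoint or from Stealerium) flags Wi-Fi enumeration that descends from a script host running an attachment. It assumes the enumeration is done with the built-in Windows `netsh wlan show ...` commands and that the JavaScript runs under `wscript.exe` or `cscript.exe`; the article names neither, and the events and file names are constructed.

```python
import re
from pathlib import PureWindowsPath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # assumed hosts for an emailed .js file
# Assumption: Wi-Fi profiles and nearby networks are listed with netsh wlan commands.
WLAN_RECON = re.compile(r"\bnetsh(\.exe)?\b.*\bwlan\s+show\s+(profiles?|networks)\b", re.I)

# Constructed process-creation events (fields modelled on Sysmon Event ID 1).
FIELDS = ("pid", "ppid", "image", "cmd")
EVENTS = [dict(zip(FIELDS, row)) for row in [
    (4100, 900, r"C:\Windows\System32\wscript.exe", r'wscript.exe "C:\Users\a\Downloads\payment_deadline.js"'),
    (4188, 4100, r"C:\Windows\System32\cmd.exe", "cmd.exe /c netsh wlan show profiles"),
    (4200, 4188, r"C:\Windows\System32\netsh.exe", "netsh wlan show profiles"),
    (4260, 4100, r"C:\Windows\System32\netsh.exe", "netsh wlan show networks mode=bssid"),
    (5000, 900, r"C:\Windows\System32\cmd.exe", "cmd.exe"),  # admin at an interactive prompt
    (5010, 5000, r"C:\Windows\System32\netsh.exe", "netsh wlan show profiles"),
]]

def basename(image):
    """Lower-cased file name of a Windows image path, on any host OS."""
    return PureWindowsPath(image).name.lower()

def script_host_ancestor(event, by_pid):
    """Walk parent links and return the first script-host ancestor, or None."""
    seen = set()
    parent = by_pid.get(event["ppid"])
    while parent and parent["pid"] not in seen:  # 'seen' guards against PID-reuse loops
        if basename(parent["image"]) in SCRIPT_HOSTS:
            return parent
        seen.add(parent["pid"])
        parent = by_pid.get(parent["ppid"])
    return None

def detect(events):
    """Return alerts for netsh Wi-Fi enumeration launched beneath a script host."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        # Match on the netsh process itself so a cmd.exe wrapper is not counted twice.
        if basename(e["image"]) != "netsh.exe" or not WLAN_RECON.search(e["cmd"]):
            continue
        origin = script_host_ancestor(e, by_pid)
        if origin:
            alerts.append({"pid": e["pid"], "cmd": e["cmd"], "script_host_cmd": origin["cmd"]})
    return alerts

if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f"ALERT pid={a['pid']} {a['cmd']!r} <- {a['script_host_cmd']!r}")
```

The same `netsh` command typed by an administrator at an interactive prompt (PID 5010) is not flagged, because the rule keys on process ancestry rather than on the command alone.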
Technical Features and Targeted Data
Stealerium has two major features. First, it does not target a specific data type, but indiscriminately steals a wide variety of data. Second, it reacts specifically to pornography-related content: by checking for the presence of customizable strings such as 'porn' or 'sex,' Stealerium detects browser tabs related to adult content and takes desktop screenshots and webcam image captures.
To summarize the types of data targeted by this malware, consider the following table:
| Data Category | Specific Information Collected |
|---|---|
| Authentication | Browser cookies, authentication information, session tokens (e.g., Steam) |
| Financial | Credit card data, cryptocurrency wallet data |
| System & Network | Wi-Fi profiles, nearby networks, various confidential files |
| Visual Media | Desktop screenshots, webcam image captures |
Webcam Monitoring and Extortion Risks
In the case of Stealerium, the attacker takes screenshots of websites containing keywords such as pornography and also takes photos of the target with the webcam. The attacker then threatens to publish the victim's face while browsing pornographic sites. While malware that hacks webcams is common, 'malware that detects pornography and automatically takes photos is almost unheard of,' says Proofpoint researcher Kyle Kutsch.
A similar case occurred around 2018, when there was a sudden increase in the number of users receiving threatening emails claiming, 'Your PC has been hacked and your viewing of pornography has been secretly recorded on your webcam.' However, that attack, which security researchers named 'sextortion,' did not actually hack the webcam; it was designed to make users believe their PC had been hacked by sending them an email containing their own email password. In contrast, Stealerium represents a more direct threat by actually capturing media footage of the user.