Particle.news

Proofpoint Warns of Stealerium Resurgence in Large-Scale Phishing Campaigns

Proofpoint reports mass phishing since May using Stealerium variants that exfiltrate stolen credentials via free chat or cloud services.

Overview

  • Proofpoint has observed renewed activity since May 2025, attributed first to TA2715 and then to TA2536, in campaign waves ranging from hundreds to tens of thousands of emails that use urgent financial or legal lures and deliver payloads as compressed EXEs, JavaScript, VBScript, ISO or IMG disk images, and ACE archives.
  • The .NET-based infostealer gathers WLAN profiles and system details, steals browser cookies and passwords by abusing Chrome remote debugging, manipulates Windows Defender settings and establishes persistence via scheduled tasks.
  • Exfiltration occurs through SMTP and popular platforms including Discord webhooks, the Telegram API and the file-hosting service Gofile, with Zulip supported in some configurations.
  • Researchers highlight extensive anti-analysis measures, including start delays, environment checks and dynamically fetched blocklists from public GitHub repositories that hinder forensic visibility.
  • Some media report variants that capture screenshots and webcam images for sextortion, while Proofpoint’s published analysis primarily documents credential theft and data exfiltration.
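The behaviours listed above (headless Chrome with remote debugging enabled, Defender preference changes, scheduled-task persistence from a user-writable path, and exfiltration to Discord, Telegram, Gofile or direct SMTP) are all visible in ordinary endpoint telemetry. The script below is an added detection example written for this summary, not Proofpoint's tooling or anything from the report. It runs over a handful of constructed events in an assumed flat `key=value` format (real EDR or Sysmon exports will need a different parser), flags each behaviour with a simple rule, and rolls the hits up per originating process so an analyst sees one actor with several indicators rather than six unrelated alerts. The `--remote-debugging-port` flag, the `Add-MpPreference`/`Set-MpPreference` cmdlets and `schtasks /create` are real Chrome and Windows interfaces; the destination host list uses the services the report names, and Zulip is left out because self-hosted instances have no fixed domain.

```python
"""Rule-based triage of constructed endpoint telemetry for Stealerium-style behaviour."""
import re
from typing import Dict, List, Set

# Constructed sample events (not real telemetry). Each line is a flat
# key=value record; quoted values may contain spaces. Process names are made up.
SAMPLE_EVENTS = [
    # Benign: a normal Chrome launch from the desktop shell.
    'ts=2025-06-02T09:10:11Z host=WS01 type=process image=chrome.exe '
    'parent=explorer.exe cmdline="chrome.exe --profile-directory=Default"',
    # Suspicious: headless Chrome with the remote-debugging port open, launched
    # by an unknown binary (the cookie/password theft technique the report describes).
    'ts=2025-06-02T09:14:02Z host=WS01 type=process image=chrome.exe '
    'parent=Invoice_0425.exe cmdline="chrome.exe --headless --remote-debugging-port=9222 '
    '--user-data-dir=C:\\Users\\j\\AppData\\Local\\Google\\Chrome\\User Data"',
    # Suspicious: Defender exclusion added from a hidden PowerShell window.
    'ts=2025-06-02T09:14:05Z host=WS01 type=process image=powershell.exe '
    'parent=Invoice_0425.exe cmdline="powershell -nop -w hidden Add-MpPreference '
    '-ExclusionPath C:\\Users\\j\\AppData\\Roaming"',
    # Suspicious: scheduled task whose action lives under the user profile.
    'ts=2025-06-02T09:14:09Z host=WS01 type=process image=schtasks.exe '
    'parent=Invoice_0425.exe cmdline="schtasks /create /tn Updater /sc onlogon '
    '/tr C:\\Users\\j\\AppData\\Roaming\\svc.exe"',
    # Suspicious: exfiltration destinations named in the report.
    'ts=2025-06-02T09:15:30Z host=WS01 type=network image=Invoice_0425.exe '
    'dst_host=discord.com dst_port=443 uri=/api/webhooks/123/abc',
    'ts=2025-06-02T09:15:31Z host=WS01 type=network image=Invoice_0425.exe '
    'dst_host=api.telegram.org dst_port=443 uri=/botTOKEN/sendDocument',
    # Suspicious: direct SMTP from a process that is not a mail client.
    'ts=2025-06-02T09:15:40Z host=WS01 type=network image=Invoice_0425.exe '
    'dst_host=smtp.example.net dst_port=587 uri=-',
    # Benign: a mail client talking SMTP.
    'ts=2025-06-02T09:16:00Z host=WS01 type=network image=outlook.exe '
    'dst_host=mail.example.net dst_port=587 uri=-',
]

# key=value pairs; a value is either a double-quoted string (backslash escapes
# allowed) or a run of non-space characters.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Services the report names as exfiltration channels (Zulip omitted: no fixed host).
EXFIL_HOSTS = {"discord.com", "api.telegram.org", "gofile.io"}
SMTP_PORTS = {"25", "465", "587"}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}          # assumed allowlist
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")


def parse_event(line: str) -> Dict[str, str]:
    """Split one key=value record into a dict, stripping quotes from quoted values."""
    fields: Dict[str, str] = {}
    for key, raw in _KV.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def classify(ev: Dict[str, str]) -> List[str]:
    """Return the list of indicator names matched by a single event."""
    hits: List[str] = []
    image = ev.get("image", "").lower()
    cmd = ev.get("cmdline", "").lower()
    if ev.get("type") == "process":
        if image == "chrome.exe" and "--remote-debugging-port" in cmd:
            hits.append("chrome_remote_debugging")
        if image in {"powershell.exe", "pwsh.exe"} and re.search(r"\b(add|set)-mppreference\b", cmd):
            hits.append("defender_tamper")
        if image == "schtasks.exe" and "/create" in cmd and any(p in cmd for p in USER_WRITABLE):
            hits.append("schtask_user_path")
    elif ev.get("type") == "network":
        host = ev.get("dst_host", "").lower()
        if any(host == h or host.endswith("." + h) for h in EXFIL_HOSTS):
            hits.append("exfil_service:" + host)
        if ev.get("dst_port") in SMTP_PORTS and image not in MAIL_CLIENTS:
            hits.append("smtp_from_non_mail_client")
    return hits


def triage(lines: List[str]) -> Dict[str, Set[str]]:
    """Group indicators by the process responsible: the parent for process
    events (it spawned the tool), the image itself for network events."""
    actors: Dict[str, Set[str]] = {}
    for line in lines:
        ev = parse_event(line)
        hits = classify(ev)
        if not hits:
            continue
        actor = ev.get("parent", "?") if ev.get("type") == "process" else ev.get("image", "?")
        actors.setdefault(actor, set()).update(hits)
    return actors


if __name__ == "__main__":
    for actor, hits in triage(SAMPLE_EVENTS).items():
        print(f"{actor}: {len(hits)} indicators -> {sorted(hits)}")
```

On the constructed sample the benign Chrome and Outlook events produce nothing, while every suspicious line rolls up under `Invoice_0425.exe` with six distinct indicators. Any one rule alone is noisy (developers do open Chrome with remote debugging, administrators do add Defender exclusions); the value is in the per-process aggregation, which is what turns the report's behaviour list into a triage signal.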