Stealerium Malware: The Open-Source Infostealer Targeting Passwords, Tokens, and Crypto

Table of Contents

The rise of open-source malware represents a troubling shift in the threat landscape. When malicious code is freely available on GitHub, it dramatically lowers the barrier for would-be cybercriminals — they no longer need development skills, just the ability to compile and distribute. Stealerium is one of the most visible examples: a fully featured infostealer whose source code was publicly available on GitHub until the repository was taken down.

What Is Stealerium?

Stealerium is an open-source credential-stealing malware written in C# (.NET). First identified by security researchers in 2022, it was available on GitHub as a "demonstration" or "educational" project — a thin legal disclaimer that fooled no one. The codebase provided everything needed to harvest credentials, tokens, and files from Windows systems and deliver them to a Discord webhook or Telegram bot.

Because the source was open, Stealerium spawned dozens of derivatives and modifications. Security researchers began tracking variants under names like Stealerium-mod, Stealerium-reborn, and various rebranded versions.

What Stealerium Steals

The breadth of Stealerium's data collection is what made it particularly dangerous:

Browser Credentials and Data

  • Saved passwords from Chrome, Firefox, Edge, Opera, Brave, and other Chromium/Firefox-based browsers
  • Saved credit card numbers and autofill data
  • Browser cookies (enabling session hijacking without passwords)
  • Browsing history

Discord Tokens

One of Stealerium's most targeted data types is Discord tokens — the authentication tokens stored locally by the Discord desktop app. Stolen tokens allow immediate account takeover without the need for passwords or 2FA.

Discord accounts with Nitro subscriptions, server admin roles, or connections to valuable communities fetch significant prices on cybercrime markets.

Cryptocurrency Wallets

  • Browser extension wallets (MetaMask, Phantom, Coinbase Wallet)
  • Desktop wallet files (Exodus, Electrum, Atomic Wallet)
  • Seed phrase detection in clipboard content

System Information

  • Screenshot of the desktop at time of execution
  • System specifications (OS, CPU, GPU, RAM)
  • Installed applications list
  • IP address and geolocation
  • Windows product key

Gaming Clients

  • Steam session tokens
  • Minecraft session data
  • Roblox cookies

Other Applications

  • VPN credentials and configuration files
  • FTP client credentials (FileZilla)
  • Email client credentials

How Stealerium Delivers Its Payload

Collected data is assembled into a ZIP archive and exfiltrated via:

  • Discord Webhooks: The most common method. The attacker creates a Discord server, creates a webhook URL, and hardcodes it into the compiled executable. Stolen data arrives as Discord messages with file attachments.
  • Telegram Bot API: Alternative delivery using a Telegram bot token and chat ID.

Both delivery methods are problematic to block because they use legitimate platforms (discord.com, api.telegram.org) that most firewalls and web filters allow.

How Stealerium Is Distributed

Like most infostealers, Stealerium reaches victims through:

  • Fake software downloads: Game cheats, cracked software, mods distributed via Discord servers, YouTube descriptions, or forums
  • Malspam: Email attachments disguised as invoices or shipping notifications
  • Malvertising: Sponsored search results directing to fake software download pages
  • Discord DMs: Direct messages within gaming communities offering "free" tools

Why Open-Source Malware Matters

The GitHub availability of Stealerium's source code has several implications:

  1. Mass proliferation: Anyone can compile it without understanding the code
  2. Rapid modification: Attackers trivially change strings, add capabilities, or repack to evade signature detection
  3. No infrastructure required: Discord and Telegram handle data exfiltration — no server to set up or maintain
  4. Attribution difficulty: Dozens of similar variants make tracking specific campaigns harder

Defense Against Stealerium and Similar Infostealers

For Individuals

  • Use a password manager with a master password — stolen browser-stored passwords are a primary Stealerium target
  • Enable hardware security keys (FIDO2) where possible; cookie theft can still bypass standard 2FA but not hardware keys
  • Use a dedicated browser profile for crypto activities, separate from general browsing
  • Never install game cheats, "free" premium tools, or cracked software

For Organizations

  • Block or monitor Discord webhook outbound traffic — legitimate business applications rarely use Discord webhooks
  • Deploy EDR/XDR with behavioral detection for credential file access patterns
  • Enable Credential Guard on Windows to protect LSASS-stored credentials
  • Implement data loss prevention (DLP) monitoring for bulk file access and archiving behavior

FAQ

Is Stealerium still being distributed?
The original GitHub repository was removed, but derivatives continue to circulate on dark web forums and repackaged as new tools. The techniques remain relevant across many active infostealers.

Can antivirus detect Stealerium?
The original compiled builds are now widely detected. Modified or repacked versions may initially evade detection — behavioral EDR tools are more reliable.

If Discord tokens are stolen, can I recover my account?
Yes — regenerating your Discord token (by changing your password) invalidates stolen tokens. Enable 2FA on your Discord account immediately after a suspected compromise.

Does Stealerium only target Windows?
Yes — it's a .NET application targeting Windows environments.


This article is published by ScamSandbox to help users understand and avoid malware threats and online scams.

Sc

ScamSandbox Team

Cybersecurity Expert at ScamSandbox

Share: