Stealerium Malware: The Open-Source Infostealer Targeting Passwords, Tokens, and Crypto
Table of Contents
The rise of open-source malware represents a troubling shift in the threat landscape. When malicious code is freely available on GitHub, it dramatically lowers the barrier for would-be cybercriminals â they no longer need development skills, just the ability to compile and distribute. Stealerium is one of the most visible examples: a fully featured infostealer whose source code was publicly available on GitHub until the repository was taken down.
What Is Stealerium?¶
Stealerium is an open-source credential-stealing malware written in C# (.NET). First identified by security researchers in 2022, it was available on GitHub as a "demonstration" or "educational" project â a thin legal disclaimer that fooled no one. The codebase provided everything needed to harvest credentials, tokens, and files from Windows systems and deliver them to a Discord webhook or Telegram bot.
Because the source was open, Stealerium spawned dozens of derivatives and modifications. Security researchers began tracking variants under names like Stealerium-mod, Stealerium-reborn, and various rebranded versions.
What Stealerium Steals¶
The breadth of Stealerium's data collection is what made it particularly dangerous:
Browser Credentials and Data¶
- Saved passwords from Chrome, Firefox, Edge, Opera, Brave, and other Chromium/Firefox-based browsers
- Saved credit card numbers and autofill data
- Browser cookies (enabling session hijacking without passwords)
- Browsing history
Discord Tokens¶
One of Stealerium's most targeted data types is Discord tokens â the authentication tokens stored locally by the Discord desktop app. Stolen tokens allow immediate account takeover without the need for passwords or 2FA.
Discord accounts with Nitro subscriptions, server admin roles, or connections to valuable communities fetch significant prices on cybercrime markets.
Cryptocurrency Wallets¶
- Browser extension wallets (MetaMask, Phantom, Coinbase Wallet)
- Desktop wallet files (Exodus, Electrum, Atomic Wallet)
- Seed phrase detection in clipboard content
System Information¶
- Screenshot of the desktop at time of execution
- System specifications (OS, CPU, GPU, RAM)
- Installed applications list
- IP address and geolocation
- Windows product key
Gaming Clients¶
- Steam session tokens
- Minecraft session data
- Roblox cookies
Other Applications¶
- VPN credentials and configuration files
- FTP client credentials (FileZilla)
- Email client credentials
How Stealerium Delivers Its Payload¶
Collected data is assembled into a ZIP archive and exfiltrated via:
- Discord Webhooks: The most common method. The attacker creates a Discord server, creates a webhook URL, and hardcodes it into the compiled executable. Stolen data arrives as Discord messages with file attachments.
- Telegram Bot API: Alternative delivery using a Telegram bot token and chat ID.
Both delivery methods are problematic to block because they use legitimate platforms (discord.com, api.telegram.org) that most firewalls and web filters allow.
How Stealerium Is Distributed¶
Like most infostealers, Stealerium reaches victims through:
- Fake software downloads: Game cheats, cracked software, mods distributed via Discord servers, YouTube descriptions, or forums
- Malspam: Email attachments disguised as invoices or shipping notifications
- Malvertising: Sponsored search results directing to fake software download pages
- Discord DMs: Direct messages within gaming communities offering "free" tools
Why Open-Source Malware Matters¶
The GitHub availability of Stealerium's source code has several implications:
- Mass proliferation: Anyone can compile it without understanding the code
- Rapid modification: Attackers trivially change strings, add capabilities, or repack to evade signature detection
- No infrastructure required: Discord and Telegram handle data exfiltration â no server to set up or maintain
- Attribution difficulty: Dozens of similar variants make tracking specific campaigns harder
Defense Against Stealerium and Similar Infostealers¶
For Individuals¶
- Use a password manager with a master password â stolen browser-stored passwords are a primary Stealerium target
- Enable hardware security keys (FIDO2) where possible; cookie theft can still bypass standard 2FA but not hardware keys
- Use a dedicated browser profile for crypto activities, separate from general browsing
- Never install game cheats, "free" premium tools, or cracked software
For Organizations¶
- Block or monitor Discord webhook outbound traffic â legitimate business applications rarely use Discord webhooks
- Deploy EDR/XDR with behavioral detection for credential file access patterns
- Enable Credential Guard on Windows to protect LSASS-stored credentials
- Implement data loss prevention (DLP) monitoring for bulk file access and archiving behavior
FAQ¶
Is Stealerium still being distributed?
The original GitHub repository was removed, but derivatives continue to circulate on dark web forums and repackaged as new tools. The techniques remain relevant across many active infostealers.
Can antivirus detect Stealerium?
The original compiled builds are now widely detected. Modified or repacked versions may initially evade detection â behavioral EDR tools are more reliable.
If Discord tokens are stolen, can I recover my account?
Yes â regenerating your Discord token (by changing your password) invalidates stolen tokens. Enable 2FA on your Discord account immediately after a suspected compromise.
Does Stealerium only target Windows?
Yes â it's a .NET application targeting Windows environments.
This article is published by ScamSandbox to help users understand and avoid malware threats and online scams.