Stealerium Malware Adds Automated Sextortion via Webcam

Automated Sextortion Spyware Takes Webcam Pics of Victims Watching Porn

Key Points

  • Stealerium is an open‑source infostealer hosted on GitHub.
  • It steals typical data such as passwords, banking details and crypto keys.
  • A new module automatically captures webcam photos and browser screenshots when a victim visits pornographic sites.
  • The malware is distributed via phishing emails with malicious attachments or links.
  • Targeted sectors include hospitality, education and finance.
  • The developer, known as witchfindertr, claims the tool is for “educational purposes only.”
  • Proofpoint observed the sextortion feature being used in active campaigns.
  • The feature enables potential blackmail of individual victims.

Security researchers at Proofpoint have identified a new variant of the open‑source infostealer known as Stealerium that automatically captures webcam photos and browser screenshots when a victim visits pornographic sites. The malware, distributed freely on GitHub by a developer calling themselves witchfindertr, steals typical data such as passwords and crypto keys while also adding a humiliating sextortion feature. Proofpoint observed the tool being used in phishing campaigns targeting hospitality, education and finance sectors. The discovery highlights a shift toward low‑profile, individual‑targeted extortion by cybercriminals.

Background

Proofpoint first encountered Stealerium in large volumes of phishing email traffic, where malicious attachments or links were used to lure victims into installing the program. The campaigns targeted users in hospitality, education and finance, though the researchers noted that individual users outside corporate environments were also likely affected.

Malware Capabilities

Stealerium retains the standard infostealer functions: it collects usernames, passwords, banking credentials and cryptocurrency wallet keys, then exfiltrates the data via services such as Telegram, Discord or SMTP. The distinctive addition is an automated sextortion module. The malware monitors the victim’s web browser for URLs containing pornography‑related terms. When a match is found, it simultaneously captures a screenshot of the browser tab and a photo from the victim’s webcam, forwarding both images to the attacker. This enables criminals to potentially blackmail victims with evidence of them viewing adult content.
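One way a defender could hunt for the behaviour described above, as an added example that is not from Proofpoint or the original article: it correlates webcam access with traffic to the exfiltration channels named here (Telegram, Discord, SMTP) by the same unapproved process. The telemetry records, field names, process names and the approved-application list are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed endpoint telemetry (not real logs). Field names, host names and
# process names are assumptions made for this example.
EVENTS = [
    {"ts": "2025-01-10T09:00:05", "host": "WS-01", "proc": "chrome.exe", "type": "camera"},
    {"ts": "2025-01-10T09:00:09", "host": "WS-01", "proc": "chrome.exe", "type": "net", "dest": "discord.com", "port": 443},
    {"ts": "2025-01-10T10:15:02", "host": "WS-02", "proc": "invoice_viewer.exe", "type": "camera"},
    {"ts": "2025-01-10T10:15:04", "host": "WS-02", "proc": "invoice_viewer.exe", "type": "net", "dest": "api.telegram.org", "port": 443},
    {"ts": "2025-01-10T11:00:00", "host": "WS-03", "proc": "backup_agent.exe", "type": "net", "dest": "mail.example.com", "port": 587},
    {"ts": "2025-01-10T12:00:00", "host": "WS-04", "proc": "scanner_tool.exe", "type": "camera"},
    {"ts": "2025-01-10T12:30:00", "host": "WS-04", "proc": "scanner_tool.exe", "type": "net", "dest": "api.telegram.org", "port": 443},
]

# Channels the article names for exfiltration: Telegram, Discord, SMTP.
EXFIL_HOSTS = {"api.telegram.org", "discord.com", "discordapp.com"}
SMTP_PORTS = {25, 465, 587}
# Assumed allow-list of applications expected to use the camera. Matching on
# process name alone is weak; a real deployment would match signer or hash.
APPROVED = {"chrome.exe", "msedge.exe", "firefox.exe", "teams.exe", "zoom.exe"}
WINDOW = timedelta(seconds=60)


def is_exfil(ev):
    """True for a network event to a messaging API host or an SMTP port."""
    return ev["type"] == "net" and (
        ev.get("dest") in EXFIL_HOSTS or ev.get("port") in SMTP_PORTS
    )


def find_suspects(events, window=WINDOW):
    """Return sorted (host, process) pairs where an unapproved process opened
    the camera and contacted an exfil channel within `window` of each other."""
    cams, nets = {}, {}
    for ev in events:
        proc = ev["proc"].lower()
        if proc in APPROVED:
            continue
        key, ts = (ev["host"], proc), datetime.fromisoformat(ev["ts"])
        if ev["type"] == "camera":
            cams.setdefault(key, []).append(ts)
        elif is_exfil(ev):
            nets.setdefault(key, []).append(ts)
    return sorted(
        key for key, cam_ts in cams.items()
        if any(abs(n - c) <= window for c in cam_ts for n in nets.get(key, []))
    )


if __name__ == "__main__":
    print(find_suspects(EVENTS))
```

Neither signal is conclusive alone: SMTP traffic or camera use by itself is common, so the rule only fires when both come from the same unapproved process close together in time.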

Distribution and Attribution

The tool is distributed as a free, open‑source package on GitHub, making it readily accessible to low‑skill threat actors. The developer’s GitHub profile claims a location in London and explicitly disclaims responsibility for any illegal use. Proofpoint’s researchers noted that the sextortion feature appears customisable, allowing attackers to define the list of trigger keywords.

Impact and Industry Response

While Proofpoint has not identified specific victims of the sextortion function, the presence of the feature suggests it has likely been employed in ongoing campaigns. The addition of automated webcam capture marks a departure from traditional, manually‑executed sextortion scams and reflects a broader trend of cybercriminals focusing on individual extortion rather than large‑scale ransomware attacks. Security firms advise users to be cautious of unsolicited email attachments or links and to maintain up‑to‑date anti‑malware defenses.
