
Stealerium Unmasked: Inside a Multi-Lure, Multi-Stage Stealer Campaign

In this investigation, we tracked a malware spam campaign that ultimately delivers Stealerium, a modular .NET infostealer with a broad feature set: credential theft, keylogging, file grabbing, webcam capture, clipboard hijacking, and Telegram‑assisted operator notifications and exfiltration.

The campaign’s most important characteristic, however, is not novelty in any single technique, but operational reuse. Across multiple lure themes and various front‑end delivery chains, the actors repeatedly converged on the same execution core and the same Stealerium payload.

What changes over time is the front door. Early variants followed a direct path: a password‑protected ZIP archive leads to a malicious SVG that instructs the victim to run a PowerShell one‑liner (ClickFix), which stages an HTA and script‑based loaders. Later variants add a credential‑harvesting detour (a phishing HTML page) and fallback logic that can switch between HTA, EXE, DLL, and PowerShell‑only retrieval paths while still ending at the same Stealerium build. This evolution reveals an intent to maximize value per interaction by collecting credentials and improving execution reliability without rebuilding the backend.

 

Campaign Evolution

The campaign progressed in two major phases: a relief fund-themed lure, followed by a corporate reward lure. While the final Stealerium payload remained consistent, later campaigns introduced credential harvesting and fallback mechanisms.

Initial Campaign: Relief Fund-Themed Lure

Figure 1. Infection chain observed in the initial relief fund-themed campaign.

The initial wave impersonated a government relief fund notification. The email used an authoritative tone and branding elements to create urgency and legitimacy, then provided a password‑protected ZIP file. Supplying the ZIP password in the email was not just convenient; it increased the chance a user would open the file and reduced the odds of automated inspection of the archive’s contents.

Figure 2. Relief fund-themed phishing email impersonating the U.S. Department of State, using Federal seals and legal language to induce urgency.

Inside the ZIP file is a malicious SVG that convincingly imitates a Chrome update or crash prompt. The SVG does not exploit the browser. Instead, it tells the user to manually copy a PowerShell command and run it through the Windows Run dialog or a command prompt. This matches the ClickFix pattern where execution is user initiated and occurs outside the browser sandbox. That single step can bypass many controls that mainly target clickable links, macro-enabled documents, or direct payload downloads.


Figure 3. Malicious SVG rendered in the browser, displaying a fake Chrome update and embedding a ClickFix PowerShell command; reused across campaigns.

The PowerShell one‑liner downloads an HTA file into %TEMP% and launches it with mshta.exe. From there, the campaign shifts into a native‑tooling chain:

• The HTA stage shows a decoy “installing updates” interface while scripts run in the background.

Figure 4. HTA interface disguised as an installer pane during staging.

• An embedded VBScript reduces visibility (for example, by resizing the window), performs lightweight anti-analysis checks, decodes additional script content, and writes the next PowerShell loader to disk, commonly as update.ps1.


Figure 5. An embedded VBScript performing quick anti-analysis and debugger checks before staging the PowerShell loader.

• The PowerShell loader performs deeper environmental checks, retrieves the final payload, and executes Stealerium primarily through in-memory, reflective .NET loading.

Figure 6. The PowerShell script checks the environment before execution.

In this phase, all stages were retrieved from a single command-and-control (C2) host, 31[.]57[.]147[.]77:6464. This consistency later becomes a useful pivot: lure themes change, but delivery infrastructure and the payload remain stable.

Succeeding Campaign: Executive Award-Themed Lure

Figure 7. Infection chain observed in the executive award-themed campaign.

As the campaign developed, the lure shifted from government relief to corporate reward themes aimed at senior personnel, such as executive recognition and gift card claims. A key change is that the password-protected ZIP file does not always drop the SVG directly. Instead, it can deliver an intermediate phishing HTML page that harvests credentials and then routes the victim back into the same SVG ClickFix execution path.

Figure 8. Executive reward-themed gift card lure demonstrating campaign evolution from government to corporate social engineering.


The intermediate page imitates a webmail login portal and is designed to look personalized. It prefills the victim’s email address, applies branding that matches the victim organization’s domain, and may try to load the organization’s homepage as a background image using third-party screenshot services. Each password attempt is sent to an operator-controlled Telegram bot along with basic host context such as IP address, time, user agent, and referrer. The page typically shows repeated incorrect password messages to normalize multiple attempts and keep the user engaged, then pivots to an account verification prompt that pushes the victim into the next stage.

Figure 9. A fake login portal harvesting credentials to a Telegram bot.

Figure 10. This prompt is used to transition victims from credential harvesting to downloading the malicious SVG.

The download action relies on HTML smuggling. The SVG is embedded in the HTML as a Base64 blob, rebuilt locally by the browser, and saved without a direct network request for an SVG file.

This reduces network visibility while still steering the victim down the same user-assisted ClickFix execution path.
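The smuggling pattern described above leaves traces in the page source even though nothing is fetched over the network: a large Base64 literal, a client-side decode, and a Blob handed to an anchor with a download attribute. The following scanner is an added example written for this article, not code from LevelBlue or the campaign; it builds its own small smuggling page (with a constructed SVG payload) plus a benign control page, scores each page for those traits, and decodes any embedded blob to see what kind of file it would have written. The API list, score weights and the 100-character literal floor are assumptions chosen so the constructed sample triggers; real payloads are far larger.

```python
import base64
import re

# Constructed sample: a minimal HTML-smuggling page of the kind described above. The
# Base64 blob is an SVG we build here ourselves; nothing is fetched from the network.
SMUGGLED_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg"><text>Chrome update required</text>'
    b'<script>/* placeholder active content */</script></svg>'
)
SAMPLE_HTML = """<html><body>
<button onclick="go()">Verify account</button>
<script>
function go() {
  var b64 = "%s";
  var bin = atob(b64);
  var bytes = new Uint8Array(bin.length);
  for (var i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
  var blob = new Blob([bytes], {type: "image/svg+xml"});
  var a = document.createElement("a");
  a.href = URL.createObjectURL(blob);
  a.download = "Chrome_Update.svg";
  a.click();
}
</script></body></html>""" % base64.b64encode(SMUGGLED_SVG).decode()

# Constructed benign control page: an ordinary link to a server-hosted file.
BENIGN_HTML = '<html><body><p>Quarterly report</p><a href="/report.pdf">Download</a></body></html>'

# Browser APIs that let a page materialise a file client-side without a request for
# that file. Any one alone is common; several together plus a large literal is not.
SMUGGLING_APIS = {
    "atob": re.compile(r"\batob\s*\("),
    "Blob": re.compile(r"new\s+Blob\s*\("),
    "createObjectURL": re.compile(r"URL\.createObjectURL\s*\("),
    "download-attr": re.compile(r"\.download\s*="),
    "msSaveOrOpenBlob": re.compile(r"msSaveOrOpenBlob"),
}

# Quoted Base64 literal. 100 chars is a deliberately low floor so the constructed
# sample triggers; tune upward in production, where smuggled payloads are kilobytes.
B64_LITERAL = re.compile(r"""["']([A-Za-z0-9+/]{100,}={0,2})["']""")


def classify(data: bytes) -> str:
    """Sniff what a decoded blob is, from its first bytes."""
    head = data.lstrip()[:512]
    if head.startswith(b"MZ"):
        return "pe"
    if head.startswith(b"PK\x03\x04"):
        return "zip"
    low = head.lower()
    if b"<svg" in low:
        return "svg"
    if b"<html" in low or b"<script" in low:
        return "html"
    return "unknown"


def scan_html(html: str) -> dict:
    """Score a page for HTML-smuggling traits and decode any embedded blobs."""
    apis = [name for name, rx in SMUGGLING_APIS.items() if rx.search(html)]
    blobs = []
    for m in B64_LITERAL.finditer(html):
        try:
            data = base64.b64decode(m.group(1), validate=True)
        except ValueError:  # binascii.Error is a ValueError: not real Base64, skip it
            continue
        blobs.append({
            "size": len(data),
            "kind": classify(data),
            # a script element inside a smuggled SVG/HTML is the ClickFix tell
            "has_script": b"<script" in data.lower(),
        })
    # one point per smuggling API seen, two per blob that decodes to a recognised file
    score = len(apis) + 2 * sum(b["kind"] != "unknown" for b in blobs)
    return {"apis": apis, "blobs": blobs, "score": score, "suspicious": score >= 3}


if __name__ == "__main__":
    for label, page in (("sample", SAMPLE_HTML), ("benign", BENIGN_HTML)):
        print(label, scan_html(page))
```

Run against a mail gateway's HTML attachments, this gives a reviewer both the verdict and the decoded artifact type; a page whose blob decodes to an SVG that itself contains a script element is exactly the lure-to-ClickFix handoff this campaign relies on.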

Figure 11. The same ClickFix-based SVG technique is reused in the latest iteration of this campaign that uses a different lure; in this variant, the PowerShell commands are delivered in encoded form.

In a later phase, the ClickFix PowerShell became more flexible. Based on our observations, instead of a single fixed command, the initial instruction can pull a secondary command set from a getcmd endpoint. That second-stage script uses nested try-catch fallback logic: if one execution method fails because mshta is blocked, script restrictions apply, or the network is temporarily unavailable, the loader switches to an alternate method.

Figure 12. The getcmd code selects the next loader path and initiates fallback execution.

Observed fallback paths converge on the same Stealerium payload:

/gethta: downloads an HTA to %TEMP% and executes it with mshta.exe, matching the initial campaign pattern.

/getexe: downloads a standalone executable build to disk and runs it.

/getdll: downloads a Stealerium DLL and invokes its entry point in memory using .NET reflection.

/getps: downloads a compressed DLL, decompresses it in memory with GZipStream, loads it reflectively, and invokes Stealerium.Stub.Program.Main.

Figure 13. PowerShell script retrieving a compressed Stealerium DLL.

/getbatch: a batch or inline PowerShell path that acts as a last-resort wrapper and triggers the same compressed DLL routine.

The key observation is that payload diversity stays low while delivery resilience stays high. The actor is building many ways to run the same payload rather than deploying many different payloads.

 

Common Execution Core

Across both phases, three design choices remain consistent.

1. Email to password-protected ZIP as a reliable entry point

Campaigns start with phishing emails that borrow trust from compromised third-party domains and use authoritative business style messaging. The goal is the consistent delivery of a password-protected ZIP, which evades automated inspection and forces manual user interaction because the password is part of the lure.

2. User-driven execution via ClickFix

The SVG acts as a social engineering delivery vehicle for a PowerShell launcher. Pushing execution onto the user removes the need for exploits and sidesteps many controls that focus on links, macros, or browser sandbox activity.

3. Native Windows tooling plus fileless loading

Native tools such as mshta.exe, VBScript, and PowerShell bridge the victim from an opened file to in-memory .NET assembly execution. Decoy UI elements, such as fake update progress interfaces, buy time while scripts stage the next steps.

This separation of a flexible lure from a stable execution core is an operational advantage. The actor can change themes and targeting quickly while keeping infrastructure, loaders, and payload largely unchanged.

 

Inside the Stealerium Infostealer

Stealerium is an open source, modular framework. In practice, operators can recompile and tune builds quickly, so superficial strings and minor behaviors may change while the same module families and execution flow remain consistent.

In the analyzed build, runtime behavior follows a standard lifecycle: initialization, evasion, collection, exfiltration and persistence.

Figure 14. Decompiled Stealerium stub and entrypoint.

1. Environment checks and stability gating

The malware performs basic checks to avoid sandboxes or unstable hosts and can terminate early when conditions appear unfavorable.

2. Evasion and interference

Stealerium uses pragmatic evasion such as AMSI (Antimalware Scan Interface) bypass and ETW (Event Tracing for Windows) suppression to reduce script and in-memory telemetry. It also includes opportunistic KillAV logic to terminate known security processes where self-protection is weak. These are not reliable against well-configured EDR, but they can increase dwell time in less mature environments.

Figure 15. AV product process enumeration and termination attempt during execution.

3. Runtime behavior configuration

This Stealerium build is configured with all core infostealer modules enabled, including keylogging, file grabbing, clipboard hijacking, and webcam capture. The ransomware component is also present in the codebase; it is designed to be operator-triggered via a C2 command, enabling on-demand file encryption and ransom note creation when the operator chooses to activate it.

Figure 16. Stealerium runtime behavior config.

While the broader configuration governs core runtime settings and operational defaults, several of the most security-relevant values are stored as encrypted strings and only become readable after runtime decryption.

Notable strings:

C2 key: StealeriumC2SecretKey123

Encrypted redirect URL: hxxps://login[.]verify[.]monksmeets[.]com/tpjFIejZ

Unlike many redirect strings that serve as passive fallback links, this URL is integrated into a dedicated interactive social-engineering routine. When invoked, the malware presents a Windows Forms dialog titled “Microsoft Office - Verification Required” with a short verification prompt and Verify/Cancel buttons. Selecting Verify launches the configured URL via Process.Start(..., UseShellExecute = true), handing off to the victim’s default browser.

Taken together, the encrypted redirect URL serves as an indicator and operational pivot, enabling a built-in credential re-verification lure that allows the campaign to shift from passive theft to active phishing without additional tooling.

4. Collection modules

Enabled modules in this campaign support three outcomes: account takeover, theft of high-value files and secrets, and direct financial diversion.

• Credential and session theft from browsers and selected applications, including passwords, cookies and session tokens, and autofill or payment artifacts.

• File grabbing from user accessible locations, targeting office documents, archives, wallet or vault artifacts, and source or project files.

• Keylogging and clipboard monitoring, including crypto address clipping that replaces copied wallet addresses with actor-controlled addresses.

• Optional screenshot or webcam capture for identity and context.

• Optional propagation via shares or removable media to expand from one host into wider internal exposure where controls are weak.

5. Exfiltration and C2

Stealerium uses a hybrid model that separates command-and-control (C2) coordination from operator notifications and bulk data delivery.

Dropper-embedded C2 URLs handle initial control logic, payload staging, and campaign coordination. In this build, the primary C2 endpoint is hxxps://c2-rpxl[.]onrenderp[.]com.

Telegram is used for execution status, victim summaries, alerts, and link delivery, while cloud file hosts carry larger artifacts that are impractical to send via chat APIs. The codebase explicitly supports GoFile via a dedicated uploader to push ZIP archives (stolen files, logs, screenshots, media), then relays the resulting download URLs back to the operator over Telegram.

This separation reduces infrastructure requirements, bypasses size limits, and blends exfiltration into legitimate hosting traffic, improving resilience against takedowns and single-point failures.

6. Persistence

Observed persistence is logon-triggered and often operates at the user level.

• Registry Run Key

Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Value: Stealerium

Data: <InstallFile>

• In addition to registry persistence, the malware copies itself into the user Startup folder. This ensures execution during interactive user logon without requiring administrative privileges.

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\<payload-name>.exe

• If running with administrative privileges, the malware also attempts to create a scheduled task for persistence:

schtasks /create /tn "StealeriumTask" /tr "<InstallFile>" /sc onlogon /rl highest /f

 

Conclusion

This Stealerium campaign highlights the ongoing use of multi-stage, user-driven infection chains that blend social engineering with native Windows tooling. Across observed campaigns, operators consistently paired password-protected archives and evolving lure themes with SVG-based ClickFix execution, HTA and PowerShell loaders, and reflective in-memory payload delivery to reliably deploy the same Stealerium backend.

This separation of front-end lures from a stable execution core enables rapid retargeting without changing the underlying delivery chain. The addition of credential harvesting, HTML smuggling, resilient fallback loaders, and an operator-triggered ransomware module shows a design built to support data theft, follow-on phishing, and potential extortion.

Organizations should maintain strong visibility into multi-stage phishing workflows that rely on manual user interaction rather than exploits. Monitoring for abuse of script interpreters, HTA execution, and reflective loading behaviors, combined with continued awareness of evolving social engineering lures, can help defenders disrupt campaigns that prioritize operational reuse and staged execution over malware novelty.
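The monitoring recommendation above, together with the native-tooling chain (PowerShell one-liner to mshta.exe to an HTA in %TEMP% to a reflective .NET loader), the Telegram/GoFile exfiltration model, and the three persistence mechanisms listed earlier, translates into a handful of host-telemetry rules. The code below is an added example written for this article, not a LevelBlue detection or anything shipped with the campaign. It assumes a simplified Sysmon-like event shape (process create, registry value set, file create, network connect) and runs the rules over constructed sample events; the username, file names and the "PLACEHOLDER-C2" host are placeholders, while the Run-key value name and scheduled task name are the ones the report lists.

```python
# Constructed sample telemetry in a Sysmon-like shape. Usernames, file names and the
# C2 host are placeholders; the Run-key value name and task name are from the report.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Users\alice\AppData\Local\Temp\update.hta",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": ('powershell -w hidden -ep bypass -c "$ms=New-Object IO.MemoryStream;'
                 '(New-Object IO.Compression.GZipStream($raw,[IO.Compression.CompressionMode]'
                 '::Decompress)).CopyTo($ms);[Reflection.Assembly]::Load($ms.ToArray())'
                 '.EntryPoint.Invoke($null,$null)"'),
     "parent": r"C:\Windows\System32\mshta.exe"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "Stealerium", "data": r"C:\Users\alice\AppData\Roaming\svc.exe"},
    {"type": "file",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svc.exe"},
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": ('schtasks /create /tn "StealeriumTask" /tr "C:\\Users\\alice\\AppData\\Roaming'
                 '\\svc.exe" /sc onlogon /rl highest /f'),
     "parent": r"C:\Users\alice\AppData\Roaming\svc.exe"},
    {"type": "network", "image": r"C:\Users\alice\AppData\Roaming\svc.exe",
     "host": "api.telegram.org"},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe",   # benign control
     "cmdline": "notepad.exe notes.txt", "parent": r"C:\Windows\explorer.exe"},
]

# Terms that, in combination, mark the download / decompress / reflective-load cradle.
PS_LOADER_TERMS = ("frombase64string", "gzipstream", "reflection.assembly", "::load(",
                   "invoke-expression", "iex ", "downloadstring", "-encodedcommand",
                   " -enc ", "-w hidden")
EXFIL_HOSTS = ("api.telegram.org", "gofile.io")
BROWSERS = ("chrome.exe", "msedge.exe", "firefox.exe")
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run"
STARTUP_DIR = "\\start menu\\programs\\startup\\"


def detect(events):
    """Return (rule, event_index) pairs for events matching the chain described above."""
    hits = []
    for i, ev in enumerate(events):
        kind = ev["type"]
        if kind == "process":
            image = ev["image"].lower()
            cmd = ev["cmdline"].lower()
            parent = ev.get("parent", "").lower()
            # HTA launched from the user temp directory, as the ClickFix one-liner does
            if image.endswith("mshta.exe") and ".hta" in cmd and ("\\temp\\" in cmd or "%temp%" in cmd):
                hits.append(("mshta_temp_hta", i))
            if image.endswith(("powershell.exe", "pwsh.exe")):
                # the HTA's VBScript stage handing off to the PowerShell loader
                if parent.endswith(("mshta.exe", "wscript.exe", "cscript.exe")):
                    hits.append(("script_host_spawned_powershell", i))
                # require two or more cradle terms together, not any single one
                if sum(term in cmd for term in PS_LOADER_TERMS) >= 2:
                    hits.append(("ps_reflective_loader", i))
            if image.endswith("schtasks.exe") and "/create" in cmd and "onlogon" in cmd:
                hits.append(("schtasks_onlogon_persistence", i))
        elif kind == "registry" and ev["key"].lower().endswith(RUN_KEY):
            # value name is operator-tunable, so key the rule on the Run path, not the name
            hits.append(("run_key_persistence", i))
        elif kind == "file":
            path = ev["path"].lower()
            if STARTUP_DIR in path and path.endswith(".exe"):
                hits.append(("startup_folder_persistence", i))
        elif kind == "network":
            # chat-API / file-host traffic is normal from a browser, not from a loose binary
            if ev["host"].lower() in EXFIL_HOSTS and not ev["image"].lower().endswith(BROWSERS):
                hits.append(("exfil_host_from_nonbrowser", i))
    return hits


if __name__ == "__main__":
    for rule, idx in detect(SAMPLE_EVENTS):
        print(f"{rule:32} event[{idx}] {SAMPLE_EVENTS[idx]['type']}")
```

Each rule is weak on its own (mshta.exe, Run keys and onlogon tasks all have legitimate uses), so the value comes from correlating several hits on one host within a short window: an HTA from %TEMP% followed by a PowerShell cradle and then a Run-key write is the sequence this campaign produces regardless of which lure or fallback path was used.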

 

Indicators of Compromise (IoCs)

Stealerium IoCs
Stealerium IoCs - Networks

 

About the Author

Bernard Bautista is Security Researcher, SpiderLabs at LevelBlue, where he specializes in email and malware analysis. He focuses on improving the security posture of customers by analyzing email-borne threats and developing detection mechanisms to protect against emerging cyber threats. Follow Bernard on LinkedIn.
