Automated Sextortion Threat: Spyware Captures Webcam Images During NSFW Browsing


A disturbing new strain of “infostealer” malware has emerged, escalating the threat of cybercrime by automating a particularly invasive form of sextortion. This sophisticated spyware actively monitors a user’s web browser for adult content, then simultaneously captures screenshots of the activity and candid photos of the victim via their webcam. This represents a significant and unsettling advancement in digital privacy invasion.

Stealerium: A New Level of Digital Espionage

Security researchers at Proofpoint recently published an in-depth analysis of this open-source malware variant, dubbed Stealerium. Since May of this year, Proofpoint has observed Stealerium being deployed in numerous cybercriminal campaigns, making it a growing concern for online security.

Like other infostealers, Stealerium is designed to infiltrate a target’s computer and siphon off a wide array of sensitive data, including crucial banking information, usernames, passwords, and cryptocurrency wallet keys. However, Stealerium introduces a uniquely humiliating feature:

  • It meticulously monitors the victim’s browser for web addresses containing specific NSFW keywords.
  • Upon detection, it immediately takes screenshots of the active browser tabs.
  • Crucially, it simultaneously activates the victim’s webcam, capturing photos of them while they are viewing that content.
  • All these images are then clandestinely transmitted to the hacker, providing potent material for blackmail and exploitation.

“When it comes to infostealers, they typically are looking for whatever they can grab,” explains Selena Larson, one of the Proofpoint researchers involved in the analysis. “This adds another layer of privacy invasion and sensitive information that you definitely wouldn’t want in the hands of a particular hacker.” Larson starkly added, “It’s gross. I hate it.”

How the Malware Spreads and Operates

Proofpoint uncovered Stealerium in tens of thousands of emails orchestrated by at least two distinct hacker groups, along with various other email-based cyberattack campaigns. Interestingly, Stealerium is distributed as a free, open-source tool readily available on GitHub. Its developer, known as “witchfindertr” and described as a “malware analyst” based in London, controversially states on the page that the program is for “educational purposes only,” disclaiming any responsibility for its misuse.

Cybercriminals typically lure victims into downloading and installing Stealerium through deceptive tactics, such as fake payment requests or fraudulent invoices delivered via email attachments or malicious web links. While Proofpoint’s monitoring tools primarily track corporate targets, the malware has been observed targeting entities within the hospitality, education, and finance sectors, suggesting a broader reach that likely includes individual users outside these industries.

Once installed, Stealerium employs standard infostealer methods to exfiltrate stolen data, transmitting it to hackers via services like Telegram, Discord, or the SMTP protocol. The automated sextortion feature, however, is what truly sets it apart. It scans browser URLs for a customizable list of pornography-related terms (e.g., “sex,” “porn”) and, on a match, triggers the simultaneous capture of a webcam photo and a browser screenshot. Although Proofpoint has not yet identified specific victims of this sextortion function, its very existence strongly implies its deployment in real-world attacks.
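For defenders, the exfiltration channels named above suggest a simple egress check: flag any program other than an expected browser, chat, or mail client that connects to Telegram, Discord, or an SMTP port. The sketch below is an added example, not code from Proofpoint or from the malware. The log format, process names, paths, and allowlist are constructed assumptions, and the hostnames are the public endpoints of those services.

```python
import csv
from io import StringIO

# Constructed sample events: timestamp, process image, destination host, port.
SAMPLE_LOG = r"""
2025-01-01T10:00:01,C:\Program Files\Google\Chrome\Application\chrome.exe,discord.com,443
2025-01-01T10:00:07,C:\Users\a\AppData\Local\Temp\invoice_viewer.exe,api.telegram.org,443
2025-01-01T10:00:09,C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE,smtp.example.com,587
2025-01-01T10:00:12,C:\Users\a\AppData\Local\Temp\invoice_viewer.exe,smtp.example.com,587
2025-01-01T10:00:15,C:\Windows\System32\svchost.exe,update.example.com,443
2025-01-01T10:00:20,C:\Users\a\AppData\Roaming\updater.exe,cdn.discordapp.com,443
"""

# Public service hosts for the channels the article names.
EXFIL_HOSTS = {"api.telegram.org": "Telegram Bot API",
               "discord.com": "Discord", "discordapp.com": "Discord"}
SMTP_PORTS = {25, 465, 587}
# Assumed allowlist: programs expected to use these channels on this host.
ALLOWED_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe",
                  "discord.exe", "outlook.exe", "thunderbird.exe"}

def image_name(path):
    """Lower-cased file name of a Windows or POSIX process path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def flag_exfil_candidates(log_text, allowed=ALLOWED_IMAGES):
    """Return (timestamp, image, host, port, channel) for unexpected senders."""
    findings = []
    for ts, image, host, port in csv.reader(StringIO(log_text.strip())):
        name = image_name(image)
        if name in allowed:
            continue
        host = host.lower().rstrip(".")
        # Match the service host itself or any subdomain of it.
        channel = next((label for h, label in EXFIL_HOSTS.items()
                        if host == h or host.endswith("." + h)), None)
        if channel is None and int(port) in SMTP_PORTS:
            channel = "SMTP"
        if channel:
            findings.append((ts, name, host, int(port), channel))
    return findings

if __name__ == "__main__":
    for finding in flag_exfil_candidates(SAMPLE_LOG):
        print(finding)
```

Matching on file name alone is easy to evade, so a production rule should compare the full image path and code-signing publisher instead.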

An Unprecedented Automated Threat

While manual sextortion, often involving tricking or coercing victims into sharing explicit content, has long been a disturbing element of cybercrime, the automated nature of Stealerium’s webcam surveillance during private browsing is “pretty much unheard of,” according to Proofpoint researcher Kyle Cucci. He notes that the only comparable instance involved a 2019 malware campaign targeting French-speaking users, discovered by ESET.

This shift towards automated individual sextortion may signify a broader trend among certain cybercriminal factions, particularly lower-tier groups. They appear to be moving away from highly visible, large-scale ransomware campaigns and botnets that tend to attract intensive law enforcement scrutiny. Instead, they are opting for tactics that allow them to monetize individuals one at a time, often targeting those who might be too ashamed or embarrassed to report such deeply personal privacy violations to authorities.

“For a hacker, it’s not like you’re taking down a multimillion-dollar company that is going to make waves and have a lot of follow-on impacts,” Larson explains, contrasting these tactics with the demands of seven-figure ransoms from corporations. “They’re trying to monetize people one at a time. And maybe people who might be ashamed about reporting something like this.”
