Threat Actors Using Stealerium Malware to Attack Educational Organizations

Educational institutions are increasingly targeted by information-stealing malware. Stealerium, first released in 2022 as an open-source project, quickly attracted attention for illicit use. Variants such as Phantom Stealer and Warp Stealer have since emerged and share substantial code with it.

These tools are accessible to attackers with minimal technical expertise, facilitating unauthorized data access. Initial campaigns impersonated entities such as banks and courthouses, but recent efforts have expanded to target the education sector. Phishing emails with urgent subject lines deliver Stealerium payloads through compressed executables, JavaScript, and disk images.

A surge in email campaigns targeting universities and K-12 networks was noted between May and July 2025, with volumes reaching tens of thousands per campaign. Once executed, Stealerium variants establish persistence using PowerShell scripts and scheduled tasks while targeting Wi-Fi profiles for credential harvesting.

Infection Mechanism and Persistence

Stealerium uses a multi-stage infection chain. The malware spawns a PowerShell loader that installs the .NET-based payload in a randomized path under AppData. It creates a mutex to prevent multiple instances from running and performs anti-analysis checks. A scheduled task provides persistence, and PowerShell scripts disable Windows Defender monitoring.

Data extraction is also more involved than in simple stealers: for example, the malware launches a headless Chrome process to extract browser data. To detect these threats, organizations should monitor for Windows Defender exclusions added through PowerShell, unusual scheduled tasks, and network connections to platforms such as Discord and Telegram.
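The following is an added example, not code from the article or from any vendor's product: a small detector that turns the behaviours described in the two paragraphs above (a PowerShell loader that adds Defender exclusions, a scheduled task pointing into AppData, headless Chrome spawned by a non-browser parent, and lookups of Discord or Telegram domains by something other than a browser) into rules run over constructed, Sysmon-style JSON events. The event field names, the user name, the task name and the `k3j9x` folder are all made up for the example; the rules are starting points to tune, not a finished signature set.

```python
"""Toy detection rules for Stealerium-like behaviour over constructed sample events.

Input: one JSON object per line, loosely modelled on Sysmon (EventID 1 process
creation, EventID 22 DNS query) and Windows Security (EventID 4698 scheduled
task created). Field names are assumptions for this example, not a parser for
any product's real schema.
"""
import json
import re

# Constructed sample telemetry. Paths, user, task name and folder are invented.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell -w hidden -ep bypass Add-MpPreference -ExclusionPath C:\\Users\\alice\\AppData\\Roaming\\k3j9x"}
{"EventID": 1, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "ParentImage": "C:\\Users\\alice\\AppData\\Roaming\\k3j9x\\svc.exe", "CommandLine": "chrome.exe --headless --user-data-dir=C:\\Users\\alice\\AppData\\Local\\Temp\\p1"}
{"EventID": 4698, "SubjectUserName": "alice", "TaskName": "\\WinUpdateCheck", "TaskCommand": "C:\\Users\\alice\\AppData\\Roaming\\k3j9x\\svc.exe"}
{"EventID": 22, "Image": "C:\\Users\\alice\\AppData\\Roaming\\k3j9x\\svc.exe", "QueryName": "discord.com"}
{"EventID": 22, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "QueryName": "discord.com"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell Get-ChildItem C:\\Temp"}
{"EventID": 4698, "SubjectUserName": "SYSTEM", "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "TaskCommand": "C:\\Windows\\System32\\defrag.exe"}
"""

# A path component under the user's AppData tree.
APPDATA_RE = re.compile(r"\\AppData\\", re.IGNORECASE)
# Defender tampering via the built-in PowerShell cmdlets: adding exclusions
# or switching off real-time monitoring.
DEFENDER_TAMPER_RE = re.compile(
    r"(Add|Set)-MpPreference\s+-(Exclusion\w*|DisableRealtimeMonitoring)",
    re.IGNORECASE,
)
POWERSHELL = {"powershell.exe", "pwsh.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
# Exfiltration platforms named in the article; legitimate in many schools,
# so the rule only fires for non-browser processes.
WATCHED_DOMAINS = {"discord.com", "discordapp.com", "api.telegram.org"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> list[str]:
    """Return the names of the rules this single event triggers."""
    hits = []
    eid = ev.get("EventID")
    image = basename(ev.get("Image", ""))
    if eid == 1:
        cmd = ev.get("CommandLine", "")
        if image in POWERSHELL and DEFENDER_TAMPER_RE.search(cmd):
            hits.append("defender_exclusion_via_powershell")
        if image in BROWSERS and "--headless" in cmd \
                and APPDATA_RE.search(ev.get("ParentImage", "")):
            hits.append("headless_browser_from_appdata_parent")
    elif eid == 4698:
        if APPDATA_RE.search(ev.get("TaskCommand", "")):
            hits.append("scheduled_task_runs_from_appdata")
    elif eid == 22:
        if ev.get("QueryName", "").lower() in WATCHED_DOMAINS and image not in BROWSERS:
            hits.append("webhook_domain_lookup_by_non_browser")
    return hits


def scan_text(text: str) -> list[dict]:
    """Parse JSON lines and return one finding per (event, rule) pair."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    findings = []
    for n, ev in enumerate(events, 1):
        for rule in check_event(ev):
            findings.append({"event": n, "rule": rule,
                             "image": ev.get("Image", ""),
                             "detail": ev.get("CommandLine") or ev.get("TaskCommand")
                             or ev.get("QueryName", "")})
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE_EVENTS):
        print(f"event {f['event']}: {f['rule']} ({f['image']}) -> {f['detail']}")
```

On the sample, four of the seven events fire (one per rule); the two benign PowerShell and Defrag events and the browser's own lookup of `discord.com` do not. The parent-process and non-browser conditions are what keep the Discord and headless-Chrome rules usable on a campus network where both are common in normal use.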