Back in 2018, ZENDATA reported on the rise of sextortion scams. At the time, cybercriminals were sending mass emails claiming to have hacked into victims’ computers, taken screenshots and webcam images, and threatening to release them unless a ransom was paid. The vast majority of these campaigns were pure scams as there was no malware, no screenshots, only fearmongering and social engineering capitalizing on users’ fear of public shaming. However, sextortion malware has since evolved, introducing real threats to victims…
Sextortion Goes Real: Enter Stealerium
Fast-forward to today, and the landscape has changed dramatically. A new family of malware, known as Stealerium, has turned these once-empty threats into a chilling reality. Originally released as an open-source infostealer on GitHub in 2022, it is now actively weaponized by cybercriminal groups across the globe. The malware is typically delivered through carefully crafted phishing emails that appear to be legitimate invoices, travel confirmations, or legal notices, tricking recipients into opening malicious attachments or links. Once installed, Stealerium behaves like a classic infostealer, harvesting browser credentials, session cookies, Wi-Fi profiles, VPN configurations, and even cryptocurrency wallets, giving attackers a broad arsenal of sensitive data to exploit. This demonstrates how sextortion malware has become a significant concern.
But Stealerium goes a step further by scanning browser tabs for keywords such as “sex” or “porn.” When such terms are detected, the malware simultaneously takes a screenshot of the active browser window and activates the victim’s webcam to capture them in real time. Both images are then automatically transmitted to the attacker through channels like Telegram, Discord, SMTP, or GoFile. This evolution transforms sextortion from a purely psychological scam into a technically enabled threat, providing criminals with immediate and highly exploitable blackmail material. More sophisticated sextortion malware like this has shifted the landscape from scams to real extortion threats.
Technical Analysis: How Stealerium Works
Security researchers highlight several technical hallmarks of Stealerium’s operation:
- Modular Architecture: Built as a flexible, open-source project, Stealerium has spawned multiple variants (e.g., Phantom Stealer, Warp Stealer) that attackers adapt for their campaigns.
- Exfiltration Vectors: Unlike classic malware that relies on a single command-and-control server, Stealerium leverages commodity platforms such as Telegram bots or Discord webhooks for stealthy, resilient data exfiltration.
- Automated Sextortion Logic: The keyword-triggered combination of screen capture and webcam activation is largely unprecedented in infostealers, marking a troubling shift toward low-effort, high-impact extortion tactics involving sextortion malware.
- Victim Scope: Campaigns since May 2025 have been observed targeting multiple industries, including hospitality, education, and finance, but individuals at home are equally at risk if they open the wrong attachment.
This combination of credential theft + sextortion makes Stealerium particularly dangerous: even if the attacker fails to monetize credentials, they can still exploit the victim through reputational coercion with the use of sextortion malware.
How ZENDATA Protects: Defense in Depth Against Stealerium
At ZENDATA, our SOC operations are designed precisely to counter these evolving threats. Defense against Stealerium requires a multi-layered security posture, which we deliver through our ZEN360 Defense-in-Depth model:
- Email Security Gateway (ESG/SEG): Filters malicious attachments and phishing campaigns before they reach the inbox, blocking the primary infection vector.
- Endpoint Detection & Response (EDR): Detects and contains suspicious processes such as unauthorized webcam access, PowerShell abuse, or unusual file exfiltration.
- SIEM Correlation: Our SIEM correlates phishing attempts, process executions, and outbound traffic anomalies to rapidly detect Stealerium-like behavior.
- Next-Gen Firewalls: Block and monitor outbound connections to known malicious infrastructure or unauthorized platforms such as Discord webhooks used for exfiltration.
- Threat Intelligence Integration: Our embedded CTI team continuously tracks emerging Stealerium variants and updates detection rules, ensuring that even open-source malware derivatives don’t slip past defenses.
Find the research here
