👤 WHITEHAWK
🗓️ 08 Sep 2025  

Open-Source Infostealers Gone Wild: Stealerium and Phantom Unleash a Global Data Heist

Once billed as “educational tools,” Stealerium and Phantom have become cybercriminal favorites - fueling a new wave of identity theft and corporate breaches worldwide.

Fast Facts

  • Stealerium and Phantom are open-source malware tools, freely available online.
  • Originally released for “educational purposes,” they are now widely abused by criminals to steal personal and corporate data.
  • These infostealers target everything from passwords and credit cards to webcam images and crypto wallets.
  • Recent campaigns have leveraged convincing phishing emails to trick victims into installing the malware.
  • Proofpoint researchers warn of a sharp uptick in attacks using Stealerium code since May 2025.

From Classroom to Crime Scene: The Rise of Open-Source Infostealers

Imagine a chemistry set designed for students - left unguarded in a public square, it quickly becomes a tool for mischief or worse. That’s the story unfolding in cybercrime with Stealerium and Phantom: malware tools that began as “educational” code, now weaponized by opportunistic hackers across the globe.

Stealerium debuted in 2022 on GitHub, the world’s largest code-sharing platform. Its creators claimed it was for learning and defense research. But as with so many open-source tools, the line between education and exploitation quickly blurred. Phantom Stealer, a closely related variant, soon followed - borrowing much of Stealerium’s code, according to Proofpoint’s analysts. Today, both are readily available for download, tweakable by anyone with basic programming skills.

How Stealerium and Phantom Steal More Than Secrets

These infostealers act like digital vacuum cleaners, sucking up a staggering array of data. Once on a victim’s computer, they hunt for browser passwords, credit card details, cryptocurrency wallets, sensitive files, and even session tokens for gaming and VPN services. Not content with mere data, Stealerium can also snap screenshots, spy through webcams, and monitor the clipboard - features ripe for blackmail, or “sextortion.”

Recent attack waves have deployed Stealerium and Phantom using phishing emails with alarming realism - posing as banks, charities, or courts, and luring victims to open booby-trapped attachments. The scale ranges from targeted scams to mass campaigns reaching tens of thousands.

A Global Playground for Cybercriminals

The open-source nature of these infostealers means anyone can download, modify, and improve them. This crowdsourced evolution makes detection a moving target: every tweak can spawn a new variant, harder for traditional antivirus tools to catch. Unlike “malware-as-a-service” platforms that charge fees, Stealerium and Phantom are the cybercrime world’s equivalent of free, disposable weapons - fueling a democratization of hacking that worries experts.

Proofpoint’s latest research highlights a surge in Stealerium-based attacks in spring 2025, after a lull. Notably, even less sophisticated criminals are jumping on board, leveraging these tools for quick and dirty heists. The trend mirrors previous open-source threats like LokiBot and Raccoon Stealer, but the sheer versatility and accessibility of Stealerium and Phantom set a new bar for danger.

Defending Against the Invisible Thief

Security experts urge organizations to watch for telltale signs: unusual use of Windows commands, suspicious PowerShell activity, and outbound data transfers to strange internet addresses. Blocking unauthorized data flows and tightening email security are essential first steps. But as long as open-source infostealers remain just a download away, the arms race between defenders and attackers is set to intensify.

The story of Stealerium and Phantom is a cautionary tale for our digital age: tools built for learning can quickly become weapons in the wrong hands. As the line between “white hat” and “black hat” blurs, vigilance and education are our last lines of defense.

WIKICROOK

  • Infostealer: An infostealer is malware designed to steal sensitive data - like passwords, credit cards, or documents - from infected computers without the user’s knowledge.
  • Open: ‘Open’ means software or code is publicly available, allowing anyone to access, modify, or use it - including for malicious purposes.
  • Phishing: Phishing is a cybercrime where attackers send fake messages to trick users into revealing sensitive data or clicking malicious links.
  • Exfiltration: Exfiltration is the unauthorized transfer of sensitive data from a victim’s network to an external system controlled by attackers.
  • Sextortion: Sextortion is online blackmail where criminals threaten to release private or embarrassing images or videos unless a ransom is paid.

WHITEHAWK
Cyber Intelligence Strategist