Stealerium Malware Automates Sextortion with Real-Time Webcam Spying
Sextortion, the harrowing cybercrime where hackers coerce victims using stolen intimate images, has long relied on manual effort—but a new variant of the Stealerium infostealer malware has industrialized this violation. Discovered by Proofpoint researchers in widespread cybercriminal campaigns, Stealerium now automates the process by monitoring victims' browser activity for pornography-related keywords, snapping simultaneous screenshots and webcam photos, and funneling the compromising material to attackers for blackmail. This represents a stark escalation in malware capabilities, turning personal devices into tools of humiliation.
How the Automated Sextortion Mechanism Works
Stealerium, an open-source infostealer available on GitHub, typically harvests sensitive data like banking credentials, passwords, and cryptocurrency keys. Its latest iteration adds a predatory twist: it scans browser URLs for NSFW terms (e.g., "sex" or "porn"), triggering a dual-capture sequence. When a match is detected, the malware takes a screenshot of the active tab and uses the victim's webcam to photograph them in real time. These images are then transmitted to hackers via Telegram, Discord, or email, creating instant leverage for sextortion.
"It's gross. I hate it," says Selena Larson, a senior threat intelligence analyst at Proofpoint. "When it comes to infostealers, they typically are looking for whatever they can grab. This adds another layer of privacy invasion and sensitive information that you definitely wouldn't want in the hands of a hacker."
Proofpoint traced this feature to multiple campaigns since May 2024, where tens of thousands of emails lured victims—including those in hospitality, education, and finance sectors—with fake invoices or payment links. Once installed, Stealerium's modular design allows attackers to customize keyword lists, making the sextortion highly targeted.
The Open-Source Enabler and Criminal Adoption
Disturbingly, Stealerium is publicly accessible on GitHub under a profile claiming "educational purposes only." The developer, "witchfindertr," explicitly distances themselves from accountability with a blunt disclaimer: "How you use this program is your responsibility... I will not be held accountable for any illegal activities. Nor do i give a shit how u use it." This laissez-faire approach has enabled low-tier cybercriminal groups to weaponize the tool, shifting away from high-risk ransomware operations toward stealthier, individual-focused extortion.
Kyle Cucci, a Proofpoint researcher, emphasizes the rarity of such automation: "Automated webcam pics of users browsing porn is pretty much unheard of." The only precedent dates to a 2019 campaign targeting French speakers, making Stealerium a significant innovation in privacy exploitation.
Why Developers and Security Teams Should Take Notice
This malware exemplifies a broader trend: cybercriminals are pivoting to low-visibility attacks that exploit human vulnerabilities rather than system flaws. As Larson notes, "For a hacker, it's not like you're taking down a multi-million dollar company that is going to make waves... They're trying to monetize people one at a time." The psychological shame associated with sextortion often deters reporting, allowing attackers to operate undetected.
For tech professionals, this underscores urgent priorities: implement robust endpoint monitoring for unusual webcam activity, educate users on phishing red flags, and scrutinize open-source tools for potential abuse. As infostealers evolve beyond data theft into personal violation, the defense playbook must expand to protect not just systems, but dignity.
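One way to implement the endpoint check suggested above, as an added example that is not from the article or from Proofpoint: it flags a process outside a camera allowlist that opens the webcam and, within a short window, connects to one of the channels the article names (Telegram, Discord, email). The event schema, allowlist, host names, two-minute window and sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

ALLOWED_CAMERA_APPS = {"teams.exe", "zoom.exe"}    # assumption: site-specific allowlist
CHAT_HOSTS = {"api.telegram.org", "discord.com"}   # assumption: hosts for the named channels
MAIL_PORTS = {25, 465, 587}                        # SMTP and mail submission ports
WINDOW = timedelta(minutes=2)                      # assumption: correlation window

# Constructed sample telemetry: (timestamp, host, process, kind, destination)
EVENTS = [
    ("2024-06-01T10:00:05", "ws-14", "teams.exe", "webcam", ""),
    ("2024-06-01T10:00:09", "ws-14", "teams.exe", "net", "teams.microsoft.com:443"),
    ("2024-06-01T11:42:10", "ws-22", "invoice_viewer.exe", "webcam", ""),
    ("2024-06-01T11:42:31", "ws-22", "invoice_viewer.exe", "net", "api.telegram.org:443"),
    ("2024-06-01T12:15:00", "ws-30", "updater.exe", "net", "discord.com:443"),
    ("2024-06-01T13:00:00", "ws-41", "scan.exe", "webcam", ""),
    ("2024-06-01T13:20:00", "ws-41", "scan.exe", "net", "smtp.example.net:587"),
]

def is_exfil_channel(dest):
    """True if the destination is a chat API host or a mail submission port."""
    host, sep, port = dest.rpartition(":")
    if not sep:  # no port recorded in the event
        host, port = dest, ""
    return host.lower() in CHAT_HOSTS or (port.isdigit() and int(port) in MAIL_PORTS)

def find_webcam_exfil(events, window=WINDOW):
    """Correlate webcam use by non-allowlisted processes with outbound traffic."""
    parsed = sorted((datetime.fromisoformat(ts), h, p.lower(), k, d)
                    for ts, h, p, k, d in events)
    alerts = []
    for ts, host, proc, kind, _ in parsed:
        if kind != "webcam" or proc in ALLOWED_CAMERA_APPS:
            continue
        for nts, nhost, nproc, nkind, dest in parsed:
            if (nkind == "net" and (nhost, nproc) == (host, proc)
                    and ts <= nts <= ts + window and is_exfil_channel(dest)):
                alerts.append({"host": host, "process": proc, "dest": dest,
                               "delay_s": int((nts - ts).total_seconds())})
    return alerts

if __name__ == "__main__":
    for alert in find_webcam_exfil(EVENTS):
        print(alert)
```

A connection to a chat host with no preceding webcam event (ws-30) and a mail connection outside the window (ws-41) are deliberately not flagged; widening the window trades fewer misses for more noise.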
Source: Wired