TL;DR: A rise in opportunistic campaigns using Stealerium-based malware has been observed, with delivery through archive files, scripts, and lure themes such as invoices, travel, and legal notices, while the payload steals cookies, credentials, tokens, Wi-Fi data, and other sensitive information, according to Proofpoint research. The real issue is that identity theft now sits inside commodity malware workflows, making NHI exposure and downstream access abuse a routine enterprise risk.
At a glance
What this is: Proofpoint says Stealerium-based infostealers are being used more often in opportunistic campaigns that aim to harvest credentials, cookies, tokens, and other sensitive data.
Why it matters: This matters because stolen non-human and user identities can turn a single phishing or malware event into broader account takeover, lateral movement, and data exfiltration risk across identity programmes.
By the numbers:
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes and as quickly as 9 minutes in some cases.
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities.
👉 Read Proofpoint's analysis of Stealerium-based infostealer campaigns and identity theft
Context
Stealerium-based malware is a commodity infostealer family used by opportunistic criminal actors to harvest credentials, cookies, tokens, and other sensitive data after a user opens a malicious attachment or script. In identity terms, the issue is not just malware execution, but the conversion of stolen browser and system artefacts into usable access across human and non-human identity pathways.
For IAM teams, the key problem is that infostealers collapse the boundary between endpoint compromise and identity compromise. A single successful lure can expose session tokens, browser credentials, Wi-Fi data, and platform secrets, which then become launch points for account takeover, lateral movement, and exfiltration in environments that still rely on long-lived credentials.
Key questions
Q: What breaks when infostealers collect browser tokens and saved credentials?
A: What breaks is the assumption that compromise stays on the endpoint. Browser tokens, saved passwords, and cookies are often enough to impersonate users or sessions elsewhere, which means theft becomes reusable access. Teams should assume stolen identity artefacts may move directly into SaaS, cloud, and admin workflows unless they are rapidly revoked or invalidated.
Q: Why do infostealers create such a large IAM risk?
A: They turn endpoint compromise into identity compromise by collecting artefacts that authentication systems already trust. That matters for both human users and non-human identities because stolen tokens, passwords, and browser state can be reused for access, lateral movement, and exfiltration long after the original malware has been removed.
Q: How can security teams tell whether exploit activity has become an identity incident?
A: Look for account creation, privilege changes, anomalous administrative tools, directory reconnaissance, or sudden credential rotation needs on the affected host. If those signals appear, the exploit has likely moved into identity territory. Teams should treat those indicators as a containment trigger, not a secondary investigation detail.
Q: What should organisations do immediately after infostealer exposure is suspected?
A: Revoke or rotate any exposed secrets, invalidate active sessions, and review privileged or third-party access paths first. Then check whether those credentials were used against cloud, SaaS, or admin services, because a stolen token often becomes a broader access path before the original malware is contained.
Technical breakdown
How Stealerium-based infostealers turn endpoint compromise into identity theft
Stealerium is a .NET infostealer that stages stolen data locally before exfiltration. It targets browser cookies, stored credentials, session tokens, crypto wallets, email data, and Wi-Fi information, then uses channels such as SMTP, Discord webhooks, Telegram, GoFile, or HTTP to move data out. Because the malware is configurable, actors can select specific theft targets and exfiltration paths without changing the core loader. That makes the family attractive for opportunistic operators who want broad access with minimal operational overhead.
Practical implication: Treat endpoint detection as identity protection, because stolen browser artefacts often become the first reusable access credential.
Why Wi-Fi enumeration and browser remote debugging matter in stealer campaigns
Proofpoint observed Stealerium issuing netsh wlan commands to enumerate saved Wi-Fi profiles and nearby networks, and in some variants using Chrome remote debugging to bypass browser protections and extract sensitive content. These behaviours are not incidental. Wi-Fi data can reveal nearby access opportunities and network context, while remote debugging can expose cookies and credentials that would otherwise be protected by normal browser controls. Together they show that infostealers increasingly target both session material and the conditions needed for follow-on movement.
Practical implication: Monitor for netsh wlan, remote debugging flags, and unusual browser child processes as identity compromise indicators rather than generic malware noise.
Why open-source malware accelerates credential abuse at scale
Open-source malware changes the economics of identity theft. Once stealer code is public, lower-skill actors can adopt, fork, and slightly modify it, creating variant sprawl that reduces the value of simple signatures. Proofpoint’s write-up also shows code overlap across Stealerium, Phantom Stealer, and Warp Stealer, which reinforces a broader point: the threat is no longer a single malware family, but a reusable pattern of credential theft and exfiltration. That pattern is especially dangerous where secrets and session tokens are treated as durable rather than disposable.
Practical implication: Build detection and governance around behaviour and data movement, not just specific malware names or hashes.
Threat narrative
Attacker objective: The attacker wants reusable identity material, especially cookies, credentials, tokens, and system context, that can support takeover, fraud, and lateral movement.
- Entry occurs when a recipient opens a lure such as a compressed executable, JavaScript, VBScript, ISO, IMG, or ACE attachment delivered through invoice, legal, travel, or donation themes.
- Escalation occurs after execution, when the stealer collects browser artefacts, Wi-Fi data, system information, and sometimes uses remote debugging or Defender exclusions to widen access to stored identity material.
- Impact occurs when the stolen data is compressed and exfiltrated through SMTP, Discord, Telegram, GoFile, or similar channels, enabling account takeover and later movement into internal services.
Breaches seen in the wild
- Shai Hulud npm malware campaign — Shai Hulud campaign: npm malware exposed secrets on GitHub.
- Salesloft OAuth token breach — hackers stole OAuth tokens to access Salesforce data via Salesloft.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Commodity infostealers have become an NHI governance problem, not just an endpoint malware problem. The article shows a familiar pattern: credentials, cookies, tokens, and Wi-Fi data are extracted after initial execution, then reused as identity material. That means the security issue extends beyond the infected workstation into every downstream service account, application session, and workload that trusts those artefacts. Practitioners should treat stolen browser and system secrets as an identity lifecycle event, not a post-infection cleanup task.
Stealerium illustrates a credential-to-access conversion model that security programmes still underestimate. The malware is designed to turn a single lure into multiple usable identity artefacts, including stored credentials and session tokens. That is exactly where traditional perimeter thinking fails, because the access path is created after compromise by reusing valid identity material. The implication is that identity controls must account for how easily one compromised endpoint can become many valid identities across cloud, SaaS, and internal systems.
Open-source stealer reuse creates a secrets trust debt that accumulates faster than static detections can absorb. Proofpoint’s description of overlap across Stealerium, Phantom Stealer, and related families shows that defenders are not facing one actor or one hash set. They are facing a mutable code base that can be repackaged by many operators with different delivery lures and exfiltration paths. The practical conclusion is that secrets and session tokens need shorter trust horizons, tighter revocation discipline, and stronger anomaly-based monitoring.
Identity blast radius is now defined by what the endpoint can reveal, not only by what the user can click. The malware’s ability to gather Wi-Fi profiles, browser state, and application tokens means the endpoint itself becomes a high-value identity source. In NHI terms, a compromised device can expose machine and user credentials that outlive the initial infection window. Practitioners should assume that endpoint compromise can silently expand identity reach across the environment unless access artefacts are constrained and rapidly invalidated.
From our research:
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes and as quickly as 9 minutes in some cases, according to LLMjacking: How Attackers Hijack AI Using Compromised NHIs.
- Leaked secrets take an average of 27 days to remediate, even though 75% of organisations say they are confident in their secrets management capabilities, according to The State of Secrets in AppSec.
- For the broader NHI breach pattern, see 52 NHI Breaches Analysis for root-cause patterns that show how exposed credentials turn into lateral movement.
What this signals
Identity exposure is now a speed problem as much as a control problem. When attacker dwell time shrinks to minutes, the old assumption that security teams can detect, triage, and rotate later no longer holds. That is why the gap between exposed secrets and revoked access matters more than the original phishing or malware event, especially for cloud and SaaS identities.
Browser artefacts are becoming part of the identity perimeter. Stealer campaigns increasingly harvest the session material that makes authentication look successful after compromise, so programme owners need to treat session revocation, token lifetime, and device-level detection as linked controls. The operational question is not whether malware ran, but whether the stolen identity material remains valid anywhere else.
With only 44% of developers following secrets management best practices, the surrounding hygiene gap is still large enough for commodity stealers to turn a single leak into broad access. That makes secrets governance, browser session control, and rapid containment part of the same programme, not separate teams' problems.
For practitioners
- Reduce the lifetime of reusable identity artefacts Shorten session token validity, tighten cookie persistence, and revoke exposed secrets quickly when endpoint compromise is suspected. Prioritise high-value SaaS, cloud, and admin sessions where stolen browser artefacts can directly translate into access.
- Hunt for stealer-specific execution patterns Add detections for netsh wlan enumeration, suspicious Chrome remote debugging flags, PowerShell Defender exclusions, and short-lived archive or script attachments that spawn network activity. Correlate those events with identity and browser logins to confirm whether the endpoint exposed usable credentials.
- Separate endpoint compromise from identity compromise in incident response If a stealer is confirmed, assume session material, browser credentials, and potentially Wi-Fi context are already exposed. Force password resets only where needed, revoke active sessions, rotate impacted secrets, and verify that downstream service accounts and API tokens were not reused from the compromised device.
- Tighten controls on script and archive delivery paths Restrict or sandbox compressed executables, IMG, ISO, and script attachments at the mail gateway and on endpoints. That reduces the number of lure formats that can deliver stealer payloads before identity artefacts are harvested.
Key takeaways
- Stealerium-based campaigns show how quickly commodity malware can become an identity incident by harvesting credentials, cookies, and tokens from infected endpoints.
- The threat is amplified by open-source reuse, varied lure formats, and multiple exfiltration paths that make detection by signature alone unreliable.
- Security teams need shorter token lifetimes, faster revocation, and detections tied to identity artefacts, not just malware execution.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Stealerium abuse centers on exposed credentials and session material, which OWASP-NHI addresses. |
| MITRE ATT&CK | TA0006 , Credential Access; TA0008 , Lateral Movement; TA0010 , Exfiltration | The article describes theft, reuse, and exfiltration stages that align with ATT&CK tactics. |
| NIST CSF 2.0 | PR.AC-1 | Credential theft and session abuse map to access control and identity governance. |
| NIST SP 800-53 Rev 5 | IA-5 | Authenticator management is directly relevant to stolen credentials and tokens. |
| NIST Zero Trust (SP 800-207) | Zero trust assumptions fail when stolen session material remains valid after endpoint compromise. |
Use ATT&CK mappings to connect stealer detections with credential access, movement, and exfiltration workflows.
Key terms
- Infostealer: An infostealer is malware built to collect credentials, session material, tokens, and other authentication data from infected systems. In NHI programmes, the risk is not only theft but reuse, because harvested workload secrets can unlock cloud access long after the initial infection.
- OAuth Token: A short-lived access credential issued by an OAuth 2.0 authorisation server granting an NHI scoped access to specific resources for a defined period. Preferred over static API keys because their short lifetime limits the exploitation window if intercepted.
- Secrets Fragmentation: Secrets fragmentation occurs when credentials are spread across multiple tools, environments, or ownership boundaries. It weakens central control because no single team can reliably see every secret, enforce consistent rotation, or prove that all exposures have been removed.
- Identity Blast Radius: The amount of damage a compromised identity can cause across systems, data, and infrastructure. In NHI environments, it is shaped by permissions, network reach, and administrative capability rather than by the credential alone. Reducing blast radius is a containment strategy that limits lateral movement and data exposure.
What's in the full article
Proofpoint's full article covers the operational detail this post intentionally leaves for the source:
- Campaign-by-campaign lure examples, including invoice, travel, legal, and charity themes that delivered the payload.
- Process and behavioural details such as netsh wlan enumeration, scheduled task persistence, and browser remote debugging abuse.
- Exfiltration pathways including SMTP, Discord webhooks, Telegram, GoFile, and Zulip, with code and configuration context.
- Indicator examples and detection references that support rule tuning and threat hunting.
👉 Proofpoint's full post covers lure themes, payload behaviour, and exfiltration paths in detail.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on July 14, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org