TL;DR: A rise in opportunistic campaigns using Stealerium-based malware has been observed, with delivery through archive files, scripts, and lure themes such as invoices, travel, and legal notices, while the payload steals cookies, credentials, tokens, Wi-Fi data, and other sensitive information, according to Proofpoint research. The real issue is that identity theft now sits inside commodity malware workflows, making NHI exposure and downstream access abuse a routine enterprise risk.
NHIMG editorial — based on content published by Proofpoint: Luring attacks with Stealerium-based infostealers
By the numbers:
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes and as quickly as 9 minutes in some cases.
Questions worth separating out
Q: What breaks when infostealers collect browser tokens and saved credentials?
A: What breaks is the assumption that compromise stays on the endpoint.
Q: Why do infostealers create such a large IAM risk?
A: They turn endpoint compromise into identity compromise by collecting artefacts that authentication systems already trust.
Q: How can security teams tell whether exploit activity has become an identity incident?
A: Look for account creation, privilege changes, anomalous administrative tools, directory reconnaissance, or sudden credential rotation needs on the affected host.
Practitioner guidance
- Reduce the lifetime of reusable identity artefacts Shorten session token validity, tighten cookie persistence, and revoke exposed secrets quickly when endpoint compromise is suspected.
- Hunt for stealer-specific execution patterns Add detections for netsh wlan enumeration, suspicious Chrome remote debugging flags, PowerShell Defender exclusions, and short-lived archive or script attachments that spawn network activity.
- Separate endpoint compromise from identity compromise in incident response If a stealer is confirmed, assume session material, browser credentials, and potentially Wi-Fi context are already exposed.
What's in the full article
Proofpoint's full article covers the operational detail this post intentionally leaves for the source:
- Campaign-by-campaign lure examples, including invoice, travel, legal, and charity themes that delivered the payload.
- Process and behavioural details such as netsh wlan enumeration, scheduled task persistence, and browser remote debugging abuse.
- Exfiltration pathways including SMTP, Discord webhooks, Telegram, GoFile, and Zulip, with code and configuration context.
- Indicator examples and detection references that support rule tuning and threat hunting.
👉 Read Proofpoint's analysis of Stealerium-based infostealer campaigns and identity theft →
Stealerium campaigns and NHI exposure: what security teams need to know?
Explore further
Commodity infostealers have become an NHI governance problem, not just an endpoint malware problem. The article shows a familiar pattern: credentials, cookies, tokens, and Wi-Fi data are extracted after initial execution, then reused as identity material. That means the security issue extends beyond the infected workstation into every downstream service account, application session, and workload that trusts those artefacts. Practitioners should treat stolen browser and system secrets as an identity lifecycle event, not a post-infection cleanup task.
A few things that frame the scale:
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes and as quickly as 9 minutes in some cases, according to LLMjacking: How Attackers Hijack AI Using Compromised NHIs.
- Leaked secrets take an average of 27 days to remediate, even though 75% of organisations say they are confident in their secrets management capabilities, according to The State of Secrets in AppSec.
A question worth separating out:
Q: What should organisations do immediately after infostealer exposure is suspected?
A: Revoke or rotate any exposed secrets, invalidate active sessions, and review privileged or third-party access paths first. Then check whether those credentials were used against cloud, SaaS, or admin services, because a stolen token often becomes a broader access path before the original malware is contained.
👉 Read our full editorial: Stealerium-based infostealers expose the growing NHI attack surface