How to defend yourself against Stealerium, the malware that blackmails you if you visit porn sites

Digital identity theft and online blackmail are certainly not new phenomena, but in recent months researchers at Proofpoint have reported significant growth in campaigns that use an open-source malware known as Stealerium. This software, released with the justification that it was designed “only for educational purposes”, has become an insidious weapon in the hands of cybercriminals. Its peculiarity? It does not just steal passwords and credentials from infected devices: it also includes a function that automates sextortion, the extortion scam based on explicit content. In short, the malware is spread through large-scale phishing campaigns and, once it has infected the victim’s computer, it checks whether browser tabs with sexually explicit content are open. If so, it takes screenshots and activates the victim’s webcam to collect potentially embarrassing material with which to extort money. Let’s look in more detail at how Stealerium works and how to defend yourself.

What Stealerium is and how it works: the malware that blackmails users

The Stealerium code is written in .NET and is public on GitHub, which means that anyone can download, modify and reuse it. Some actors have developed variants such as Phantom Stealer or Warp Stealer, all with large code overlaps. This makes it difficult to attribute an attack to a specific group with any accuracy and, at the same time, encourages the proliferation of different versions, often enriched with new functions to evade defense systems. Since May 2025, the cybersecurity company Proofpoint has observed groups such as TA2715 and TA2536 spreading Stealerium again after a period of inactivity, a sign that this tool remains highly attractive to cybercriminals.

From a technical point of view, once installed on the victim’s computer, the malware runs a series of checks and collects sensitive information: stored Wi-Fi profiles, browser cookies, banking data, login credentials for gaming platforms or mail services, cryptocurrency wallets and files considered “interesting”, such as documents, images or databases. In some variants, researchers also detected techniques that manipulate the Chrome browser through so-called remote debugging, a function designed for developers but exploited by criminals to get around security protections and access session data.
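A defender can hunt for the remote-debugging abuse described above in process-creation telemetry. The following is an added example, not code from Proofpoint or from the malware: it flags Chromium-based browsers started with a remote-debugging switch and raises the severity when the parent process, headless mode or the user's real profile directory make a developer explanation unlikely. The event fields, the allowlist and the sample events are assumptions constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe"}
# Assumption: tools your developers legitimately debug from; tune per site.
ALLOWED_PARENTS = {"code.exe", "devenv.exe"}
DEBUG_FLAG = re.compile(r"--remote-debugging-(?:port|pipe)\b", re.I)
REAL_PROFILE = re.compile(r'--user-data-dir="?[^"]*\\Google\\Chrome\\User Data', re.I)

CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
# Constructed process-creation events (fields as in Sysmon Event ID 1).
SAMPLE_EVENTS = [
    {"image": CHROME, "parent": r"C:\Windows\explorer.exe",
     "cmdline": f'"{CHROME}" --profile-directory=Default'},
    {"image": CHROME, "parent": r"C:\Users\alice\AppData\Local\Temp\invoice.exe",
     "cmdline": f'"{CHROME}" --headless --remote-debugging-port=9222 '
                r'--user-data-dir="C:\Users\alice\AppData\Local\Google\Chrome\User Data"'},
    {"image": CHROME, "parent": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "cmdline": f'"{CHROME}" --remote-debugging-port=9229 --user-data-dir=C:\\Temp\\dbg'},
]

def triage(event):
    """Return (severity, reasons) for one event, or None if it is unremarkable."""
    image = PureWindowsPath(event["image"]).name.lower()
    if image not in BROWSERS or not DEBUG_FLAG.search(event["cmdline"]):
        return None
    reasons = ["browser started with remote debugging enabled"]
    parent = PureWindowsPath(event["parent"]).name.lower()
    if parent not in ALLOWED_PARENTS:
        reasons.append(f"unexpected parent process: {parent}")
    if "--headless" in event["cmdline"].lower():
        reasons.append("headless mode (no visible window)")
    if REAL_PROFILE.search(event["cmdline"]):
        reasons.append("debugger attached to the user's real profile directory")
    # A lone debug flag from an approved tool only deserves a look.
    return ("high" if len(reasons) > 1 else "review"), reasons

def scan(events):
    """Return (index, severity, reasons) for every event that needs attention."""
    return [(i, *hit) for i, e in enumerate(events) if (hit := triage(e))]

if __name__ == "__main__":
    for index, severity, reasons in scan(SAMPLE_EVENTS):
        print(index, severity, "; ".join(reasons))
```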

The most disturbing part concerns the handling of images and videos. When it detects open browser tabs linked to terms such as “porn”, “sex” or “NSFW” (Not Safe for Work), Stealerium takes a screenshot and simultaneously activates the webcam. This material can then be used to threaten victims, triggering very dangerous psychological blackmail dynamics that leverage the sense of shame.

Regarding Stealerium’s modus operandi, the Proofpoint researchers explained:

The malware has a function that focuses on data relating to pornography. It is able to detect open browser tabs related to adult content and to acquire a desktop screenshot and an image from the webcam. This data is probably used for “sextortion”. Although this function is not new among the malware used for cybercrime, it is not often observed.

The screenshot shows a portion of the Stealerium code that lets the malware first detect explicit content in open web browsers, then capture the screen and activate the user’s webcam, producing the material that cybercriminals use for sextortion. Credit: Proofpoint.

Exfiltration of the data, i.e. the transfer of the stolen information to the criminals behind the attack, can take place in different ways: by e-mail (SMTP), through messaging services (such as Discord or Telegram), storage platforms such as GoFile, and even corporate chat tools such as Zulip. This range of options makes it harder for defense systems to intercept suspicious traffic, above all because many of these platforms are also used every day for legitimate purposes.
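Because these destinations are also used legitimately, a workable detection keys on which process is talking to them rather than on the destination alone. The sketch below is an added example, not taken from the Proofpoint report: it parses a constructed outbound-connection log and reports chat, storage or SMTP traffic that originates from a process other than the expected client. The hostnames, process allowlists and log format are assumptions to adapt to your own telemetry.

```python
# Assumption: well-known public hostnames of the services the article names;
# self-hosted Zulip or in-house mail relays need site-specific entries.
WATCHED = {"api.telegram.org": "Telegram", "discord.com": "Discord",
           "discordapp.com": "Discord", "gofile.io": "GoFile", "zulipchat.com": "Zulip"}
SMTP_PORTS = {25, 465, 587}
# Assumption: processes expected to use each channel on a normal workstation.
WEB_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "discord.exe",
               "telegram.exe", "zulip.exe"}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

# Constructed outbound-connection log: time, process, destination host, port.
SAMPLE_LOG = """\
09:01:12 chrome.exe discord.com 443
09:01:40 outlook.exe smtp.example.test 587
09:02:03 svchost_update.exe api.telegram.org 443
09:02:04 svchost_update.exe store1.gofile.io 443
09:02:09 svchost_update.exe mail.example.test 587
09:03:00 chrome.exe notdiscord.com 443
"""

def service_for(host):
    """Map a hostname to a watched service, matching whole DNS labels only."""
    host = host.lower().rstrip(".")
    for suffix, name in WATCHED.items():
        if host == suffix or host.endswith("." + suffix):
            return name
    return None

def classify(process, host, port):
    """Return a reason string if the connection is suspicious, else None."""
    process = process.lower()
    if port in SMTP_PORTS:
        return None if process in MAIL_CLIENTS else "SMTP from a non-mail process"
    service = service_for(host)
    if service and process not in WEB_CLIENTS:
        return f"{service} traffic from a non-client process"
    return None

def findings(log_text):
    """Return (process, host, reason) for every suspicious log line."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or not fields[3].isdigit():
            continue  # skip malformed lines rather than abort the scan
        _, process, host, port = fields
        if (reason := classify(process, host, int(port))):
            hits.append((process, host, reason))
    return hits
```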

As for the distribution of the malware, the attachments used to infect victims vary: compressed archives containing executables, JavaScript or VBScript files, disk images (.iso or .img) and other formats that induce the user to open them. The e-mails often pretend to come from government bodies, banks, charitable foundations, travel agencies and so on, and rely on so-called social engineering: a set of psychological techniques that aim to convince users to take a risky action, such as opening a file or clicking on a link.

Example of an e-mail used to deliver the Stealerium malware. In this case, the criminals sent potential victims (organizations in the tourism sector) a message that concealed an infection attempt.
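The attachment types listed above can be screened before a message reaches the user. This added example, which is not part of the original article or of any vendor tooling, parses a raw e-mail, checks each attachment's type and also looks inside ZIP archives, since the risky file is often wrapped in one. The extension set and the sample message are constructed assumptions, and the attachments are harmless placeholders.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Types the article names; the exact extension set is an assumption to tune.
RISKY = {".exe", ".scr", ".js", ".vbs", ".iso", ".img"}

def suffix(name):
    return PurePosixPath(name.lower()).suffix

def inspect(filename, payload):
    """Return (name, reason) findings for one attachment."""
    found = []
    if suffix(filename) in RISKY:
        found.append((filename, f"risky type {suffix(filename)}"))
    if suffix(filename) == ".zip":
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for info in zf.infolist():
                    inner = f"{filename}!{info.filename}"
                    if info.flag_bits & 0x1:  # encrypted: content cannot be scanned
                        found.append((inner, "encrypted archive entry"))
                    if suffix(info.filename) in RISKY:
                        found.append((inner, f"risky type {suffix(info.filename)} in archive"))
        except zipfile.BadZipFile:
            found.append((filename, "unreadable archive"))
    return found

def triage_message(raw_message):
    msg = message_from_bytes(raw_message, policy=policy.default)  # parse the raw mail
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        findings += inspect(name, part.get_payload(decode=True) or b"")
    return findings

def build_sample():  # constructed lure with harmless placeholder attachments
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("Booking_Details.js", "// constructed placeholder")
    msg = EmailMessage()
    msg["Subject"] = "Urgent: booking confirmation"
    msg.set_content("Please see the attached documents.")
    for name, data in [("booking.zip", archive.getvalue()), ("itinerary.pdf", b"%PDF-"),
                       ("voucher.iso", b"constructed")]:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()
```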

How to defend yourself against Stealerium

Given the danger Stealerium poses, it is important to adopt defense strategies that can reduce the risk of infection. We list three.

  • Pay attention to attachments before downloading them: be especially wary of those received from unknown senders and of those that arrive with messages playing on urgency and fear (e.g. “urgent payment”, “court summons”, etc.).
  • Update the operating system and antivirus software: since software such as Stealerium can evade security systems (being open source, it is continuously updated), doing this may not always be enough, but it is a basic practice that at least reduces the chances of falling victim to an attack. Also run regular antivirus scans to check for the possible presence of malware on your PC.
  • Cover the computer’s webcam: since it is not possible to be 100% immune to threats of this kind, this advice is also basic. More and more laptops and webcams include protections designed to safeguard user privacy. If your PC has them, make good use of them. If you do not have such protections, you can always resort to more homemade but still effective methods: yes, we mean the classic piece of adhesive tape used as a cover for the webcam (and, while you are at it, for the microphone too).