Educational institutions have become prime targets in the escalating battle against commodity information stealers.

First emerging in 2022 as an open-source project on GitHub, Stealerium was initially released “for educational purposes” but rapidly attracted illicit interest.

Adversaries adapted and enhanced the code to create variants—such as Phantom Stealer and Warp Stealer—resulting in a family of infostealers sharing substantial code overlap.

These tools are readily available to low-sophistication actors seeking one-time purchases or free downloads, bypassing the complexity and cost of malware-as-a-service offerings.

Early campaigns leveraged standard phishing lures—impersonating banks, courthouses, and charitable foundations—but recent activity within the education sector has broadened the attack surface.

Emails with urgent subject lines like “Course Registration Deadline” and “Student Account Suspension Notice” delivered compressed executables, JavaScript, and disk images containing Stealerium payloads.

Proofpoint analysts noted a surge in messages targeting universities and K-12 networks between May and July 2025, with volumes ranging from hundreds to tens of thousands of emails per campaign.

Once executed, Stealerium variants immediately establish persistence and reconnaissance capabilities. PowerShell scripts are frequently used to add Windows Defender exclusions, while scheduled tasks ensure the malware survives reboots.

In addition, the malware executes a series of netsh wlan commands to enumerate saved Wi-Fi profiles and scan for nearby wireless networks, suggesting an intent to harvest credentials for lateral movement or geolocation of compromised hosts.

Stealerium’s impact on educational organizations is profound. Beyond credential theft, it exfiltrates browser cookies, credit-card data, gaming session tokens, and even webcam snapshots of “NSFW” content—likely to facilitate sextortion schemes.

Exfiltration channels include SMTP mail attachments, Discord webhooks, Telegram API requests, GoFile uploads, and the lesser-known Zulip chat service.

Educational IT teams have reported unusual outbound traffic to these platforms and alerts from emerging threat rules designed to detect Stealerium check-ins and data exfiltration events.

Infection Mechanism and Persistence

Stealerium’s infection mechanism is deceptively straightforward yet technically robust.

Upon execution of a compressed executable or script, the malware spawns a PowerShell loader that retrieves and installs the .NET-based stealer payload into a randomized path under the user’s AppData directory (e.g., C:\Users\<user>\AppData\Local\<random_hex>\<username>@<hostname>_<locale>\).

Following this, the loader invokes the main stealer binary, which begins by creating a mutex to prevent multiple instances and performing anti-analysis checks—verifying the username, GPU model, machine GUID, and even downloading dynamic blocklists from a public GitHub repository to evade sandbox environments.

The stealer then registers a scheduled task named using a GUID derived from system information, ensuring execution at user logon or at random intervals to evade detection.

Concurrently, a PowerShell script disables real-time monitoring in Windows Defender by adding exclusion rules, effectively blinding endpoint protection.

Finally, Stealerium launches a headless Chrome process with the --remote-debugging-port argument to extract cookies, credentials, and tokens directly from browser memory—an advanced technique that bypasses standard encryption and application sandboxing.

// Example of remote debugging invocation in Stealerium variants
ProcessStartInfo psi = new ProcessStartInfo()
{
    FileName = "chrome.exe",
    Arguments = "--headless --disable-gpu --remote-debugging-port=9222 https://example.com",
    CreateNoWindow = true,
    UseShellExecute = false
};
Process chrome = Process.Start(psi);

This multi-stage approach—combining randomized staging, scheduled persistence, anti-analysis checks, and advanced data extraction—makes Stealerium a potent threat against educational networks.

Organizations must monitor for unusual PowerShell defender exclusions, anomalous scheduled tasks, and network connections to Discord, Telegram, GoFile, and Zulip endpoints to effectively detect and mitigate these attacks.

Boost your SOC and help your team protect your business with free top-notch threat intelligence: Request TI Lookup Premium Trial.

The post Threat Actors Using Stealerium Malware to Attack Educational Organizations appeared first on Cyber Security News.

A sprawling network of illicit Internet Protocol Television (IPTV) services has been discovered, operating across more than 1,100 domains and in excess of 10,000 IP addresses.

This sprawling infrastructure, which has remained active for several years, delivers unauthorized streams of premium content—including major sports leagues, subscription services, and on-demand platforms—without licensing agreements.

Silent Push analysts noted that this network’s use of both high-volume IP address pools and rapidly rotating domains represents a significant escalation in piracy tactics, making traditional takedown processes nearly futile.

At its core, the network relies on customized IPTV panels built around modified open-source software such as Stalker Portal and Xtream UI.

These panels facilitate automated user authentication and stream distribution, allowing operators to provision hundreds of thousands of simultaneous sessions.

Rather than depending on a single front-end domain, the operators employ a large pool of proxy domains—each resolving to multiple shared IP addresses—to obfuscate the true origin of the streams.

Silent Push researchers identified two companies, XuiOne and Tiyansoft, and an individual, Nabi Neamati of Herat, Afghanistan, as principal beneficiaries of this infrastructure.

The attack vectors begin with server-side exploitation and credential harvesting. Malicious actors compromise under-protected web hosts or exploit outdated control panels to install custom modules that inject backdoors into legitimate streaming control software.

In many cases, operators gain initial access by exploiting default credentials on cPanel, Plesk, and Stalker Portal installations.

Once access is secured, a deployment script—often obfuscated via Base64 encoding—pushes modified PHP files and cron jobs to automate the registration of new domains and the rotation of stream endpoints.

Silent Push analysts identified one such script that uses the following code snippet to register new virtual hosts:

$domain = trim(shell_exec('wp option get siteurl'));
$ipList = ['158.220.114.199','46.202.197.208'];
foreach ($ipList as $ip) {
    shell_exec("echo '$domain IN A $ip' >> /etc/bind/db.piracy");
}
shell_exec('rndc reload');

Despite repeated takedown requests, the network’s agility in rotating both domains and IP addresses allows it to remain operational.

New domains appear almost daily, with each resolving to clusters of dynamic IP addresses provisioned via bullet-proof hosting providers.

This resilient structure poses a formidable challenge to rights holders and law enforcement agencies attempting to disrupt the service.

Infection Mechanism Through Control Panel Exploits

A particularly insidious aspect of this IPTV piracy network is its infection mechanism, which centers on compromised control panels.

Operators survey the internet for misconfigured or outdated installations of Stalker Portal and Xtream UI, using automated scanners to detect vulnerable endpoints on ports 80, 8080, and 2095.

Upon identifying a target, they deploy a multi-stage payload that begins with a low-profile reconnaissance module.

This module enumerates existing user accounts, collects hashed credentials, and exfiltrates configuration files containing API keys.

A second stage installs a persistent backdoor by modifying the config.php file within the panel’s directory:-

if (!defined('IPTV_INIT')) {
    define('IPTV_INIT', true);
    require_once __DIR__ . '/backdoor.php';
}

The backdoor script, backdoor.php, establishes a reverse shell to a command-and-control server whenever an administrator logs in, effectively granting the attackers full control over the panel.

This persistent foothold enables continuous updates to the hosting infrastructure, seamless domain registration, and dynamic IP assignment—ensuring that new entry points replace any that have been taken down.

As a result, the network can sustain large-scale piracy operations with minimal interruption.

Boost your SOC and help your team protect your business with free top-notch threat intelligence: Request TI Lookup Premium Trial.

The post Massive IPTV Hosted Across More Than 1,000 Domains and Over 10,000 IP Addresses appeared first on Cyber Security News.