Malware discovered that takes webcam photos while the user is watching porn



Researchers at Proofpoint, a security company headquartered in Sunnyvale, California, have reported the results of their investigation into Stealerium, an information-stealing malware whose use has been increasing since May of this year. Stealerium is an open-source malware published on GitHub that infiltrates victims' PCs via fraudulent emails and captures passwords, card information, and even PC screen and webcam footage in response to keywords such as 'pornography.'

Not Safe for Work: Tracking and Investigating Stealerium and Phantom Infostealers | Proofpoint US

https://www.proofpoint.com/us/blog/threat-insight/not-safe-work-tracking-and-investigating-stealerium-and-phantom-infostealers



New infostealer malware snaps webcam photos when you watch porn | TechSpot
https://www.techspot.com/news/109344-new-infostealer-malware-snaps-webcam-photos-when-you.html

Stealerium first appeared on GitHub around 2022 as freely available open-source malware and was available for download under the restriction of 'educational purposes only.' At the time of writing, the repository has been disabled due to a violation of GitHub's terms of service.



Proofpoint researchers have observed an increase in Stealerium-based malware distribution campaigns since around May 2025. The campaigns disguise themselves as emails from various organizations, including charities, banks, courts, and document services, and Stealerium is downloaded when the recipient clicks on attachments such as 'payment deadlines,' 'court subpoenas,' and 'donation requests.'

One example of a fraudulent email identified by Proofpoint was disguised as a sales email from a travel agency. These messages contained a compressed JavaScript file that installs Stealerium and performs network reconnaissance to collect Wi-Fi profiles and nearby networks.



Once downloaded onto a target PC, Stealerium has the ability to steal a wide variety of data, including browser cookies and authentication information, credit card data, session tokens from gaming services such as Steam, cryptocurrency wallet data, and various types of confidential files. Stealerium has two major features. First, it does not target a specific data type, but indiscriminately steals a wide variety of data.

Another feature of Stealerium is its ability to specifically react to pornography-related data: by checking for the presence of customizable strings such as 'porn' or 'sex,' Stealerium detects browser tabs related to adult content and takes desktop screenshots and webcam image captures.

A similar case occurred around 2018, when there was a sudden increase in the number of users receiving threatening emails claiming, 'Your PC has been hacked and your viewing of pornography has been secretly recorded on your webcam.' However, the attack, which security researchers named 'sextortion,' was designed to make users believe their PC had been hacked by sending them an email containing their own email password, rather than actually hacking their webcam.

Cyber attacks are rapidly increasing, threatening to take videos of people secretly watching porn and demanding ransoms - GIGAZINE



In the case of Stealerium, the attacker takes screenshots of websites containing keywords such as pornography and also takes photos of the target with the webcam. The attacker then threatens to publish the victim's face while browsing pornographic sites. While malware that hacks webcams is common, 'malware that detects pornography and automatically takes photos is almost unheard of,' says Proofpoint researcher Kyle Kutsch.

in Security, Posted by log1e_dh