A phishing operation themed around an “Executive Award” notification is being used to deploy the Stealerium malware through a multi-stage loader chain.
According to reporting from Cyber Press, threat actors are distributing phishing emails that contain an HTML attachment titled Virtual-Gift-Card-Claim.html. The file presents a corporate-branded award claim page that prompts users to enter their credentials, which are then transmitted to a Telegram bot controlled by the attackers. After the credential theft stage, a malicious SVG file is executed and triggers a PowerShell-based ClickFix sequence that retrieves additional payloads from a remote server and installs the Stealerium infostealer.
The HTML attachment is crafted to resemble internal reward notifications, increasing the chance that employees will interact with it. After input fields capture usernames and passwords, the attackers route the information through Telegram’s API, allowing rapid exfiltration without relying on traditional command infrastructure. The embedded SVG file contains obfuscated script code designed to launch PowerShell without displaying visible prompts. The ClickFix technique used in this campaign uses native Windows execution paths so that the PowerShell commands appear consistent with normal system behaviour, reducing the likelihood of immediate detection.
Security analysts noted that the remote server hosting the second-stage components organized its payloads using separate endpoints for commands, scripts, executables, and DLL files. Once the Stealerium DLL is delivered and loaded, it collects browser information, saved passwords, cryptocurrency wallet data, and other stored credentials. Investigators also observed Telegram bots used for both initial credential theft and for exfiltrating the output of the Stealerium module. The threat group configured AES encryption for outbound communication, which makes traffic inspection more challenging for network defenders.
GBHackers say the Stealerium activity “underscores how attackers are increasingly combining multiple techniques to maximize their success, making both credential theft and malware infection objectives of a single operation.” The lure is simple enough to pass as an everyday internal message, yet the chain behind it moves quickly from an HTML form to an SVG script and then to a PowerShell loader that hides inside normal Windows behaviour. Analysts also stressed the operational steps defenders can take, noting that “security teams should block the identified indicators of compromise, including the malicious file hashes and the attacker’s IP infrastructure.” The campaign shows how easily routine corporate themes can be turned into multi-stage compromises when users are pushed toward entering credentials before they have time to question the source.
The combined use of HTML forms, SVG scripting, and PowerShell activity routed through ClickFix results in traffic that blends with legitimate system behaviour.
Telegram provides the attackers with an accessible and resilient exfiltration channel and reduces their reliance on custom infrastructure that can be taken offline.
Stealerium targets browser data, saved logins, autofill content, cryptocurrency wallets, and session tokens.
Security teams can monitor for unexpected PowerShell network activity, inspect HTML attachments that request credentials, and block outbound connections to Telegram APIs when they are not required.
Award-themed lures of this kind imitate internal workflows that employees expect to see, reducing suspicion and increasing the chance that users will submit credentials or open attached files.
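As an added example, not taken from the Cyber Press or GBHackers reporting, the following Python triage check implements the attachment-inspection step described above: it parses an HTML attachment and flags the traits this campaign combines (a password field, a reference to the Telegram bot API, an SVG carrying script or an event handler, and a PowerShell reference). The sample lure HTML, the placeholder bot token and the scoring heuristics are constructed assumptions, not indicators from the campaign.

```python
import re
from html.parser import HTMLParser

# Heuristic patterns (assumptions, not campaign IoCs)
TELEGRAM_BOT_API = re.compile(r"api\.telegram\.org/bot", re.IGNORECASE)
POWERSHELL_REF = re.compile(r"\bpowershell\b|\bmshta\b", re.IGNORECASE)


class AttachmentInspector(HTMLParser):
    """Collects structural indicators of a credential-harvesting attachment."""

    def __init__(self):
        super().__init__()
        self.password_fields = 0   # <input type="password"> count
        self.svg_depth = 0         # >0 while inside an <svg> element
        self.svg_script = False    # <script> or on* handler inside <svg>

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag == "input" and attrs.get("type", "").lower() == "password":
            self.password_fields += 1
        if tag == "svg":
            self.svg_depth += 1
        if self.svg_depth and (tag == "script" or any(k.startswith("on") for k in attrs)):
            self.svg_script = True

    def handle_endtag(self, tag):
        if tag == "svg" and self.svg_depth:
            self.svg_depth -= 1


def assess_html_attachment(html: str) -> dict:
    """Return the indicators found plus a score (number of indicators present)."""
    parser = AttachmentInspector()
    parser.feed(html)
    findings = {
        "password_field": parser.password_fields > 0,
        "telegram_bot_api": bool(TELEGRAM_BOT_API.search(html)),
        "svg_script": parser.svg_script,
        "powershell_reference": bool(POWERSHELL_REF.search(html)),
    }
    findings["score"] = sum(1 for v in findings.values() if v)
    return findings


# Constructed sample lure: award-themed claim page, password field, inline SVG with
# an event handler, and a script referencing the Telegram bot API (placeholder token).
SAMPLE_LURE = """<html><body><h2>Executive Award: claim your virtual gift card</h2>
<form><input name="user"><input type="password" name="pass"></form>
<svg width="1" height="1" onload="next()"></svg>
<script>var api = "https://api.telegram.org/botPLACEHOLDER_TOKEN/sendMessage";</script>
</body></html>"""

# Constructed benign page: a login form alone should score low.
SAMPLE_BENIGN = '<form><input name="u"><input type="password" name="p"></form>'
```

A score of 2 or more on an inbound attachment is a reasonable quarantine threshold; a lone password field is common on legitimate pages.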