
Doenerium

Doenerium is an information stealer malware family. Microsoft Threat Intelligence linked it to a large December 2024 malvertising campaign that originated from illegal streaming and pirated-content sites: redirectors embedded in video frames funneled users through multiple hops to GitHub-hosted payloads that delivered stealers including Doenerium and Lumma. Microsoft reported that the campaign affected nearly 1 million devices, both consumer and enterprise systems, and that an infection could begin with a simple click on a play or unmute button, with no explicit download prompt and no credential entry. Microsoft Defender Experts also reported overlap between payloads in this campaign and the Doenerium malware family, based on binary properties and dropped components such as DLLs and HTML files, and noted that Doenerium-like payloads used command-and-control infrastructure historically associated with Lumma Stealer. Separate reporting cited Doenerium as an example of an infostealer built and distributed using Electron. The high-confidence context in the source material identifies Doenerium primarily as an infostealer associated with GitHub-hosted delivery, malvertising redirect chains, and illegal streaming-site infection vectors.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

MITRE ATT&CK

Techniques & procedures

3 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

1 technique
T1583.008 Malvertising (Evidence: 1)

Microsoft Threat Intelligence traced a December 2024 malvertising campaign that reached nearly 1 million devices back to illegal streaming sites, where redirectors embedded in video frames funneled users through several hops to information stealers such as Lumma and Doenerium hosted on GitHub.

Initial Access

1 technique
T1189 Drive-by Compromise (Evidence: 1)

Infections like these often need nothing more than a simple click on a play or unmute button to start the redirect chain, with no download prompt and no need to enter any credentials.

Credential Access

1 technique
T1539 Steal Web Session Cookie (Evidence: 1)

HSI has warned that the streams can expose viewers to malware and connections capable of stealing financial data.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (3)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.