A ‘significant increase’ in infostealer malware attacks left 3.9 billion credentials exposed to cyber criminals last year – and experts worry this is a ticking time bomb for enterprises


Researchers have warned that billions of credentials exposed to cyber criminals were sourced from infostealer logs last year, creating a ticking time bomb for enterprises as hackers begin cracking into systems.

KELA Cyber Threat Intelligence’s State of Cybercrime 2024 report singled out infostealers as a persistent threat that usually serve as “precursors to advanced attacks, including ransomware and espionage”.

The firm said it observed more than 4.3 million machines around the world that had been infected with infostealer malware, such as Lumma stealer or RedLine, in 2024.

It estimated that this would account for more than 330 million credentials compromised using infostealers, which it said was slightly higher than the figures from 2023.

KELA warned that these credentials could be leveraged in future attacks that could balloon into “massive extortion campaigns”, citing the string of attacks leveraging compromised Snowflake credentials throughout 2024 that impacted at least 165 different companies.

In addition to the 330 million credentials KELA identified, the report said it also observed 3.9 billion credentials shared in the form of credential lists. These credential lists, commonly referred to as url:login:pass (ULP) files by threat actors, are compilations of data obtained during attacks.

These could be credentials harvested from a diverse range of sources, such as third-party breaches or phishing, but the report claimed that most ULP files are sourced from infostealer logs.
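As an added illustration, not taken from the KELA report or the article, the snippet below parses the url:login:pass (ULP) layout described above and reports which accounts on a monitored domain appear in a dump, so they can be reset. The sample lines, the `example-corp.test` domain and the helper names are all constructed for this example.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample of url:login:pass lines in the shape the article describes.
# Hosts, logins and secrets are made up; note the duplicate entry and the
# malformed final line, both common in real compilations.
SAMPLE_ULP = """\
https://mail.example-corp.test/owa/:alice@example-corp.test:Hunter2!
https://portal.example-corp.test:8443/login:bob:s3cret
https://accounts.unrelated.test/signin:carol:pa55
android://com.example.app/:dave:qwerty
https://mail.example-corp.test/owa/:alice@example-corp.test:Hunter2!
garbage line without separators
"""

# Assumed: the domains the defender is responsible for.
MONITORED_DOMAINS = {"example-corp.test"}


def parse_ulp_line(line: str):
    """Split one url:login:pass line into (url, login, password) or None.

    The URL itself contains ':' (scheme, optional port), so we split from the
    right: the last two colon-separated fields are login and password.
    Caveat: a password that itself contains ':' cannot be recovered
    unambiguously from this format; such lines are mis-split by every parser.
    """
    parts = line.strip().rsplit(":", 2)
    if len(parts) != 3 or not parts[1] or "://" not in parts[0]:
        return None
    return parts[0], parts[1], parts[2]


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def is_monitored(host: str, domains) -> bool:
    return any(host == d or host.endswith("." + d) for d in domains)


def exposed_accounts(ulp_text: str, domains) -> dict:
    """Return {(host, login): occurrence_count} for entries on monitored domains.

    Passwords are deliberately dropped: triage needs to know which accounts
    to reset and which services to check, not the secret itself.
    """
    hits = defaultdict(int)
    for raw in ulp_text.splitlines():
        parsed = parse_ulp_line(raw)
        if parsed is None:
            continue  # skip lines that are not in url:login:pass form
        url, login, _password = parsed
        host = host_of(url)
        if is_monitored(host, domains):
            hits[(host, login)] += 1
    return dict(hits)


if __name__ == "__main__":
    for (host, login), n in sorted(exposed_accounts(SAMPLE_ULP, MONITORED_DOMAINS).items()):
        print(f"reset needed: {login} on {host} (seen {n}x)")
```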

Lumma remains the most popular infostealer malware strain according to KELA, and was responsible for 40.48% of the infected machines in its data lake.

Other top offenders were StealC (20.29%) and RedLine (16.43%), which KELA noted had been disrupted in October 2024 as part of Operation Magnus.

India, Brazil, and Indonesia were the top three most affected nations, together accounting for 20.12% of bots infected by infostealer malware in 2024.

KELA also highlighted the sensitive services most commonly targeted using these compromised credentials. The most frequently attacked were business cloud solutions (22.02%), CMS (21.19%), email (13.85%), and user authentication systems (11.5%).

How to protect yourself against infostealer threats

According to Huntress’ 2025 Cyber Threat Report, infostealers accounted for nearly a quarter (24%) of all cyber incidents in 2024, making it the most common threat category of the year.

Speaking to ITPro, Jaron Bradley, director of Jamf Threat Labs at Jamf, said infostealer campaigns are on the rise, with evidence suggesting they are a particularly effective tactic used by threat actors.

“There has been a significant increase in Infostealer campaigns, and they have proven highly effective, even on macOS. These stealers are designed to target specific locations on the user's hard drive, seeking critical files such as usernames, passwords, browser session data, cryptocurrency wallets, documents, and more.”

Bradley added that the initial stages of infostealer campaigns require actions from the victim, so by improving overall security awareness businesses can mitigate some of the threat they pose to their organization.

“Users should be cautious about opening software sent by strangers, particularly if it comes with unusual instructions, such as right-clicking or adjusting settings,” he explained.

“For these infostealers to fully succeed, they also require the victim's login password, which is typically obtained by simply prompting the user with a popup window. Users should always question why an application would need their login credentials before willingly providing them.”

As well as investing in improving company-wide security awareness, KELA suggested a number of additional countermeasures businesses can take to protect themselves.

These include deploying enhanced endpoint detection and response (EDR) solutions that use behavior-based analysis rather than solely signature-based methods to detect and isolate infostealer activity in real time.

Improved email security is also essential in preventing phishing attempts, which are the primary delivery method for infostealers, the report added.

Finally, network segmentation is another important defense layer used to limit lateral movement once the attacker is inside your perimeter and stop them from accessing critical systems and sensitive data.

Solomon Klappholz
Staff Writer