How infostealers have changed the cybersecurity landscape
Many of the recent wave of high-profile cyberattacks can be traced back to the theft of a single set of credentials which have allowed the attacker to access and move within a corporate network.
A new report from Flashpoint looks at the rise of large-scale information-stealing malware campaigns and how ‘infostealer’ malware has been a key enabler, responsible for the theft of over 1.8 billion corporate and personal email accounts, passwords, cookies, and other sensitive data.
The challenge for security teams is that defending against infostealers needs more than just knowing a breach occurred. It requires visibility into the illicit marketplaces where these stolen logs are bought, sold, and weaponized.
Ian Gray, Flashpoint VP of intelligence, says, "Data theft tools known as infostealers have facilitated massive-scale compromises of user credentials and session tokens. The output files from these infections, called infostealer logs, have transformed such attacks into a pathway for gaining corporate network access and launching subsequent operations. A single log file can capture enough host and session information to enable attackers to move laterally through systems and achieve complete network compromise. Given the 800 percent surge in infostealer infections during 2025, defensive strategies must shift toward proactive monitoring of stolen session cookies and corporate device metadata -- eliminating the risk before attackers can orchestrate a full network breach."
The most prolific infostealers include Lumma Stealer (also known as LummaC2), which is available on a Malware-as-as-Service (MaaS) model, with fully automated monthly purchasing subscriptions ranging from $250 to $20,000 USD, making it accessible to a wide range of threat actors.
StealC is rapidly emerging as most likely to replace Lumma in terms of market share. Written in C, StealC first appeared in February 2024, and has gained traction thanks to its file grabber and browser information-stealing capabilities.
Vidar, dating from the end f 2018, can exfiltrate text files in multiple formats, browser cookies and history, browser records -- including data from TOR -- as well as auto-fill value information including banking and credit card details. Vidar can also search for cryptocurrency wallet information, take screenshots, and record private messages from various software.
You can get The Proactive Defender’s Guide to Infostealers, which includes strategies for effective defense, from the Flashpoint site.
Image credit: djbagaha/depositphotos.com