
Malware & Threats

Infostealers: The Silent Smash-and-Grab Driving Modern Cybercrime

Competition among malware-as-a-service developers has transformed infostealers into refined, accessible tools for cybercriminals worldwide. The post Infostealers: The Silent Smash-and-Grab Driving Modern Cybercrime appeared first on SecurityWeek.

Infostealers

Infostealers have become the fulcrum of modern cybercrime. They enter silently, steal in stealth, and vanish. 

The evolution of this malware over the last ten years reflects the increasing professionalism of the criminal underground and the rise of cybercrime-as-a-service. The logs infostealers produce are the starting point for many of today’s breaches, identity thefts, and frauds.


Trevor Hilligoss, SVP of security research at SpyCloud Labs describes the history. His involvement with infostealers began when he worked in the US Army’s criminal investigation division, continued when he joined the FBI, and now persists at SpyCloud.

“Stealers are an example of the commodification of cybercrime delivered through malware-as-a-service (MaaS). Ten years ago, individual cybercriminals were highly sophisticated – but many have now changed emphasis from using the tools they develop to selling them. It’s been so successful it created a massive economy of commodity tool sets,” he explains. “You no longer need to be a skilled developer or hacker to gain access to tools that are incredibly effective when deployed at scale. Anyone can just buy or hire readymade malware from the MaaS marketplace.”

Infostealers are an example of a MaaS product. They increase the number of attackers, since operators no longer need to be technically sophisticated, and they create competition among the sophisticated developers. Because infostealer developers compete for customers, they continually refine and expand their product offerings.

Lin Levi, threat intelligence analyst at KELA

“As the market matures, competition within the MaaS landscape has intensified. A growing number of developers are entering the space, each offering new infostealer variants or improved services in an attempt to differentiate themselves. These offerings may compete on price, stealth capabilities, anti-analysis features, panel usability, or frequency of updates,” comments Lin Levi, threat intelligence analyst at KELA.

“Subscribers to these MaaS offerings gain access to intuitive management panels – often equipped with 24/7 technical support, regular feature updates, and detailed infection dashboards. These user-friendly platforms eliminate the need for malware development expertise, enabling actors to generate payloads, track infections, and extract stolen data at scale. Popular infostealer families such as RedLine, Lumma, and Raccoon are used simultaneously by thousands of operators, each customizing deployment for their own goals – ranging from credential theft to targeted intrusions.”

MaaS professionalism even includes marketing. “Starting in 2022, we observed an increase in infostealer advertisements in some underground forums as well as an increased interest in infostealer logs,” says Genevieve Clark, head of cybercrime analysis at Google Threat Intelligence Group (GTIG).

Jason Soroko, senior fellow at Sectigo

This is where we are today: expanding use of a continually improving product. “Early infostealers were little more than keyloggers, but by 2025 they have become turnkey identity credential harvesting systems with security mitigation techniques,” explains Jason Soroko, senior fellow at Sectigo.

Infostolen

“They no longer stop at saved credentials. Many now extract hardware IDs, personal documents, browser session cookies, and other fingerprinting data. ULPs (User Login Parsers), often bundled with these logs or as lightweight variants, include URL, username, and password entries – ready for direct use,” comments Andrew Alston, CEO at BreachAware on LinkedIn.

“Prominent infostealers typically extract and exfiltrate browser data – such as stored passwords, session cookies, and browsing history – as well as sensitive information from popular messaging, VPN, and FTP applications, gaming accounts, and cryptocurrency wallets,” adds Clark.

“Some infostealers also have some basic backdoor functionality, such as the ability to run arbitrary code. While these core features are relatively consistent, infostealer developers regularly update their tools in response to new security mechanisms designed to make it more difficult to harvest and decrypt this data.”

Infostealers can be targeted, but most often they are used indiscriminately to gather as much information as possible. The actors then bundle the stolen data into files called logs. These logs are widely shared and sold across underground markets and criminal communities.

“A major advantage of obtaining accesses from infostealer logs is they can allow threat actors to search for specific types of accounts depending on their goals. The broad distribution of infostealers, coupled with the wide range of information they can collect from victims, provides a plethora of credentials and sensitive information for threat actors to work with,” explains Zach Riddle, principal threat intelligence analyst at GTIG.

This model allows log buyers to search for their preferred quality within the vast quantity available. Some criminals will be seeking credentials for corporate VPNs, which can act as a foothold for further lateral movement within a network. Others will be looking for access tailored for other purposes, such as extortion, or cloud assets for illicit cryptocurrency mining.

For example, teams across Google Cloud have tracked an actor known to GTIG as Triplestrength since 2023. Targets include cloud resources for cryptocurrency mining, and access is gained by leveraging stolen credentials. “Based on analysis of attacker-owned infrastructure,” says Riddle, “GTIG determines the actor relied on Raccoon infostealer logs as the source of at least a portion of the stolen credentials and cookies. The actor had access to credentials for Google Cloud, AWS, and Linode. Furthermore, Mandiant has observed personas connected to the group routinely advertise access to servers, including those provided by Google Cloud, AWS, Azure, Linode, OVHCloud, and Digital Ocean.”

Although some attack groups use infostealers to provide access for their own future activities, infostealers and access brokerage generally go hand-in-hand in the MaaS marketplace. 

Operation

This explains the evolution and purpose of infostealers, but it doesn’t explain their success, which is largely down to two characteristics: speed and stealth. Infostealers are better compared to a silent high-street jewelry smash-and-grab raid than to other forms of theft: smash the window (gain entry), grab the jewels (collect the information), and run away quickly.

The one big difference is that successful infostealers do this without leaving any evidence that a crime has been committed. They reach the jewels without having to smash the window, and they stay hidden from view – a stealthy smash-and-grab that is often all over within a few minutes.

The stealth aspect is vital. If the victim knows it is a victim, it will change its passwords, rendering any stolen access credentials of little value to the criminals. The attack process is silent entry, stealthy operation, undetected exfiltration, and removal of all traces. 

Phishing remains a primary route to initial access. But the goal is not simply to steal credentials for one purpose, such as banking details: infostealers want it all. An increasingly common tactic, for example, is to use fake CAPTCHAs and social engineering to deliver the infostealer. A typical attack of this kind simply directs the victim to a fake website (perhaps a clone of a well-known domain).

The fake page will display a fake CAPTCHA. The target will not be surprised, because many websites use CAPTCHAs as part of their own security defense against bots. However, when the target clicks the expected ‘I am not a robot’ button, the fake page loads a LOLBIN command into the target’s clipboard. It could, for example, be an obfuscated and malicious PowerShell command.

The target will be unsurprised by subsequent requests from the CAPTCHA to prove ‘humanness’. This is where the attacker’s social engineering skill comes in. The target must be persuaded to open the Run dialog box, press CTRL-V, and press ENTER. If successful, this results in the infostealer being loaded straight into memory without ever touching disk, and therefore remaining invisible to file-based malware detection.

The process is often successful because the user expects the CAPTCHA to require certain actions, but will likely be tired of the frequency of such demands and impatient to comply and move on. Lumma and Vidar are both known to have been delivered by fake CAPTCHA campaigns.
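The fake-CAPTCHA chain above leaves a recognisable trace in endpoint telemetry: a script host or other LOLBIN spawned interactively by explorer.exe (the Run dialog) with a hidden-window, encoded, or download-and-execute command line. The detection below is an added example, not code from the article or any vendor quoted in it; the log format and sample events are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Script hosts and LOLBINs a pasted one-liner would typically invoke.
LOLBINS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe"}

# Command-line traits of an in-memory loader: hidden window, encoded payload,
# or download-and-evaluate without touching disk.
SUSPICIOUS = [
    re.compile(r"-(?:e|enc|encodedcommand)\b", re.I),
    re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    re.compile(r"\biex\b|invoke-expression", re.I),
    re.compile(r"downloadstring|invoke-webrequest|\biwr\b", re.I),
]

@dataclass
class ProcEvent:
    parent: str   # parent image name
    image: str    # child image name
    cmdline: str  # child command line

def score(evt):
    """Return (score, reasons) for one process-creation event."""
    reasons = []
    if evt.image.lower() not in LOLBINS:
        return 0, reasons
    # explorer.exe as parent means the user launched it, e.g. via Win+R.
    if evt.parent.lower() == "explorer.exe":
        reasons.append("LOLBIN launched interactively from explorer.exe (Run dialog)")
    for pat in SUSPICIOUS:
        if pat.search(evt.cmdline):
            reasons.append(f"cmdline matches /{pat.pattern}/")
    return len(reasons), reasons

def flag_clickfix(events, threshold=2):
    """Return (event, reasons) pairs that reach the threshold."""
    hits = []
    for evt in events:
        s, reasons = score(evt)
        if s >= threshold:
            hits.append((evt, reasons))
    return hits

# Constructed sample telemetry (not real logs). The base64 is a placeholder.
SAMPLE_EVENTS = [
    ProcEvent("explorer.exe", "powershell.exe", "powershell -w hidden -enc UGxhY2Vob2xkZXI="),
    ProcEvent("explorer.exe", "powershell.exe", "powershell.exe"),   # admin opening a console
    ProcEvent("code.exe", "powershell.exe", "powershell -NoProfile -File build.ps1"),
]
```

On Windows, the text typed into the Run dialog is also recorded under the user's RunMRU registry key, which corroborates an alert from this logic during triage.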

Once in memory, the infostealer scours the victim’s system for the data it wants. This data is typically archived and compressed into a single file. The file is encrypted to avoid detection by any network defenses and then sent to the attacker.

Increasingly, legitimate chat services such as Telegram and Discord are used as the destination. Alternatively, cloud storage services like Dropbox, Google Drive, or OneDrive may be used to receive the data into attacker-controlled accounts.
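Because the upload goes to a trusted service and is encrypted, content inspection rarely helps; what stands out is the sending process and the volume. The logic below flags uploads to the services named above when they come from a process that is not a normal client of that service, or when they are unusually large. It is an added example, not code from the article; the hostnames, log format, and sample lines are assumptions constructed for illustration.

```python
# Services the article names as exfil destinations. Hostnames are illustrative
# assumptions; tune them to the upload endpoints you actually see in proxy logs.
EXFIL_SERVICES = {
    "api.telegram.org": ("Telegram bot API", "/bot"),
    "discord.com": ("Discord webhook", "/api/webhooks"),
    "content.dropboxapi.com": ("Dropbox upload", "/"),
    "www.googleapis.com": ("Google Drive upload", "/upload/drive"),
    "graph.microsoft.com": ("OneDrive upload", "/"),
}

# Processes expected to talk to those services; anything else is worth a look.
EXPECTED_CLIENTS = {"chrome.exe", "firefox.exe", "msedge.exe", "telegram.exe",
                    "discord.exe", "dropbox.exe", "onedrive.exe"}

def parse_proxy_line(line):
    """Constructed format: '<ts> <host> <process> <dest_host> <path> <bytes_out>'."""
    ts, host, proc, dest, path, bytes_out = line.split()
    return {"ts": ts, "host": host, "proc": proc.lower(),
            "dest": dest.lower(), "path": path, "bytes_out": int(bytes_out)}

def find_exfil(lines, min_bytes=100_000):
    """Return (host, process, service, bytes_out, reason) for suspicious uploads."""
    alerts = []
    for rec in map(parse_proxy_line, lines):
        svc = EXFIL_SERVICES.get(rec["dest"])
        if not svc or not rec["path"].startswith(svc[1]):
            continue
        if rec["proc"] not in EXPECTED_CLIENTS:
            reason = "unexpected client process"
        elif rec["bytes_out"] >= min_bytes:
            reason = "bulky upload"
        else:
            continue
        alerts.append((rec["host"], rec["proc"], svc[0], rec["bytes_out"], reason))
    return alerts

# Constructed sample proxy lines (not real traffic); tokens are placeholders.
SAMPLE_LINES = [
    "2025-01-01T10:00:01Z WS01 powershell.exe api.telegram.org /botPLACEHOLDER/sendDocument 2400000",
    "2025-01-01T10:00:05Z WS02 chrome.exe discord.com /api/webhooks/PLACEHOLDER 1800000",
    "2025-01-01T10:01:10Z WS03 telegram.exe api.telegram.org /botPLACEHOLDER/getMe 4200",
    "2025-01-01T10:02:00Z WS04 outlook.exe outlook.office365.com /owa 900000",
]
```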

Trevor Hilligoss, SVP of security research at SpyCloud Labs

The malware runs from memory, and the exfiltration goes unnoticed: the encrypted archive is invisible to security tools that inspect content, and it is sent to destinations the network already trusts. Once received, the attacker collects and collates the data into ‘logs’ that are then sold on in the criminal marketplaces.

“Accounts and services found in these logs, such as credentials for corporate virtual private networks (VPNs) and other enterprise services, can act as a foothold for further lateral movement within a network,” explains Riddle. “Alternatively, actors may search infostealer logs for accesses tailored to other operations, including systems containing sensitive information for data theft extortion operations or cloud assets for illicit cryptocurrency mining activity.”

All that remains for the infostealer is to clear evidence of its presence from the victim’s system. “It will have some kind of module that will execute on completion,” explains Hilligoss. “It will delete its binary, and it will delete any files staged to be exfiltrated.” Technically, those deleted files could still be recovered forensically – for a short while at least – if anybody looks for them, but with a successful infostealer operation nobody is looking.

“Once executed they harvest browser-stored passwords, cloud session cookies, single sign-on tokens, crypto wallet keys, MFA recovery codes, and selected document files,” says Soroko, “then compress and encrypt everything before transmitting it to command servers or directly to Telegram bots in under a minute, often deleting themselves afterward or handing control to a ransomware stub.”

The infostealer logs available on the criminal marketplace are usually acquired by financially motivated criminals but can also be used by nation state actors. “Infostealing is mostly a financially motivated crime activity, although due to the relative accessibility of the leaked credentials, and potential overlaps of their targets, nation state actors are using credentials from the dark web as well, and why wouldn’t they? It provides cover for initial access,” comments Balazs Greksza, director of threat response at Ontinue.

Summary

The size and speed of infostealers – they are likely to come and go within minutes – belie the potential effect of their actions. For example, an individual employee may be working at home on a personal device and yet still have access to the employer’s corporate network, courtesy of password synchronization by the browser.

“In April 2024, a financially motivated threat actor, UNC5537, used stolen credentials to access the Snowflake customer instances of multiple organizations,” says Riddle. “These credentials were primarily obtained from infostealer malware campaigns that infected the work or personal computers of the employees and contractors that accessed Snowflake customer instances. This allowed the threat actor to gain access to the affected customer accounts and led to the theft of a significant volume of customer data from their respective Snowflake customer instances. Subsequently, the threat actor attempted to extort many of the victims directly and sought to sell the stolen customer data on cybercriminal forums.” 

The Snowflake breach was one of the major cyber incidents of 2024. In June 2024, Mandiant reported that some 165 organizations were subsequently affected. “Mandiant has seen increased attention on infostealers and their role in enabling often short-lived, yet deeply impactful intrusions. Notably, Mandiant determined stolen credentials were used for initial access in 16% of incidents they responded to in 2024, an increase from 10% in 2023,” continues Riddle.

“The recently renewed focus on infostealers by malicious actors – and consequently cybersecurity organizations – could signal drastic shifts in the ways cyber criminals abuse and monetize data obtained from infostealers. We anticipate that actors of varying motivations and levels of sophistication will continue to demonstrate a significant interest in leveraging stolen credentials as an initial intrusion vector. Given the wide availability and long-standing presence of infostealers in underground communities and illicit operations, organizations must be aware of the direct and indirect risks posed by infostealers.”

Related: Interpol Targets Infostealers: 20,000 IPs Taken Down, 32 Arrested, 216,000 Victims Notified

Related: Microsoft Says One Million Devices Impacted by Infostealer Campaign

Related: Infostealer Infections Lead to Telefonica Ticketing System Breach

Related: Infostealer Masquerades as PoC Code Targeting Recent LDAP Vulnerability
