
Features 22.07.2025
How Infostealers Come For Your Business Data
Responsible for three quarters of last year’s credential thefts, infostealers are not to be underestimated
You’ve read the stories about most passwords being easy to crack. You’ve got yourself a password manager, with a different complex password for every resource you access. Some of your services even offer MFA that you’ve turned on. So you think your credentials are safe. But what about the software that watches your keyboard, or even your screen, looking for valuable data to pilfer?
Infostealer malware is a scourge, and it’s especially dangerous because it has no respect for the most trusted security mechanisms. It flies under the radar, looking for sensitive personal information in places you didn’t anticipate.
“Infostealers silently steal credentials, cookies, and tokens from infected devices,” says Dray Agha, UK threat operations manager at cybersecurity company Huntress. This is only one of their data-harvesting techniques, though. Among others, he also lists keylogging to capture credentials in real time, and form-grabbing to intercept data before it’s encrypted.
“Keylogging is particularly dangerous because it records every keystroke, capturing passwords and other sensitive inputs,” warns Kevin Curran, professor of cybersecurity at Ulster University. “Credential dumping is another common method, extracting stored credentials from browsers, password managers, and the system itself.” Memory scraping to sniff out secrets lurking in your RAM is another infostealer trick.
Infostealers can also help their operators get past MFA defences through session stealing. If they dump cookies or OAuth tokens from browsers, attackers can reuse those sessions and skip the login step entirely, so they never face an MFA challenge in the first place.
This virulent form of malware is so good at what it does that it’s the primary credential-stealing method today. According to Flashpoint, infostealers were responsible for three-quarters of last year’s credential thefts, slurping up 2.1 billion credentials from a staggering 23 million hosts. eSentire’s Identity-Centric Threats report has charted the category’s rise over the last two years, from 11% of all malware incidents in Q1 2023 to 35% in Q1 2025. Business services and software are the two most impacted industries, it says, although manufacturing, legal, and financial aren’t far behind.
Threat intelligence also suggests that infostealers are often a precursor to other kinds of cybercrime. Verizon’s Data Breach Incident Report this year found that 54% of ransomware victims’ stolen credentials showed up in infostealer logs and marketplace postings first, making it likely that infostealers are often a pipeline to feed access credentials to other criminals.
“Like a skeleton key, this stolen data unlocks multiple future attacks,” Agha points out. eSentire’s report also says that attackers are often unwilling to leave the scene of the crime; they frequently use infostealers alongside other tools like remote access trojans (RATs), so that they can follow up their initial information theft with other activities.
The Snowflake breach in April 2024 was a good example of that criminal pipeline. Attackers gathered credentials for users of the enterprise data storage software Snowflake using a collection of infostealers.
In short, infostealers are more than just another form of malware; they’re a foundational tenet of modern cybercrime. No wonder, then, that they’re such big business. They generate lots of cash for their developers but are very affordable for would-be online thieves.
The veteran Redline package can be had for as little as a $150 flat fee, say researchers, but advanced features such as network sniffing can push prices for premium infostealers higher. The number one package so far this year, ‘Lumma’, is available in tiered pricing plans ranging from as little as $250 through to $1,000. Those who license it distribute it via various means, including fake game cheats and cracked installers.
Because they generate so much revenue, these packages benefit from some serious technical know-how. Lumma, for example, is renowned for its ability to siphon information from targets without raising awareness. Sending it gradually in small packets rather than trying to dump it all at once enables attackers to harvest more of their victims’ data without alerting security systems.
That same package also features other techniques, such as filters that prioritise high-value credentials, eliminating the need for users to sift through stolen data for the good stuff.
Companies are fighting back. In May this year, Microsoft revealed it had worked with courts to take down some 2,300 malicious domains that underpinned the Lumma infrastructure. It sinkholed the domains, stopping large numbers of infected devices from relaying their data. eSentire’s report reveals that Lumma peaked at 8.65% of disrupted threats in Q4 last year after a sharp rise, but regressed in Q1. Microsoft said that it has already seen the malware’s operator attempt to rebuild their infrastructure, but that it will continue to make this as difficult as possible with help from tech partners.
Once infostealers pilfer data, the effects can resurface years later. “Credentials remain usable for 2-5 years or more,” says Agha, who adds that the type of credential is a factor in how long it will last. “Cookies and tokens offer shorter-term access. Stolen databases are ‘perpetual weapons’.”
This longevity is due in part to an increasing tendency not to rotate passwords. The National Cyber Security Centre (NCSC) in the UK now advises organisations not to force periodic password resets. The rationale for that, in part, is that “stolen passwords are exploited immediately”.
Well, apparently not always. The Snowflake attack is illustrative here. Mandiant’s report on the incident found that some of the credentials stemmed from infostealer infections dating back to 2020. At least four in five of the credentials used had been previously exposed, the Google-owned security company said.
As with so many other aspects of cybersecurity, AI is pushing the boundaries for both attackers and defenders. Bad actors can use the technology to develop infostealer malware without specialised technical skills. Staff at cybersecurity company Cato CTRL jailbroke large language models to write proof-of-concept infostealer software (in their case, a malicious Chrome extension).
On the defensive side, AI could use behavioural analytics to look for anomalies in information movements and software activities, spotting malicious data flows.
So, what can organisations do to help protect themselves against a virulent threat that seems to subvert so many existing defence techniques?
Even though infostealers are insidious, you shouldn’t abandon general best practices, say experts.
“Using reputable anti-virus and anti-malware solutions with real-time scanning is essential for detecting and blocking threats such as spyware and keyloggers,” says Curran. “And instead of saving credentials in web browsers (an approach highly vulnerable to infostealer malware), users should rely on trusted password managers to generate and store strong, unique passwords securely.”
Similarly, just because some infostealers bypass MFA doesn’t mean that you shouldn’t use it. “Enforce phishing-resistant MFA like FIDO2 keys,” advises Agha.
The protocols underpinning FIDO2 go beyond the simple shared codes that you’ll find in SMS or even many authenticator-based MFA apps. They store credentials as unique keys, bound to specific domains, which makes phishing from fake sites practically impossible. It also keeps private keys on the device so that infostealers can’t sniff them from your keyboard or screen.
Other steps you can take include limiting application permissions and disabling services like Bluetooth and file sharing to limit potential entry points, say experts.
Beyond that lies a bigger change in mindset: assume compromise. That means monitoring for stolen credentials on the dark web, so that you can tell as quickly as possible whether the online criminal underworld has vacuumed up your information.
Assuming that you’ve already been pwned also means applying zero-trust principles so that infostealers can’t spread to target more devices. If your organisation has many people using their own devices for work, review what you’re making available. Infostealers often target personal tech. The DBIR found that 46% of stolen credentials came from systems that were non-managed and had both personal and business credentials.
Infostealers place us in a new reality of perpetual credential warfare. Attackers already know this, and so do many cybersecurity experts. The challenge for most organisations will be adapting their cybersecurity stance to reflect a strange and threatening new world.