Infostealer Malware & Credential Theft Trends in 2025

Infostealers Surge in Cybercrime: Information stealing malware infostealers have become a cornerstone of cybercrime, quietly harvesting passwords, cookies, crypto wallet keys, and other data at massive scale. These stolen credentials enable a range of follow on attacks, from ransomware to fraud.
What Data Is Targeted: Stealer malware focuses on high value data saved browser passwords, autofill data names, addresses, phone numbers, session cookies/tokens, system info, and cryptocurrency wallets. Many variants even grab files e.g. authenticator backups or password lists and take screenshots.
Stolen Logs = Criminal Currency: The packages of stolen data stealer logs are sold on dark web markets and Telegram channels for as little as $1 up to $100+ per log. Initial access brokers comb through logs for corporate logins, selling network access for hundreds or thousands of dollars. Such logs have fueled ransomware over half of recent ransomware victims had infostealer traces beforehand.
Who Is Most at Risk: Remote workers and BYOD users blur personal and work credentials, making them prime targets 46% of infostealer infected devices were personal/BYOD used for work. Small and mid size businesses SMBs are heavily hit detections jumped 104% YoY and SMBs often lack the defenses of larger enterprises. Cryptocurrency enthusiasts are targeted for wallet keys, and any organization reliant on cloud/SaaS accounts faces elevated risk since infostealers now target those credentials.
Defensive Takeaway: Security teams must treat infostealers as a pervasive threat. Prioritize endpoint detection tuned to credential theft behaviors, harden browsers limit or encrypt saved passwords, enforce strong password hygiene and multi factor authentication MFA, and monitor for your users’ credentials appearing in stealer logs. Educate employees about phishing, fake software, and malicious browser extensions common infection methods to prevent infostealers from ever gaining a foothold.

Information stealing malware infostealers or stealers are malicious programs designed to covertly siphon sensitive data from infected systems. Unlike noisy ransomware that announces its presence, infostealers operate stealthily, often remaining undetected while they pilfer credentials, browser cookies, credit card numbers, crypto wallet keys, and more. The stolen data is compiled into archives known as stealer logs, which have become a hot commodity in the underground economy. In 2024, infostealer activity reached unprecedented levels IBM X Force observed an 84% year over year increase in infostealers delivered via phishing emails. Mandiant reported that stolen credentials many sourced from infostealer logs became the second most common initial infection vector in 2024, involved in 16% of incidents second only to exploits. This trend underscores a decisive shift: instead of breaking in through exploits, threat actors are simply logging in with stolen passwords.

Several industry reports highlight why 2025 has seen an infostealer escalation. Verizon’s Data Breach Investigations Report DBIR found that credentials stolen by infostealers played a role in a huge share of breaches; 54% of ransomware victims had their domains appear in infostealer credential dumps. IBM’s Threat Intelligence Index noted credential harvesting was the top attack impact in 29% of incidents. Meanwhile, the sheer volume of data stolen is staggering. One security analysis found 53 million+ compromised credentials and 13 million infected devices tied to infostealer activity in 2024. In short, infostealers provide the fuel a trove of login data and identity artifacts that powers countless cybercrimes, from account takeovers and fraud to ransomware attacks facilitated by easy network access. This article examines how stealer malware works and ranks the top infostealer families of 2025 by their impact on the threat landscape, with a focus on Lumma Stealer, RedLine, Raccoon, and Vidar prolific malware families that epitomize this threat.

How Stealer Malware and Log Markets Work

Infostealer malware typically spreads via social engineering and trojanized software, infecting PCs en masse to gather as many credentials as possible. Once on a victim machine, a stealer will quickly harvest sensitive data common techniques include form grabbing intercepting data users submit in web forms and keylogging to capture passwords as they are typed. Most stealers target web browsers as a primary source, extracting saved passwords, stored credit card details, cookies, browser history, and auto fill records. Many also look for popular application data: email client logins, FTP client credentials, VPN and remote access tool passwords, chat app tokens, gaming service logins, and cryptocurrency wallet files. All of this information is gathered silently in the background, often before endpoint security tools can detect the malicious activity.

After collecting data, the malware compiles the loot into a stealer log typically a ZIP file or folder containing multiple text files and folders. For example, a single infostealer log may include files like All Passwords.txt all captured credentials with associated site names, Cookies\ a folder of stolen browser cookie files, Wallets\ cryptocurrency wallet data, Autofill.txt saved form data like names and addresses, System.txt system info such as OS, IP address, hardware details, and even a desktop screenshot Screen.png. The stealer then exfiltrates this bundle to the attacker either directly to a command and control C2 server or via intermediary channels some stealers send logs over HTTP POST, others use Telegram bots or cloud storage. Notably, infostealers historically did not maintain long term persistence on the host many are smash and grab, meaning they run, dump data, send it off, and self delete. This is beginning to change; a few newer variants install persistence to collect data over time more on that later. In most cases, by the time a victim notices anything amiss if ever, their data is already packaged and shipped to criminals.

Once exfiltrated, stealer logs become currency on the underground market. Cybercriminals aggregate and sell these logs on dark web marketplaces or private channels. For instance, the Russian Market and other illicit forums offer automated shops where buyers can search stolen logs by keywords, company domain, software, etc.. Telegram channels also serve as bazaars for fresh logs. The value of logs lies in the credentials and identity data they contain other threat actors purchase them to facilitate their own attacks. A single log might be sold to multiple buyers or in exclusive sales for premium data. Prices vary widely: an individual machine’s log might sell from $1 up to $100 or more depending on the richness of the accounts logs with banking, crypto, or corporate logins fetching higher prices. Meanwhile, initial access brokers IABs parse logs for valuable enterprise credentials VPN logins, RDP passwords, SaaS accounts and sell network access to those organizations for anywhere from a few hundred to several thousand dollars. In effect, infostealer logs enable a supply chain of crime: one group steals the data, another monetizes it through resale or leveraging the creds directly. This ecosystem has matured such that stolen passwords are now the lifeblood of many attacks Verizon reported 88% of web application breaches involved stolen credentials, and Mandiant emphasizes that access obtained via infostealers is a key enabler for intrusions across the board.

Ranking Methodology

Alt text: Infographic outlining five criteria for ranking infostealer malware in 2025, including prevalence, data theft scope, ease of deployment, evasion, and real-world impact.

Not all infostealer families are equal. This ranking focuses on the most impactful stealer malware of 2025, based on several criteria:

Prevalence & Distribution: How widespread is the malware in the wild? High prevalence stealers are seen in large infection numbers and appear frequently in incident response cases or malware telemetry. For example, RedLine Stealer was one of the most ubiquitous infostealers from 2020–2023 at one point responsible for 51% of infostealer infections, while in 2024–25 a newer threat, Lumma Stealer, surged to take the top spot in many reports. We prioritize families with significant, sustained volume as opposed to one off or very niche stealers.
Data Theft Scope: The breadth and sensitivity of data each malware can steal. All top tier stealers target common credentials, but some go further for instance, grabbing cryptocurrency wallets and authentication tokens, or even scanning files for secret keys. A stealer that only grabs browser passwords is less expansive than one that also lifts files from the desktop or tries to defeat browser password encryption. Each malware’s capabilities are considered.
Ease of Deployment MaaS Model: Many infostealers are sold as Malware as a Service MaaS on forums, meaning anyone can rent or buy them cheaply and use them without needing advanced skills. Malware that’s easy to access with low cost, active support, and user friendly panels tends to proliferate more widely. Ease of use factors, such as having a turnkey admin panel or being bundled in loader services, contribute to ranking because they lower the barrier for attackers.
Persistence & Evasion: Traditionally, infostealers are smash and grab and don’t persist, but newer versions are adding stealth features e.g. fileless execution, polymorphic builds, or registry run persistence and anti detection techniques encrypted strings, obfuscated code, etc.. Malware with more advanced evasion/persistence can pose longer term risk and harder detection challenges, raising its threat level.
Real World Impact and Abuse: We examine how each malware is actually being used. Are there documented cases of it enabling major breaches or ransomware attacks? Are logs from this stealer commonly found in underground markets? For instance, Vidar Stealer was seen in about 17% of infostealer incidents in late 2024 second only to Lumma and was used to steal over 65 million passwords in just six months, indicating significant real world impact. We also consider whether notable threat groups or campaigns have leveraged the malware e.g. observed in initial access leading to ransomware. Frequent appearance in incident reports or threat intel boosts a malware’s ranking.

Using these criteria, we focus on four major infostealer families dominating the landscape in 2025: Lumma Stealer, RedLine, Raccoon, and Vidar. These were chosen due to their high prevalence as noted by multiple security sources and their central role in the underground credential theft economy. Notably, emerging stealers like RisePro, Stealc, and Atomic are also in circulation, some are even referenced as up and coming in vendor reports but unless they demonstrated significant adoption or innovation, they are mentioned only briefly. The following sections break down each top family in a consistent format to understand why they matter, how they work, and how defenders can respond.

Top Stealer Malware Families in 2025

Lumma Stealer

Type: Infostealer MaaS platform
Primary Targets: Web browsers credentials, cookies, browsing history, cryptocurrency wallets, system information, and other personal data.
Common Delivery Methods: Phishing emails with malicious attachments or links, fake software installers and updates e.g. cracked software downloaded from forums, bogus Codec or Chrome updates, malvertising malicious ads leading to Lumma payloads, and other social engineering lures.

Why It Matters: Lumma Stealer emerged in 2022 and by 2024 rose to prominence as one of the most widely abused infostealers. It operates as a Malware as a Service, criminals can subscribe for as low as ~$250 per month basic up to $20,000 for premium licenses which dramatically lowers the skill and cost required to launch campaigns. This MaaS model, combined with Lumma’s effectiveness, led to rapid adoption across multiple regions and sectors . By mid 2024, Lumma overtook older stealers in prevalence; IBM’s data showed LummaStealer as the most common infostealer in 2024, surpassing even RedLine. Threat actors gravitated to Lumma due to its adaptability and the advanced tactics seen in distribution. Campaigns distributing Lumma have employed everything from spear phishing with CrowdStrike lookalike installers impersonating security software updates to mass spam combined with vishing voice calls to convince victims to run the malware. In short, Lumma Stealer matters because it became a go to tool for cybercriminals in 2024–2025, fueling a huge volume of credential theft and appearing in countless log sales.

How It Works: Once executed on a Windows system, Lumma Stealer runs stealthily in the background, harvesting a wide range of information without obvious signs to the user. It first targets common sources of credentials: extracting saved usernames/passwords from browsers, pulling cookies and session tokens, and gathering auto fill data that might include addresses, phone numbers, and other PII. The malware also collects system details machine name, OS version, IP address, hardware identifiers which help attackers fingerprint the victim. Lumma is known to search for cryptocurrency wallet files for popular wallets like MetaMask or Exodus and can even target certain 2FA browser extensions to grab authentication data. All stolen data is aggregated and exfiltrated to the attacker’s server via encrypted channels, often a designated Lumma C2 panel. Initially, LummaStealer did not maintain persistence on the system meaning if the computer rebooted, it wouldn’t survive. However, recent variants introduced a persistence mechanism via registry Run keys to auto start the malware on reboot. This evolution shows the developers investing in longer term access. Lumma is also packed and obfuscated using techniques e.g. CypherIt packer, as noted by CrowdStrike to evade antivirus detection.

What Gets Stolen: LummaStealer’s data theft scope is broad. It snatches credentials and cookies from all major browsers Chrome, Edge, Firefox, Opera, etc., which often include website logins, stored session tokens, and even saved credit card info. It grabs browser histories and bookmarks useful for profiling the victim. It gathers system information like hostname, OS, installed software, and IP/location. It specifically hunts for cryptocurrency wallet files and seed phrases one report noted Lumma logs include files or indicators for wallets like MetaMask and Phantom a Solana wallet. Any installed crypto wallet applications are a target. Lumma also may steal messaging app data Telegram session files, Discord tokens and VPN client credentials if present similar to RedLine’s capabilities. In some campaigns, it was observed grabbing authentication cookies used for MFA bypass for instance, stealing session cookies that could let an attacker impersonate the user without needing a password. In summary, Lumma aims to vacuum up everything an attacker could monetize: passwords, financial info, digital currency, and platform tokens.

Observed Abuse: LummaStealer has been linked to both financially motivated cybercrime and espionage campaigns. On the cybercrime side, it plays a huge role in the credential theft economy Lumma logs are frequently sold on underground markets the malware’s own LummaC2 service has an invite only marketplace for logs and used for follow on fraud and network intrusions. For example, ransomware affiliates have likely sourced initial access via Lumma logs containing VPN or RDP credentials. One high profile incident in June 2024 involved Lumma being distributed via a fake CrowdStrike Falcon update, indicating that even savvy users IT personnel were targeted. On the espionage side, Cybereason reported that APT linked actors possibly with Russian or Chinese backing leveraged Lumma in targeted attacks against logistics and transportation companies in North America. In those cases, spear phishing emails delivered Lumma to conduct data theft on corporate networks potentially to gather emails, intellectual property, or as a foothold for further espionage. Additionally, Lumma has been a tool for cryptocurrency theft: campaigns aimed at individual crypto holders have used Lumma to steal wallet keys and 2FA tokens, leading to direct theft of crypto assets . The malware’s versatility useful for both financial crime and spying and wide availability mean it has shown up in a variety of threat investigations globally.

Defensive Notes: Defending against Lumma Stealer is challenging because of its rapid evolution and multi faceted delivery. New phishing lures and fake installer tactics are constantly observed from fake CAPTCHA sites to trojanized software on YouTube and GitHub links. Enterprises should implement layered defenses: block execution of unknown binaries, application allowlisting, and restrict scripting engines like PowerShell, which Lumma sometimes uses for payload delivery and even persistence setup . Network defenders can monitor for telltale signs: Lumma often uses newly registered domains NRDs for its C2 infrastructure, so connections to suspicious new domains or to known Lumma C2 addresses some campaigns use Telegram API as well should be flagged. On endpoints, focus on behaviors: the act of a process dumping browser credential stores or accessing browser SQLite files, or a user space process reading Firefox/Chrome profile data, could indicate an infostealer EDR tools can detect these suspicious actions. Since Lumma’s lack of initial persistence might allow it to slip by if not caught during execution, speedy detection is key. Also, because Lumma is often delivered via fake software cracks and updates, user education and web filtering play a role: blocking access to known crack sites and warning users against downloading software from untrusted sources can reduce infections. In short, a combination of technical controls, endpoint, network, DNS filtering and user awareness is required to counter Lumma’s threat.

RedLine Stealer

Type: Infostealer MaaS
Primary Targets: Broad credential and data theft across browsers and applications. RedLine steals browser passwords, cookies, and autofill data; credit card details saved in browsers; cryptocurrency wallet files; credentials for FTP/VPN/RDP and messaging apps; as well as system information like OS, IP, and hardware details. It also targets platform specific data e.g. saved login info for Steam gaming or Discord chats to maximize value.
Common Delivery Methods: RedLine historically has been spread via malicious email attachments, exploit kits, and trojanized software downloads. Many infections stem from social engineering lures: criminals have bundled RedLine with free software games, pirated productivity tools or posed it as popular apps ESET noted campaigns masquerading as ChatGPT installers and game cheats. Malvertising malicious ads linking to RedLine droppers, fake crack sites, and forum posts sharing infected software are other delivery vectors.

Why It Matters: First identified in 2020, RedLine Stealer became one of the most pervasive info stealers in the early 2020s. Its popularity was due to a perfect storm of features: it was sold cheaply and openly on Russian underground forums available to virtually any criminal, easy to use with a web based control panel, and effective at grabbing a wide array of valuable data. According to Kaspersky telemetry, RedLine accounted for over half 51% of all infostealer infections from 2020 through 2023 an astonishing share that attests to how many threat actors were leveraging it. This stealer essentially fueled the initial boom of the stolen log marketplace; throughout 2021–2022, RedLine logs became synonymous with big troves of credentials being sold in bulk. Even as newer competitors emerged, RedLine remained widely used though its dominance dipped by 2024, with IBM ranking it the fifth most used stealer as Lumma and others rose. Another reason RedLine matters is its involvement in real world incidents: many corporate breaches have been traced back to stolen RedLine credentials. Ransomware crews and access brokers have openly favored RedLine logs for finding VPN/RDP credentials to penetrate organizations. In essence, RedLine was a workhorse of cybercrime for several years, and even after law enforcement actions described below, its legacy and variants continue to threaten organizations.

How It Works: RedLine operates on a MaaS affiliate model. Buyers affiliates purchase a subscription monthly or lifetime and receive access to a web based control panel that allows them to generate customized malware binaries and receive stolen data. The RedLine malware binary, once delivered to victims via email attachment or download, executes and begins its info stealing routines. It will typically scan for installed browsers and applications and extract stored credentials, cookies, and other data using built in routines for each app for browsers, it accesses SQLite databases or credential stores; for apps like Discord/Telegram, it might grab session files. RedLine also can deploy simple keyloggers and form grabbers to capture input that isn’t already saved. The stolen data is then packaged, often compressed, and sent back to the affiliate’s control server which, in the RedLine model, is often self hosted by each buyer using the panel they got. ESET’s analysis of RedLine’s backend revealed it had a somewhat sophisticated infrastructure: earlier versions used GitHub repositories as dead drop resolvers to retrieve the addresses of control servers, and newer versions shifted to using a REST API model for C2 communications. RedLine does not usually persist after execution it aims to steal and transmit data quickly before it’s caught. It also has had multiple generations with various obfuscation techniques; researchers found hundreds of unique RedLine panel IP addresses and many distinct samples, indicating how widespread and diversified its use was.

What Gets Stolen: RedLine is a comprehensive stealer. It targets nearly all common credential sources on Windows. This includes: Browser data saved logins usernames/passwords from Chrome, Firefox, Edge, Opera, etc., cookies which can hijack logged in sessions, browsing history, and saved autofill info names, addresses, phone, which are useful for identity theft. Cryptocurrency it locates files or wallet data for crypto wallet apps e.g. wallets like Exodus, Jaxx, Ethereum wallet files and can steal private keys if they're stored insecurely. Application credentials RedLine scans for credentials in FTP clients FileZilla, etc., VPN clients, email clients Outlook, Thunderbird, and messaging apps Telegram, Pidgin. It was even known to steal gaming credentials e.g., Steam accounts and information from VPN and remote desktop tools, as noted by ESET. It grabs system information including the computer name, user name, OS, installed software list, and sometimes running processes data that helps log sellers advertise the log e.g., contains Steam, Discord, NordVPN data. A noteworthy aspect: RedLine also attempts to steal saved credit card info from browsers and perhaps software license keys from certain apps, essentially anything that could be monetized. All this stolen info is compiled into the stealer log package which the attacker can download from their panel. Because RedLine’s theft scope is so broad, a single RedLine infection can yield dozens of account credentials and personal data points from one computer.

Observed Abuse: RedLine’s footprint in real attacks is extensive. Prior to late 2024, it was arguably the most abused infostealer by cybercriminals, showing up in countless malware campaigns. For example, in 2023 a wave of phishing emails promised a free AI tool ChatGPT download the installers were bundled with RedLine, leading to many victims unwittingly sending their passwords to the attackers. RedLine has also been delivered through exploit kits in drive by download attacks, and via malicious advertisements that trick users into downloading fake software. On the underground markets, RedLine logs were a staple the infamous Genesis Market before its takedown and later Russian Market, 2easy, etc., were flooded with logs from RedLine Stealer during its peak years 2021–2022. This glut of stolen data directly enabled a surge in secondary attacks: reports note that initial access brokers used RedLine data for ransomware; one Register article highlighted a 60% jump in infostealer related activity feeding ransomware in 2023. In essence, many ransomware victims first had an employee’s VPN password stolen by RedLine, sold on a forum, and then purchased by a ransomware affiliate. Recognizing RedLine’s impact, international law enforcement launched Operation Magnus in late 2024, which targeted RedLine’s infrastructure. In October 2024, Dutch police, FBI, Europol and others took down RedLine’s backend servers and even arrested two individuals in Belgium associated with running it. This operation dismantled three primary RedLine servers and seized domains, temporarily disrupting the malware’s proliferation. ESET’s investigation in tandem with law enforcement also revealed that RedLine and a clone called META Stealer likely shared the same creator, suggesting one group was running multiple MaaS services. After the takedown, RedLine activity dipped, but it did not vanish entirely some affiliates may still be using older builds or variants, and other competitors rushed in to fill the void. Nevertheless, RedLine’s infostealer empire as ESET called it was responsible for a vast number of stolen credentials and subsequent breaches over the past few years.

Defensive Notes: Many organizations learned of a compromise only when third party services like HaveIBeenPwned or SpyCloud reported their users’ credentials in a RedLine log dump. To defend against RedLine, a multi pronged approach is needed. Endpoint security should be configured to detect RedLine’s behavior for example, the malware often injects into legitimate processes or uses known patterns to access browser databases. Monitoring for processes rapidly reading multiple credential stores or spawning system information commands can raise red flags. Given RedLine’s penchant for disguises Office document attachments dropping it, or fake software installers, email and content filtering is crucial: block or sandbox attachments like .exe, .scr, or macro enabled docs coming via email. Web filters can interdict access to known crack sites or newly registered domains hosting malware. Since RedLine steals valid credentials, implementing MFA on all remote access can blunt the damage even if an RDP password is stolen, an attacker might be stopped by a second factor though beware of cookie theft bypassing MFA. After the Operation Magnus takedown, defenders briefly had relief, but one should not be complacent RedLine variants or copycats like META Stealer may still circulate, and the data already stolen will remain in criminal hands. It’s wise to proactively search threat intel sources for your organization’s domain or email accounts appearing in stealer logs. If found, those accounts should be treated as compromised passwords changed, sessions revoked, further investigation for any sign of unauthorized access. Lastly, on user endpoints, disable saving passwords in browsers or encourage use of secure password managers this can reduce the free loot available if an infostealer like RedLine runs. RedLine taught the security community a costly lesson: a seemingly minor malware on a home user’s PC can lead to a major corporate breach if that user’s credentials are not protected.

Raccoon Stealer

Type: Infostealer MaaS
Primary Targets: Credentials and session data from web browsers passwords, cookies, autofill info, cryptocurrency wallet data, and system details including IP address and geolocation. Like others, Raccoon also lifts credentials from FTP clients, email apps, and messaging platforms if possible.
Common Delivery Methods: Raccoon Stealer is typically distributed via phishing emails and malicious downloads similar to its peers. Campaigns have used attachments or links posing as PDF invoices, document macros dropping the malware, and cracked software installers laden with the Raccoon payload . It has also been seen in exploit kit driven drive by downloads in the past. Operators of Raccoon have advertised it on underground forums since 2019, so many threat actors acquire it through those channels and spread it using whatever infection vectors they control spam botnets, malvertising, etc..

Why It Matters: Raccoon Stealer has been a mainstay infostealer in the criminal toolkit, known for its low cost and high usage. It first emerged in 2019 as an inexpensive MaaS reportedly priced around $200 per month or $75 per week for subscribers. This affordability made it attractive to a wide swath of cybercriminals. Raccoon built a reputation for reliability and was quite prevalent in 2020–2021. In early 2022, the Raccoon operation went dark briefly the group claimed a lead developer died in the Ukraine conflict, but by mid 2022 a revived Raccoon Stealer v2 appeared, indicating development had resumed. This Raccoon 2.0 came with improvements rewritten in C, better performance and the actor behind it stayed active on forums, continually updating the malware. The return of Raccoon was notable security firms like Sekoia and Zscaler analyzed Raccoon v2 in 2022, highlighting its robust data stealing abilities passwords, cookies, crypto and changes like dropping the use of Telegram for C2. By 2023–2024, Raccoon was again widely used in the wild. While maybe not as dominant as Lumma or RedLine in sheer numbers, it held a strong presence and was often mentioned as a top 5 infostealer in circulation. Its importance also lies in representing the professionalization of infostealers Raccoon’s developers provided regular feature updates and customer support to criminals, effectively operating as a business. In summary, Raccoon matters because it’s one of the longstanding, stable infostealer families that continues to enable mass credential theft, and its resurgence demonstrated the resilience of the MaaS cybercrime model even after disruptions.

How It Works: Raccoon Stealer runs on Windows and follows a typical infostealer flow: when executed, it will deploy routines to scrape data from browsers and common apps. The malware has built in code to target dozens of applications. It hunts for browser databases grabbing login data, cookies, etc., searches for files associated with crypto wallets wallet.dat files, mnemonic phrases, and collects system info. A noteworthy aspect of Raccoon v2 the 2022+ version is that it was rewritten in C earlier was C++ and uses a multithreaded approach to speed up data collection. By stealing from multiple sources in parallel threads, it can exfiltrate everything quickly, reducing the window that defensive tools have to catch it in action. Raccoon v2 also simplified its C2 communication: the older version infamously used Telegram’s API to fetch a list of active C2 servers embedding Telegram channels as an updater mechanism, whereas v2 moved to a more direct method with hardcoded server IPs to retrieve C2 addresses. The stolen data is packaged often zipped and sent to the C2 server under the operator’s control. Raccoon, like others, historically does not establish persistence it aims to grab data during that session. However, it employs anti analysis techniques especially in the packed form to evade sandboxes and researchers: CloudSEK noted Raccoon samples using advanced packers to detect virtual machines and debuggers. This includes things like checking CPU timing RDTSC instruction to detect VMs and hiding its threads from debuggers. Such techniques make it harder for automated defenses to flag Raccoon immediately.

What Gets Stolen: Raccoon Stealer’s haul is very similar to RedLine’s in scope. It will steal login credentials and cookies from all popular browsers, including passwords and stored form data. It will gather any saved cryptocurrency wallet credentials or keys for instance, it targets files for wallets like Ethereum, Litecoin, Bitcoin Core, as well as browser extension wallets. It records some system information IP, locale, OS which may be included in the log for context. One unique twist: Raccoon, at least in older variants, would also dump a list of processes and possibly look for specific app files. The Cloudflare analysis of Lumma indicates many stealers produce similar outputs like Processes.txt, etc., so Raccoon likely does as well. Malpedia documentation confirms Raccoon collects passwords, cookies, autofill data, cryptowallet details, and system info like IP and geolocation. Essentially, if a piece of software has a saved password or session token on the system, Raccoon aims to get it. It may not explicitly keylog like Agent Tesla or Formbook families do, but with so much info stored in browsers nowadays, it doesn’t need to the saved data is enough. After stealing, Raccoon packages the data typically per victim. The group behind Raccoon also implemented some business rules common in Russian MaaS malware, such as not targeting CIS countries to steer clear of Russian domestic targets, which means Raccoon logs predominantly contain victims outside that region.

Observed Abuse: The trajectory of Raccoon’s use is interesting. Before its brief hiatus in early 2022, it was involved in numerous credential theft campaigns globally. After its comeback as Raccoon v2, it quickly picked up steam: by late 2022, some researchers dubbed a massive Raccoon campaign Recordbreaker for the sheer number of stolen records it produced. While exact numbers are hard to pin down, one report in 2022 suggested Raccoon infections led to millions of credentials stolen in just a few months, indicating its heavy use. Raccoon logs have been sold on the same markets as others; however, in 2023 a site called Raccoon Logs or similar emerged possibly run by the malware authors selling access to logs via a subscription, which suggests the operators themselves tried profiting directly from the data in addition to selling the malware. There were also instances of Raccoon being used in targeted attacks: for example, Raccoon was used to steal data from cryptocurrency services and high net worth individuals’ wallets, given its focus on crypto credentials. Raccoon has appeared in various threat reports for instance, it was mentioned alongside Lumma and RedLine as being disguised in fake invoice phishing waves in early 2024. That demonstrates how common it was in broad phishing campaigns. Furthermore, law enforcement in the US indicted a Raccoon Stealer administrator in 2022, which briefly disrupted it, but the fact that it’s still thriving in 2025 shows how resilient these operations can be with new personnel or rebranding after arrests. Overall, Raccoon logs continue to be a staple commodity for account takeover particularly consumer accounts, since many Raccoon victims are individuals and occasionally provide a foothold into companies when an employee’s personal device is compromised.

Defensive Notes: Defending against Raccoon is akin to defending against any modern infostealer it requires catching either the initial intrusion or the data exfiltration. Since Raccoon is often delivered via phishing or web downloads, email security and browser protections SmartScreen, Safe Browsing should be kept updated to block known malicious links. On endpoints, one can hunt for indicators of Raccoon activity such as the creation of suspicious ZIP files in temp directories, or processes accessing the AppData/Local/ paths where browser profiles reside. Network wise, Raccoon v2’s C2 traffic may use non standard ports or direct IP connections after it fetches config, which can stand out if monitored. Given Raccoon’s anti VM tricks, running malware analysis sandboxes in full CPU emulation mode or detecting RDTSC usage might help identify it. Another key defensive step is to limit the impact of stolen data: ensure employees don’t reuse passwords and implement password managers with strong master passwords so even if a password vault file is taken, it’s not trivial to crack. The usual advice to not store plain passwords in browsers applies encourage clearing saved credentials or using browser’s built in password manager only with an adequately strong OS account password on Windows, credentials are encrypted with the user’s login password, so having strong Windows account creds can help. Additionally, monitor underground sources for Raccoon logs containing your domain services exist that track millions of logs, and they can alert an organization if, say, an employee’s corporate email and password were in a Raccoon dump. Early notification can enable rapid incident response e.g. forced password resets, checking for any use of those creds by attackers. Finally, stay updated on threat intel: the Raccoon group frequently updates their malware, meaning IoCs like C2 domains/IPs change often. Subscription to threat feeds that include infostealer indicators can ensure your network blocklists and detection signatures keep pace.

Vidar Stealer

Type: Infostealer MaaS
Primary Targets: Vidar Stealer targets many of the same data sources as others: browser stored credentials and cookies, crypto wallet info, and system details. It is known to support theft from a range of cryptocurrency wallets and also aims to take files that might contain passwords browser password files, text files with credentials, etc..
Common Delivery Methods: Historically, Vidar has been spread via malvertising and drive by downloads it was associated with exploit kits and fake software updates around 2018–2019 as well as phishing emails. By 2024, it’s commonly delivered through phishing attachments or links and sometimes via second stage loaders in multi stage attacks. For example, threat actors might use a first stage loader like SmokeLoader or PrivateLoader that then pulls Vidar Stealer onto the system.

Why It Matters: Vidar is a veteran in the infostealer space active since 2018, it was originally a fork of the older Arkei stealer and quickly became one of the most popular infostealers in circulation. Over the years, Vidar maintained a reputation for reliability and was involved in numerous campaigns including being distributed by some exploit kits. By 2024, Vidar’s continued presence earned it a spot among the top infostealers, often mentioned alongside RedLine and Raccoon. In fact, data from KrakenLabs/Specops shows that in late 2024, Vidar was the second most common infostealer, seen in 17% of cases with over 65 million passwords stolen in H2 2024 alone. It rivaled Lumma Stealer and demonstrated significant impact. Vidar matters not only due to its prevalence but also its adaptability: in 2025, the malware underwent a major update labelled Vidar Stealer 2.0 that completely overhauled its code for greater efficiency and stealth. This evolution shows that its developers likely operating a MaaS service are intent on keeping Vidar competitive in the infostealer market. Notably, after Lumma Stealer’s operations were reportedly disrupted by law enforcement in early 2025 causing Lumma activity to dip, many cybercriminals pivoted back to Vidar as their tool of choice. With a one time purchase cost as low as $300 for lifetime use, Vidar is an attractive alternative for criminals seeking a stable infostealer platform. In summary, Vidar’s sustained popularity, huge data theft tallies, and ongoing upgrades firmly establish it as one of 2025’s top threats.

How It Works: The new Vidar Stealer 2.0, announced in October 2025, is a full rewrite in C older versions were in C++. It introduced a multithreading architecture: upon execution, Vidar determines the CPU core count and available memory of the victim machine, and then spawns multiple threads to steal from different sources concurrently. This means it can pilfer credentials, cookies, and files in parallel, greatly speeding up the theft process and shortening the time before exfiltration which in turn minimizes the window for detection and response. Vidar 2.0 also features a polymorphic builder that generates unique binaries for each build, giving each sample a distinct signature to evade antivirus detection. Additionally, the malware employs control flow flattening and other code obfuscation techniques to hinder reverse engineering. One particularly noteworthy advancement is how Vidar 2.0 tackles the encryption of browser password stores: modern Chromium based browsers encrypt saved passwords with an OS bound key and features like Chrome’s Enhanced Safe Storage protect them. Vidar now launches the browser in debug mode and injects code to extract decryption keys directly from memory, bypassing the browser’s normal encryption protections. This allows it to retrieve nearly all stored credentials even from up to date browsers a significant improvement in capability criminals behind a newer stealer called StealC claim many stealers only recovered ~43% of passwords due to not handling certain encryption, and new methods like Vidar’s aim for near total extraction. After data collection, Vidar exfiltrates to its C2. It likely compresses the loot and sends it, potentially using HTTP/S or a low level protocol. It’s sold as a MaaS, so different affiliates may have their own C2 servers. Like most stealers, Vidar doesn’t typically persist it tries to complete its mission quickly and exit. However, if deployed via a loader, sometimes the loader might reinfect or ensure persistence at a different layer.

What Gets Stolen: Vidar Stealer targets a comprehensive set of credentials and personal data. This includes all the web browser credentials and cookies, similar to others. It places a particular emphasis on cryptocurrency related data: any locally stored wallets files from wallet software directories, as well as text files that might contain seed phrases or private keys, are grabbed. The Cloudflare analysis of infostealers notes logs often have a Wallets folder, and Vidar certainly fills that when possible. Vidar also steals authenticator data if accessible for instance, it might try to snatch files from Authy or other 2FA apps on desktop, though 2FA apps are less common on PCs. It collects system info and might take a desktop screenshot to help the attacker gauge the environment if they see a corporate desktop background, that log becomes more valuable. Additionally, Vidar historically could download additional malware or files older versions of Vidar had a feature where the C2 could command it to download and execute a secondary payload, functioning as a loader. This means a Vidar infection could escalate if the attackers choose e.g., they might deploy ransomware as a second stage after stealing data. The presence of that capability underscores the threat: not only does Vidar steal data, but it could directly facilitate an attack if credentials found are immediately useful. With the 2025 update, the core data stolen remains largely the same, but the completeness of the theft is enhanced as mentioned, they aimed to extract 99%+ of credentials by bypassing protections. In essence, if you have it saved or cached on your PC, Vidar will try to get it from your browser passwords to your crypto keys to possibly your Discord tokens and VPN logins.

Observed Abuse: Vidar has been observed in numerous cyber incidents over the years. In earlier times 2019, it infamously was distributed via the Fallout and GrandSoft exploit kits, piggybacking on drive by downloads on compromised websites. In those cases, unwitting users visiting a site could get silently infected with Vidar if their software was unpatched. More recently, Vidar appears in many malspam campaigns. For example, in the second half of 2024, as Lumma Stealer saw big usage, Vidar was not far behind one report from late 2024 noted Vidar being used to steal 65 million passwords in just a few months, which implies a massive number of infections likely via large botnets of spam or other mechanisms. By 2025, after some law enforcement targeting of Lumma, Vidar saw an uptick: Trend Micro observed threat actors shifting from Lumma to Vidar and another stealer called StealC as Lumma’s operation was disrupted. This suggests many criminal affiliates simply switched to using Vidar, boosting its prevalence further. The quote from Trend Micro analysts in late 2025 was that as Lumma declines, security teams should anticipate increased Vidar 2.0 prevalence in campaigns through Q4 2025. Real world consequences of Vidar can be severe: credentials stolen by Vidar have led to everything from drained cryptocurrency accounts if a private wallet key is taken to compromised corporate email accounts used in business email compromise if an Office365 session token or password was taken. And since Vidar can act as a loader, some ransomware incidents likely began with Vidar infection followed by hands on keyboard attackers deploying encryption malware. We also see Vidar logs for sale on marketplaces, though specific Vidar shop might not exist like Lumma’s instead, their logs are just part of the general infostealer log dumps. One interesting case: in 2022, the RagnarLocker ransomware gang was observed deploying Vidar on some networks to gather credentials and facilitate their intrusion a crossover between crimeware and targeted ransomware operations. This highlights that even organized ransomware groups see value in infostealer malware as a tool for lateral movement or supplemental data theft.

Defensive Notes: The latest developments in Vidar multithreading, encryption bypass make it a formidable threat, but defenders can adapt accordingly. Endpoints should be updated with detection signatures for Vidar 2.0 the changes in how it behaves e.g., launching browsers in debug mode might themselves be detectable anomalies. For instance, a standard user machine normally wouldn’t launch Chrome with remote debugging flags; seeing that could indicate an infostealer trying to hook the browser. Monitoring for unusual child processes of browsers or the presence of known Vidar mutexes/indicators is useful. Network wise, blocking outbound traffic to known Vidar C2 infrastructure is a key threat since intel feeds from vendors like Trend Micro or Recorded Future can provide domains/IPs associated with current Vidar campaigns. Because Vidar often comes via email, strong email filtering and attachment sandboxing can catch it: an attachment that, when detonated, spawns a process that starts scraping credential stores should ring alarm bells. User education remains important: discourage users from downloading software from non official sources, which is a common way Vidar propagates. On the policy side, enforcing MFA on critical accounts and monitoring login attempts can limit damage stolen passwords alone should not grant access to sensitive systems if MFA stands in the way though stolen cookies could, so consider device/session monitoring too. Given Vidar’s focus on speed, one defensive angle is to detect data exfiltration channels for example, if Vidar sends logs via HTTP, anomaly detection might catch a client PC suddenly posting large base64 blobs to an odd domain. Incorporating threat hunting queries for infostealer patterns like looking for use of mshta.exe or PowerShell spawning unexpectedly, which was seen in some Vidar infections can help find early signs of compromise. Finally, ensure that incident response plans include steps for infostealer driven incidents: if an endpoint is found infected, assume all its credentials are compromised and initiate credential resets and scans for any lateral movement. With the knowledge that infostealers often precede bigger breaches, remember that 54% of ransomware victims had infostealer logs with their credentials, treating a detected infostealer infection as a serious incident can prevent escalation to a full blown breach.

Common Infection Vectors Across Stealer Malware

Despite the variety of infostealer families, they often rely on a core set of infection vectors to enter systems. Recognizing these common delivery mechanisms can help organizations harden their defenses:

Phishing Emails Malicious Attachments & Links: Phishing remains the #1 delivery method for infostealers. Attackers craft emails that entice users to open an attachment e.g., a fake invoice, resume, or shipping document laced with malware or click a link to a malicious download. These attachments might be Office documents with macros, PDFs with embedded exploits, or simply an executable disguised as a document. A common trick is disguising the payload as a PDF or DOC by using double file extensions e.g., invoice.pdf.exe. The emails often use urgent or familiar themes billing, job applications, software updates. Once the user opens the file and enables content or runs the EXE, the infostealer installs. Given the high success rate of phishing, threat actors heavily leverage this vector IBM observed a 180% uptick in phishing emails delivering infostealers in early 2025 vs 2023. Security teams should assume that any employee mailbox could receive an infostealer in this manner.
Cracked Software and Free Downloads: Many infostealer victims infect themselves by downloading pirated software, game cheats, or key generators from shady websites or torrents. Cybercriminals plant malware inside these cracks knowing a segment of users will disable antivirus to run them. Lumma Stealer, for example, has been bundled with cracked software downloads advertised on forums and YouTube videos. Raccoon Stealer was similarly spread via fake software tools on file sharing sites. The lure of getting licensed software or premium game items for free leads users to execute these trojanized programs. This is a major infection avenue especially for home users and unmanaged devices which then puts corporate data at risk if those devices are used for work. Organizations should warn users against downloading unauthorized software and possibly technically enforce application control to block untrusted software.
Fake Software Updates: Another vector is spoofing legitimate update notifications. Attackers create websites or pop ups that impersonate system messages like Your browser is out of date, update now or Critical Windows Update required. If the user agrees, they download what appears to be a legit update installer but is actually an infostealer dropper. A recent campaign using fake browser update pages with CAPTCHA prompts to distribute Lumma Stealer users encountered a page saying Please solve CAPTCHA to continue and then were prompted to download a browser update, which was malware. Similarly, bogus Flash Player or antivirus update alerts have been used even though Flash is obsolete, some users still fall for update Flash now dialogs. This vector overlaps with malvertising malicious ads or redirects that lead to these fake update pages. Defending against this includes using ad blocking, DNS filtering to block known scam domains, and educating users that software updates should come only from official vendor mechanisms e.g., built in updaters or vendor websites, not random pop ups.
Browser Extensions and Plugins: While less common than other methods, there have been cases of infostealers delivered as or via malicious browser extensions. For example, an attacker might trick users into installing a browser add on that promises some utility but actually functions as an infostealer stealing cookies and form data via extension permissions. One such case in the past was malicious Chrome extensions that stole Facebook session cookies for takeover of profiles, known as the Ducktail malware targeting Facebook Business accounts. Infostealer code can potentially be injected into extensions to pilfer data from web sessions. Another approach is compromising legitimate extensions through supply chain attacks and adding infostealing functionality though rarer, it’s a viable vector. Given this, enterprises should be cautious with browser extension policies: only allow trusted extensions and consider centrally managing extension installations.
Trojanized Installers and Drive by Downloads: Attackers often create trojanized installers for popular software. For instance, a threat actor may repackage a popular utility say, VLC player or 7 Zip such that it still installs the real software but also drops an infostealer in the background. Users get the software they wanted so they don’t suspect anything but also get infected. These repackaged installers are then SEO poisoned or advertised on search results e.g., a user searching Download XYZ for free might end up on a fake site with a booby trapped installer. In fact, IBM X Force noted SEO poisoning and malicious ads as major infostealer distribution techniques. Threat actors make fake download pages that rank high on search engines or appear as sponsored results, leading users seeking software to a trap. Additionally, drive by downloads via exploit kits where simply visiting a compromised website with vulnerable software results in silent infection used to be a significant vector for infostealers like Vidar and Raccoon. Though exploit kits are less prevalent today, malvertising based drive bys still occur. Using a modern, auto updating browser and disabling plugins like Flash/Java or using an isolated browser session via remote browser isolation for risky activities can mitigate drive by risk.

In summary, infostealers largely rely on social engineering tricking the user to run something they shouldn’t. Whether it’s a phish email, a tempting free download, or a spoofed update alert, the initial execution is the critical point. To combat this, organizations should employ a combination of secure email gateways, web filtering to block known malicious sites and ads, application control to prevent unauthorized executables from running, and user education. By reducing the chances of a user running an unknown program, you significantly reduce infostealer incursions. Importantly, because home and personal devices are often targeted e.g. an employee’s home PC might get a stealer via a game crack, extending some protections to those environments through DNS filtering, antivirus, or zero trust access that limits what stolen credentials can do is worth considering in a work from home era.

Why Stealer Logs Are So Valuable to Attackers

The aggressive theft by infostealers is ultimately driven by profit and stealer logs have become extremely valuable commodities for attackers for several reasons:

Cheap, Bulk Access to Credentials: For relatively little cost, criminals can buy thousands of stolen credentials via logs. On underground markets, individual infostealer logs are sold at bargain prices often $1–$10 each for normal logs, and up to $50–$100 for ones containing something special like banking or corporate accounts. There are even subscription services where, for example, $200 might get you unlimited access to fresh logs for a month. This means attackers no longer need to phish every password themselves they can simply shop for stolen log bundles. The sheer volume of data Flashpoint recorded 53 million+ credentials stolen by infostealers in 2024 ensures a steady supply. It’s a buyer’s market, and almost any account you can think of email, social media, VPN, etc. can be found in these logs. For attackers, this is a low effort way to get valid logins that might let them impersonate users.
Credentials to Bypass Security Initial Access & Lateral Movement: Stolen passwords and session cookies are effectively skeleton keys that can unlock further exploits. Many corporate breaches now start not with malware, but with an attacker logging in with stolen credentials. Infostealer logs from home users frequently include corporate logins due to remote work and BYOD Verizon found 30% of infostealer compromised systems were enterprise devices or used for work, often unmanaged personal machines. Attackers purchase these logs to gain initial footholds into companies. For example, an infostealer log might contain a VPN credential for a company’s network; an attacker who buys it can log in through the VPN as an employee, bypassing perimeter defenses entirely. Mandiant explicitly noted that stolen infostealer credentials became the second most common intrusion vector in 2024. Beyond initial entry, within a network, logs can facilitate lateral movement: an attacker who already has a foothold might use an infostealer to grab additional internal passwords or session tokens, helping them move between systems without triggering alarms. If multifactor authentication is not in place, even admin accounts can be compromised via reused or saved passwords from a log.
Fuel for Ransomware Attacks: There is a strong link between infostealers and ransomware. Many ransomware gangs or their affiliates rely on infostealer derived creds to get into victim networks. In 2023, Mandiant saw a 60% increase in infostealer usage linked to ransomware incidents. The sequence often goes: infostealer infection credentials stolen > sold on dark web > ransomware actor buys credentials > uses them to access network > deploys ransomware. Additionally, even after a ransomware attack, stolen logs can provide data for extortion. Some ransomware operators deploy infostealers during the attack to gather login info for key accounts to potentially use in pressure tactics or further exploits. The Verizon DBIR 2025 report revealed that 54% of victims listed on ransomware extortion sites had evidence of infostealer logs containing their domain credentials. This suggests infostealers are a precursor in over half of ransomware cases essentially doing the recon and credential theft that make ransomware so much easier to execute.
Identity Fraud & Account Takeovers: Outside of corporate targets, stealer logs are a goldmine for financial fraud and identity theft. Logs frequently contain personal email logins, social media accounts, e commerce accounts, and sometimes credit card numbers if stored in browser. Criminals use these to takeover accounts for instance, accessing a victim’s email then resetting passwords on banking or cryptocurrency exchanges. There’s a thriving underground trade in gaming accounts, streaming service logins, and online shopping accounts sourced from logs. Even something like a Fortnite or Netflix account can be resold. For the victim, this might mean unauthorized purchases or losing access. For the attacker, each account is monetizable. Infostealer logs essentially provide a full profile of a person’s digital life, enabling full scale identity theft: with a victim’s name, email, saved passwords, and autofill data addresses, phone, perhaps even SSN stored in a form, an attacker can impersonate them to open new accounts or socially engineer further access. Logs that include crypto wallet keys are immediately lucrative thieves can directly transfer out the cryptocurrency. In the case of cookie/session theft, an attacker might bypass even passwords entirely. For example, stealing a session cookie for a logged in banking website could let the attacker access the account without knowing the credentials or needing 2FA. This technique, often called pass the cookie, is extremely valuable. It’s why logs often include browser cookies; in fact, some marketplaces allow searching logs for specific high value cookies e.g., look for JPMorgan session cookie. Overall, stealer logs provide virtually everything needed for follow on fraud.
Access Brokering and Dark Web Services: A specialized use of infostealer logs is by Access Brokers who cherry pick the most valuable entries typically corporate or government accounts and then sell that access privately. Instead of selling one log with 50 accounts for $10 on a market, an access broker might identify that the log contains, say, credentials for a privileged user at a Fortune 500 company. They will then quietly offer that single credential access for a high price on private channels or to ransomware groups. The going rate for a single domain/network access can range from a few hundred dollars for a small firm to tens of thousands for a large enterprise, depending on the size and revenue of the target. Thus, a $1 investment in a log can turn into a $1000 sale if the right buyer is found huge ROI for the criminals. Additionally, other dark web services exploit infostealer data; for example, some criminals use logs to train phishing or scams knowing which banks or services a person uses from their log, they can craft more convincing scams targeting that person. SpyCloud’s 2024 report highlighted that as many as 1 in 5 people have been infected by an infostealer, so the pool of identities to exploit is enormous.

In essence, stealer logs are valuable because they collapse the attack chain. Instead of having to fish for credentials with targeted efforts, threat actors can simply buy a ready made kit of credentials and sessions. It’s fast, cheap, and scalable. They enable attackers to operate with the legitimate keys to the kingdom, often flying under the radar because they’re logging in with valid credentials rather than deploying noisy exploits or malware. This shift is why many security experts say we’ve moved from an era of break in to log in for threat actors. Why hack a door when the keys are readily for sale? Defenders must accordingly adjust, placing greater emphasis on credential abuse detection and zero trust assumptions, because infostealers have flooded the landscape with stolen auth artifacts.

Who Is Most at Risk

Infostealers cast a wide net, but certain groups and environments are especially at risk due to the data they handle or the security challenges they face:

Remote Workers & BYOD Users: The rise of remote work means more employees using personal or unmanaged devices for work purposes, or mixing personal and work accounts on the same machine. Infostealers on home PCs can snag both personal login info and corporate credentials VPN passwords, SaaS logins, etc., as evidenced by the DBIR finding that 46% of stolen logs from enterprise related systems were on non managed BYOD devices that had both personal and work accounts present. Remote workers often operate outside the corporate firewall and may not have up to date endpoint protection, making them softer targets. If an employee’s home laptop gets infected via a gaming crack and their saved work VPN password is stolen, the company could be breached. Therefore, organizations with a lot of remote staff or a BYOD policy are at high risk infostealers thrive in these blurred environments. It’s critical such users are educated and that their devices have strong security controls or access is mediated via virtual desktops, etc., to contain potential compromise.
Small and Medium Sized Businesses SMBs: SMBs are often targeted by infostealer campaigns because they typically have less mature security and might not have comprehensive SOC monitoring. Huntress’s analysis noted that infostealers disproportionately impact SMBs, which saw a 104% YoY increase in detections. SMB employees might use personal devices for work lack of dedicated IT issuing hardware, and SMB networks might not have zero trust or strong MFA enforcement, so a single stolen credential can completely compromise them. Attackers also consider SMBs easier prey for resale an access broker might accumulate many SMB network creds and sell them in bulk. Moreover, SMBs often use common software suites Office 365, QuickBooks, etc., whose credentials are valuable. With limited budgets, SMBs may not invest in advanced endpoint protection or security awareness, making them click happy targets. Essentially, SMBs provide a high ROI for criminals: a single infostealer campaign like widespread phishing can net thousands of SMB accounts, and even if each is sold for a modest price, it adds up.
Cryptocurrency Users: Crypto enthusiasts and investors are prime targets for many infostealers. The malware explicitly looks for crypto wallet files, browser extensions for crypto like MetaMask, and even plaintext keys. Individuals who manage their own crypto using desktop wallets or browser wallet extensions are at risk of having those assets stolen if an infostealer infects their machine. We’ve seen Lumma Stealer and others specifically marketed as able to steal from over 20 different crypto wallets. Unlike bank accounts, crypto transactions are irreversible if your private keys get stolen and your funds transferred out, there’s virtually no recourse. This makes crypto users lucrative victims. High value targets include not just hobbyists but also DeFi project developers or exchange employees who might have more extensive access infostealers have been discovered in attacks against crypto exchange staff, aiming to get admin credentials. Additionally, crypto users often participate in online forums and might download wallet related tools or cheats like airdrops or mining software that could be trojanized. They should treat any such download with extreme caution. The advice for this group is to avoid storing plaintext keys on computers, use hardware wallets for large amounts, and maintain strong anti malware on any device used for crypto transactions.
SaaS Heavy and Cloud First Environments: Organizations that rely heavily on SaaS applications email, document collaboration, CRM, DevOps platforms, etc. are inherently more exposed to infostealer risk because credentials to those services are all a thief needs no on prem firewall to bypass. If a company uses Okta or Office 365 for identity, a stolen credential or session cookie can give immediate access to email, SharePoint, Slack, GitHub, you name it. We saw that 35% of cloud incidents in 1H 2024 were due to valid account abuse, often from info stealer harvested creds. That means cloud focused companies startups, tech companies, etc. are juicy targets. They may have lots of employees, each with dozens of SaaS logins a single infostealer infection on one dev’s machine might yield AWS console keys, Slack tokens, and JIRA passwords for an entire project. Attackers can use those to cause data breaches or pivot further. Environments with single sign on SSO but weak conditional access are also at risk an infostealer grabbing an SSO password + a browser cookie might allow bypassing MFA on cloud accounts via cookie replay. Companies in tech, finance, and professional services often fit this SaaS heavy profile and need to be vigilant.
Users with Privileged Access: This is not a demographic per se, but a category: anyone with administrative or privileged credentials domain admins, IT staff, C level execs is an especially high value target for infostealers. Their accounts can unlock far more. For instance, an infostealer on a sysadmin’s home computer that steals their VPN and domain admin creds could be catastrophic. Similarly, developers with code signing certificates or cloud deployment keys are at risk. Even if such users are savvy, they can still fall victim via a supply chain infection or a momentary lapse maybe downloading a utility that was trojanized. For this reason, companies should enforce that admin accounts are only used on hardened, managed devices never on personal or general web browsing machines. High privilege users might also consider using non persistent virtual machines for risky activities, reducing the chance an infostealer can grab their vault of keys.

In summary, the infostealer wave puts virtually everyone at some risk given how one in five individuals was affected in 2023, but remote/BYOD workers, resource constrained SMBs, active crypto holders, and cloud centric orgs have a particularly large bullseye. Recognizing if you fall in these categories should prompt extra defensive measures. For example, if you’re a small business relying on Google Workspace, you might enforce security keys U2F for MFA to mitigate stolen passwords, since you know an infostealer could steal the password but not the physical key. Or if you’re a remote worker, you ensure your personal laptop has company EDR agent and you separate personal browsing from work tasks maybe using a dedicated browser for work accounts. These targeted precautions can significantly reduce risk for those most exposed.

Defensive Takeaways for Security Teams

Infostealers present a multi dimensional threat, but there are concrete steps security teams can take to mitigate the risk and impact. Here are key defensive takeaways:

Strengthen Endpoint Detection & Response EDR Tuning: Make sure your endpoint security solutions are configured to detect suspicious behaviors typical of infostealers. Signature based AV alone is often evaded by fresh variants, so rely on behavior rules. For example, monitor for processes accessing browser credential stores or Windows Credential Manager in atypical ways, and for unusual process spawn chains e.g., an Office document launching PowerShell or explorer.exe spawning an unknown EXE. EDRs should alert on large scale reading of files in directories where credentials are stored browser profiles, %AppData%/Roaming/Bitcoin/, etc.. Implement memory scanning if available to catch patterns of known stealer code in memory. Regularly update EDR detections with IoCs/Yara for prevalent stealers hashes, C2 domains, mutex names. Essentially, assuming an infostealer will bypass initial antivirus, your EDR’s job is to catch it in the act of credential harvesting or exfiltration. Test your EDR against known infostealer techniques many vendors provide simulation tools or you can use open source projects that mimic infostealer behavior.
Practice Browser and Credential Hygiene: Since browsers are prime targets, harden their usage in your environment. Discourage or disable the saving of passwords in browsers for corporate accounts; instead, encourage use of a company approved password manager ideally one with encryption tied to a master password or hardware token. Regularly clearing browser caches and stored data can limit what an infostealer can get. Turn off or limit browser autofill for sensitive information on workstations so that personal addresses, etc., aren’t stored unnecessarily. Educate users to never store passwords in plain text files on their computers. Consider implementing credential guards: for instance, on Windows, enabling Credential Guard to protect OS managed secrets, and using browser policies that encrypt saved passwords with a stronger key or not at all. The goal is to reduce the low hanging fruit that stealers grab. In addition, enforce that all privileged accounts use separate, hardened jump hosts an admin should not be browsing the web on the same machine they use domain admin creds on. By segregating duties and accounts, even if a user account gets infostealed, the blast radius is contained.
Enforce Multi Factor Authentication MFA Everywhere Preferably Phishing Resistant MFA: MFA remains a crucial defense. Enable MFA for all VPNs, email, and critical SaaS applications to ensure a stolen password alone isn’t enough for an attacker. This includes contractors and third parties if they have access. Where possible, implement FIDO2 security keys or authenticator apps that are more phishing resistant. Some infostealers can steal SMS 2FA codes or even some authenticator cookies, but a FIDO2 token is out of band and far harder to bypass. Even if infostealers siphon a session cookie, having conditional access policies e.g., device/IP restrictions can require re authentication. Also be aware of MFA fatigue attacks: an adversary with a stolen password may try lots of login attempts to prompt MFA fatigue; user training and possible MFA throttling can help here. MFA isn’t foolproof attackers have web inject kits and reverse proxies to intercept codes, but it dramatically raises the bar many opportunistic attackers using logs will simply move on to easier targets that lack MFA. It’s worth noting IBM found the majority of initial access in 2024 was using valid accounts, which indicates insufficient MFA in those cases. Close that gap in your org.
Implement Network and Domain Protections: Use your network controls to blunt infostealer operations. DNS filtering and secure web gateways can block access to known malicious domains and newly seen domains, which are often used by infostealer C2 infrastructure. For instance, if a device suddenly tries to send data to a domain that was registered a week ago and has never been seen on your network, that’s suspicious consider blocking or isolating that host. Likewise, block traffic to common data exfil channels like Telegram API endpoints if your org doesn’t legitimately use Telegram. On email gateways, filter out or detonate attachments that could carry infostealers; modern sandboxes can catch an infostealer when it tries to access lots of files or make network connections during detonation. Use link protection to rewrite and scan URLs in emails for phishing attempts. On the domain front Active Directory, enable account lockout policies and impossible travel/login anomaly detection if an attacker does use stolen creds, catching unusual login patterns might reveal it. Also, reduce local admin rights for users, as running as standard user can limit some infostealer functionality they often try to extract some secrets that require admin. Finally, keep systems patched: some infostealers arrive via exploiting vulnerabilities, so timely patching of OS and apps especially browsers helps cut off drive by downloads and exploit kit vectors.
Monitor the Dark Web and Log Markets for Your Data: Given the vast number of credentials floating around, it’s wise to proactively look for your organization’s presence. Subscribe to breach notification services or threat intel feeds that monitor infostealer log dumps services by companies like SpyCloud, Flare, Intel 471, or Hudson Rock. They often can alert you if, for example, an email address with your company domain shows up in a new dump, or if an account that appears to belong to your org is being sold. Verizon’s DBIR highlighted that many corporate credentials were in logs unknowingly, so finding out quickly is key. If you get such an alert, treat it as an incident: reset that user’s passwords, invalidate sessions, and investigate their activity for any signs of misuse since there might have been a gap between theft and your discovery. This monitoring extends to public repositories like HaveIBeenPwned for any credential dumps. While it’s impossible to catch everything, being plugged into these sources can give you early warning to respond before an attacker uses the data.
Institute Strict Credential and Privilege Management: Assume that at some point, some credentials will be stolen. Limit the impact by following least privilege principles. Ensure users don’t reuse passwords across services especially not between personal and work accounts. Use password managers to help them maintain unique, complex passwords. Rotate privileged credentials frequently or use one time credentials for critical access so that even if stolen, they quickly become stale. Implement processes like Just In Time JIT access for admin roles so there’s no standing high privilege account to be stolen, rather admins elevate when needed with MFA. Additionally, consider using device authentication tied to identities for example, require domain joined device with certificate + user credential for VPN, not just password. That way a stolen password alone can’t connect from an unauthorized device. Some organizations are moving toward passwordless auth issuing FIDO2 security keys to employees which, if widely adopted, could nullify the value of a stolen password there is no password to steal, only a key. While not trivial to implement across the board, this is where the industry is heading, to counter mass credential theft.
User Training and Awareness: Technical controls are vital, but user behavior is the first line of defense. Conduct regular, specific security awareness training about infostealer tactics: teach users how to spot phishing emails, to be wary of unexpected attachment prompts, and to avoid downloading software or browser extensions from unverified sources. Inform them that things like free movie streaming plugin or crack for MS Office are common malware traps. Encourage a culture where if something looks a bit off e.g., a slightly wrong URL or an app asking for unusual permissions, they verify with IT. Training should also cover modern scams like malvertising and fake update pop ups e.g., show examples of scareware Your PC is infected, click to clean messages so they can identify and close them rather than click. Simulated phishing exercises can help reinforce training by giving users practice in a safe setting. Ultimately, vigilant users can prevent an infostealer from ever executing.
Incident Response Preparedness: Finally, have a clear IR plan for infostealer incidents. If one is detected on a machine, be ready to assume credential compromise. This means steps like: isolate the host, collect forensic data to see what was stolen and where it was sent, force password resets for the user and any other accounts that user’s machine had access to or stored, invalidate active sessions/tokens e.g., log out of all of that user’s O365 sessions, and check logs for any suspicious logins correlating to that account in case the attacker used the credentials already. Because infostealers often don’t persist, the IR focus is less on wiping malware straightforward via reimage and more on damage containment changing creds, notifying third parties if needed e.g., if a customer password was in a stolen file, and monitoring for any abuse of stolen data. If the stolen data included things like corporate certificates or API keys, those should be revoked/rotated. In addition, investigate how the stealer got in, to close that hole was it via email? Tighten filtering; via a user installing software? Improve admin rights control or GPO to block installs. Quick, comprehensive response can turn an infostealer incident into a nuisance rather than a full breach.

By executing on these defensive measures, security teams can significantly reduce the risk posed by infostealers. It’s about assuming compromise since it’s nearly impossible to stop 100% of malware and making sure that a stolen password or two doesn’t easily implode your network. In the current landscape, where infostealers are rampant, organizations that prioritize identity security, endpoint vigilance, and user education will fare far better against this silent but potent threat.

The threat landscape in 2025 underscores a sobering reality: while ransomware and headline grabbing hacks continue, the quiet theft of credentials via infostealer malware has become the engine driving much of the underground economy. Infostealers like Lumma, RedLine, Raccoon, and Vidar have enabled cybercriminals to steal hundreds of millions of credentials and monetized them through a mature ecosystem of log markets and access brokers. The result is an epidemic of account takeovers and an easy path for attackers to infiltrate organizations by simply reusing stolen logins. As defenders, we must adapt to this threat first perspective recognizing that preventing and detecting infostealer activity is now just as critical as patching servers or filtering ransomware. This means doubling down on identity security strong MFA, credential hygiene, dark web monitoring and endpoint visibility, as well as proactive user awareness.

Encouragingly, a threat informed defense can yield results. Many infostealer techniques, while stealthy, leave trails that diligent monitoring can catch unusual PowerShell executions, strange outbound connections, abnormal data access patterns. By focusing on those weak signals and hardening the practices that infostealers exploit like unmanaged password storage and lax BYOD controls, security teams can shrink the attack surface. The underground may continue to innovate with new stealers and tactics as seen with Vidar 2.0’s emergence but an organization that emphasizes zero trust, never trusting a single credential and rapid incident response can blunt their impact. The days of assuming a user login is safe are over; now, every authentication attempt must be scrutinized for risk.

In conclusion, infostealers will likely remain a favored tool of cybercriminals as long as passwords and cookies hold value. They fuel everything from petty fraud to major breaches. The onus is on defenders to remove that fuel from the fire: protect the credentials, and you cut off the lifeblood of many attacks. As we move forward, adopting passwordless technologies and robust identity verification will be key strategies to make infostealer logs far less valuable. Until then, vigilance and layered defenses are paramount. By understanding the threat of the malware families, their modus operandi, and their role in the cybercrime supply chain we empower ourselves to anticipate the attackers’ moves and stay one step ahead. In the cat and mouse game of cybersecurity, infostealers have had a big run, but armed with knowledge and resilient practices, we can deny them the easy victories and better safeguard our organizations’ most critical asset: our credentials.

About the Author

Mohammed Khalil is a Cybersecurity Architect at DeepStrike, specializing in advanced penetration testing and offensive security operations. With certifications including CISSP, OSCP, and OSWE, he has led numerous red team engagements for Fortune 500 companies, focusing on cloud security, application vulnerabilities, and adversary emulation. His work involves dissecting complex attack chains and developing resilient defense strategies for clients in the finance, healthcare, and technology sectors.

Top Infostealer Malware in 2025: The Credential Theft Epidemic