Infostealers: Can’t Stop, Won’t Stop

How to stay ahead of infostealers: an essential action for 2025
Aug. 13, 2025

The Skinny

  • Infostealer Growth: Infostealers are a leading malware threat, with predictions of increased prominence through 2026, despite recent law enforcement successes against major players like Lumma.
  • Credential Compromise: Many large data breaches stem from compromised credentials, highlighting the need for robust protection against infostealers, which are increasingly targeted by sophisticated cybercriminals and nation-states.
  • Proactive Measures: Implement basic cybersecurity practices, such as using unique passwords, enabling multi-factor authentication (MFA), and avoiding credential storage in browsers, to mitigate the risk of infostealer infections.

Over the last several years, infostealers have become one of the most pervasive malware threats facing individuals and organizations. Infostealers were one of the most common themes across industry “2025 Cyber Threat Outlook” reports and are widely predicted to grow in prominence through 2025 and 2026. Additionally, the infostealer market has proven resilient, rebounding time and time again from major law enforcement takedowns, including the Redline infostealer takedown in late 2024.

Recently, the international law enforcement community again scored a significant win with the takedown of the Lumma infostealer infrastructure, disrupting the operations of one of the largest infostealers currently operating. While this is a victory worth celebrating, the effect on the infostealer market is unlikely to extend beyond the near term. Officials should expect the void to be quickly filled by enterprising cybercriminals looking to capitalize on the available market space. For example, Acreed, an infostealer that first drew attention earlier this year, is already expanding its share of available credentials for sale.

Tracking Data to Meet the Threats

To understand the central role infostealers play in the cyber threat environment, it is sufficient to examine many of the major cybersecurity-related media reports from 2024, particularly related to data breaches. Many of the largest breaches last year share a direct throughline to compromised legitimate credentials stolen via an infostealer as the initial access vector. 

That means millions of records that may include sensitive personal financial and/or health data, for instance, can be linked back to one simple exposed credential. And it’s not just cybercriminals that are taking advantage of these exposed credentials. Nation-states are getting access to sensitive targets by simply buying available credentials, just like Russia did in September of 2024 to gain access to Dutch police networks.

The group associated with that particular breach, dubbed Laundry Bear, has focused specifically on purchasing available credentials from infostealer logs, underscoring the fact that these infostealer infections are drawing the attention of the most sophisticated threat actor groups. Why waste resources developing custom access tools or developing exploits for vulnerabilities when a cyberespionage group can just buy a key to the front door for $10?


This sort of return on investment for malicious actors, combined with relatively low risks of law enforcement arrest (particularly for threat actors operating in Russia) and a high demand for legitimate credentials driving an active underground marketplace, ensures the continued flow of both personnel and monetary resources into the development and advancement of infostealers. 

This resource investment is evident in the constant advancement of infostealers as they seek to circumvent countermeasures put in place by defenders. Infostealers are designed to be light, stealthy programs that are difficult to detect. According to SpyCloud, at least 54% of devices infected with infostealers in the first half of 2024 had antivirus or endpoint detection and response (EDR) solutions installed. And it’s not just EDR solutions that infostealers are working around.

Tug of War

In July, Google announced new security measures within Chrome specifically designed to add an extra layer of protection for browser cookies, a common target of infostealers as they can allow threat actors to authenticate into accounts without credentials or multi-factor authentication (MFA). While the extra protection was an excellent idea in theory, it was only a matter of weeks before infostealer families started introducing effective workarounds, putting these session tokens at risk again. The quick development of these workarounds to technically sophisticated countermeasures demonstrates the capabilities and investment these groups are making into this type of malware and its importance in the cyber threat ecosystem.  

Another potentially significant advancement in infostealers was highlighted in an interview conducted by OSINT10x and further discussed by Hudson Rock: the malware developer behind the Hellcat ransomware is now offering a new server-side infostealer. Until now, infostealers have been client-side, meaning the entire malware is downloaded onto and executed on a victim’s machine. In the case of a server-side infostealer, the victim’s machine simply downloads a few lines of code that set up a TOR server on the victim’s machine, which the threat actor can use to scrape for desired information via GET requests.

This all allows the threat actor to operate with a much lower profile on the victim’s machine. While this tactic hasn’t been widely adopted yet, it has the potential to spread rapidly and be used in particular against individuals and small to midsize businesses that may not be configured to block TOR connections. Together, these developments portend a continued push towards lighter, quieter, and more capable infostealers as velocity becomes key. Getting in, executing on the victim’s machine, and exfiltrating the data as quickly and quietly as possible will be the name of the game in 2025.
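The defensive counterpart to the server-side approach described above is visibility into outbound Tor connections from endpoints. The following is an added example written for this article (not code from the author, LastPass, or any vendor) that scans firewall-style log lines for destinations that look like Tor: a strong match against a relay list, and a weaker heuristic match on Tor's default ports. The log format, the relay IP set (RFC 5737 documentation addresses) and the timestamps are all constructed; in production the relay set would be populated from a current published Tor relay list.

```python
"""Flag outbound connections that look like Tor traffic in firewall-style logs.

Added example for this article, not code from the article, LastPass or any
vendor. The log format, relay IPs and timestamps below are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

# Default Tor ports: ORPort 9001, DirPort 9030, local SOCKS 9050/9150.
# Relays frequently listen on 443 or 80 as well, so a port match alone is a weak signal.
TOR_DEFAULT_PORTS = {9001, 9030, 9050, 9150}

# CONSTRUCTED placeholder relay set using RFC 5737 documentation addresses.
# In production, populate this from a current published Tor relay list.
KNOWN_TOR_RELAYS = {"203.0.113.10", "198.51.100.7"}

# RFC 1918 ranges: connections to internal hosts are out of scope for this check.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed log format: "<timestamp> <src_ip> -> <dst_ip>:<dst_port> <action>"
LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (ALLOW|DENY)$")


@dataclass(frozen=True)
class Finding:
    timestamp: str
    src: str
    dst: str
    dport: int
    action: str
    reason: str  # "known-relay" (strong) or "tor-port" (weak heuristic)


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify(dst: str, dport: int):
    """Return why a destination looks like Tor, or None if it does not."""
    if is_internal(dst):
        return None
    if dst in KNOWN_TOR_RELAYS:
        return "known-relay"
    if dport in TOR_DEFAULT_PORTS:
        return "tor-port"
    return None


def detect_tor_connections(log_text: str):
    """Parse each log line and return a Finding for every suspicious destination."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than aborting the whole run
        ts, src, dst, dport, action = m.groups()
        reason = classify(dst, int(dport))
        if reason:
            findings.append(Finding(ts, src, dst, int(dport), action, reason))
    return findings


def hosts_to_review(findings):
    """Source hosts with at least one strong (known-relay) match, with hit counts."""
    counts = {}
    for f in findings:
        if f.reason == "known-relay":
            counts[f.src] = counts.get(f.src, 0) + 1
    return dict(sorted(counts.items()))


# Constructed sample log: one relay hit over 443, one port-only heuristic hit,
# one benign HTTPS flow, one denied relay hit, and one internal SOCKS-port flow.
SAMPLE_LOG = """\
2025-08-13T10:01:02Z 10.0.0.5 -> 203.0.113.10:443 ALLOW
2025-08-13T10:01:05Z 10.0.0.7 -> 192.0.2.44:9001 ALLOW
2025-08-13T10:01:09Z 10.0.0.8 -> 192.0.2.80:443 ALLOW
2025-08-13T10:01:12Z 10.0.0.5 -> 198.51.100.7:9030 DENY
2025-08-13T10:01:15Z 10.0.0.5 -> 10.0.0.1:9050 ALLOW
"""

if __name__ == "__main__":
    found = detect_tor_connections(SAMPLE_LOG)
    for f in found:
        print(f"{f.timestamp} {f.src} -> {f.dst}:{f.dport} [{f.action}] {f.reason}")
    print("hosts to review:", hosts_to_review(found))
```

Denied connections are kept in the findings on purpose: a host that is repeatedly trying to reach a relay is still a host worth examining, even if the firewall stopped it. The port heuristic is deliberately reported separately from relay-list matches, because relays on 443 will only ever be caught by the list.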

Infostealers Show Their Hand

Given the prominence of infostealers in the 2025 cyber threat environment, you may be asking what you can do. To start, please make sure that you are taking care of the basics, like monitoring exposed credentials, using and updating an antivirus program, using unique passwords for every account, using MFA, and monitoring for anomalous behavior on your important accounts. 
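Monitoring exposed credentials does not have to mean handing a password to a third party. The k-anonymity range scheme used by Pwned Passwords sends only the first five hex characters of the password's SHA-1 and matches the remaining 35 characters locally. The block below is an added example written for this article (not code from the author, LastPass, or Have I Been Pwned) that implements that client-side matching logic. The range response is constructed so the block runs offline; only the first suffix in it is the real suffix of SHA-1("password"), and every count is made up. A real client would replace `offline_fetch` with an HTTPS request for the range.

```python
"""Check whether a password appears in a breach corpus without sending the
password itself, using the k-anonymity range scheme of Pwned Passwords.

Added example for this article, not code from the article, LastPass or HIBP.
The range data below is CONSTRUCTED so the block runs offline.
"""
import hashlib


def split_hash(password: str):
    """SHA-1 of the password, split into the 5-char prefix that is shared
    and the 35-char suffix that never leaves the host."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(range_text: str):
    """Parse 'SUFFIX:COUNT' lines into a dict.

    Padding entries (count 0, as returned when the client asks for padded
    responses) are dropped so they never produce a false match."""
    counts = {}
    for line in range_text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue  # tolerate blank or malformed lines
        suffix, count = line.split(":", 1)
        count = int(count)
        if count > 0:
            counts[suffix.upper()] = count
    return counts


def exposure_count(password: str, fetch_range) -> int:
    """How many times the password was seen in breaches (0 if not found).
    fetch_range(prefix) returns the range text for that 5-char prefix."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


# CONSTRUCTED range for prefix 5BAA6 (SHA-1("password") begins with 5BAA6).
# Only the first suffix is real; the counts and the other entries are made up.
SAMPLE_RANGES = {
    "5BAA6": "\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567",  # real suffix, constructed count
        "0" * 34 + "A:2",                                # constructed unrelated entry
        "F" * 35 + ":0",                                 # padding entry, count 0
    ])
}


def offline_fetch(prefix: str) -> str:
    """Stand-in for the HTTPS range call; an unknown prefix behaves as an empty range."""
    return SAMPLE_RANGES.get(prefix, "")


def evaluate(password: str, fetch_range=offline_fetch) -> str:
    """Human-readable verdict for a password, suitable for a user-facing check."""
    n = exposure_count(password, fetch_range)
    if n == 0:
        return "not found in range data"
    return f"seen {n} times; rotate this password and check where else it is reused"


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: {evaluate(pw)}")
```

The important property to preserve when wiring this to a real endpoint is that the request carries only the prefix: logging, proxies and error handlers must never see the full digest, let alone the password.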

Now that we know infostealers focus on pulling cookies and credentials out of browsers, don’t store your credentials within your browser either. For the more technically inclined, blocking unauthorized TOR connections will help protect against the new server-side malware approach mentioned above. Infostealers are primed to be a critical threat for the next year and in the foreseeable future. The more done to protect organizations, the better.

About the Author

Mike Kosak

Senior Principal Intelligence Analyst at LastPass

Mike Kosak, Senior Principal Intelligence Analyst at LastPass, has been an intelligence analyst for over 20 years, working in both the public and private sectors. He has served in several senior analyst and management roles within the cyber threat intelligence field, focusing on operationalizing intelligence.
