Infostealers: 2025’s Most Underestimated Threat

Day 49 of 100 in the 100 Days of Cyber Challenge

Hudson Rock calls them “a silent epidemic” that is growing in volume and sophistication.

KELA referred to them as “The Quiet Precursor to Larger Attacks”.

These organizations are talking about infostealers, malware that runs in the background and is often used to set up bigger attacks.

Infostealers are analogous to offensive linemen who often make big plays possible, but don’t get much credit for it. Ransomware and AI malware are more like the quarterbacks, running backs and receivers who grab headlines for touchdowns and big plays.

Verizon’s 2025 Data Breach Investigations Report (DBIR) supports that analogy. By comparing logs with malware market postings, it found that 54 percent of ransomware victims’ domains appeared in credential dumps.

Flashpoint’s Global Threat Intelligence Index: 2025 Midyear Edition report provided alarming statistics for the first half of 2025: 5.8 million infected hosts and 1.8 billion stolen credentials; an 800 percent increase since the beginning of that year! Infostealing malware was relatively inexpensive, ranging from $60 to $400 US.

Infostealers go through an infection chain that is something like this:

(1) Social engineering through phishing campaigns designed to get the user to click on a malicious link in an email.
(2) System reconnaissance: gathering information about the system configuration (OS, hardware, installed tools).
(3) Stealing stored passwords, cookies, and autofill data from browsers; authentication tokens; and cryptocurrency wallet keys, to name a few.
(4) Compressing the data and sending it to command-and-control (C2) servers.
(5) Selling the data in a dark web marketplace.
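Stages 3 and 4 of that chain leave a recognizable footprint on the endpoint: a process that is not a browser reads the browser's credential and cookie stores, then shortly afterwards writes an archive and opens an outbound connection. The following is an added detection example, not code from the original post or from any vendor named in it. The event schema, process names, file paths, timestamps and the 203.0.113.7 destination are all constructed sample values; real EDR or Sysmon fields differ and the credential-store file names cover only common Chromium and Firefox layouts.

```python
"""Flag the "steal, compress, exfiltrate" pattern (stages 3-4 of an infostealer
chain) in constructed endpoint telemetry. Added example; assumed event schema."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    pid: int
    process: str
    action: str   # "file_read", "file_write" or "net_connect"
    target: str   # file path, or "ip:port" for net_connect


# Browsers legitimately open their own stores; any other reader is suspect.
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
# Common Chromium / Firefox credential and cookie store file names (lower-case).
CREDENTIAL_STORE_MARKERS = ("\\login data", "\\cookies", "\\web data",
                            "\\logins.json", "\\key4.db")
ARCHIVE_SUFFIXES = (".zip", ".7z", ".rar")


def is_credential_store(path: str) -> bool:
    """True if the path points at a browser credential or cookie store."""
    p = path.lower()
    return any(marker in p for marker in CREDENTIAL_STORE_MARKERS)


def detect_stealer_chains(events, window=timedelta(minutes=5)):
    """One finding per (host, pid) where a non-browser process read a browser
    credential store and, within `window` of that first read, wrote an archive
    and/or opened an outbound connection. Severity is "high" when all three
    stages are present."""
    by_proc = defaultdict(list)
    for e in events:
        by_proc[(e.host, e.pid, e.process)].append(e)

    findings = []
    for (host, pid, proc), evs in by_proc.items():
        if proc.lower() in BROWSER_PROCESSES:
            continue
        evs.sort(key=lambda e: e.ts)
        reads = [e for e in evs
                 if e.action == "file_read" and is_credential_store(e.target)]
        if not reads:
            continue
        start, deadline = reads[0].ts, reads[0].ts + window
        archives = [e.target for e in evs
                    if e.action == "file_write"
                    and e.target.lower().endswith(ARCHIVE_SUFFIXES)
                    and start <= e.ts <= deadline]
        dests = [e.target for e in evs
                 if e.action == "net_connect" and start <= e.ts <= deadline]
        stages = ["credential_store_read"]
        if archives:
            stages.append("archive_written")
        if dests:
            stages.append("outbound_connection")
        findings.append({
            "host": host, "pid": pid, "process": proc,
            "stores": sorted({e.target for e in reads}),
            "archives": archives, "destinations": dests,
            "stages": stages,
            "severity": "high" if len(stages) == 3 else "medium",
        })
    return findings


# Constructed sample telemetry (not real data). One benign browser read, one
# backup tool writing an archive, and one suspicious chain from "updater.exe".
T0 = datetime(2025, 9, 1, 10, 0, 0)
PROFILE = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default"
SAMPLE_EVENTS = [
    Event(T0, "WS-ALICE", 2210, "chrome.exe", "file_read", PROFILE + r"\Login Data"),
    Event(T0 + timedelta(seconds=30), "WS-ALICE", 4412, "updater.exe", "file_read",
          PROFILE + r"\Login Data"),
    Event(T0 + timedelta(seconds=31), "WS-ALICE", 4412, "updater.exe", "file_read",
          PROFILE + r"\Network\Cookies"),
    Event(T0 + timedelta(seconds=40), "WS-ALICE", 4412, "updater.exe", "file_write",
          r"C:\Users\alice\AppData\Local\Temp\report.zip"),
    Event(T0 + timedelta(seconds=45), "WS-ALICE", 4412, "updater.exe", "net_connect",
          "203.0.113.7:443"),
    Event(T0 + timedelta(minutes=1), "WS-BOB", 3100, "7zG.exe", "file_write",
          r"C:\Users\bob\Documents\archive.zip"),
]

if __name__ == "__main__":
    for f in detect_stealer_chains(SAMPLE_EVENTS):
        print(f["severity"], f["host"], f["process"], f["stages"])
```

The rule keys on the order of events within one process, which is what separates an infostealer from a legitimate backup job or a browser reading its own profile; tuning the window and the process allow-list to the environment is what keeps the false-positive rate manageable.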

What are the top infostealers? In the spirit of sports analogies, Lumma Stealer is like Secretariat in the 1973 Belmont Stakes. It accounted for 87 percent of infected hosts and devices in the Flashpoint report with a total of 5 million. Here is a ranked list of infostealers for H1 2025:

(1) Lumma Stealer – 5 million
(2) RedLine – 329,000
(3) StealC – 270,000
(4) Vidar – 111,000
(5) Agent Tesla – 30,000

According to security firm Constella, many organizations do not have a way to track how their email systems are used or if policies are being followed. This makes companies easy targets for infostealers.

Corporate email account users have been known to use their addresses on adult content platforms, online gambling sites, and other typically unauthorized sites. This makes it easier for attackers to steal credentials and session tokens, eventually gaining access to the corporate network itself.

Constella also found password reuse to be another serious problem. Once one system’s password is compromised, the rest are compromised too.

Tightening email account controls and usage policies helps, but by itself it is not enough. Dark web monitoring is another technique that many organizations need to use. By monitoring activity on these sites, organizations can learn whether they are under attack, or whether organizations they do business with are under attack.
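The monitoring described here, and the Constella findings on unauthorized site use and password reuse above, come down to one triage loop: take the credential records a monitoring feed returns, keep those whose login belongs to your domain or a partner's, and work out what each one implies. The block below is an added example of that triage, not code from the original post or from any vendor it cites. The record layout, the example.com organization, the partner.example domain, the site-category table and every credential in it are constructed; a real deployment would pull categories from a URL-classification feed and records from the monitoring service's API.

```python
"""Triage a constructed credential-dump feed for one organization: scope by
login domain, flag unauthorized site use and password reuse, and recommend
actions. Added example with constructed data."""
import hashlib
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class LeakRecord:
    url: str        # site the stolen credential was saved for
    login: str
    password: str
    source: str     # feed or market listing the record came from
    seen: str       # YYYY-MM-DD


ORG_DOMAIN = "example.com"
PARTNER_DOMAINS = {"partner.example"}        # hypothetical business partners
# Hypothetical category table; in practice from a URL-categorization feed.
SITE_CATEGORIES = {
    "mail.example.com": "corporate",
    "vpn.example.com": "corporate",
    "hr.saas.example": "business",
    "casino.test": "gambling",
    "adult.test": "adult",
}
UNAUTHORIZED_CATEGORIES = {"gambling", "adult"}


def host_of(url: str) -> str:
    return urlparse(url if "://" in url else "https://" + url).hostname or ""


def fingerprint(password: str) -> str:
    """Short hash so reuse can be compared without carrying plaintext around."""
    return hashlib.sha256(password.encode()).hexdigest()[:12]


def triage(records, org_domain=ORG_DOMAIN, partners=PARTNER_DOMAINS):
    """Return one entry per in-scope account, sorted by login."""
    by_account = defaultdict(list)
    for r in records:
        domain = r.login.rsplit("@", 1)[-1].lower() if "@" in r.login else ""
        if domain == org_domain:
            scope = "organization"
        elif domain in partners:
            scope = "partner"
        else:
            continue                      # not our domain: out of scope
        by_account[(r.login.lower(), scope)].append(r)

    report = []
    for (login, scope), recs in by_account.items():
        hosts = sorted({host_of(r.url) for r in recs})
        violations = [h for h in hosts
                      if SITE_CATEGORIES.get(h) in UNAUTHORIZED_CATEGORIES]
        # Same password fingerprint saved for more than one site = reuse.
        hosts_per_pw = defaultdict(set)
        for r in recs:
            hosts_per_pw[fingerprint(r.password)].add(host_of(r.url))
        reused = any(len(hs) > 1 for hs in hosts_per_pw.values())
        business_hit = any(SITE_CATEGORIES.get(h) in ("corporate", "business")
                           for h in hosts)
        if scope == "partner":
            actions = ["notify_partner"]
        else:
            actions = ["reset_password"]          # the credential is in a dump
            if business_hit or reused:
                actions.append("revoke_sessions")  # stealer logs carry tokens too
            if violations:
                actions.append("policy_review")
        report.append({
            "login": login, "scope": scope, "sites": hosts,
            "violations": violations, "password_reuse": reused,
            "sources": sorted({r.source for r in recs}),
            "last_seen": max(r.seen for r in recs), "actions": actions,
        })
    return sorted(report, key=lambda e: e["login"])


# Constructed sample feed (not real credentials or listings).
SAMPLE_RECORDS = [
    LeakRecord("https://vpn.example.com/", "alice@example.com", "Spring2025!", "market-A", "2025-05-20"),
    LeakRecord("https://casino.test/login", "alice@example.com", "Spring2025!", "market-A", "2025-06-02"),
    LeakRecord("https://hr.saas.example/", "bob@example.com", "hunter2", "market-B", "2025-06-10"),
    LeakRecord("https://adult.test/", "carol@partner.example", "pw1234", "market-B", "2025-06-11"),
    LeakRecord("https://casino.test/", "dave@mail.test", "x", "market-A", "2025-06-12"),
]

if __name__ == "__main__":
    for entry in triage(SAMPLE_RECORDS):
        print(entry["login"], entry["scope"], entry["actions"])
```

Session revocation sits beside the password reset because, as the infection chain above notes, the same log that holds the password usually holds cookies and tokens, and a reset alone does not invalidate those.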

This shifts the strategy from constantly being a defender in response mode to a proactive threat hunter hoping to find threats before they do harm.

Earlier I used a football analogy, and I will continue it here. If you want to keep a football team from scoring touchdowns on you, a great place to start is to undermine their offensive line: react quicker to the ball snap to ‘beat them to the punch’ or use techniques that make their blocking ineffective, so you can surround ball carriers before they get too far.

Infostealers need to be undermined before they facilitate damage. Strong IT hygiene, identity management, securing endpoints and data, improving cybersecurity culture, and dark web monitoring will make it more difficult for cybercrooks to go ‘Joe Montana’ on you.

Sources:

Verizon 2025 Data Breach Investigations Report

Hudson Rock Stealing the Future: Infostealers Power Cybercrime in 2025

Vectra Article on Infostealers

Constella: Behavioral Policy Violations and Endpoint Weaknesses Exposed by Infostealers

Crowdstrike: Dark Web Monitoring Explained

KELA: 2025 Midyear Cyber Threat Recap: Evolving Tactics and Emerging Dangers
