Infostealers Infect 11.1 Million Devices, Transforming Them Into Credential Theft Machines


Hackers have evolved their tactics, moving away from brute-force methods to more sophisticated approaches that leverage infostealers. These malicious programs are now the primary means through which attackers obtain stolen credentials, allowing them to access targeted systems as if they were legitimate users. This method is not only more efficient but also significantly less detectable than traditional intrusion techniques.

The Scale of the Threat

In 2025, over 11.1 million devices were compromised by infostealers, according to Flashpoint. The volume of data taken is staggering: more than 3.3 billion credentials, browser artifacts, session tokens, and other forms of identity data are circulating in illicit online marketplaces. These stolen credentials do not merely grant access; they often provide unauthorized entry to sensitive data while bypassing traditional security defenses, because the attacker logs in as a valid user.

Flashpoint has identified more than 30 distinct strains of infostealers, commonly referred to as “stealers.” The dynamic nature of the underground marketplace makes it challenging to quantify the exact number of unique stealers, as new variants frequently emerge while others are modified or taken down by law enforcement.

The Underground Economy of Stealers

Stealers are readily available within the underground ecosystem, often marketed as malware-as-a-service (MaaS) for as little as $60 per month. In 2025, the most prevalent stealers included Lumma, Acreed, Rhadamanthys, Vidar, and StealC. However, the landscape can shift rapidly; by early 2026, Vidar surged in popularity, accounting for over 73% of all infected devices, while Lumma’s share dwindled to just 1.1%.

Once an attacker acquires a stealer, the next step is to infect a target device. Any device connected to the network can serve as a potential entry point, as the data harvested can facilitate access to other network segments. Social engineering tactics are the most common delivery methods, targeting users with desktop or laptop computers. The likelihood of success in these attacks is statistically high.

Operational Mechanics of Stealers

While individual stealers may employ varying techniques and target different types of data, they generally follow a common operational framework. Initially, a stealer may check whether it is running in a sandbox environment, which would indicate that it is being analyzed by security tooling. If so, it can terminate to avoid being flagged.

To evade detection, stealers often use string encryption and obfuscation: strings are decrypted in memory only at the moment they are needed, so the plaintext is visible only briefly, which complicates signature-based detection.

Once operational, the stealer begins to collect data, focusing primarily on what can be monetized. Credentials are the primary target, encompassing website passwords, enterprise credentials (such as VPN, RDP, and webmail), SaaS logins, cloud platform credentials, and information stored in password managers. Additionally, they may gather autofill data that includes personal information like names, phone numbers, and email addresses.

Stealers also target browser cookies, active session tokens, and session artifacts from cloud and SaaS applications. They are capable of extracting cryptocurrency wallet information, including wallet seeds and private keys, as well as any accessible credit card data.

Moreover, stealers collect system metadata, such as operating system versions and IP addresses. By combining this data with the stolen credentials, they not only compromise identities but also provide contextual information that enhances the attacker’s capabilities.

Data Exfiltration and Monetization

Once the data is collected, it is packaged into files known as stealer logs. These logs may be compressed and encrypted to evade detection by enterprise data loss prevention (DLP) systems before being transmitted to a server controlled by the attacker.

The monetization of these logs can take various forms. Attackers may use the stolen data for personal gain or sell it to criminal organizations. A prevalent tactic among these groups is to utilize stolen identities to gain undetected access to systems, enabling them to deploy ransomware before detection mechanisms can respond. The timeline from the initial infection to ransom demand is often alarmingly short.

The Silent Epidemic

Stealers are characterized by their ease of use and difficulty of detection. Most victims remain unaware of their compromised status until they are breached using their own stolen credentials. The only indication of a breach often comes from threat intelligence reports that reveal the trading of credentials in illicit markets. However, this visibility does not prevent victimization; it merely confirms that an organization has already been compromised.
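When a threat-intelligence feed does surface a stealer log containing an organization's accounts, the practical question is what to reset and what to revoke. The following script is an added example, not code from the article or from Flashpoint. It triages the two most common files found in a stealer log, a `url:user:pass` password list and a Netscape-format cookie file, against a placeholder set of organization-owned domains, sorts the hits into the credential categories the article lists (VPN, webmail, SSO, other), and separates still-valid session cookies from expired ones, since a password reset alone does not invalidate a stolen session. All sample lines, the `example.com` domain and the category hints are constructed for illustration.

```python
"""Triage a stealer-log dump against an organisation's own domains.

Added example (not from the article or Flashpoint). Input formats are the
widely circulated "url:user:pass" text and the Netscape cookie file; every
sample line below is constructed, and ORG_DOMAINS is a placeholder.
"""
from __future__ import annotations

import time
from dataclasses import dataclass
from urllib.parse import urlsplit

# Placeholder: domains the organisation owns.
ORG_DOMAINS = ("example.com",)

# Constructed sample of a stealer log's "passwords" file (url:user:pass lines).
SAMPLE_PASSWORDS = """\
https://vpn.example.com/login:alice:Winter2025!
https://mail.example.com/owa/:bob@example.com:hunter2
https://github.com/login:alice-dev:ghp_notreal
https://sso.example.com/adfs/ls/:carol:Spring2025!
https://shop.example-store.net/account:dave:pw
"""

# Constructed sample of a Netscape-format cookie file from the same log
# (domain, include-subdomains, path, secure, expiry epoch, name, value).
SAMPLE_COOKIES = (
    "# Netscape HTTP Cookie File\n"
    ".example.com\tTRUE\t/\tTRUE\t4102444800\tSESSID\tabc123\n"
    ".example.com\tTRUE\t/\tTRUE\t946684800\tOLDSESS\texpired\n"
    "app.saas-vendor.com\tFALSE\t/\tTRUE\t4102444800\tsid\txyz\n"
)

# Hypothetical hostname-prefix hints mapped to the credential categories the article lists.
CATEGORY_HINTS = {"vpn": "vpn", "mail": "webmail", "owa": "webmail",
                  "rdp": "rdp", "sso": "sso", "adfs": "sso"}


@dataclass(frozen=True)
class Exposure:
    account: str
    host: str
    category: str


@dataclass(frozen=True)
class LiveSession:
    domain: str
    name: str
    expires: int


def in_scope(host: str, org_domains: tuple[str, ...]) -> bool:
    """True only for the org's own domains; 'shop.example-store.net' must not match 'example.com'."""
    host = host.lower().lstrip(".")
    return any(host == d or host.endswith("." + d) for d in org_domains)


def categorize(host: str) -> str:
    """Bucket a hostname by its first label using CATEGORY_HINTS."""
    return CATEGORY_HINTS.get(host.split(".")[0], "other")


def triage_passwords(text: str, org_domains=ORG_DOMAINS) -> list[Exposure]:
    """Return in-scope accounts from url:user:pass lines; the password itself is discarded."""
    found = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        # The URL contains ':' too, so split from the right. Assumption: the
        # password holds no ':' (a known ambiguity of this log format).
        parts = line.rsplit(":", 2)
        if len(parts) != 3:
            continue
        url, user, _password = parts
        host = urlsplit(url).hostname or ""
        if in_scope(host, org_domains):
            found.append(Exposure(user, host, categorize(host)))
    return found


def triage_cookies(text: str, org_domains=ORG_DOMAINS, now: int | None = None) -> list[LiveSession]:
    """Return org-domain cookies whose expiry is still in the future: sessions to revoke."""
    now = int(time.time()) if now is None else now
    live = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            continue
        domain, _, _, _, expiry, name, _value = fields
        if in_scope(domain, org_domains) and int(expiry) > now:
            live.append(LiveSession(domain.lstrip("."), name, int(expiry)))
    return live


def response_plan(passwords_text: str, cookies_text: str, org_domains=ORG_DOMAINS, now=None) -> dict:
    """Combine both triages into the two lists an IR team acts on."""
    exposures = triage_passwords(passwords_text, org_domains)
    sessions = triage_cookies(cookies_text, org_domains, now)
    return {
        "accounts_to_reset": sorted({e.account for e in exposures}),
        "by_category": sorted({(e.category, e.host) for e in exposures}),
        "sessions_to_revoke": [(s.domain, s.name) for s in sessions],
    }


if __name__ == "__main__":
    print(response_plan(SAMPLE_PASSWORDS, SAMPLE_COOKIES))
```

The domain check deliberately matches only exact or subdomain hits, so look-alike domains such as `example-store.net` are not pulled into the organization's reset list; the password field is parsed but never retained, since the purpose is to identify which accounts need a reset and which sessions need revoking, not to keep the secrets.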

For further insights into the implications of stolen credentials on modern security, refer to additional resources on the topic. Source: www.securityweek.com
