Infostealer malware: the quiet threat behind most credential breaches

Infostealer malware harvests passwords and session cookies that fuel most breaches. What it steals, why MFA fails, and how to limit damage.
Remote worker on a personal laptop at a home desk

An infostealer is malware that quietly harvests saved passwords, session cookies and other credentials from a device, then sends them to an attacker within seconds. It sits behind a large share of modern breaches because the stolen credentials it produces are what ransomware groups and account-takeover crews buy to get their initial foothold.

Most IT managers know what ransomware does. Fewer can explain the step that comes before it. Infostealers are that step. They are the supply chain feeding the stolen logins and active sessions that turn up in breach after breach across the European mid-market. This post explains what infostealers harvest, how the stolen data moves from one infected laptop to a full network compromise, why multi-factor authentication does not stop the chain on its own, and what actually reduces the damage.

What is infostealer malware?

Infostealer malware is a class of malicious software designed to locate and exfiltrate credentials and identity data stored locally on a device, then terminate. Unlike ransomware, which announces itself, an infostealer runs and exits in seconds to keep its forensic footprint small.

A single run typically harvests:

  • Browser-saved usernames and passwords, pulled from the local credential databases that Chromium browsers keep on disk.
  • Active session cookies and authentication tokens, which keep a user logged in without re-entering a password or passing an MFA check.
  • Cryptocurrency wallet files and browser extensions holding private keys.
  • Autofill and form data, including saved addresses, email addresses and card numbers.

This bundle of stolen data is known in criminal markets as a stealer log. The inclusion of device details such as IP address, hostname and installed software is deliberate. It lets a buyer rebuild a convincing copy of the victim’s environment so that a replayed session cookie looks like the same user simply continuing their day.

How an infostealer turns into a breach

The route from one infected device to a network-wide breach runs through a structured criminal supply chain. Each actor handles one step, which keeps everyone efficient and shortens the time an attacker needs to spend inside a target. Understanding the chain is what lets you place defences where they matter.

It starts with infection. A user runs a malicious file, often on an unmanaged personal device used for work. Common delivery routes include hijacked search adverts that point to fake software download pages, trojanised installers for cracked software, and social-engineering lures such as fake CAPTCHA prompts. The payload copies the local browser databases, packages the contents, and exfiltrates them to the operator’s server, frequently abusing legitimate services to blend in with normal traffic.

From there the data is sold. Most infostealers run on a malware-as-a-service model, so the developers license their tool to affiliates who do the distributing. Fresh logs reach automated underground marketplaces within hours, where buyers filter by domain, country or software. Individual logs change hands for small sums, which is what makes the model scale.

Then comes triage. Initial access brokers run automated checkers across large volumes of raw logs, hunting for credentials tied to corporate VPN portals, RDP servers or single sign-on consoles. When a usable corporate login appears, the broker validates it, grades it by company size and access level, and lists it for sale.

The final step is the breach itself. Ransomware affiliates buy validated access and skip straight past the hard part. Because they hold active session cookies or working VPN credentials, there is no break-in to engineer. They log in through a normal corporate channel and begin lateral movement and data theft. Incident analysis shows this streamlined chain can compress the gap between a validated login and ransomware deployment to under 48 hours.

The connection is not theoretical. According to analysis drawing on the Verizon DBIR, 54% of the ransomware victims studied already had compromised credentials sitting in stealer logs before the attack. Stolen credentials are not a side issue. They are the on-ramp.

Why MFA is not enough

Multi-factor authentication verifies identity at the moment of login. An infostealer steals the session cookie that a successful login produces, after the MFA check has already passed. Replaying that cookie satisfies a requirement that was already met, so no new challenge fires.

This technique is known as session hijacking, or pass-the-cookie. When a user signs in and clears an MFA prompt, the server issues a session cookie as proof that authentication happened. An infostealer copies that cookie. The attacker imports it into their own browser, often using anti-detect tooling to mask device fingerprints, and the server accepts the connection as a legitimate continuation of the session. The password field and the MFA step are skipped entirely.

The scale of this is significant. Microsoft’s research indicates that around 80% of incidents where MFA was bypassed trace back to stolen session token misuse. Our guide on why standalone ZTNA leaves identity exposed covers how this plays out once an attacker is inside, and why a password reset alone does not close the door. Resetting a password does not end active sessions or revoke stolen refresh tokens. Those stay valid until they are explicitly revoked at the identity provider.

Corporate exposure is climbing fast. Flare Systems, analysing 18.7 million infostealer logs gathered in 2025, found that more than one in ten infections (11%) contained active credentials for corporate SSO or identity provider consoles. That share was near 6% in early 2024 and reached almost 14% by the end of 2025. If the trend holds, analysts project one in five infostealer infections will carry corporate identity access by the third quarter of 2026. Within those corporate logs, Microsoft Entra ID is by far the most exposed identity provider, present in 79% of cases.

Named families and the takedowns that followed

The infostealer market is crowded and fast-moving, with developers shipping new evasion tricks to stay ahead of endpoint defences. A handful of families dominate the 2024 to 2026 period.

Lumma Stealer is the most prominent at present. It runs a mature malware-as-a-service operation and is known for a rapid update cycle that repeatedly defeats new browser protections. After enforcement action removed other major players, affiliate use of Lumma jumped sharply. Stealc is a newer but very active entrant that reads cookie data straight from browser memory. Vidar has been around since 2018 and remains resilient, often doubling as a loader for second-stage payloads, though the lineage of older families like this is harder to pin down. Agent Tesla, technically a trojan, has historically been one of the more active credential stealers seen across the Benelux.

The professionalisation of these tools has drawn coordinated law-enforcement responses. The most significant to date is Operation Magnus. On 28 October 2024, an international coalition led by the Dutch police, the FBI, Eurojust and the Belgian federal police struck the infrastructure behind the RedLine and META infostealers. Before the takedown, those two strains accounted for 64% of all infostealer-infected devices worldwide, according to figures from Flashpoint. The operation seized backend servers in the Netherlands, took down command-and-control domains, dismantled Telegram channels, and led to arrests in Belgium. US prosecutors unsealed charges against one of RedLine’s main developers.

The result was real but temporary. Supply of fresh logs dipped, then affiliates migrated to alternatives within weeks. The episode showed both the impact of coordinated action and the resilience of the ecosystem behind it.

A note on the numbers you will see in the press. Claims of billions of stolen credentials from a single mega-leak circulated in 2025, but forensic analysis showed these were old, recycled and largely inactive databases consolidated into one dump, not fresh access. Treat headline credential counts with caution. What matters for your risk is recent, active logs tied to your own domains, not the size of a historical aggregation.

What reduces the damage

There is no control that guarantees no credential is ever stolen, especially when staff use unmanaged personal devices that cannot take a security agent. The realistic goal is to make a stolen credential worth little. That means separating two kinds of measure: ones that prevent infection and exfiltration, and ones that limit the blast radius when prevention fails.

On the prevention side, real-time web and DNS filtering through a Secure Web Gateway is the first line, cutting access to the malicious adverts and fake download pages that deliver infostealers. Disabling browser password storage through group policy or MDM, and moving staff to a managed password manager, removes one of the richest targets. Phishing-resistant authentication such as hardware-bound FIDO2 keys defeats the real-time phishing proxies that traditional one-time-code MFA cannot.

On the blast-radius side, the single most useful shift is replacing broad network access with least-privilege, identity-based access. A traditional VPN drops an authenticated user onto a flat segment where stolen credentials allow free lateral movement. Zero Trust Network Access authorises one user to one specific application. Even if a session token for that application is stolen, the rest of the network stays invisible. The attacker cannot scan, pivot or spread, which is exactly the path our guide on how attackers move once inside describes.

Device posture checks add a second gate. Before access is granted, the platform validates the state of the device, not just the identity. A request from an unmanaged endpoint that fails baseline requirements is refused, regardless of whether the credentials or cookies are valid. Shortening session lifetimes and revoking tokens automatically on a detected infection closes the remaining window. A password reset on its own is not enough, because active sessions survive it.

This is where a consolidated platform earns its place. Jimber brings web filtering, identity-based ZTNA and device posture into one cloud-managed console, so a valid password lifted from a stealer log still hits a wall at the access layer. The win is not perfect prevention. It is making the stolen credential useless. For industrial sites where legacy equipment cannot run an agent, Jimber’s NIAC hardware isolates those devices at the network level, so an IT-side compromise cannot reach the production floor. Infostealers are an endpoint story, but the useful defence here sits at the access and network layer, where stolen credentials are neutralised rather than merely detected.

Frequently asked questions

What is the difference between credential theft and session hijacking?

Credential theft targets the inputs to a login, the username and password, which a standard MFA challenge can still block. Session hijacking targets the output of a completed login, the session cookie. Because the attacker loads that cookie directly, the server treats the connection as the legitimate user continuing work, skipping both the password and the MFA check.

Why does MFA not stop stolen session cookies?

MFA verifies the user only at the moment of sign-in. Once that succeeds, the server issues a session token so the user is not challenged on every click. An infostealer steals the token after login, so an attacker reusing it bypasses the whole sign-in flow and never triggers a fresh MFA prompt.

Is a password reset enough after an infostealer infection?

No. A password reset changes the login credentials for future attempts but does nothing to active session tokens already registered as valid on the server. The attacker keeps access through the stolen cookie until an administrator revokes all active sessions. Effective clean-up needs a password reset, full session revocation and endpoint remediation together.

How do infostealers get onto a device in the first place?

The common routes are hijacked search adverts pointing to fake software downloads, trojanised or cracked software installers, malicious email attachments, and social-engineering lures such as fake CAPTCHA pages. Many infections land on unmanaged personal devices used for work, where corporate endpoint controls are absent.

How does Zero Trust Network Access limit the damage from a stealer log?

A traditional VPN grants broad network access after one login, so one set of stolen credentials gives wide reach. ZTNA grants access to specific authorised applications only and checks device posture continuously. If a cookie is stolen, the damage is confined to that single application, while the rest of the network stays unreachable, which blocks lateral movement and ransomware spread.

Are corporate logins really showing up in stealer logs?

Yes, and the share is rising. Flare Systems found that 11% of infostealer infections in 2025 contained credentials for corporate SSO or identity provider consoles, up from around 6% in early 2024. Microsoft Entra ID was the most exposed provider, present in 79% of corporate identity logs analysed.

Infostealers are quiet by design, which is what makes them dangerous. You will not always know a credential has leaked, so the defensive question is not whether one ever will, but how little an attacker can do with it. Least-privilege access, device posture and web filtering in one place make a stolen login a dead end rather than a foothold. To see how that holds up against your own access setup, book a Jimber demo and walk through it with the team.

Find out how we can protect your business

In our demo call we’ll show you how our technology works and how it can help you secure your data from cyber threats.

Cybersecurity
Are you an integrator or distributor?

Need an affordable cybersecurity solution for your customers?

We’d love to help you get your customers on board.

checkmark

White glove onboarding

checkmark

Team trainings

checkmark

Dedicated customer service rep

checkmark

Invoices for each client

checkmark

Security and Privacy guaranteed