Malware Captures Billions of Credentials

Credential theft via infostealers has escalated to alarming levels, as cybercriminals continuously adapt to enhanced security measures. By infiltrating corporate systems with malware that captures session cookies, attackers are now able to circumvent multifactor authentication protocols.
According to threat intelligence firm Flashpoint, approximately 5.8 million devices were compromised by infostealers in just the first half of this year, leading to the harvesting of over 1.8 billion credentials. This trove of stolen information is now circulating on dark web marketplaces, fueling identity-based attacks.
The Lumma Stealer was identified as the primary source of these infections, noted for its user-friendly interface. Other significant players in this landscape include RedLine, Stealc, Vidar, and Agent Tesla, each contributing to hundreds of thousands of infections.
Infostealers not only collect usernames, passwords, and session tokens but also permit attackers to access a victim’s currently active browser tabs, potentially evading multifactor authentication defenses. Ian Gray, Flashpoint’s vice president of intelligence, emphasized that a single infostealer log file can encompass enough data to facilitate lateral movement within corporate networks, paving the way for extensive network breaches.
These logs, often just a few megabytes, can be bought for as little as $10 on criminal marketplaces. They are also sold through subscription services, usually run via Telegram, which push regular updates whenever new logs arrive.
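As an added example (not code from the article, from Flashpoint, or from any product the article mentions), the following Python shows one way a web application can detect the session-cookie replay described above: the session is bound at MFA time to a hash of the client's network and browser context, and a request that presents a valid cookie from a different context is revoked and sent back through MFA. All tokens, IP addresses and User-Agent strings are constructed samples, and SessionStore is a hypothetical stand-in for a real server-side session table.

```python
# Added example (not code from the article, Flashpoint, or any product it
# mentions): a server-side session check that detects a stolen session cookie
# being replayed from a client other than the one that passed MFA.
# Session tokens, IP addresses and User-Agent strings are constructed samples.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List


def client_binding(ip: str, user_agent: str) -> str:
    """Hash the client context a session was issued to.

    Binding to the /24 rather than the exact address tolerates the small
    address changes a NAT pool produces, while still flagging a cookie that
    turns up from an unrelated network with a different browser.
    """
    net = ".".join(ip.split(".")[:3])
    return hashlib.sha256(f"{net}|{user_agent}".encode()).hexdigest()


@dataclass
class Session:
    user: str
    binding: str                 # client_binding() captured at MFA time
    revoked: bool = False
    events: List[str] = field(default_factory=list)


class SessionStore:
    """In-memory stand-in for the server's session table (hypothetical)."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}
        self.alerts: List[str] = []   # what a SOC would see

    def login_with_mfa(self, user: str, ip: str, user_agent: str) -> str:
        """Issue a session cookie after MFA succeeded and record its context."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, client_binding(ip, user_agent))
        return token

    def check(self, token: str, ip: str, user_agent: str) -> str:
        """Return 'allow', 'reauth' (context changed) or 'deny' (bad/revoked)."""
        sess = self._sessions.get(token)
        if sess is None or sess.revoked:
            return "deny"
        if hmac.compare_digest(sess.binding, client_binding(ip, user_agent)):
            sess.events.append(f"ok from {ip}")
            return "allow"
        # The cookie is valid but no longer comes from the client that passed
        # MFA, which is what an exported infostealer log enables. Kill the
        # session and force a fresh MFA challenge rather than trusting it.
        sess.revoked = True
        self.alerts.append(
            f"possible session replay: user={sess.user} "
            f"new_ip={ip} new_ua={user_agent!r}"
        )
        return "reauth"


def demo() -> Dict[str, object]:
    """Walk through a login, a normal request, and a replay of the same cookie."""
    store = SessionStore()
    corp_ua = "Mozilla/5.0 (Windows NT 10.0) Chrome/126.0"
    token = store.login_with_mfa("alice@example.test", "10.20.30.40", corp_ua)
    return {
        "same_client": store.check(token, "10.20.30.41", corp_ua),   # NAT drift
        "replayed": store.check(token, "198.51.100.7", "curl/8.5.0"),
        "after_replay": store.check(token, "10.20.30.40", corp_ua),
        "alerts": len(store.alerts),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hard revoke on any mismatch is deliberately strict for illustration; roaming and mobile users change networks routinely, so a production deployment would feed the mismatch into a risk score or step-up policy instead. The check also only catches reuse after the cookie has already left the machine, so it complements rather than replaces endpoint controls against the infostealer itself.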
Continuous Crackdown Efforts
In recent months, law enforcement agencies have intensified their efforts to dismantle operations related to infostealers. This includes joint operations that disrupted the activities of RedLine and Meta infostealers in October 2024, as well as the Lumma Stealer in May 2025. These operations led to the disabling of over 2,300 malicious domains used for their infrastructure.
Microsoft highlighted that from March to May this year, over 394,000 Windows systems globally were found to be compromised by Lumma. However, truly eradicating infostealers remains challenging without apprehending the operators behind them. Many of these operations appear to originate from Russia, a country that has historically shown little inclination to prosecute cybercriminals targeting foreign interests.
Shortly after a significant disruption, Lumma quickly reemerged, with its operators claiming in a cyber forum post that they had restored functionalities and improved logging capabilities, despite previous interventions by the FBI.
Despite an initial drop in targeted devices, reports indicate that by July, the volume of compromised accounts began to return to pre-disruption levels, illustrating the resilience of Lumma’s operational capabilities.
Defensive Measures Against Infostealers
Infostealers rely heavily on social engineering tactics to spread infections. Common methods involve offering illegitimate software via fake cracks or key generators, often distributed through compromised platforms like GitHub. Social media channels also serve as vectors for spreading malicious content, with networks like YouTube being used to distribute harmful videos under the guise of game hacks or software piracy.
Experts recommend that organizations enhance their defenses through comprehensive user education aimed at raising awareness about the risks of downloading software from unofficial sources. Additionally, maintaining robust cyber hygiene practices, including effective implementation of multifactor authentication, proper network segmentation, and strict access controls, can mitigate the impact of such threats.
Monitoring for potential credential leaks remains crucial. Cybersecurity firms like Flashpoint offer threat intelligence services designed to alert organizations when their credentials appear in potential breaches, underscoring the importance of being proactive in a continually evolving threat landscape.