Infostealers

What are infostealers?

Infostealers are a type of malware designed to infiltrate computer systems to steal information. They exfiltrate various data, including login credentials, session cookies, financial info, and personally identifiable information, sending it to a remote server controlled by cybercriminals.

Why are infostealers so bad?

SpyCloud recaptured over 642.4 million records from 13.2 million unique malware infections last year. Data stolen by infostealers fuels a range of criminal activity, including account takeover, identity theft and fraud, and unauthorized access to systems and networks that can end in a data breach or ransomware. A further challenge is their non-persistent nature: many infostealers execute and remove themselves within seconds, leaving few or no forensic artifacts on the victim’s device to tell defenders what kind of attack took place.

What information is collected by infostealers?

Infostealer malware can collect almost any information stored on an infected device and in its browser, such as:

  • Login credentials: Usernames, passwords, and other authentication details like session cookies for various online accounts. We’re now starting to see infostealers exfiltrate 2FA tokens and passkeys.
  • Financial information: Credit card numbers, bank account details, and other financial data stored in the browser.
  • Identity data: Social security numbers, addresses, phone numbers, and other forms of PII.

How do infostealers infect victims?

Infostealers spread like most other malware: through social engineering attacks, email, SEO poisoning, malicious links, botnets, etc.

SpyCloud researchers have observed the following attack vectors commonly used to spread infostealer malware:

  • Malicious ads posted on popular sites
  • Malicious links placed in YouTube video descriptions
  • Game mods bundled with malware

How are credential stuffing and infostealers related?

Credential stuffing is an automated attack that replays a combolist of previously breached credentials against websites and applications. Combolists have traditionally held usernames and passwords exposed in data breaches, but some now contain data from stealer logs produced by infostealer malware. Infostealers extract a variety of valid authentication material from infected machines, including usernames, email addresses, passwords, browser cookies, and autofill data: in-use data that is far fresher than what older breaches provide. This shift makes credential stuffing attempts more likely to succeed for as long as the exfiltrated data goes unremediated.

What makes infostealers particularly dangerous: the forensic evasion problem

A critical challenge with infostealer malware is its non-persistent nature. Many infostealers execute, harvest all available data, and self-delete within seconds, leaving few or no forensic artifacts on the victim’s device. Endpoint detection and response (EDR) tools that key on persistence mechanisms or sustained malicious behavior may not flag the infection at all. Often the only evidence of compromise is the stolen data itself, which surfaces in criminal markets rather than in security logs.

This means the first indication that an organization has of an infostealer infection is often not an internal alert – it is the appearance of employee credentials and session cookies in a darknet market or Telegram channel. By the time that signal reaches security teams through conventional monitoring, the data has typically already been sold to at least one buyer.

The personal device problem

Enterprise security controls – EDR, DLP, network monitoring – apply to managed corporate devices. Infostealer malware disproportionately infects personal and unmanaged devices: home computers, personal laptops, and mobile devices used for work. An employee whose personal device is infected may have their corporate credentials, VPN access tokens, and Microsoft 365 session cookies compromised with no visibility from IT.

Even so, our latest research shows that 40% of malware infections occurred on devices with EDR or antivirus solutions in place, so even managed devices are not safe from the infostealer threat.

How to detect and respond to infostealers

Traditional security measures, while helpful, are not enough to detect and respond to infostealers effectively. Visibility into the data exfiltrated from infected devices is crucial: knowing what criminals hold from an affected device, including stolen credentials for critical workforce applications, is what makes it possible to stop follow-on attacks. With non-persistent malware in particular, an exact inventory of what was stolen is the only thing that enables proper post-infection remediation.
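To make "knowing what criminals hold" concrete, the following is an added example (not SpyCloud's code or output) that triages a stealer log into a remediation worklist: which corporate users need a password reset, where the same password was reused, and which applications need their sessions revoked because a live cookie was captured. The credential-block and Netscape-style cookie layouts, the domain list and the app labels are constructed assumptions; real logs vary by malware family.

```python
"""Triage a stealer log against corporate domains.

Added example, not SpyCloud's code. The credential-block and cookie-line
layouts below are a constructed simplification of what stealer logs hold;
real logs vary by malware family. Domain lists and app labels are assumed.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample: one infected device's saved-browser-credential file.
SAMPLE_PASSWORDS = """\
URL: https://login.microsoftonline.com/
USER: alice@corp.example
PASS: Winter2024!

URL: https://vpn.corp.example/login
USER: alice
PASS: Winter2024!

URL: https://www.shop.example/account
USER: alice.personal@mail.example
PASS: puppies123

URL: https://github.com/login
USER: bob@corp.example
PASS: hunter2
"""

# Constructed sample: Netscape cookie-file lines
# (domain, include-subdomains, path, secure, expiry, name, value).
SAMPLE_COOKIES = """\
.microsoftonline.com\tTRUE\t/\tTRUE\t1893456000\tESTSAUTH\tAAAA
vpn.corp.example\tFALSE\t/\tTRUE\t1893456000\tsessid\tBBBB
.shop.example\tTRUE\t/\tTRUE\t1893456000\tcart\tCCCC
.github.com\tTRUE\t/\tTRUE\t1500000000\tuser_session\tDDDD
"""

CORP_DOMAINS = {"corp.example"}                       # assumed: the organisation's own domains
CORP_APPS = {"microsoftonline.com": "Microsoft 365",  # assumed: SaaS apps holding corporate access
             "github.com": "GitHub"}

CRED_RE = re.compile(r"URL:\s*(?P<url>\S+)\s*USER:\s*(?P<user>\S+)\s*PASS:\s*(?P<pw>.+)")


@dataclass
class Exposure:
    user: str
    apps: set = field(default_factory=set)
    passwords: list = field(default_factory=list)

    @property
    def reused_password(self) -> bool:
        # Same password on several corporate apps: one stolen secret, many doors.
        return len(set(self.passwords)) < len(self.passwords)


def parse_credentials(text: str) -> list[dict]:
    return [{k: v.strip() for k, v in m.groupdict().items()} for m in CRED_RE.finditer(text)]


def parse_cookies(text: str) -> list[dict]:
    out = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 7:
            continue
        out.append({"domain": parts[0].lstrip("."), "name": parts[5], "expiry": int(parts[4])})
    return out


def classify_host(host: str):
    """('corp', domain) for the organisation's hosts, ('app', label) for known SaaS apps, else None."""
    for d in CORP_DOMAINS:
        if host == d or host.endswith("." + d):
            return ("corp", d)
    for d, label in CORP_APPS.items():
        if host == d or host.endswith("." + d):
            return ("app", label)
    return None


def is_corp_user(user: str) -> bool:
    return "@" in user and user.rsplit("@", 1)[1] in CORP_DOMAINS


def build_worklist(creds: list[dict]) -> dict[str, Exposure]:
    """Keep only entries that touch corporate identities or apps; group them per user."""
    work: dict[str, Exposure] = {}
    for c in creds:
        host = urlparse(c["url"]).hostname or ""
        cls = classify_host(host)
        user = c["user"].lower()
        if cls is None and not is_corp_user(user):
            continue                      # purely personal account: out of scope here
        if "@" not in user and cls and cls[0] == "corp":
            user = f"{user}@{cls[1]}"     # bare username on a corporate host
        exp = work.setdefault(user, Exposure(user))
        exp.apps.add(cls[1] if cls and cls[0] == "app" else host)
        exp.passwords.append(c["pw"])
    return work


def sessions_to_revoke(cookies: list[dict], now: int) -> set[str]:
    """Corporate apps with a stolen cookie the browser still considered live.

    The expiry field is only the browser's hint; the server decides whether a
    cookie is accepted, so everything listed here must be revoked server-side.
    """
    apps = set()
    for ck in cookies:
        cls = classify_host(ck["domain"])
        if cls and ck["expiry"] > now:
            apps.add(cls[1] if cls[0] == "app" else ck["domain"])
    return apps


if __name__ == "__main__":
    import time
    work = build_worklist(parse_credentials(SAMPLE_PASSWORDS))
    for user, exp in sorted(work.items()):
        flag = " (password reused)" if exp.reused_password else ""
        print(f"reset password for {user}: {sorted(exp.apps)}{flag}")
    print("revoke sessions:", sorted(sessions_to_revoke(parse_cookies(SAMPLE_COOKIES), int(time.time()))))
```

Two design points carry over to real data: entries are filtered by corporate identity or corporate application, not by the cookie's domain alone (a Microsoft 365 cookie lives on a Microsoft domain but grants access to your tenant), and cookies are never tied to a username inside the log, so every corporate app with a live cookie from that device goes on the revoke list.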

Password reset is not enough: the post-infection remediation gap

When an infostealer infection is identified, the instinctive response is to force a password reset. This addresses only one dimension of the exposure. Infostealer logs contain not just passwords but active session cookies, and those cookies remain valid until the application explicitly invalidates them, regardless of whether the password has been changed; the same holds for other long-lived authentication tokens captured alongside them. An attacker who bought the stolen cookies before the reset can keep using the account through the hijacked session and may never need the password at all. Complete post-infection remediation therefore requires invalidating all active sessions across every affected application in addition to resetting credentials.
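The following is an added example, not SpyCloud's or any product's code, that shows the remediation gap on the server side: a session store that validates cookies by lookup alone keeps honouring a cookie copied by an infostealer after the password changes, while a store that stamps each session with a per-user generation number and bumps it on reset rejects every session issued before. Both stores are toy in-memory stand-ins; the user names are made up.

```python
"""Why a password reset alone does not evict a stolen session.

Added example, not SpyCloud's or any product's code. Two toy in-memory
session stores: NaiveSessions validates a cookie by lookup alone, so a
cookie copied by an infostealer keeps working after the password changes;
HardenedSessions stamps each session with a per-user generation number
and bumps it on reset, which invalidates every session issued before.
"""
import secrets


class NaiveSessions:
    def __init__(self):
        self.passwords: dict[str, str] = {}
        self.sessions: dict[str, str] = {}      # cookie value -> user

    def login(self, user: str) -> str:
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = user
        return cookie

    def reset_password(self, user: str, new_password: str) -> None:
        self.passwords[user] = new_password     # sessions are left untouched: the gap

    def is_valid(self, cookie: str) -> bool:
        return cookie in self.sessions


class HardenedSessions:
    def __init__(self):
        self.passwords: dict[str, str] = {}
        self.generation: dict[str, int] = {}    # user -> current session generation
        self.sessions: dict[str, tuple[str, int]] = {}  # cookie -> (user, generation at issue)

    def login(self, user: str) -> str:
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = (user, self.generation.get(user, 0))
        return cookie

    def revoke_all_sessions(self, user: str) -> None:
        # Bumping the generation orphans every outstanding cookie for this user,
        # including copies the server never sees again (e.g. one sold from a stealer log).
        self.generation[user] = self.generation.get(user, 0) + 1

    def reset_password(self, user: str, new_password: str) -> None:
        self.passwords[user] = new_password
        self.revoke_all_sessions(user)          # reset and revoke are one remediation step

    def is_valid(self, cookie: str) -> bool:
        entry = self.sessions.get(cookie)
        if entry is None:
            return False
        user, issued_gen = entry
        return issued_gen == self.generation.get(user, 0)


def stolen_cookie_survives_reset(store) -> bool:
    """Replay a cookie captured before the reset: True means the attacker still has access."""
    victim = "alice@corp.example"                # made-up user
    stolen = store.login(victim)                 # infostealer copies this from the browser
    store.reset_password(victim, "N3w-Passw0rd!")
    return store.is_valid(stolen)


if __name__ == "__main__":
    print("naive store, stolen cookie valid after reset:", stolen_cookie_survives_reset(NaiveSessions()))
    print("hardened store, stolen cookie valid after reset:", stolen_cookie_survives_reset(HardenedSessions()))
```

In a real application the generation counter lives on the user record and is checked on every request (or is encoded in a signed token and compared to the stored value); for hosted applications such as Microsoft 365 the equivalent is the provider's revoke-all-sessions or sign-out-everywhere function, which must be invoked for each affected user alongside the reset.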

For the full list of what infostealer logs contain, see stealer logs. For context on how session cookie theft enables ongoing access, see session hijacking.

SpyCloud’s malware record dataset – the industry’s largest repository of recaptured infostealer data – enables organizations to identify specific employee exposures in near real time and trigger automated post-infection remediation before stolen credentials and cookies can be used. See SpyCloud’s Endpoint Threat Protection for details on how automated remediation works in practice.

How SpyCloud helps prevent infostealer infections from becoming a bigger problem

Organizations should keep their first lines of malware defense current to combat threats as they emerge, but they should also recognize that post-infection remediation steps are needed to address exposures they may not even know they have. SpyCloud’s malware protection capabilities help organizations remediate exposures from exfiltrated data, including login credentials and authentication cookies and tokens, that can easily open the door to account takeover and even ransomware. A complete infostealer malware incident response plan is now essential.

FAQs

Q: What data do infostealers steal?

A: Infostealer malware harvests all available authentication data from an infected device, including: saved browser credentials (usernames and passwords across all browsers), active session cookies and authentication tokens (enabling MFA bypass), browser autofill data, device and browser fingerprint information, cryptocurrency wallet files and keys, and email and messaging data. The complete data package from a single device is called a stealer log.

Q: How much infostealer data did SpyCloud recapture last year?

A: Last year, SpyCloud recaptured 13.2 million infostealer logs, containing 642.4 million credentials, 8.6 billion cookies, and 38.5 million third-party application credentials. We also recaptured more than 18 million non-human identity assets from malware infections, including API keys, tokens, secrets, service accounts, and automation credentials.

Q: Why do EDR and antivirus tools miss infostealer infections?

A: Many infostealer variants are non-persistent: they execute, harvest all available data, and self-delete within seconds, often leaving no persistent files, registry entries, or lasting behavioral indicators for endpoint detection tools to find. This means standard EDR and antivirus solutions may not detect the infection at all. The first evidence of compromise often surfaces in criminal markets, when the stolen credentials and session cookies appear for sale, rather than in internal security logs. This forensic evasion is why darknet monitoring for exposed identity data is a critical detection layer that operates independently of endpoint security tools.
