Malware

What is Malware?

Malware is malicious software designed to steal information, damage files or networks, or gain unauthorized access. Major categories include ransomware, trojans, spyware, and infostealers. For identity threats, infostealers matter most because they harvest the credentials and session tokens that fuel downstream attacks.

Malware as the first link in an identity attack chain

Malware – infostealers especially – is rarely the endgame. It’s the opening move in a chain ending in account takeover, ransomware, or fraud:

  • Infection via phishing, malicious download, or trojanized software. 
  • Exfiltration – a stealer log transmitted within minutes. 
  • Distribution – sold in criminal markets within hours. 
  • Exploitation – VPN credentials drive ransomware, cookies drive takeover, financial credentials drive fraud. 

The overlap between infostealer exposure and major incidents is measurable: SpyCloud analysis found that 54% of ransomware victims had employee credentials sitting in infostealer logs before the attack.

See the data in the 2026 Annual Identity Exposure Report →

Why malware needs an identity-aware response

Conventional incident response is device-centric – isolate, remove, restore. That’s incomplete when an infostealer was involved:

  • The malware leaves; the access stays. Stolen credentials and cookies are still valid and already circulating after the device is wiped. 
  • Wiping doesn’t revoke. Cleaning the endpoint does nothing to the attacker’s stolen sessions. 
  • Add an identity track. Identify exactly which credentials and sessions were exfiltrated and invalidate them. 
  • Scope human and machine identities. Treat both as part of the incident, not collateral – that’s the gap between “malware removed” and “attacker locked out.” 
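The identity track above is easier to see as a triage step than as a principle. The script below is an added example, not SpyCloud's code or tooling: it takes a stealer-log-style record of what was exfiltrated from one host and turns it into the identity-side actions that wiping the device does not perform. The log, the field names, the corporate domain list and the `svc-` service-account convention are all constructed assumptions for illustration.

```python
"""Turn a stealer log into an identity remediation plan (added example).

Assumptions (not from the page): the corporate domain(s), the naming
convention for service accounts, and the JSON-like shape of the log.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from urllib.parse import urlparse

CORP_DOMAINS = ("example.com",)        # assumption: domains the IdP controls
SERVICE_ACCOUNT_PREFIXES = ("svc-",)   # assumption: machine-identity naming
TRIAGE_TIME = datetime(2025, 3, 5, tzinfo=timezone.utc)

# Constructed sample log; passwords, cookie values and key ids are placeholders.
SAMPLE_LOG = {
    "host": "LAPTOP-7731",
    "exfiltrated_at": "2025-03-04T09:12:00Z",
    "credentials": [
        {"url": "https://vpn.example.com", "user": "j.doe@example.com", "password": "x"},
        {"url": "https://mail.example.com", "user": "j.doe@example.com", "password": "x"},
        {"url": "https://bank.example.net", "user": "jdoe", "password": "x"},
        {"url": "https://ci.example.com", "user": "svc-deploy", "password": "x"},
    ],
    "cookies": [
        {"domain": ".example.com", "name": "session", "expires": "2025-03-11T09:12:00Z"},
        {"domain": ".bank.example.net", "name": "sid", "expires": "2025-03-04T10:00:00Z"},
        {"domain": ".sso.example.com", "name": "sid", "expires": "2025-04-01T00:00:00Z"},
    ],
    "api_keys": [{"service": "aws", "key_id": "AKIAEXAMPLE"}],
}


def _in_corp(hostname: str) -> bool:
    """True if the host (or cookie domain) belongs to a corporate domain."""
    h = hostname.lstrip(".").lower()
    return any(h == d or h.endswith("." + d) for d in CORP_DOMAINS)


def _kind(user: str) -> str:
    """Classify a credential as a human or machine identity by naming convention."""
    return "machine" if user.lower().startswith(SERVICE_ACCOUNT_PREFIXES) else "human"


def _parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


@dataclass
class RemediationPlan:
    reset_passwords: list = field(default_factory=list)     # (user, host), corporate humans
    revoke_user_sessions: set = field(default_factory=set)  # users whose IdP sessions/refresh tokens go
    revoke_sessions: list = field(default_factory=list)     # (domain, cookie) still valid at triage
    rotate_secrets: list = field(default_factory=list)      # service accounts and API keys
    personal_exposure: list = field(default_factory=list)   # non-corporate artifacts: notify only
    expired_cookies: list = field(default_factory=list)     # already dead, record but no action


def build_plan(log: dict, now: datetime = TRIAGE_TIME) -> RemediationPlan:
    plan = RemediationPlan()
    for c in log.get("credentials", []):
        host = urlparse(c["url"]).hostname or ""
        if not _in_corp(host):
            # The company cannot reset a bank password; it can only warn the user.
            plan.personal_exposure.append(("password", c["user"], host))
        elif _kind(c["user"]) == "machine":
            plan.rotate_secrets.append(("service-account", c["user"], host))
        else:
            plan.reset_passwords.append((c["user"], host))
            plan.revoke_user_sessions.add(c["user"])  # reset alone leaves sessions alive
    for ck in log.get("cookies", []):
        if _parse_ts(ck["expires"]) <= now:
            plan.expired_cookies.append((ck["domain"], ck["name"]))
        elif _in_corp(ck["domain"]):
            plan.revoke_sessions.append((ck["domain"], ck["name"]))
        else:
            plan.personal_exposure.append(("cookie", ck["domain"], ck["name"]))
    for k in log.get("api_keys", []):
        plan.rotate_secrets.append(("api-key", k["service"], k["key_id"]))
    return plan


if __name__ == "__main__":
    p = build_plan(SAMPLE_LOG)
    for name, items in vars(p).items():
        print(f"{name}: {sorted(items) if isinstance(items, set) else items}")
```

The point of the split is that each list maps to a different control: password resets and session revocation go through the IdP, secret rotation goes through the CI/cloud platform, and personal exposure becomes a user notification, since the company cannot invalidate a bank session. Expired cookies are kept in the record so the incident log shows what was taken, even where no revocation is possible.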

Infostealers vs. ransomware vs. trojans in the identity chain

The major malware categories play different roles, and for identity threats they aren’t equally relevant. Infostealers open the chain, harvesting the credentials and session cookies that become initial access. Trojans and loaders deliver other payloads – including infostealers – by disguising themselves as legitimate software. Ransomware closes the chain: the payload deployed after stolen identity data has already provided the foothold.

This is exactly why malware needs an identity-aware response. Removing the malware deals with the device, but the credentials and sessions it already exfiltrated stay valid until they’re separately invalidated.

A cleaned device doesn’t mean cleaned-up exposure.

Check Your Exposure to see what malware may have already taken from your domain.

Frequently Asked

Which type of malware is most dangerous for identity security?

Infostealer malware, because it specifically targets authentication data – credentials, session cookies, OAuth tokens, device fingerprints – across every application on a device. Unlike ransomware, which announces itself, infostealers operate silently, often self-delete, and leave little forensic trace, while the stolen data is quickly sold for takeover, session hijacking, and ransomware access.

How does malware lead to ransomware?

The common path: an infostealer harvests corporate credentials (VPN, RDP, privileged passwords) from a device; those sell to initial access brokers; brokers resell to ransomware affiliates; the affiliate logs in, persists, moves laterally, and deploys ransomware. SpyCloud found 54% of ransomware victims had prior infostealer exposure, making it a leading indicator.

Does EDR fully remediate an infostealer infection?

Not fully. EDR may remove the malware, but it can't revoke credentials and sessions already exfiltrated and sold. Many infostealers also self-delete before detection. Closing the identity damage requires identifying the exact stolen artifacts and invalidating them – a step separate from cleaning the device.

Stop account takeover before it happens.

Our Check Your Exposure tool shows what data tied to your domain is already circulating in criminal markets.
