INFOSTEALER MALWARE: the theft that keeps taking
14th October 2025
Infostealer malware has evolved into a huge enabler of cybercrime and, by extension, is a growing risk for insureds. It has been linked to several very high-profile breaches recently, causing huge business interruption losses.
Beyond passwords, infostealer malware steals session cookies, two-factor authentication tokens and corporate VPN credentials, allowing attackers to bypass traditional defences. The stolen credentials are now the "initial access" sold on underground markets, fuelling both huge data breaches and large ransomware attacks and payouts. Some stolen credentials remain valid and unchanged for extended periods, and successful attacks have been seen leveraging credentials harvested more than 12 months earlier.
As Hudson Rock say in their blog:
"This delay between infection and exploitation is a reminder of the long tail of info-stealer campaigns, where stolen data can linger as a latent threat until the right buyer comes along."
Infostealer malware is among the most prevalent and effective tools for breaching security controls, with recent statistics showing it was involved in nearly two-thirds of all credential theft incidents worldwide in 2024 (including 9 of the 10 largest insurance claims). Over 2.1 billion credentials have been stolen and used as initial access in ransomware campaigns and other attacks.
In 2025, infostealers accounted for up to 54% of ransomware breaches, and IBM reported an 84% year-over-year increase in infostealer delivery via email phishing, with identity-based intrusions (driven by infostealers) comprising nearly a third of all breach vectors.
Massive credential dumps, sometimes exceeding 16 billion unique login pairs, are routinely traced back to infostealer infections, illustrating that this malware type is now responsible for enabling account takeovers, bypassing authentication, and undermining both personal and corporate networks at scale.
Connection to Ransomware
Analysis carried out by SpyCloud researchers confirms that infostealer infections often precede ransomware attacks. Nearly one-third of organisations that experienced ransomware had prior infostealer infections, making detection and mitigation of these infections an urgent priority.
Rise of Advanced Stealers
SpyCloud observed a 2000% increase in LummaC2 infostealer incidents over the past six months, making it one of the most prevalent and impactful strains alongside RedLine, Raccoon, and Vidar. Logs exfiltrated by LummaC2 are three times larger than those of other stealers, amplifying the threat footprint.
Implications for Bring Your Own Device (BYOD)
When personal devices are used to access corporate data and one of those devices has been infected by infostealer malware, corporate data is at risk of being accessed, together with potential exfiltration of valuable corporate network access credentials.
Some questions that those looking to manage this risk should ask:
1. What endpoint detection and response (EDR) or antivirus solutions are deployed to monitor and block infostealer malware?
2. Does the company employ dark web or threat intelligence monitoring to detect stolen credentials or leaked employee information proactively?
3. How are personal devices and Bring Your Own Device (BYOD) endpoints managed to prevent infostealers from accessing corporate data?
4. What password management policies and tools (e.g., enterprise password managers, blocking browser-stored passwords) are enforced?
5. How quickly are compromised credentials and affected accounts identified and remediated following an infostealer-related alert or incident?
6. Are there controls to prevent session hijacking or browser data theft that infostealers exploit to bypass MFA?
7. What incident response and post-infection remediation processes exist specifically for infostealer infections? Are they part of the incident response plan (IRP)?
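As an added illustration of the remediation logic behind questions 5 and 6 (not code from the original article or from any vendor named here), the following Python triages a constructed feed of exposed accounts against a constructed identity-directory export; all account names and timestamps are made up. It encodes the point made earlier that a password rotation alone does not invalidate stolen session cookies or tokens, and it flags captures older than 12 months as still actionable.

```python
from datetime import datetime, timezone

UTC = timezone.utc

# Constructed sample feed: (account, time the stealer log was captured).
EXPOSED = [
    ("alice@example.com", datetime(2024, 6, 3, tzinfo=UTC)),
    ("bob@example.com", datetime(2025, 9, 20, tzinfo=UTC)),
    ("carol@example.com", datetime(2024, 1, 15, tzinfo=UTC)),
    ("dave@example.com", datetime(2025, 10, 10, tzinfo=UTC)),
]

# Constructed identity-directory export: when the password was last changed
# and when all sessions/refresh tokens were last revoked (None = never).
DIRECTORY = {
    "alice@example.com": (datetime(2024, 2, 1, tzinfo=UTC), None),
    "bob@example.com": (datetime(2025, 10, 1, tzinfo=UTC), None),
    "carol@example.com": (datetime(2024, 3, 1, tzinfo=UTC),
                          datetime(2024, 3, 1, tzinfo=UTC)),
}


def triage(exposed, directory, now):
    """Map each exposed account to (outstanding action, age of capture in days).

    A password changed after the capture time neutralises the password but not
    the cookies or tokens stolen with it; those need a session revocation dated
    after the capture. The two checks are therefore made independently.
    """
    result = {}
    for user, exposed_at in exposed:
        age_days = (now - exposed_at).days
        rec = directory.get(user)
        if rec is None:  # alias, former employee or unmanaged account: verify
            result[user] = ("unknown-account", age_days)
            continue
        pw_changed_at, revoked_at = rec
        pw_safe = pw_changed_at > exposed_at
        sess_safe = revoked_at is not None and revoked_at > exposed_at
        if not pw_safe and not sess_safe:
            action = "force-reset+revoke-sessions"
        elif not pw_safe:
            action = "force-reset"
        elif not sess_safe:
            action = "revoke-sessions"
        else:
            action = "already-remediated"
        result[user] = (action, age_days)
    return result


if __name__ == "__main__":
    now = datetime(2025, 10, 14, tzinfo=UTC)  # constructed "today"
    for user, (action, age) in triage(EXPOSED, DIRECTORY, now).items():
        stale = " (captured >12 months ago, still actionable)" if age > 365 else ""
        print(f"{user}: {action}{stale}")
```

Run against a real breached-credential feed, the same join drives forced resets and token revocations from the identity provider rather than printed lines.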
References:
Keepnet, analysis of Verizon's 2025 data breach report.
SpyCloud analysis.
