Hackers no longer force open the side-window when infostealers can give them a key to the front door.
Infostealers have become the primary source of stolen credentials for attackers. Using these credentials is now a favored route for bad actors to access a target effectively as an invited guest. It is quicker, easier, less visible and more effective than forcing an entry.
More than 11.1 million devices were infected with infostealers in 2025, reports Flashpoint. More than 3.3 billion credentials, browser artifacts, session tokens and other forms of identity are now circulating in illicit marketplaces. These don’t simply provide entry to a target; they often provide authorized access to valuable data, undisturbed by the security defenses inside the target.
Flashpoint has found more than 30 unique strains of infostealer (from here on referred to as ‘stealers’). The precise number of ‘individual’ stealers is difficult (and probably meaningless) to quantify – the marketplace changes almost daily, with new stealers appearing, existing ones being forked, and law enforcement shutting down or at least disrupting others.
Stealers are available in the underground ecosystem, often via malware-as-a-service (MaaS) and for hire at as little as $60 per month. During 2025, the most successful stealers, in order, were Lumma, Acreed, Rhadamanthys, Vidar, and StealC. However, this can change rapidly. During the first two months of 2026, Vidar rose from fourth place to dominate, accounting for more than 73% of all infected hosts and devices. Lumma, number one in 2025, accounts for just 1.1%.
When attackers acquire a stealer, they must then infect a target device. This can usually be any device connected to the network the attacker intends to raid, since the secrets available there would provide access to other parts of the network. The most common delivery method is any of the standard social engineering attacks against anyone with a desktop or laptop. Success somewhere is statistically almost guaranteed.
Individual stealers may follow different processes and may steal different data. But however one operates and whatever it steals, its behavior will be a subset of the following:
It may first determine whether it is running in a sandbox (an indication that it is being examined by security controls). If so, it may terminate activity immediately to avoid being flagged by enterprise defense systems.
Its code may use string encryption and obfuscation to prevent detection by static analysis tools. The strings are decrypted only in memory, making them visible only briefly, which hampers signature-based detection.
The stealer starts to gather (usually while still in memory) whatever data it is designed to collect – which is basically whatever the designer feels can most easily be monetized. Credentials are the primary target, including website passwords, enterprise credentials (VPN, RDP, VNC, webmail), SaaS logins, cloud platform credentials, email accounts, password manager stores, and autofill data possibly containing stored personal information such as names, phone numbers, and email addresses.
It may also steal browser cookies, active session tokens, and cloud/SaaS session artifacts. Stealers will look for any useful browser data, including installed extensions and user agents. They may steal any cryptocurrency wallet information they can find, such as wallet seeds and private keys, whether from the browser or a desktop app, along with any credit card data they come across.
Stealers also gather system metadata (OS version, hardware, IP address and more). By combining data and metadata, stealers don’t just steal identity, they also steal context.
The stealer packages the data into files organized by content type (known as stealer logs). It may compress and encrypt them to hide the content from enterprise DLP, and then send them to a web server controlled by the attacker.
The attacker monetizes the logs, possibly by making personal use of them, but more likely by selling them to criminal groups. A common use by these groups is to gain access with the stolen identities and then deliver and activate ransomware before the intrusion is detected and blocked. There is often a direct and relatively short line between stealer infection and ransom demand.
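The sequence above (read the browser’s credential and cookie stores, then ship them to an attacker-controlled web server) is also what a defender can look for on the endpoint. The following is an added example, not code from the original article or from Flashpoint: a small heuristic detector that flags any process other than a browser that reads a browser credential or cookie store and then opens an outbound connection within a short window. The telemetry format, process names, timestamps and addresses are constructed for the example; the file names (Chromium’s "Login Data" and "Cookies", Firefox’s "logins.json" and "cookies.sqlite") are the real on-disk store names.

```python
"""Heuristic detection of stealer-like behavior from endpoint telemetry.

Pattern: a non-browser process reads a browser credential/cookie store and
then makes an outbound network connection within WINDOW seconds.
All sample telemetry below is constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Real on-disk names of browser credential/cookie stores (Chromium and Firefox).
CREDENTIAL_STORES = {"login data", "cookies", "web data", "logins.json", "cookies.sqlite"}
# Processes that legitimately read those stores (hypothetical allowlist; extend for your fleet).
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
# Maximum gap between the first sensitive read and the outbound connection.
WINDOW = timedelta(seconds=60)


@dataclass
class Event:
    ts: datetime
    pid: int
    image: str
    kind: str     # "file_read" or "net_connect"
    target: str   # file path for file_read, host:port for net_connect


def parse_line(line: str) -> Event:
    """Parse one constructed telemetry line: ts|pid|image|kind|target."""
    ts, pid, image, kind, target = line.split("|", 4)
    return Event(datetime.fromisoformat(ts), int(pid), image.lower(), kind, target)


def is_credential_store(path: str) -> bool:
    """True if the path's file name is a known browser credential/cookie store."""
    basename = path.replace("\\", "/").rsplit("/", 1)[-1]
    return basename.lower() in CREDENTIAL_STORES


def detect(lines):
    """Return one alert per process that reads a store and then connects out within WINDOW."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    pending = {}   # pid -> (image, time of first sensitive read, set of paths read)
    alerts = []
    for e in events:
        if e.kind == "file_read" and is_credential_store(e.target) and e.image not in BROWSER_IMAGES:
            _, _, paths = pending.setdefault(e.pid, (e.image, e.ts, set()))
            paths.add(e.target)
        elif e.kind == "net_connect" and e.pid in pending:
            image, first_read, paths = pending[e.pid]
            if e.ts - first_read <= WINDOW:
                alerts.append({"pid": e.pid, "image": image,
                               "stores": sorted(paths), "dest": e.target})
            del pending[e.pid]   # one verdict per process
    return alerts


# Constructed sample telemetry. 203.0.113.10 and 192.0.2.25 are documentation addresses.
SAMPLE_TELEMETRY = r"""
2026-02-10T09:14:55|1200|chrome.exe|file_read|C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data
2026-02-10T09:15:01|4412|updater.exe|file_read|C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data
2026-02-10T09:15:02|4412|updater.exe|file_read|C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
2026-02-10T09:15:09|4412|updater.exe|net_connect|203.0.113.10:443
2026-02-10T09:20:00|5100|backup.exe|file_read|C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1.default\cookies.sqlite
2026-02-10T09:35:00|5100|backup.exe|net_connect|192.0.2.25:443
"""


if __name__ == "__main__":
    # The browser's own read is ignored; backup.exe connects too late to match;
    # updater.exe reads two stores and connects 8 seconds later, so it is flagged.
    for alert in detect(SAMPLE_TELEMETRY.splitlines()):
        print(alert)
```

The allowlist and the 60-second window are tuning knobs: a stealer that stages data and exfiltrates later would need a longer window, at the cost of more noise from legitimate backup or sync tools, which is why the alert carries the exact store paths so an analyst can triage it quickly.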
Stealers are easy to use, hard to detect or block, and rapacious in action. Most victims are unaware they are victims until they are breached through their own, but stolen, credentials. The only other visibility is threat intelligence finding the credentials being traded in illicit markets – but that visibility doesn’t prevent you from becoming a victim, it merely confirms that you already are one.