Infostealers: How to Prevent and Mitigate Them

Infostealers are a type of malware that infiltrates computer systems to steal sensitive information, such as login credentials and financial information. Primarily targeting browser data and operating covertly, this form of information-stealing malware can spread through many attack vectors, including phishing emails, malicious downloads, malvertising, and others.


What are Infostealers?

Infostealers are part of a broader data exfiltration industry, with the resulting stolen information often packaged and traded on the dark web. Cybercriminals also market infostealers as Malware-as-a-Service (MaaS), lowering the barrier to entry for bad actors.

With a maturing ecosystem around data exfiltration and a shift away from other attack vectors, infostealers are a growing threat that you need to protect against.

The State of Cybersecurity in 2025: Infostealers Are on the Rise

Check Point’s State of Cyber Security 2025 Report goes into detail on the rapid rise of infostealers:

  • The various malware infection vectors
  • The expanding industry that has grown around corporate data exfiltration
  • The potential data security implications for businesses

The report found that infostealer attacks grew by 58% in 2024.

While the technology behind information-stealing malware has not evolved significantly in the past year, the decline of big botnets, the maturation of the broader data exfiltration market, and the adoption of remote work make it an efficient entry point for breaching corporate networks.

Infostealer attacks are typically broad, targeting many people and organizations rather than looking to breach a specific corporate network.

Research shows that 70% of all infostealer-infected devices are personal rather than corporate. One of the main goals of targeting personal devices is to access corporate resources through Bring Your Own Device (BYOD) entry points.

The Infostealer Marketplace

Infostealers offer a quick and relatively easy way to obtain sensitive corporate information: they rapidly gather large quantities of "logs", bundles of login credentials and other sensitive data harvested from an infected machine. A log that contains working credentials for a corporate network serves as the initial stage of a larger data breach.

Malware As a Service

With the ability to quickly gather large volumes of logs, the cybercriminals behind infostealers now market them to less technically advanced threat actors through MaaS.

Examples of the most popular infostealer MaaS platforms on the dark web include:

  • RedLine Stealer
  • LummaC2
  • StealC
  • Vidar

The MaaS customer or affiliate buys licenses for these infostealer tools to run their own infection campaigns. The batches of stolen data returned by those campaigns are then sold or traded within the infostealer marketplace, most commonly through Telegram channels or underground marketplaces, many of which are Russian-language.

MaaS infostealer platforms compete with one another on the quality of their logs and on how quickly they can classify and present stolen data on the marketplace. The value of a log diminishes with time: once a security team learns of the infection, it removes the infostealer, resets the exposed passwords, and revokes the stolen sessions, at which point the log is worthless.

Therefore, infostealer vendors must provide fast access to their latest logs when they are most valuable.

Initial Access Brokers

Another player in the infostealer ecosystem, beyond vendors and affiliates, is the Initial Access Broker (IAB). IABs take the raw credentials and sessions in a log and use them to gain a foothold in the corporate network, turning a log into wider network access that is worth far more than the credentials alone.

By performing this service, IABs can resell access to specific targets on dark web forums, attracting threat actors with specific goals, such as ransomware attacks. Those buyers, often affiliates of a Ransomware-as-a-Service (RaaS) operation, monetize the access obtained from the original infostealer log a second time.

Money generated from these schemes, as well as simpler financial cybercrimes (identity theft, fraud, unauthorized transactions, etc.), fuel the growth of the infostealer ecosystem.

Infostealer Targets

Data analysis reveals that the most common logs available for sale belong to the largest online service providers and social media platforms, with the top 5 being:

  1. accounts.google.com
  2. facebook.com
  3. roblox.com
  4. login.live.com
  5. instagram.com

Given the broad, untargeted nature of most infostealer infection campaigns, it is unsurprising that stolen login credentials belong to the most popular services.

Analysis also suggests that gamers may be more susceptible than other groups, given the prevalence of credentials for gaming-related sites and services: Roblox, Discord, Twitch, and Epic Games all appear in the top 13. This could be due to less stringent internet hygiene in these communities.

Infostealer Geographic Data

Infostealers are often closely linked to Russia, with logs sold on Russian-language marketplaces. Analysis of the logs listed on Russian Market, one such marketplace, shows that a significant portion originate from countries such as India and Brazil.

The top 5 countries of origin for logs sold on the Russian market are shown below:

  1. India 10%
  2. Brazil 8%
  3. Indonesia 5%
  4. Pakistan 5%
  5. Egypt 5%

How to Prevent Infostealers

Protecting against information-stealing malware and data exfiltration requires sophisticated security processes and best practices that cover your entire organization. This includes protecting every potential entry point, such as BYODs used for remote or hybrid work.

These devices dramatically extend your attack surface and give infostealers many more opportunities to reach corporate data.

IABs can identify logs from personal devices that offer an entry point into a valuable corporate network. Such logs can even bypass Multi-Factor Authentication (MFA): a stolen session cookie lets the attacker resume an already-authenticated session, so neither the password nor the second factor is challenged again. Any security process you have must therefore extend beyond the traditional corporate perimeter to include every access point.
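The cookie replay described above is the reason server-side session handling matters as much as MFA itself. The following is an added example, not Check Point code and not taken from the report, showing one mitigation: the server binds each session to the client context it was issued to and demands a fresh MFA challenge when a valid cookie arrives from a different network or browser. The signing key, the 8-hour lifetime, the /24 plus User-Agent fingerprint, and the scenario in `demo()` are all assumptions chosen for illustration.

```python
"""Server-side session binding: a valid cookie replayed from a different
client context triggers a fresh MFA challenge instead of silent access."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

SESSION_MAX_AGE = 8 * 3600   # hard expiry in seconds; an assumed policy value


@dataclass
class Session:
    user: str
    fingerprint: str   # hash of the client context the cookie was issued to
    issued_at: float


class SessionStore:
    """Minimal session table that binds each cookie to the issuing client."""

    def __init__(self, signing_key: bytes):
        self._key = signing_key
        self._sessions: dict[str, Session] = {}

    @staticmethod
    def fingerprint(ip: str, user_agent: str) -> str:
        # Bind to the /24 network plus the browser User-Agent. Coarse enough
        # that a laptop changing DHCP lease in the same office keeps its
        # session; precise enough that the same cookie sent from an
        # attacker's machine on another network will not match.
        network = ".".join(ip.split(".")[:3])
        return hashlib.sha256(f"{network}|{user_agent}".encode()).hexdigest()

    def _sign(self, session_id: str) -> str:
        return hmac.new(self._key, session_id.encode(), hashlib.sha256).hexdigest()

    def issue(self, user: str, ip: str, user_agent: str, now: float) -> str:
        """Called after password and MFA both succeed; returns the cookie value."""
        session_id = secrets.token_hex(16)
        self._sessions[session_id] = Session(user, self.fingerprint(ip, user_agent), now)
        return f"{session_id}.{self._sign(session_id)}"

    def check(self, cookie: str, ip: str, user_agent: str, now: float) -> str:
        """Returns 'ok', 'step_up' (demand fresh MFA) or 'reject'."""
        session_id, _, signature = cookie.partition(".")
        if not signature or not hmac.compare_digest(signature, self._sign(session_id)):
            return "reject"                      # forged or mangled cookie
        session = self._sessions.get(session_id)
        if session is None:
            return "reject"                      # revoked or never issued
        if now - session.issued_at > SESSION_MAX_AGE:
            del self._sessions[session_id]
            return "reject"                      # expired: caps the value of an old log
        if session.fingerprint != self.fingerprint(ip, user_agent):
            # Genuine cookie, wrong client: the signature of a stolen cookie
            # being replayed. Do not grant access; force MFA again.
            return "step_up"
        return "ok"

    def revoke_user(self, user: str) -> int:
        """Kill every session for a user, e.g. once their log appears for sale."""
        doomed = [sid for sid, s in self._sessions.items() if s.user == user]
        for sid in doomed:
            del self._sessions[sid]
        return len(doomed)


def demo() -> dict:
    """Walk a constructed scenario: legitimate use, replay, tampering, revocation."""
    store = SessionStore(signing_key=b"assumed-server-side-secret")
    ua = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/123.0"
    t0 = 1_700_000_000.0
    cookie = store.issue("alice@example.com", "203.0.113.10", ua, t0)
    tampered = cookie[:-1] + ("0" if cookie[-1] != "0" else "1")
    results = {
        "legit": store.check(cookie, "203.0.113.77", ua, t0 + 600),
        "replay": store.check(cookie, "198.51.100.7",
                              "Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0", t0 + 600),
        "tampered": store.check(tampered, "203.0.113.10", ua, t0 + 600),
        "revoked_count": store.revoke_user("alice@example.com"),
    }
    results["after_revoke"] = store.check(cookie, "203.0.113.10", ua, t0 + 700)
    return results


if __name__ == "__main__":
    print(demo())
```

The "step_up" outcome is the important one: the cookie is cryptographically valid, so a server that only checks the signature would let the replay through. Binding to client context turns a silently stolen session into an MFA prompt the attacker cannot answer, and `revoke_user` is the hook for the "proactively search for logs" step later on this page.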

Key methods for preventing infostealers from infiltrating your systems:

  • Spotting Social Engineering Attacks: Since infostealers are most commonly distributed through phishing and malicious downloads, your best defense is to train staff to recognize social engineering. Additionally, deploy email security tools that block suspicious messages and links before they reach the inbox.
  • Preventing Browser Synchronization: Disable browser profile and password sync between managed and personal devices, so that passwords saved in a corporate browser are never replicated to an unmanaged machine an infostealer can reach.
  • Utilizing Advanced Identity Management and Access Control: These systems track user behavior and respond to suspicious activity. Look for tools that immediately block, or require additional verification for, sign-ins and sessions that deviate from a user's normal device, location, or behavior.
  • Proactively Searching for Logs: Search infostealer markets for logs that reference your company's domains and employees, or use dark-web threat intelligence to track leaked data, including hijacked accounts, so that exposed credentials can be reset and sessions revoked before they are used.
  • Incorporating Endpoint Detection and Response (EDR): Monitor for and remediate malware such as infostealers on endpoints. Using both behavior-based and signature-based detection, EDR tools can flag activity such as an unknown process reading browser credential stores and stop the infection before it escalates into a serious data breach.
  • Leveraging MFA: Infostealers can sidestep MFA by replaying stolen session cookies, but MFA remains a valuable control against every other use of stolen credentials. It provides a failsafe should an infostealer capture a password and the attacker try to log in fresh to mount a broader attack.
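The EDR bullet above relies on behavioral detection, and the behavior every infostealer family on this page shares is reading the browser's credential and cookie databases from a process that is not the browser. The following is an added example, not Check Point code and not part of the report, of that detection logic run over constructed file-access telemetry. The event shape (`ts`, `pid`, `image`, `target`), the process names, the paths, and the severity thresholds are assumptions; real EDR feeds differ in field names but carry the same information.

```python
"""Flag non-browser processes reading browser credential and cookie stores,
the file-access pattern nearly every infostealer family shares."""
import re

# Processes that legitimately open their own profile databases.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"}

# What stealers read. For Chromium browsers "Local State" holds the
# DPAPI-wrapped key that decrypts "Login Data" and "Cookies", so a process
# that opens both the key file and a store is decrypting, not just copying.
STORE_PATTERNS = [
    (re.compile(r"/user data/(default|profile \d+)/(network/)?(login data|cookies|web data)$"),
     "chromium-store"),
    (re.compile(r"/user data/local state$"), "chromium-key"),
    (re.compile(r"/mozilla/firefox/profiles/[^/]+/(logins\.json|key4\.db|cookies\.sqlite)$"),
     "firefox-store"),
]


def normalize(path: str) -> str:
    """Case-fold and use forward slashes so one regex covers Windows paths."""
    return path.replace("\\", "/").lower()


def classify_target(path: str):
    """Return the store category for a path, or None if it is not a credential store."""
    p = normalize(path)
    for pattern, kind in STORE_PATTERNS:
        if pattern.search(p):
            return kind
    return None


def detect(events):
    """events: iterable of {"ts", "pid", "image", "target"} file-read records.
    Returns one alert per offending process, ordered by first sighting."""
    per_process = {}
    for ev in events:
        kind = classify_target(ev["target"])
        if kind is None:
            continue
        image = normalize(ev["image"]).rsplit("/", 1)[-1]
        if image in BROWSER_IMAGES:
            continue                              # the browser reading its own data
        entry = per_process.setdefault((ev["pid"], image),
                                       {"first_seen": ev["ts"], "kinds": set(), "files": set()})
        entry["kinds"].add(kind)
        entry["files"].add(normalize(ev["target"]))
    alerts = []
    for (pid, image), info in per_process.items():
        # Key file plus store, or a sweep across several stores, is harvesting;
        # a single read might still be a backup tool, so rank it lower.
        decrypting = {"chromium-key", "chromium-store"} <= info["kinds"]
        severity = "high" if decrypting or len(info["files"]) >= 3 else "medium"
        alerts.append({"pid": pid, "image": image, "severity": severity,
                       "first_seen": info["first_seen"], "files": sorted(info["files"])})
    return sorted(alerts, key=lambda a: a["first_seen"])


# Constructed telemetry in the shape an EDR file-access feed would have; not real logs.
SAMPLE_EVENTS = [
    {"ts": "2025-03-04T09:12:01Z", "pid": 4120,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"ts": "2025-03-04T09:12:05Z", "pid": 7788,
     "image": r"C:\Users\alice\AppData\Local\Temp\setup_v2.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"},
    {"ts": "2025-03-04T09:12:06Z", "pid": 7788,
     "image": r"C:\Users\alice\AppData\Local\Temp\setup_v2.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"ts": "2025-03-04T09:12:06Z", "pid": 7788,
     "image": r"C:\Users\alice\AppData\Local\Temp\setup_v2.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"ts": "2025-03-04T09:12:07Z", "pid": 7788,
     "image": r"C:\Users\alice\AppData\Local\Temp\setup_v2.exe",
     "target": r"C:\Users\alice\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"},
    {"ts": "2025-03-04T09:15:40Z", "pid": 5024,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\ab12cd34.default-release\logins.json"},
    {"ts": "2025-03-04T09:16:02Z", "pid": 1188,
     "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\alice\Downloads\invoice.pdf"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["severity"], alert["image"], alert["pid"], len(alert["files"]), "file(s)")
```

On the constructed sample, the unsigned binary in `%TEMP%` that reads "Local State" and then sweeps Login Data and Cookies across two browsers is reported as high severity, while the single PowerShell read of Firefox's `logins.json` is reported as medium for an analyst to triage. The browser's own reads and unrelated file activity produce nothing. A production rule would add the same patterns for other Chromium-based browsers and for cryptocurrency-wallet and messaging-client data directories, which are the other stores on an infostealer's list.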

Prevent & Mitigate Infostealers with Check Point

Infostealers are a growing cybersecurity threat, enabling more serious data breaches. With an extensive cybercrime ecosystem developing around infostealers, this malware is the key to opening your network up to threat actors worldwide.

Modern infostealer marketplaces make hacking corporate networks and gaining unauthorized access a question of finances rather than technical skill. Databases of logs are available to anyone willing to pay. Without proper infostealer protections in place, you’re gambling that threat actors browsing the dark web go with another target over your business.

You can learn more about the growing risk of infostealers and how to protect your business by downloading The State of Cyber Security 2025 report from Check Point.
