
Infostealers Turn Millions of Devices Into Credential Theft Engines Fueling Global Cybercrime


Infostealers Turn Millions of Devices Into Large-Scale Credential Theft Networks

Infostealer malware has become one of the most effective tools in modern cybercrime, shifting attackers away from traditional system exploitation toward stolen credentials as the main entry point into targets.

Security researchers report that infostealers now represent a primary source of access for ransomware groups and other threat actors. Instead of breaking into systems, attackers increasingly rely on credentials that already provide valid authentication—essentially entering networks as “authorized users.”

Massive Scale of Infection and Data Theft

According to threat intelligence reports, more than 11.1 million devices were infected with infostealers during 2025. These infections have contributed to the circulation of over 3.3 billion credentials, session tokens, browser artifacts, and identity-related data across underground marketplaces.

This stolen information is highly valuable because a valid password or, better still, a live session cookie lets the attacker sign in as the victim. To the target system that looks like an ordinary login rather than an intrusion, so it rarely triggers traditional security defenses, and a stolen session cookie issued after a completed login can also sidestep a multi-factor authentication prompt.

Researchers have identified more than 30 distinct infostealer families, with the ecosystem constantly evolving as malware variants are created, modified, and taken down through law enforcement actions.

Infostealers are commonly distributed via malware-as-a-service (MaaS) platforms, with some variants available for as little as $60 per month, making them accessible even to low-skilled attackers.

Most Active Infostealer Families

In 2025, the most prominent infostealers included Lumma, Acreed, Rhadamanthys, Vidar, and StealC. However, the landscape shifted quickly in early 2026, with Vidar rising to dominance and accounting for more than 70% of infections, while once-leading strains like Lumma dropped significantly in prevalence.

How Infostealers Operate

Infostealers typically begin by infecting a user’s system through social engineering, phishing campaigns, or malicious downloads. Once executed, they quietly operate on desktops or laptops—often the primary entry point into enterprise networks.

Their behavior is designed to evade detection and maximize data theft:

They may first check whether they are running in a sandbox or security analysis environment. If detected, they terminate immediately to avoid exposure to security tools.

To avoid detection by antivirus software, infostealers often use encryption and obfuscation techniques. The payload is decrypted only in memory at runtime, so static analysis of the file on disk shows little of the malicious logic and signature-based scanners have less to match on.

What Data Infostealers Target

Once active, infostealers collect a wide range of sensitive information, typically including:

  • Website and enterprise login credentials (VPN, RDP, VNC, SaaS, webmail)
  • Cloud and email account credentials
  • Password manager data and autofill information
  • Browser cookies and active session tokens
  • Cryptocurrency wallet data, including seed phrases and private keys
  • Credit card and financial information
  • System metadata such as operating system details, IP address, and hardware identifiers

By combining credentials with system context, attackers gain a complete identity profile that can be used for highly targeted intrusions.
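When a log like the one described above turns up for your organisation, the first task is triage: which accounts need a password reset, which passwords were reused across services, and which session cookies are still valid and must be revoked server-side. The following is an added example written for this article, not code from the article or from any stealer family. Real stealer logs differ by family, so the password file layout here is a simplified stand-in; the cookie section uses the Netscape cookie-file format, and every value in the sample is constructed for the example.

```python
"""Triage of a constructed infostealer log (added example, not from the article)."""
from dataclasses import dataclass
from urllib.parse import urlsplit

NOW = 1_800_000_000  # fixed "current time" so the example is reproducible


@dataclass(frozen=True)
class Credential:
    host: str
    user: str
    password: str


@dataclass(frozen=True)
class Cookie:
    domain: str
    name: str
    value: str
    expires: int  # Unix time; 0 means a session cookie with no stored expiry


# Constructed sample in a simplified "URL/USER/PASS" layout (hypothetical format).
CONSTRUCTED_PASSWORDS = """\
URL: https://vpn.example.com/login
USER: jdoe
PASS: Winter2025!

URL: https://mail.example.com/
USER: jdoe@example.com
PASS: Winter2025!

URL: https://shop.example.net/account
USER: jdoe@example.com
PASS: hunter2
"""

# Constructed sample in Netscape cookie-file format:
# domain, include_subdomains, path, secure, expiry, name, value (tab separated).
CONSTRUCTED_COOKIES = (
    "# Netscape HTTP Cookie File\n"
    f".example.com\tTRUE\t/\tTRUE\t{NOW + 30 * 86400}\tSESSIONID\tc0ffee11\n"
    f"sso.example.com\tFALSE\t/\tTRUE\t{NOW - 3600}\tauth\tdeadbeef\n"
    f".shop.example.net\tTRUE\t/\tFALSE\t0\tcart\tabc123\n"
)


def parse_credentials(text):
    """Parse records of URL/USER/PASS lines separated by blank lines."""
    creds = []
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")  # split on the first colon only
            fields[key.strip().upper()] = value.strip()
        if {"URL", "USER", "PASS"} <= fields.keys():
            host = urlsplit(fields["URL"]).hostname
            creds.append(Credential(host, fields["USER"], fields["PASS"]))
    return creds


def parse_cookies(text):
    """Parse a Netscape-format cookie file; skip comments and malformed lines."""
    cookies = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != 7:
            continue
        domain, _, _, _, expires, name, value = parts
        cookies.append(Cookie(domain.lstrip("."), name, value, int(expires)))
    return cookies


def in_scope(host, monitored):
    """True if host is one of the monitored domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in monitored)


def triage(creds, cookies, monitored, now=NOW):
    """Turn a stealer log into a sorted action list for the monitored domains."""
    reset = sorted({(c.host, c.user) for c in creds if in_scope(c.host, monitored)})
    # A password captured for one site and reused elsewhere must be rotated
    # everywhere it is used, not only where the stealer recorded it.
    by_password = {}
    for c in creds:
        by_password.setdefault(c.password, set()).add(c.host)
    reused = sorted(h for hosts in by_password.values() if len(hosts) > 1 for h in hosts)
    # An unexpired cookie gives the buyer a logged-in session without the password
    # and without a fresh MFA prompt, so it has to be revoked on the server side.
    live = sorted((k.domain, k.name) for k in cookies
                  if in_scope(k.domain, monitored) and (k.expires == 0 or k.expires > now))
    return {"reset_accounts": reset, "reused_password_hosts": reused, "revoke_sessions": live}


if __name__ == "__main__":
    result = triage(parse_credentials(CONSTRUCTED_PASSWORDS),
                    parse_cookies(CONSTRUCTED_COOKIES), {"example.com"})
    for key, items in result.items():
        print(key, items)
```

Running it with `example.com` as the monitored domain lists both corporate accounts for reset, flags the password shared between the VPN and webmail entries, and reports the still-valid `SESSIONID` cookie for revocation while ignoring the already expired `auth` cookie. Resetting the password alone is not enough: the live cookie keeps working until the server invalidates it.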

Data Exfiltration and Monetization

Stolen information is compiled into logs, often compressed or encrypted to avoid detection by security tools such as data loss prevention systems. These logs are then transmitted to attacker-controlled servers.

Once collected, the data is monetized in multiple ways. Attackers may use it directly for intrusion or sell it on underground marketplaces to other cybercriminal groups.

A common downstream use is ransomware deployment. Compromised credentials allow attackers to enter corporate systems undetected, escalate access, and deploy ransomware before defenders can respond.

A Low-Visibility but High-Impact Threat

Infostealers are particularly dangerous because they are easy to deploy, difficult to detect, and highly profitable. Many victims remain unaware of compromise until their stolen credentials appear in criminal marketplaces or are used in a subsequent attack.

By the time detection occurs, attackers often already have persistent access or have moved laterally within the network, making remediation significantly more difficult.
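Because a replayed session cookie arrives as an already authenticated user, the login itself produces nothing to alert on; what a defender can watch is whether a session keeps being used from the client that was issued it. The following is an added example, not code from the article, that runs that check over constructed JSON auth log lines (the log schema, session identifiers and addresses are all invented for the example): each session is bound to the user agent and the /24 (or /64 for IPv6) network seen at login, and any later request from a different fingerprint with no new login is raised as an alert.

```python
"""Detect a stolen session cookie replayed from another client (added example)."""
import json
from ipaddress import ip_address, ip_network

# Constructed log lines in a hypothetical one-JSON-object-per-line schema.
CONSTRUCTED_LOG = """\
{"ts": 1800000000, "event": "login", "user": "jdoe", "session": "c0ffee11", "ip": "203.0.113.45", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0"}
{"ts": 1800000120, "event": "request", "user": "jdoe", "session": "c0ffee11", "ip": "203.0.113.45", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0", "path": "/mail"}
{"ts": 1800003600, "event": "request", "user": "jdoe", "session": "c0ffee11", "ip": "198.51.100.7", "ua": "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0", "path": "/admin/export"}
{"ts": 1800003700, "event": "login", "user": "asmith", "session": "f00dbabe", "ip": "192.0.2.10", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0"}
{"ts": 1800003800, "event": "request", "user": "asmith", "session": "f00dbabe", "ip": "192.0.2.200", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0", "path": "/mail"}
"""


def client_fingerprint(ip, ua):
    """Coarse client identity: user agent plus the /24 (IPv4) or /64 (IPv6) network.

    The prefix, rather than the exact address, absorbs ordinary address churn
    behind a NAT pool while still separating different networks.
    """
    prefix = 24 if ip_address(ip).version == 4 else 64
    return (ua, str(ip_network(f"{ip}/{prefix}", strict=False)))


def detect_session_reuse(lines):
    """Bind each session to its login-time fingerprint and flag later mismatches."""
    issued = {}  # session id -> (user, fingerprint recorded at login)
    alerts = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        sid = ev["session"]
        fp = client_fingerprint(ev["ip"], ev["ua"])
        if ev["event"] == "login":
            issued[sid] = (ev["user"], fp)
            continue
        if sid not in issued:
            # A cookie used without any login in the window: the login may simply
            # predate the log, so this is lower confidence than a fingerprint change.
            alerts.append({"session": sid, "user": ev["user"], "ts": ev["ts"],
                           "reason": "no login event for this session in the window",
                           "path": ev.get("path")})
            continue
        user, login_fp = issued[sid]
        changed = [name for name, at_login, now in zip(("user_agent", "network"), login_fp, fp)
                   if at_login != now]
        if changed:
            alerts.append({"session": sid, "user": user, "ts": ev["ts"],
                           "reason": "session reused from a different " + " and ".join(changed),
                           "path": ev.get("path")})
    return alerts


if __name__ == "__main__":
    for alert in detect_session_reuse(CONSTRUCTED_LOG):
        print(alert)
```

On the sample, `jdoe`'s session is flagged once, when it reappears an hour later from a different network and a different browser on an admin export path, while `asmith`'s address change inside the same /24 produces nothing. Two caveats matter in practice. Network changes alone are noisy (mobile carriers, corporate VPNs, roaming laptops), so the user-agent mismatch is the stronger signal. And since the same log that carried the cookie also carried the victim's system metadata, a careful buyer can configure a browser to match the original user agent, which this check would miss; binding the token to the client on the server side and keeping session lifetimes short are the more robust controls.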
