Recent Surge in Infostealer and Credential Theft Tactics
Threat actors have significantly escalated the use of information-stealing malware and credential theft techniques, leveraging new methods to bypass traditional security controls and exploit human vulnerabilities. Flashpoint reports an 800% increase in infostealer-driven credential theft in 2025, with over 1.8 billion accounts compromised globally. Attackers are neutralizing Windows' Mark of the Web (MotW) protections using drag-and-drop lures, exploiting vulnerabilities, and targeting alternative software to evade detection. The rise of session token theft is also enabling attackers to bypass multi-factor authentication (MFA), as tokens stored in browsers are increasingly targeted and sold on underground markets, often escaping detection by network-focused security tools.
The evolving threat landscape is further complicated by the proliferation of infostealer malware, which has become a primary entry point for enterprise breaches. Security experts emphasize the need for organizations to look beyond malware signatures and focus on deceptive initial access vectors, such as malicious scripts, third-party supply chain risks, and user manipulation. Effective defense now requires monitoring browser behavior, treating client-side security as a core responsibility, and understanding the full identity attack surface to counteract these sophisticated evasion tactics.
Related Stories
Microsoft Reports Surge in Identity-Based Attacks Driven by Infostealers
Microsoft has reported a significant increase in identity-based cyberattacks, with a 32% rise in such incidents during the first half of 2025. The company’s annual threat assessment highlights a shift in attacker tactics, with hackers increasingly using stolen credentials obtained through infostealers or from large-scale data breaches to gain initial access to systems. Malware families such as Lumma Stealer, RedLine, Vidar, Atomic Stealer, and Raccoon Stealer, traditionally used after initial compromise, are now being deployed as first-stage payloads, making credential theft a foundational component of modern cybercrime campaigns. This evolution in attack methodology has led to greater specialization within the cybercrime ecosystem, with distinct roles for initial access brokers, credential sellers, and ransomware operators who leverage stolen credentials for extortion. Microsoft also noted its collaboration with federal authorities to disrupt infostealer infrastructure, such as the Lumma Stealer network, though threat actors have demonstrated resilience by quickly reestablishing operations. The report underscores the growing threat posed by identity compromise and the need for organizations to strengthen credential management and detection capabilities.
4 months ago
Infostealer Malware Resurgence Targeting Browser Credentials, Crypto Wallets, and Cloud-Synced Data
Threat researchers reported continued growth in the **infostealer** ecosystem, with new families emphasizing theft of browser credentials, session cookies, and cryptocurrency wallet data. Zscaler ThreatLabz detailed **Marco Stealer**, first observed in June 2025, which profiles infected hosts (e.g., OS version, hardware ID, IP/geolocation) and targets browser data plus cryptocurrency wallet information from browser extensions; it also searches for sensitive files in local and **cloud-synced** locations, including folders associated with *Dropbox* and *Google Drive*, and uses anti-analysis measures such as runtime string decryption. Separately, Cyfirma described **LTX Stealer**, a Windows-focused infostealer built around a bundled **Node.js runtime** and delivered via an Inno Setup installer (`Negro.exe`) that drops an unusually large (~271 MB) payload—reportedly to evade scanning heuristics. LTX Stealer targets Chromium-based browsers by extracting keys from `Local State` to decrypt saved passwords and cookies, collects screenshots, and stages data for exfiltration while using services such as *Supabase* (authentication) and *Cloudflare* (infrastructure masking). Flare’s research contextualized these developments as part of an “infostealer arms race,” observing multiple variants being marketed/updated across dark web forums and highlighting the downstream impact: analysis of **18.7M** infostealer logs (2025) found enterprise SSO/IdP credentials in more than 10% of infections, and Verizon DBIR data cited by Flare linked infostealer credential exposure to a significant share of ransomware victimization; Flare also noted stealer developers rapidly adapting to Chrome’s evolving credential protections (e.g., post-`v127` application-bound encryption and newer Chrome releases).
1 month ago
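The Chromium theft path described above (read the wrapped key from `Local State`, then the encrypted secrets from the password and cookie databases) gives defenders a file-access signature. The following detection logic is an added example, not code from the original page or from any of the vendors cited; the event fields, the Windows paths and the `node.exe` process are constructed to resemble a bundled-runtime stealer, and the browser allowlist is an assumption to tune per environment.

```python
import ntpath

# Constructed endpoint file-read events (not real EDR telemetry); the field
# names are an assumption, modelled loosely on a generic file-access record.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "path": r"C:\Users\j.doe\AppData\Local\Google\Chrome\User Data\Local State"},
    {"pid": 7788, "image": r"C:\Users\j.doe\AppData\Local\Temp\unpacked\node.exe",
     "path": r"C:\Users\j.doe\AppData\Local\Google\Chrome\User Data\Local State"},
    {"pid": 7788, "image": r"C:\Users\j.doe\AppData\Local\Temp\unpacked\node.exe",
     "path": r"C:\Users\j.doe\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 7788, "image": r"C:\Users\j.doe\AppData\Local\Temp\unpacked\node.exe",
     "path": r"C:\Users\j.doe\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"pid": 2200, "image": r"C:\Windows\explorer.exe",
     "path": r"C:\Users\j.doe\Documents\notes.txt"},
]

# Files a stealer must read to recover Chromium secrets: the wrapped key lives
# in Local State, the encrypted secrets in Login Data and Cookies.
CREDENTIAL_STORE_FILES = {"local state", "login data", "cookies"}
# Assumed allowlist of browser images expected to touch their own stores.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe"}


def is_credential_store(path):
    """True when the file is a Chromium credential store under a User Data dir."""
    name = ntpath.basename(path).lower()
    return name in CREDENTIAL_STORE_FILES and "\\user data\\" in path.lower()


def find_suspicious_reads(events):
    """Group credential-store reads by non-browser process. One process reading
    both Local State (the key) and a secrets database is the strongest signal."""
    hits = {}
    for ev in events:
        if not is_credential_store(ev["path"]):
            continue
        if ntpath.basename(ev["image"]).lower() in BROWSER_IMAGES:
            continue  # the browser reading its own store is expected
        entry = hits.setdefault(ev["pid"], {"image": ev["image"], "files": set()})
        entry["files"].add(ntpath.basename(ev["path"]).lower())
    for entry in hits.values():
        entry["has_key_and_secrets"] = (
            "local state" in entry["files"] and bool(entry["files"] - {"local state"})
        )
    return hits
```

Backup agents and password managers that legitimately read these files need to be added to the allowlist, otherwise the rule is noisy.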
Identity-Driven Intrusions Fueled by Infostealer Credentials and MFA-Aware Phishing
Threat actors are increasingly achieving initial access through **identity compromise** rather than software exploitation, with infostealer malware and phishing infrastructure supplying large volumes of valid credentials for automated login attempts against enterprise authentication front doors. Defused Cyber reported a large-scale credential-stuffing campaign targeting **F5 BIG-IP** and other SSO-adjacent services (including **ADFS**, **STS**, and **OWA**), where honeypots observed high-confidence corporate email/password pairs being submitted at scale from `219.75.254.166` (OPTAGE Inc., Japan). Correlation against Hudson Rock’s infostealer telemetry indicated the majority of observed credentials were harvested from **infostealer-infected employee endpoints**, suggesting a pipeline from endpoint infection to external SSO gateway intrusion attempts impacting major enterprises and public-sector entities. In parallel, Datadog Security Labs documented the evolution of the **1Phish** kit into an operationally mature, **MFA-aware** phishing framework targeting *1Password* users, shifting from simple credential capture to multi-stage workflows that explicitly collect **2FA codes**—consistent with real-time authentication attempts even without confirmed reverse-proxy session hijacking. Broader incident-response telemetry in Sophos’ Active Adversary Report reinforces the same trend: **identity-related techniques** (compromised credentials, brute force, phishing) accounted for a majority of observed root causes, and attackers often pivot quickly to **Active Directory** after initial access. A separate finance-sector “2026” threat landscape post is largely high-level and does not add specific, verifiable details to the infostealer/SSO or 1Phish activity described elsewhere.
2 weeks ago
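The credential-stuffing pipeline described above has a recognisable shape at the SSO front door: one source address submitting many distinct corporate accounts across several services (ADFS, OWA, STS, BIG-IP) in a short window, with the occasional success marking a credential that is still valid. The detector below is an added example, not code from Defused Cyber, Hudson Rock or the original page; the log format and the TEST-NET source addresses are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth-gateway log lines (not real telemetry); the line format and
# the TEST-NET source addresses are assumptions made for this example.
SAMPLE_LOG = """\
2025-11-03T09:00:01Z src=203.0.113.7 service=ADFS user=a.lee@corp.example result=FAIL
2025-11-03T09:00:03Z src=203.0.113.7 service=OWA user=b.ng@corp.example result=FAIL
2025-11-03T09:00:04Z src=203.0.113.7 service=BIG-IP user=c.diaz@corp.example result=SUCCESS
2025-11-03T09:00:06Z src=203.0.113.7 service=ADFS user=d.roy@corp.example result=FAIL
2025-11-03T09:00:09Z src=203.0.113.7 service=STS user=e.kim@corp.example result=FAIL
2025-11-03T09:05:00Z src=198.51.100.9 service=OWA user=g.hu@corp.example result=FAIL
2025-11-03T09:06:00Z src=198.51.100.9 service=OWA user=g.hu@corp.example result=SUCCESS
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) service=(?P<svc>\S+) "
                     r"user=(?P<user>\S+) result=(?P<res>\S+)$")


def parse(log_text):
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # skip malformed lines rather than crash the detector
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(d)
    return events


def find_stuffing(events, window=timedelta(minutes=10), min_users=5, min_services=2):
    """Flag source IPs trying many distinct accounts across several SSO front doors
    inside one window: stuffing, not one user mistyping their own password."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1  # slide the window forward
            chunk = evs[start:end + 1]
            users = {e["user"] for e in chunk}
            services = {e["svc"] for e in chunk}
            if len(users) >= min_users and len(services) >= min_services:
                # a SUCCESS inside a stuffing burst is a confirmed-valid credential
                alerts[src] = {"distinct_users": len(users), "services": sorted(services),
                               "successes": sorted(e["user"] for e in chunk if e["res"] == "SUCCESS")}
    return alerts
```

Accounts listed under `successes` are the ones to reset and to check against infostealer-log telemetry, since the endpoint they were stolen from is likely still infected.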