Recent Surge in Infostealer and Credential Theft Tactics
Threat actors have significantly escalated the use of information-stealing malware and credential theft techniques, leveraging new methods to bypass traditional security controls and exploit human vulnerabilities. Flashpoint reports an 800% increase in infostealer-driven credential theft in 2025, with over 1.8 billion accounts compromised globally. Attackers are neutralizing Windows' Mark of the Web (MotW) protections using drag-and-drop lures, exploiting vulnerabilities, and targeting alternative software to evade detection. The rise of session token theft is also enabling attackers to bypass multi-factor authentication (MFA), as tokens stored in browsers are increasingly targeted and sold on underground markets, often escaping detection by network-focused security tools.
The evolving threat landscape is further complicated by the proliferation of infostealer malware, which has become a primary entry point for enterprise breaches. Security experts emphasize the need for organizations to look beyond malware signatures and focus on deceptive initial access vectors, such as malicious scripts, third-party supply chain risks, and user manipulation. Effective defense now requires monitoring browser behavior, treating client-side security as a core responsibility, and understanding the full identity attack surface to counteract these sophisticated evasion tactics.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Researchers document new infostealer defense-evasion techniques
Flashpoint described threat actors using newer evasion methods in 2025, including drag-and-drop lures to bypass Windows Mark of the Web protections, abuse of trusted applications such as Google Web Designer, and targeting weaker alternative software. These techniques were used to evade traditional perimeter and malware-based defenses while enabling credential and session theft.
Attackers increasingly steal session tokens to bypass MFA
By late 2025, researchers observed growing use of session token and session cookie theft to hijack already authenticated browser sessions, allowing attackers to bypass multi-factor authentication. The activity was linked to malicious or compromised scripts running in browsers and to infostealer operations prioritizing authenticated session access over password theft alone.
Infostealer-driven credential theft surges in 2025
Flashpoint reported that infostealer-driven credential theft rose by 800% during 2025, with more than 1.8 billion accounts compromised globally. The increase reflected a broader shift toward identity-focused attacks and social-engineering-led initial access.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Credential Theft and Identity-Based Intrusions Surge Across Enterprises
**Credential compromise** and identity abuse are increasing as attackers rely more on stolen logins, session artifacts, and phishing rather than noisy exploitation alone. Recorded Future reported a sharp rise in exposed credentials during 2025, including nearly **2 billion** credentials indexed from malware combo lists, with the second half of the year up **50%** over the first and Q4 up **90%** over Q1. The trend is being driven by the industrialization of **infostealer malware**, malware-as-a-service ecosystems, and AI-enabled phishing and social engineering, while weak identity governance continues to expand the attack surface. A separate survey of UK organizations found **77%** fail to promptly disable former employees' accounts, **34%** grant overly broad access, and many still use manual processes such as spreadsheets for account validation, creating persistent opportunities for unauthorized access. A targeted phishing attempt against **Outpost24** illustrates how these identity-focused attacks are being operationalized against even security vendors. Attackers used a convincing fake JP Morgan email, valid **DKIM** authentication via Amazon SES infrastructure, and a **seven-stage redirect chain** leveraging trusted brands including Cisco to steer a C-suite executive toward a Microsoft Office credential-harvesting page while evading email defenses. The broader threat environment shows the same shift toward access abuse and stealthier post-compromise tradecraft: Google Threat Intelligence Group found ransomware actors increasingly favor native Windows tools over **Cobalt Strike**, with data theft present in **77%** of incidents and exploitation of VPNs and firewalls still common for initial access. Together, the reporting shows attackers are increasingly **logging in rather than breaking in**, then using legitimate access and built-in tools to deepen compromise and extort victims.
Apr 24, 2026
Microsoft Reports Surge in Identity-Based Attacks Driven by Infostealers
Microsoft has reported a significant increase in identity-based cyberattacks, with a 32% rise in such incidents during the first half of 2025. The company’s annual threat assessment highlights a shift in attacker tactics, with hackers increasingly using stolen credentials obtained through infostealers or from large-scale data breaches to gain initial access to systems. Malware families such as Lumma Stealer, RedLine, Vidar, Atomic Stealer, and Raccoon Stealer, traditionally used after initial compromise, are now being deployed as first-stage payloads, making credential theft a foundational component of modern cybercrime campaigns. This evolution in attack methodology has led to greater specialization within the cybercrime ecosystem, with distinct roles for initial access brokers, credential sellers, and ransomware operators who leverage stolen credentials for extortion. Microsoft also noted its collaboration with federal authorities to disrupt infostealer infrastructure, such as the Lumma Stealer network, though threat actors have demonstrated resilience by quickly reestablishing operations. The report underscores the growing threat posed by identity compromise and the need for organizations to strengthen credential management and detection capabilities.
Mar 21, 2026
Infostealer Malware Resurgence Targeting Browser Credentials, Crypto Wallets, and Cloud-Synced Data
Threat researchers reported continued growth in the **infostealer** ecosystem, with new families emphasizing theft of browser credentials, session cookies, and cryptocurrency wallet data. Zscaler ThreatLabz detailed **Marco Stealer**, first observed in June 2025, which profiles infected hosts (e.g., OS version, hardware ID, IP/geolocation) and targets browser data plus cryptocurrency wallet information from browser extensions; it also searches for sensitive files in local and **cloud-synced** locations, including folders associated with *Dropbox* and *Google Drive*, and uses anti-analysis measures such as runtime string decryption. Separately, Cyfirma described **LTX Stealer**, a Windows-focused infostealer built around a bundled **Node.js runtime** and delivered via an Inno Setup installer (`Negro.exe`) that drops an unusually large (~271 MB) payload—reportedly to evade scanning heuristics. LTX Stealer targets Chromium-based browsers by extracting keys from `Local State` to decrypt saved passwords and cookies, collects screenshots, and stages data for exfiltration while using services such as *Supabase* (authentication) and *Cloudflare* (infrastructure masking). Flare’s research contextualized these developments as part of an “infostealer arms race,” observing multiple variants being marketed/updated across dark web forums and highlighting the downstream impact: analysis of **18.7M** infostealer logs (2025) found enterprise SSO/IdP credentials in more than 10% of infections, and Verizon DBIR data cited by Flare linked infostealer credential exposure to a significant share of ransomware victimization; Flare also noted stealer developers rapidly adapting to Chrome’s evolving credential protections (e.g., post-`v127` application-bound encryption and newer Chrome releases).
Mar 21, 2026