Infostealer Malware Resurgence Targeting Browser Credentials, Crypto Wallets, and Cloud-Synced Data
Threat researchers reported continued growth in the infostealer ecosystem, with new families emphasizing theft of browser credentials, session cookies, and cryptocurrency wallet data. Zscaler ThreatLabz detailed Marco Stealer, first observed in June 2025, which profiles infected hosts (e.g., OS version, hardware ID, IP/geolocation) and targets browser data plus cryptocurrency wallet information from browser extensions; it also searches for sensitive files in local and cloud-synced locations, including folders associated with Dropbox and Google Drive, and uses anti-analysis measures such as runtime string decryption.
Separately, Cyfirma described LTX Stealer, a Windows-focused infostealer built around a bundled Node.js runtime and delivered via an Inno Setup installer (Negro.exe) that drops an unusually large (~271 MB) payload—reportedly to evade scanning heuristics. LTX Stealer targets Chromium-based browsers by extracting keys from Local State to decrypt saved passwords and cookies, collects screenshots, and stages data for exfiltration while using services such as Supabase (authentication) and Cloudflare (infrastructure masking). Flare’s research contextualized these developments as part of an “infostealer arms race,” observing multiple variants being marketed/updated across dark web forums and highlighting the downstream impact: analysis of 18.7M infostealer logs (2025) found enterprise SSO/IdP credentials in more than 10% of infections, and Verizon DBIR data cited by Flare linked infostealer credential exposure to a significant share of ransomware victimization; Flare also noted stealer developers rapidly adapting to Chrome’s evolving credential protections (e.g., post-v127 application-bound encryption and newer Chrome releases).
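As an added defender-side illustration (not code from the page or from any of the cited vendors), the following Python scans constructed file-access telemetry for the two behaviours the paragraph describes: a non-browser process reading Chromium's Local State (which holds the DPAPI-wrapped key the page mentions) together with the Login Data or Cookies databases, and the same process then reading from Dropbox or Google Drive folders. The event schema, process paths, allow-lists and sample events are all assumptions; the rule names and severities are illustrative.

```python
"""Detection sketch for the stealer behaviours described in the summary.

Constructed example, not from the page or any vendor.  It scans file-access
telemetry in a Sysmon-like JSON shape and flags processes that read Chromium
secret stores without being a browser, then correlates follow-on reads of
cloud-synced folders by the same process.  Field names are assumptions.
"""
import json
import re
from collections import defaultdict

# Constructed sample telemetry: one JSON object per line with "ts", "pid",
# "image" (process path) and "target" (file path).  pid 5588 models the
# behaviour the page describes; the other lines are benign noise.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"ts": "2026-02-10T09:00:01Z", "pid": 4120,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"},
    {"ts": "2026-02-10T09:02:10Z", "pid": 5588,
     "image": r"C:\Users\alice\AppData\Local\Temp\is-1A2B3.tmp\app.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"},
    {"ts": "2026-02-10T09:02:11Z", "pid": 5588,
     "image": r"C:\Users\alice\AppData\Local\Temp\is-1A2B3.tmp\app.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"ts": "2026-02-10T09:02:12Z", "pid": 5588,
     "image": r"C:\Users\alice\AppData\Local\Temp\is-1A2B3.tmp\app.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"ts": "2026-02-10T09:02:20Z", "pid": 5588,
     "image": r"C:\Users\alice\AppData\Local\Temp\is-1A2B3.tmp\app.exe",
     "target": r"C:\Users\alice\Dropbox\finance\notes.txt"},
    {"ts": "2026-02-10T09:05:00Z", "pid": 7001,
     "image": r"C:\Program Files\Dropbox\Client\Dropbox.exe",
     "target": r"C:\Users\alice\Dropbox\finance\notes.txt"},
    {"ts": "2026-02-10T09:06:00Z", "pid": 6000,
     "image": r"C:\Tools\backup.exe",          # touches cloud folder only: not reported
     "target": r"C:\Users\alice\Google Drive\report.docx"},
])

# Chromium secret stores under "User Data": the key file (Local State) and the
# per-profile credential / cookie databases, plus wallet-extension storage.
SECRET_STORE_RE = re.compile(
    r"\\User Data\\(?:Local State$|[^\\]+\\(?:Login Data$|Cookies$|"
    r"Network\\Cookies$|Local Extension Settings\\))", re.IGNORECASE)
# Cloud-synced folders the page names as stealer targets (assumed folder names).
CLOUD_SYNC_RE = re.compile(r"\\(?:Dropbox|Google Drive|My Drive)\\", re.IGNORECASE)
# Assumed allow-lists of processes expected to open these paths.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "chromium.exe", "opera.exe"}
SYNC_CLIENTS = {"dropbox.exe", "googledrivefs.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def analyse(log_text):
    """Return findings as (pid, image, severity, reason) tuples."""
    secret_hits = defaultdict(list)   # pid -> secret-store paths read
    cloud_hits = defaultdict(list)    # pid -> cloud-synced paths read
    images = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        pid, image, target = ev["pid"], ev["image"], ev["target"]
        images[pid] = image
        name = basename(image)
        if name in BROWSER_IMAGES:
            continue                   # browsers own these files; not interesting here
        if SECRET_STORE_RE.search(target):
            secret_hits[pid].append(target)
        if CLOUD_SYNC_RE.search(target) and name not in SYNC_CLIENTS:
            cloud_hits[pid].append(target)

    findings = []
    for pid, targets in secret_hits.items():
        # Reading the key file AND a credential/cookie DB from one non-browser
        # process is the precondition for the decryption the page describes.
        has_key = any(basename(t) == "local state" for t in targets)
        has_db = any(basename(t) in {"login data", "cookies"} for t in targets)
        if has_key and has_db:
            sev, reason = "high", "non-browser process read Chromium key file and credential/cookie DB"
        else:
            sev, reason = "medium", "non-browser process read a Chromium secret store"
        if pid in cloud_hits:
            # Cloud-folder reads alone are noisy; they only escalate an existing hit.
            sev, reason = "critical", reason + "; same process then read cloud-synced folder contents"
        findings.append((pid, images[pid], sev, reason))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f)
```

Cloud-folder access by itself is deliberately not reported (backup agents and sync clients read those paths constantly); it only raises the severity of a process that has already touched a Chromium secret store, which keeps the rule focused on the Local State plus database sequence that precedes decryption.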

How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Stealer operators market Chrome 144 compatibility and evasion features
By the February 2026 forum snapshot, infostealer developers were advertising rapid adaptation to Chrome's newer protections, including claimed dynamic decryption support for Chrome 144. Sellers also aggressively promoted EDR and Windows Defender evasion capabilities to attract buyers.
Dark web snapshot shows active infostealer marketplace competition
A snapshot taken across multiple dark web forums found at least six infostealer variants being marketed, updated, or distributed for free. The activity reflected a mature, SaaS-like criminal ecosystem with tiered pricing, Telegram storefronts, and rapid versioned updates.
Google releases Chrome 144
Google Chrome version 144 was released, later becoming a benchmark used by infostealer developers to market compatibility with Chrome's evolving protections. Threat actors subsequently claimed dynamic decryption support for this version.
LTX Stealer emerges as a new Node.js-based infostealer
LTX Stealer emerged in early 2026 as a newly observed Windows information stealer that embeds a full Node.js runtime to execute malicious JavaScript without requiring Node.js to be installed. It targets Chromium-based browser credentials and cookies, cryptocurrency wallets, and also captures screenshots.
Marco Stealer first observed targeting victims worldwide
Zscaler ThreatLabz reported that the Marco Stealer malware family was first observed in June 2025. The stealer targets browser data, cryptocurrency wallets, and sensitive files in local and cloud-synced folders such as Dropbox and Google Drive.
Sources
Marco Stealer: The New "Data Raider" Targeting Crypto & Cloud Storage (securityonline.info)
New Node.js Based LTX Stealer Attackers Users to Exfiltrate Login Credentials (cybersecuritynews.com)
Inside the Infostealer Arms Race: How Stealer Malware Developers Are Competing to Own the Cybercrime Supply Chain (flare.io)