Infostealer Malware Resurgence Targeting Browser Credentials, Crypto Wallets, and Cloud-Synced Data
Threat researchers reported continued growth in the infostealer ecosystem, with new families emphasizing theft of browser credentials, session cookies, and cryptocurrency wallet data. Zscaler ThreatLabz detailed Marco Stealer, first observed in June 2025, which profiles infected hosts (e.g., OS version, hardware ID, IP/geolocation) and targets browser data plus cryptocurrency wallet information from browser extensions; it also searches for sensitive files in local and cloud-synced locations, including folders associated with Dropbox and Google Drive, and uses anti-analysis measures such as runtime string decryption.
Separately, Cyfirma described LTX Stealer, a Windows-focused infostealer built around a bundled Node.js runtime and delivered via an Inno Setup installer (Negro.exe) that drops an unusually large (~271 MB) payload—reportedly to evade scanning heuristics. LTX Stealer targets Chromium-based browsers by extracting keys from Local State to decrypt saved passwords and cookies, collects screenshots, and stages data for exfiltration while using services such as Supabase (authentication) and Cloudflare (infrastructure masking). Flare’s research contextualized these developments as part of an “infostealer arms race,” observing multiple variants being marketed/updated across dark web forums and highlighting the downstream impact: analysis of 18.7M infostealer logs (2025) found enterprise SSO/IdP credentials in more than 10% of infections, and Verizon DBIR data cited by Flare linked infostealer credential exposure to a significant share of ransomware victimization; Flare also noted stealer developers rapidly adapting to Chrome’s evolving credential protections (e.g., post-v127 application-bound encryption and newer Chrome releases).
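Detection logic a defender could derive from the Local State behaviour described above, added here as an example and not taken from any of the cited reports: it flags non-browser processes that open Chromium credential stores. The event format, field names and sample lines are constructed assumptions, not a real Sysmon schema.

```python
import re
from pathlib import PureWindowsPath

# Chromium profile artifacts a stealer reads: the key store and the credential DBs.
SENSITIVE_FILES = {"local state", "login data", "cookies", "web data"}
# Processes expected to read their own profile data; any other image is a finding.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe"}

def parse_event(line: str) -> dict:
    """Parse Key="value" pairs from one event line (simplified, assumed format)."""
    return {k.lower(): v for k, v in re.findall(r'(\w+)="([^"]*)"', line)}

def is_suspicious(event: dict) -> bool:
    """True when a non-browser process opens a credential file inside a Chromium profile."""
    image = PureWindowsPath(event.get("image", "")).name.lower()
    target = event.get("target", "")
    in_profile = "\\user data\\" in target.lower()
    file_name = PureWindowsPath(target).name.lower()
    return in_profile and file_name in SENSITIVE_FILES and image not in BROWSER_IMAGES

def find_suspicious(lines):
    """Return the parsed events that should raise an alert."""
    return [e for e in map(parse_event, lines) if e and is_suspicious(e)]

# Constructed sample events; 'updater.exe' mirrors the payload name in the report.
SAMPLE_LOG = [
    r'Image="C:\Program Files\Google\Chrome\Application\chrome.exe" Target="C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"',
    r'Image="C:\Users\alice\AppData\Local\Temp\updater.exe" Target="C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"',
    r'Image="C:\Users\alice\AppData\Local\Temp\updater.exe" Target="C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"',
    r'Image="C:\Windows\System32\notepad.exe" Target="C:\Users\alice\Documents\notes.txt"',
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f"ALERT: {hit['image']} read {hit['target']}")
```

The browser itself reading Local State is expected and stays silent; the two reads by the unsigned temp-directory binary are the events worth alerting on.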
Related Stories

Resurgence of Windows infostealers using stealth packaging and social-engineering lures
Threat researchers reported renewed activity from **Windows credential-stealing malware** that is designed to evade detection and rapidly scale infections. CYFIRMA described **LTX Stealer** as being delivered via a heavily obfuscated installer that abuses trusted developer and packaging tools—using *Inno Setup* to masquerade as legitimate software, embedding a full **Node.js runtime**, and compiling malicious JavaScript into bytecode to hinder reverse engineering. The installer reportedly contains an unusually large encrypted archive (hundreds of MB) intended to frustrate static scanning, and drops a payload (e.g., `updater.exe`) that functions as the bundled Node.js runtime used to execute the stealer logic. Separately, reporting citing Bitdefender said **Lumma Stealer** has returned “back at scale” after prior law-enforcement disruption of its infrastructure, rebuilding domains and command-and-control capacity to resume widespread credential and data theft. Lumma’s malware-as-a-service ecosystem continues to rely on high-conversion distribution methods, including lure sites offering pirated/cracked content and the **ClickFix** social-engineering technique that tricks users into infecting their own systems, underscoring how infostealer operators are combining resilient infrastructure with user-driven execution to maintain volume despite takedowns.
Recent Surge in Infostealer and Credential Theft Tactics
Threat actors have significantly escalated the use of information-stealing malware and credential theft techniques, leveraging new methods to bypass traditional security controls and exploit human vulnerabilities. Flashpoint reports an 800% increase in infostealer-driven credential theft in 2025, with over 1.8 billion accounts compromised globally. Attackers are neutralizing Windows' Mark of the Web (MotW) protections using drag-and-drop lures, exploiting vulnerabilities, and targeting alternative software to evade detection. The rise of session token theft is also enabling attackers to bypass multi-factor authentication (MFA), as tokens stored in browsers are increasingly targeted and sold on underground markets, often escaping detection by network-focused security tools. The evolving threat landscape is further complicated by the proliferation of infostealer malware, which has become a primary entry point for enterprise breaches. Security experts emphasize the need for organizations to look beyond malware signatures and focus on deceptive initial access vectors, such as malicious scripts, third-party supply chain risks, and user manipulation. Effective defense now requires monitoring browser behavior, treating client-side security as a core responsibility, and understanding the full identity attack surface to counteract these sophisticated evasion tactics.
Infostealer and Loader Malware Activity Targeting Windows Users
Multiple reports highlight active **Windows-focused malware** operations centered on credential theft and payload delivery. **Socelars** is described as a stealthy infostealer that prioritizes harvesting browser-stored session cookies and authentication artifacts (notably targeting *Facebook Ads Manager* sessions) to enable account takeover and fraud; it is reportedly distributed via fake websites posing as legitimate software (e.g., a PDF reader) and uses staged execution including system reconnaissance and a **UAC bypass via COM auto-elevation** before extracting browser session data for exfiltration. Separately, research details how established malware delivery ecosystems are evolving. Zscaler ThreatLabz reports **GuLoader (CloudEye)** increasingly abuses legitimate cloud services (e.g., *Google Drive* and *OneDrive*) to blend malicious downloads into normal traffic, while using polymorphism and control-flow obfuscation plus layered decryption to hinder analysis and deliver follow-on payloads such as RATs and stealers. Bitdefender reports a resurgence of **LummaStealer** despite prior law-enforcement disruption, attributing continued scale to social-engineering-heavy distribution (fake cracks/downloads and **fake CAPTCHA/“ClickFix”** lures) and the use of **CastleLoader** for modular, in-memory execution and obfuscated delivery; the report notes infrastructure overlap suggesting coordination or shared providers. A separate Unit 42 incident-response writeup on **Muddled Libra (Scattered Spider/UNC3944)** describes a distinct intrusion tradecraft involving unauthorized access to a *VMware vSphere* environment and a rogue VM used for reconnaissance, persistence, and interaction with enterprise infrastructure, and is not part of the infostealer/loader activity described in the other items.