Malware | Jun 10, 2026

Infostealers Turn Millions of Devices Into Credential Theft Machines

Over 11.1M devices infected with infostealers in 2025; 3.3B credentials stolen and circulating in dark markets.

Summary

Infostealers have become the primary attack vector for credential theft, surpassing exploits as the preferred method for gaining unauthorized access. In 2025, over 11.1 million devices were compromised, resulting in 3.3 billion stolen credentials, browser artifacts, and identity data now available in illicit marketplaces. Flashpoint identified 30+ unique infostealer strains, with Vidar surging to dominate 73% of infections in early 2026, displacing previous leader Lumma.

Full text

Hackers no longer force open the side-window when infostealers can give them a key to the front door. Infostealers have become the primary source of stolen credentials for attackers. Using these credentials is now a favored route for bad actors to access a target, effectively as an invited guest. It is quicker, easier, less visible and more effective than forcing an entry.

More than 11.1 million devices were infected with infostealers in 2025, reports Flashpoint. More than 3.3 billion credentials, browser artifacts, session information and other forms of identity are now circulating in illicit marketplaces. These don’t simply provide entry to a target; they often provide authorized access to valuable data, undisturbed by the security defenses within the target.

Flashpoint has found more than 30 unique strains of infostealer (from here on referred to as ‘stealers’). The precise number of ‘individual’ stealers is difficult (and probably meaningless) to quantify – the marketplace changes almost daily, with new stealers appearing, existing ones forked, and law enforcement shutting down or at least disrupting others. Stealers are available in the underground ecosystem, often via malware-as-a-service (MaaS), for hire at as little as $60 per month.

During 2025, the most successful stealers, in order, were Lumma, Acreed, Rhadamanthys, Vidar, and StealC. However, this can change rapidly. During the first two months of 2026, Vidar rose from fourth place to dominate, accounting for more than 73% of all infected hosts and devices. Lumma, number one in 2025, accounts for just 1.1%.

When attackers acquire a stealer, they must then infect a target device. This could usually be any device connected to the network they intend to raid, since secrets available there would provide access to other parts of the network. The most common delivery method is any of the standard social engineering attacks against anyone with a desktop or laptop.
Success somewhere is statistically almost guaranteed.

Individual stealers may have different processes and may steal different data. But however it operates and whatever it steals, it will be a subset of the following.

It may first determine whether it is running in a sandbox (meaning its presence has been detected by security controls). If so, it may terminate activity immediately to avoid being flagged by enterprise defense systems. Its code may use string encryption and obfuscation to prevent detection by static analysis tools; the strings are decrypted only in memory, making them visible just briefly. This makes signature-based detection difficult.

The stealer then starts to gather (usually while still in memory) whatever data it is designed to collect – which is basically whatever the designer feels can most easily be monetized. Credentials are the primary target, including website passwords, enterprise credentials (VPN, RDP, VNC, webmail), SaaS logins, cloud platform credentials, email accounts, password manager stores, and autofill data possibly containing stored personal information such as names, phone numbers, and email addresses. It may also steal browser cookies, active session tokens, and cloud/SaaS session artefacts. Stealers will look for any useful browser data, including installed extensions and user agents. They may steal any cryptocurrency wallet information they can find, such as wallet seeds and private keys, whether from the browser or a desktop app, and any credit card data that can be found. Stealers also gather system metadata (OS version, hardware, IP address and more). By combining data and metadata, stealers don’t just steal identity, they also steal context.

The stealer will package the data into content-relevant files (known as stealer logs). It may compress and encrypt them to hide the content from enterprise DLP, and then send them to a web server controlled by the attacker.
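The collection-then-exfiltration sequence described above (secret stores read, data packaged into a log, log posted to an attacker-controlled server) is what a defender can look for on the endpoint. The following is an added example, not code from the article or from Flashpoint: a small Python heuristic over constructed endpoint telemetry that flags a non-browser process which reads two or more browser credential, cookie or wallet stores and then posts to an external address within ten minutes. The pipe-separated record format, the host and process names, the paths and the addresses are all invented for this example; the store file names (Chrome's `Login Data` and `Cookies`, Firefox's `logins.json`) are the real ones, but the internal-network ranges, the time window and the scoring weights are this example's own assumptions. The browser process reading its own stores is deliberately excluded, and a process that posts only to an internal address is not flagged.

```python
"""Heuristic detection of stealer-like behaviour in endpoint telemetry.

Added example (not the article's or Flashpoint's code). The telemetry
format, hosts, process names, paths and addresses below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Browser and wallet secret stores named in the text (file names as the
# browsers really use them; the surrounding paths in the sample are made up).
SECRET_STORE_MARKERS = ("login data", "cookies", "web data",
                        "logins.json", "key4.db", "wallet.dat")
# A browser reading its own stores is normal; a stealer is some other process.
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
ARCHIVE_SUFFIXES = (".zip", ".7z", ".rar")
# Assumed internal ranges: posts to these are not treated as exfiltration.
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
WINDOW = timedelta(minutes=10)   # read-to-post window the heuristic tolerates


@dataclass
class Event:
    ts: datetime
    host: str
    pid: int
    process: str
    kind: str     # file_read | file_write | net_post
    target: str   # file path, or "ip:port" for net_post


def parse_line(line: str) -> Event:
    """Parse one constructed record: ts|host|pid|process|kind|target."""
    ts, host, pid, process, kind, target = line.strip().split("|")
    return Event(datetime.fromisoformat(ts), host, int(pid),
                 process.lower(), kind, target)


def is_external(dest: str) -> bool:
    """True when a net_post destination lies outside the assumed internal ranges."""
    host = dest.rsplit(":", 1)[0]
    try:
        addr = ip_address(host)
    except ValueError:
        return True   # a hostname rather than an IP literal: treat as external
    return not any(addr in net for net in INTERNAL_NETS)


def assess(events):
    """Score one process's events; None when the stealer pattern is absent."""
    events = sorted(events, key=lambda e: e.ts)
    stores, archives, exfil = set(), [], []
    first_read = None
    for e in events:
        low = e.target.lower()
        if e.kind == "file_read" and any(m in low for m in SECRET_STORE_MARKERS):
            stores.add(low.rsplit("/", 1)[-1])      # e.g. "login data"
            first_read = first_read or e.ts
        elif e.kind == "file_write" and first_read and low.endswith(ARCHIVE_SUFFIXES):
            archives.append(e.target)               # packaging into a stealer log
        elif (e.kind == "net_post" and first_read and is_external(e.target)
              and e.ts - first_read <= WINDOW):
            exfil.append(e.target)                  # upload to an external server
    if len(stores) < 2 or not exfil:
        return None
    # Weights are this example's assumption: breadth of stores read, plus a
    # bonus for archiving, plus a fixed weight for the external post.
    score = len(stores) + (2 if archives else 0) + 3
    return {"host": events[0].host, "pid": events[0].pid,
            "process": events[0].process, "stores": sorted(stores),
            "archives": archives, "exfil": exfil, "score": score}


def find_stealer_candidates(lines):
    """Group records by (host, pid), skip browsers, return alert dicts."""
    by_proc = defaultdict(list)
    for line in lines:
        e = parse_line(line)
        if e.process in BROWSER_PROCESSES:
            continue
        by_proc[(e.host, e.pid)].append(e)
    return [a for evs in by_proc.values() if (a := assess(evs))]


# Constructed telemetry: one stealer-like process (pid 5533), the browser
# itself (pid 4120), and a backup agent posting to an internal host (pid 6001).
SAMPLE_TELEMETRY = [
    "2026-06-10T09:00:01|ws-17|4120|chrome.exe|file_read|C:/Users/amy/AppData/Local/Google/Chrome/User Data/Default/Login Data",
    "2026-06-10T09:02:10|ws-17|5533|svchost_update.exe|file_read|C:/Users/amy/AppData/Local/Google/Chrome/User Data/Default/Login Data",
    "2026-06-10T09:02:11|ws-17|5533|svchost_update.exe|file_read|C:/Users/amy/AppData/Local/Google/Chrome/User Data/Default/Network/Cookies",
    "2026-06-10T09:02:12|ws-17|5533|svchost_update.exe|file_read|C:/Users/amy/AppData/Roaming/Mozilla/Firefox/Profiles/ab12.default/logins.json",
    "2026-06-10T09:02:13|ws-17|5533|svchost_update.exe|file_read|C:/Users/amy/Documents/wallets/wallet.dat",
    "2026-06-10T09:02:20|ws-17|5533|svchost_update.exe|file_write|C:/Users/amy/AppData/Local/Temp/ws-17.zip",
    "2026-06-10T09:02:25|ws-17|5533|svchost_update.exe|net_post|203.0.113.10:443",
    "2026-06-10T09:30:00|ws-17|6001|backup.exe|file_read|C:/Users/amy/AppData/Local/Google/Chrome/User Data/Default/Login Data",
    "2026-06-10T09:30:01|ws-17|6001|backup.exe|file_read|C:/Users/amy/AppData/Local/Google/Chrome/User Data/Default/Network/Cookies",
    "2026-06-10T09:31:00|ws-17|6001|backup.exe|net_post|10.0.5.20:8443",
]

if __name__ == "__main__":
    for alert in find_stealer_candidates(SAMPLE_TELEMETRY):
        print(alert)
```

On the constructed sample this yields a single alert for `svchost_update.exe` (four stores, an archive, an external post, score 9) and nothing for the browser or the backup agent. The point of the grouping by (host, pid) and the time window is that no single event here is suspicious on its own; it is the ordered combination, which the article's description of the stealer workflow makes predictable, that separates a stealer from legitimate software touching the same files.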
The attacker monetizes the logs, possibly by making personal use of them, but more likely by selling them to criminal groups. A common use by these groups is to take the stolen identities to gain access, undetected, and deliver and activate ransomware before they can be detected and blocked. There is often a direct and relatively short line between stealer infection and ransom demand.

Stealers are easy to use, hard to detect or block, and rapacious in action. Most victims are unaware they are victims until they are breached by their own, but stolen, credentials. The only other visibility is threat intelligence finding the credentials being traded in illicit markets – but that visibility doesn’t prevent you from being a victim; it merely confirms that you have become one.

Written By Kevin Townsend

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security, and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Indicators of Compromise

  • malware — Lumma
  • malware — Acreed
  • malware — Rhadamanthys
  • malware — Vidar
  • malware — StealC

Entities

  • Flashpoint (vendor)
  • Infostealer-as-a-Service (campaign)