Infostealer malware deployment has surged recently among both financially motivated cybercriminals and espionage-focused APT groups.

CYBER INSIGHTS

Breakdown

Over the past year, there has been a significant increase in the deployment of infostealer malware by various cybercriminal groups, ranging from financially motivated threat actors to advanced persistent threats conducting espionage. Unlike traditional malware, which focuses on system disruption, ransomware, or persistent network access, infostealers are designed for rapid data extraction, often operating in the background with minimal detection. These threats are increasingly being used to harvest corporate credentials, browser session cookies, cryptocurrency wallets, and sensitive files, making them a primary tool for initial access brokers who sell stolen data on dark web marketplaces. While some infostealers, including Lumma, ACR Stealer, Stealc, Zhong, and Rhadamanthys, have been linked to cybercriminal groups aiming for financial gain, others, such as those targeting military and defense contractors, suggest a deeper connection to state-sponsored espionage efforts.

The Rising Threat of Infostealer Malware in Modern Cybersecurity

The shift toward infostealer deployment has been driven by its efficiency in compromising organizations without needing to maintain persistent access. Unlike ransomware or trojans that require prolonged network presence, infostealers operate within minutes, grabbing credentials and exiting before detection systems catch on. Attackers are increasingly distributing these tools through phishing campaigns, cracked software downloads, social engineering tactics, and even customer support chat platforms, broadening their reach and reducing the likelihood of suspicion. A growing concern is the use of "dead drop resolvers," where attackers hide command-and-control (C2) information within legitimate services like Google Docs, Steam, and Telegram, allowing them to dynamically update infrastructure while evading static detection mechanisms. This method enables them to adapt quickly, shifting attack vectors before security teams can react.

Recent intelligence highlights major security breaches where infostealers have compromised government agencies, defense contractors, and financial institutions. This indicates that cybercriminals are using these infections to conduct long-term reconnaissance, steal classified information, and facilitate larger breaches. The resale of stolen credentials on underground marketplaces means that even if a company is not directly targeted, its leaked credentials can be purchased and weaponized by another threat actor. The extent of these attacks is evident in recent large-scale breaches. The ALIEN TXTBASE Telegram channel was found hosting over 284 million compromised accounts, sourced from stolen infostealer logs. These credentials, obtained through widespread infections, contained sensitive login information for corporate and government networks. Cybercriminals are actively leveraging this stolen data, using it to conduct follow-up attacks or sell access to other threat actors. Have I Been Pwned has since integrated this data, allowing organizations to check if their credentials have been compromised, but the breach itself highlights the scale at which infostealers are being deployed.

Further illustrating this trend, the Larva-208 threat actor, also known as EncryptHub, has been conducting highly targeted phishing and social engineering campaigns to infiltrate corporate networks. By impersonating IT support and crafting fake login portals for VPN services like Cisco AnyConnect, Fortinet, and Microsoft 365, they steal multi-factor authentication tokens in real time, gaining full access to corporate accounts. Once inside, EncryptHub deploys infostealers like Stealc and Rhadamanthys, along with custom PowerShell scripts designed to exfiltrate credentials, browser session cookies, cryptocurrency wallets, and password manager data. In many cases, ransomware is later deployed, demonstrating how infostealers are increasingly serving as an entry point for more destructive cyberattacks.

As infostealers continue to evolve, their impact is becoming more severe. The integration of anonymization networks like I2P, advanced obfuscation techniques, and automation to exploit credentials in real time is making them harder to detect. Many variants are now capable of bypassing multi-factor authentication using stolen session cookies, further increasing their effectiveness. With stolen credentials selling for as little as $10 per log, these malware variants have become a low-cost, high-reward tool for both independent cybercriminals and well-funded adversaries. While the rise of infostealers presents a significant threat, organizations that prioritize proactive monitoring, rapid incident response, and credential hygiene can significantly reduce the risk of long-term compromise and stay ahead of evolving attack tactics.
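The MFA bypass described above works because the attacker replays an already-authenticated session cookie rather than logging in, so login-page controls never fire. One defender-side check is to watch for a session identifier being presented by a different client than the one that completed MFA. The following is an added example written for this article, not code from Hunter Strategy or any vendor; it assumes a hypothetical web tier that emits one JSON line per request with the fields `ts`, `user`, `session_id`, `src_ip`, `user_agent` and `event`, and the log lines it runs on are constructed.

```python
"""Flag replay of a web session cookie from a client that did not complete MFA.

Added example (not from the original article). Assumed log format
(hypothetical): one JSON object per line with ts, user, session_id,
src_ip, user_agent and event, where event "mfa_ok" marks the client that
finished the MFA challenge and "request" marks a later authenticated call.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic). Session s-7f1 completes
# MFA from one client and is later presented from a different IP and browser.
SAMPLE_LOG = """
{"ts":"2025-03-01T09:00:00Z","user":"alice","session_id":"s-7f1","src_ip":"203.0.113.10","user_agent":"Chrome/122 Windows","event":"mfa_ok"}
{"ts":"2025-03-01T09:05:12Z","user":"alice","session_id":"s-7f1","src_ip":"203.0.113.10","user_agent":"Chrome/122 Windows","event":"request"}
{"ts":"2025-03-01T09:41:30Z","user":"alice","session_id":"s-7f1","src_ip":"198.51.100.77","user_agent":"Firefox/124 Linux","event":"request"}
{"ts":"2025-03-01T10:00:00Z","user":"bob","session_id":"s-9c2","src_ip":"203.0.113.22","user_agent":"Safari/17 macOS","event":"mfa_ok"}
{"ts":"2025-03-01T10:30:00Z","user":"bob","session_id":"s-9c2","src_ip":"203.0.113.22","user_agent":"Safari/17 macOS","event":"request"}
"""


@dataclass
class Alert:
    user: str
    session_id: str
    origin_ip: str
    new_ip: str
    origin_ua: str
    new_ua: str
    minutes_after_mfa: float


def parse_lines(text):
    """Yield log records with ts converted to an aware datetime."""
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        yield rec


def find_session_replay(text, max_session_age=timedelta(hours=12)):
    """Return one Alert per session presented from a client that differs in
    both source IP and user agent from the client that completed MFA.

    Requiring both attributes to change keeps ordinary mobile roaming (same
    browser, new IP) from alerting; tune to your environment.
    """
    origin = {}   # session_id -> record of the client that passed MFA
    alerts = []
    seen = set()  # (session_id, new_ip, new_ua) already reported
    for rec in parse_lines(text):
        sid = rec["session_id"]
        if rec["event"] == "mfa_ok":
            origin[sid] = rec
            continue
        base = origin.get(sid)
        if base is None:
            continue  # no MFA origin observed for this session; out of scope
        age = rec["ts"] - base["ts"]
        if age > max_session_age:
            continue  # session should have expired; a separate rule's concern
        ip_changed = rec["src_ip"] != base["src_ip"]
        ua_changed = rec["user_agent"] != base["user_agent"]
        key = (sid, rec["src_ip"], rec["user_agent"])
        if ip_changed and ua_changed and key not in seen:
            seen.add(key)
            alerts.append(Alert(
                user=rec["user"],
                session_id=sid,
                origin_ip=base["src_ip"],
                new_ip=rec["src_ip"],
                origin_ua=base["user_agent"],
                new_ua=rec["user_agent"],
                minutes_after_mfa=age.total_seconds() / 60,
            ))
    return alerts


if __name__ == "__main__":
    for a in find_session_replay(SAMPLE_LOG):
        print(f"possible cookie replay: user={a.user} session={a.session_id} "
              f"{a.origin_ip} ({a.origin_ua}) -> {a.new_ip} ({a.new_ua}) "
              f"{a.minutes_after_mfa:.1f} min after MFA")
```

On the constructed input the rule fires once, for alice's session presented from 198.51.100.77 with a different browser 41.5 minutes after MFA, and stays quiet for bob. The response that follows an alert is to invalidate the session server-side and re-challenge, since rotating the password alone leaves the stolen cookie valid.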


InfoStealers: The Growing Weapon of Choice for Cyber Criminals

ACR Stealer

  • Emergence Date: Early 2024
  • Targets: Web browser data, cryptocurrency wallets, and various system information
  • Tactics: Spread through cracked software and phishing campaigns
  • Utilization: Various cybercriminals have leveraged cracked software and fake CAPTCHA sites to disseminate ACR Stealer, aiming to harvest sensitive user data.
  • Recent Activities: In January 2025, ACR Stealer was observed exploiting Google Docs as a C2 channel, using the platform to conceal and dynamically update malicious infrastructure while exfiltrating stolen credentials.

Lumma Stealer

  • Emergence Date: Mid-2022
  • Targets: Cryptocurrency wallets, web browser data, email credentials, financial data, and sensitive files
  • Tactics: Distributed via cracked software, fake CAPTCHA sites, and phishing emails
  • Utilization: TA571 has employed unique social engineering tactics to spread infostealers like Lumma Stealer, tricking users into executing malicious scripts
  • Recent Activities: In 2025, Lumma Stealer continues to spread through cracked software, with cybercriminals embedding the malware into illicit downloads to infect unsuspecting users.

Rhadamanthys Stealer

  • Emergence Date: 2022
  • Targets: System information, credentials, and financial data
  • Tactics: Utilizes phishing emails with themes like copyright infringement to lure victims
  • Utilization: TA547 has targeted German organizations with the Rhadamanthys infostealer, distributing it through phishing emails impersonating reputable companies.
  • Recent Activities: In 2025, Rhadamanthys Infostealer was observed exploiting MSC files and Console Taskpad to execute malicious scripts and deliver payloads on compromised systems.

Stealc Stealer

  • Emergence Date: Emerged on underground forums in early 2023.
  • Targets: Web browsers to steal sensitive information
  • Tactics: Employs keylogging, form grabbing, and man-in-the-browser attacks to intercept and extract user data.
  • Utilization: Distributed as Malware-as-a-Service (MaaS), Stealc is utilized by various cybercriminals to harvest credentials and personal information.
  • Recent Activities: In January 2025, Stealc was distributed through a malware phishing campaign involving MintsLoader.

Zhong Stealer

  • Emergence Date: Late 2024
  • Targets: Information from infected systems
  • Tactics: Delivered through phishing campaigns and deceptive websites
  • Utilization: Used by various threat actors to harvest credentials, financial data, and session cookies
  • Recent Activities: In early 2025, Zhong Stealer was observed exploiting the AnyDesk remote access tool to target fintech and cryptocurrency companies.

Tracking the Hands Behind InfoStealer Campaigns

DeepSeek Impersonators

  • Emergence Date: January 2025
  • Attribution: Unknown cybercriminals leveraging the DeepSeek AI brand for malware distribution
  • Associated Malware: Various infostealers disguised as DeepSeek AI tools
  • Targets: Developers and IT professionals using Python Package Index (PyPI)
  • Common Tactics: Malicious Python packages uploaded to PyPI, designed to steal credentials and sensitive data
  • Recent Activities: Multiple trojanized DeepSeek-branded Python packages identified and removed from PyPI, but new variants continue to emerge.

FleshStealer Operators

  • Emergence Date: Early 2025
  • Attribution: Unknown, but activity suggests financially motivated cybercriminals
  • Associated Malware: FleshStealer
  • Targets: Various sectors, including corporate networks and individual users
  • Common Tactics: Phishing emails, trojanized software, and exploit kits to distribute FleshStealer
  • Recent Activities: Actively stealing sensitive user data, including credentials and financial information, with observed campaigns across multiple industries.

FrigidStealer Campaigns

  • Emergence Date: February 2025
  • Attribution: Unclear, but potentially linked to threat actors targeting Apple macOS users
  • Associated Malware: FrigidStealer
  • Targets: Mac users, specifically those in financial and business sectors
  • Common Tactics: Malicious websites, fake software downloads, and social engineering to lure victims into executing malware
  • Recent Activities: Ongoing attacks targeting Mac users to steal browser credentials, cryptocurrency wallets, and personal financial data.

Larva-208 (EncryptHub)

  • Emergence Date: Identified in June 2024
  • Attribution: Believed to be affiliated with RansomHub and BlackSuit ransomware groups, potentially acting as an initial access broker or direct affiliate
  • Associated Malware: Stealc, Rhadamanthys, Fickle Stealer, Custom PowerShell-based Encryptor, RansomHub, BlackSuit
  • Targets: Large organizations across various sectors worldwide, including corporate networks and high-value enterprises
  • Common Tactics: Uses spear-phishing, SMS phishing, and fake VPN login pages to steal credentials and MFA tokens
  • Recent Activities: As of 2025, EncryptHub has compromised at least 618 organizations globally.

Hunter Insights

There has been a significant increase in infostealer malware deployment by various threat actors, ranging from financially motivated cybercriminals to APTs conducting espionage. These tools are designed for rapid data extraction with minimal detection, primarily targeting corporate credentials, browser session cookies, cryptocurrency wallets, and sensitive files. Traditional malware typically focuses on system disruption or persistent access, but infostealers operate briefly to extract data, making them harder to detect. Infostealers have become primary tools for initial access brokers who sell stolen data on dark web marketplaces. Attackers increasingly use "dead drop resolvers" to hide C2 infrastructure within legitimate services like Google Docs, Steam, and Telegram.

💡 Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.