Infostealers are becoming more accessible to a wide range of adversaries. What do UK businesses need to do to stay on top of this growing threat?
Infostealers are not new, but the malware is increasingly being used to gather credentials to perform high-profile cyberattacks. The data-stealing malware has been named in multiple breaches, including the infamous Snowflake incident that rippled through the supply chain in 2024.
In 2024, infostealer malware was leveraged to exfiltrate 2.1 billion credentials – almost two-thirds of all those stolen. 23 million devices and hosts worldwide were compromised with infostealers last year, most of which were on Windows-based corporate systems, according to a report from Flashpoint.
Infostealers have become “a cornerstone of cybercriminal activity” because they automate one of the “most relevant activities that threat actors do” after gaining initial access: information gathering, says Daniel dos Santos, senior director, head of research at Forescout. “This can be used for several purposes, including lateral movement in the network with the stolen credentials, exfiltration for further sale in underground markets, or stealing cryptocurrency for immediate financial gain.”
Prolific Threat Vector
Infostealers are a type of malware that gathers data including passwords, browser information and financial or cryptocurrency wallet data. The malware makes its way onto devices via a number of means including phishing emails, malicious websites and software downloads.
As they’re used in a growing number of attacks, infostealers have become “the most prolific threat vector in 2025,” says Craig Rozenski, principal threat intelligence analyst at NormCyber. “The ease of deployment through malware-as-a-service (MaaS) models means that low-skilled threat actors can now buy or rent stealer kits from dark web marketplaces.”
The malware is attractive to adversaries because it yields rich and actionable data, he says. This includes live session tokens, browser cookies, and autofill details which can bypass multifactor authentication (MFA) and allow direct access to cloud platforms or internal systems. “This has proven more effective than brute-force or password-spraying approaches alone, driving greater adoption across the criminal ecosystem.”
A primary driver of infostealer proliferation is the “low barrier to entry for aspiring cybercriminals,” says Jake Addison, SOC manager at Reliance Cyber.
He says infostealers offer “a rapid path to financial profit” compared to other cybercriminal activities such as ransomware, which “can take weeks or months to monetise.”
Infostealers of Note
Multiple infostealers exist, but several have been more dominant during 2025, according to experts. Raccoon Stealer stands out as the most frequently encountered infostealer, accounting for the highest volume of incidents, according to Rozenski.
Despite law enforcement disruption, LummaStealer remains “one of the most prolific infostealers,” says Addison. It operates under a MaaS model, making it “accessible to a wide range of threat actors,” he says.
RedLine is another highly deployed infostealer globally, known for its “affordability” and consistent updates. “It is adept at stealing credentials, logging keystrokes and capturing form data, often targeting VPNs, email clients, messaging applications and cryptocurrency extensions,” Addison notes.
Meanwhile, StealC has gained prominence due to its stealth techniques, which help it evade security alerts, says Addison.
Active since 2018, Vidar continues to be another notable threat in the underground market, prized for its reliability and comprehensive data collection abilities.
SolarMarker also dominated major incidents last year, says Jim Walter, senior threat researcher at SentinelOne. “It lands through SEO poisoning and signed installers and steals enterprise login details such as VPN or cloud applications to access SaaS and identity providers.”
Infostealer Development
Infostealer malware is already a concern, and it is evolving to become more sophisticated. Traditionally, infostealers harvest credentials before gaining access to corporate or cloud systems. But now, researchers are starting to see valid cloud authentication tokens and API keys being hardcoded into the infostealer malware, says Walter. “As a result, these types of infostealers can connect to cloud services the moment they land, bypassing traditional defences in an instant,” he warns.
Predictably, AI is also set to super-charge infostealer attacks. Walter says SentinelOne is now tracking a new AI-assisted infostealer it calls Predator AI. “The malware doesn’t just steal passwords and credentials. It integrates with ChatGPT to analyse huge amounts of stolen data to identify high-value accounts and business domains.”
Predator AI is also able to organise the stolen data, enabling cybercriminals to “operate more efficiently” and “increase the speed and volume of attacks,” he says. “While this infostealer isn’t a game-changer yet, it shows where cybercriminals are investing their resources and what businesses should look out for next.”
Defending Against Infostealers
With developments such as these happening fast, defending against infostealers is “really hard,” says Tony Gee, principal cybersecurity consultant at 3B Data Security. He emphasises a need to focus on “detecting the compromised credentials while also responding to their abuse.”
This means employing cookie replay detection to determine when a cookie is reused, he explains. It requires asking: “Has the browser fingerprint, IP and other data changed? If so, require revalidation.”
At the same time, breaking single sign-on journeys is “crucial” for critical applications, says Gee. He recommends requiring users to revalidate MFA when accessing critical applications, and making sure admins are required to do so too.
Meanwhile, firms should mandate password changes more frequently, but “resolve the pain” by providing password managers, he adds.
Credentials remain the most reliable route into any company's systems. As infostealers now directly harvest them at scale, security teams should reduce the attack surface and limit the number of passwords, tokens and admin rights that exist, says Walter. “Enforcing MFA for both human and machine logins ensures that even if a password is stolen, attackers are unable to gain access. And if a password or credential does get leaked, treat it like a security breach and rotate immediately: Deleting a line in Git isn’t remediation.”
Social engineering and human exploitation also play a huge role in modern infostealer attacks, says Walter. “Education and awareness around common social engineering TTPs is critical. Many infostealers are launched through email, SMS and voice-based phishing and rely on a human clicking a malicious link or downloading an attachment. Organisations need to train all staff to recognise phishing so they can identify intrusion attempts before credentials are stolen and fall into the wrong hands.”
Written by
Kate O'Flaherty
Cybersecurity and privacy journalist