What Are Infostealers: And Who Are The Players

Infostealers Target Credentials

Summary

Infostealers are no longer small-time annoyances. They’ve evolved into a multi-billion-dollar criminal ecosystem powering ransomware, fraud, and espionage. In 2024, 2.1 billion credentials were stolen globally. Phishing campaigns are up 84%, and macOS users are now firmly in the crosshairs. Monitoring for these threats should be a top priority for enterprises.


What Are Infostealers?

Infostealers are a type of malware designed to secretly collect sensitive information from a victim's device and transmit it to a remote server controlled by cybercriminals. They operate covertly to avoid detection and can exfiltrate a wide range of personal and corporate data: credentials, cookies, browser session tokens (enabling session hijacking), VPN details and, a particular specialty of this malware family, cryptocurrency wallets. The data is then typically sold on dark web marketplaces or used to enable further attacks, such as ransomware.

Infostealers are having their moment. These digital pickpockets are fully industrialised, operating in malware-as-a-service (MaaS) ecosystems and fuelling everything from ransomware to corporate espionage.

While we are on the subject, here is a ransomware snapshot of activity across groups so far this year, from ransomware.live/stats: the number of victims is at a record high, well above 2024 numbers.

Real-world wake-up calls? A European airline breach (referencing Air Europa) in which VPN credentials were allegedly stolen, ending in ransomware detonation. A U.S. financial firm (referenced in an FBI advisory on Raccoon Stealer phishing fraud) traced a multimillion-dollar email scam to cookies stolen by Raccoon Stealer.

[Image: leak screenshot]

The Infostealer Players

Here is a snapshot of the players and a brief on each one.

🔴 High Sophistication | 🟠 Medium

Lumma Stealer 🔴

  • Sophistication: High – direct syscalls, anti‑sandbox evasion
  • Active Versions / Status: Disrupted May 2025 (394k infections sinkholed)
  • Known Actors: Scattered Spider + others
  • Targeted Data: Browsers, wallets, cookies, chat apps, files
  • Global Footprint: >394k Windows hosts in 2 months
  • TTP Highlights: Fake CAPTCHA lures, stealth exfiltration, process hollowing

Raccoon Stealer 🟠

  • Sophistication: Medium – wide support, less stealth
  • Active Versions / Status: V2 live post‑2022, developer arrested Dec 2024
  • Known Actors: Criminal MaaS operators
  • Targeted Data: Browser credentials, cookies, autofill, crypto wallets
  • Global Footprint: Hundreds of thousands of infections
  • TTP Highlights: Delivered via cracked software & phishing, locale‑based avoidance, PowerShell loaders

RedLine Stealer 🔴

  • Sophistication: Medium‑high – modular & fast‑evolving
  • Active Versions / Status: Active and regularly updated
  • Known Actors: Criminal MaaS operators
  • Targeted Data: Credentials, cookies, wallets
  • Global Footprint: Millions of infections annually
  • TTP Highlights: Phishing attachments, regex‑based data harvesting

StealC 🔴

  • Sophistication: High – reduced alerting and stealth‑focused
  • Active Versions / Status: Active and expanding
  • Known Actors: Credential harvesters & espionage actors
  • Targeted Data: Credentials, session cookies, browser fingerprints
  • Global Footprint: Top 3 globally by volume
  • TTP Highlights: Low‑noise exfiltration, modular payloads

AMOS (Atomic macOS Stealer) 🔴

  • Sophistication: High for macOS – persistent threat with reboot‑surviving implants
  • Active Versions / Status: Latest version adds persistent backdoor
  • Known Actors: Actors targeting macOS users
  • Targeted Data: Keychain passwords, autofill, crypto data
  • Global Footprint: Active in 120+ countries
  • TTP Highlights: Fake apps/Homebrew clones, Gatekeeper bypass, persistence implants

How to Detect and Block

Threat hunting:

  • Network hunting: Watch for suspicious POST traffic with encoded payloads to unclassified C2 domains.
  • Endpoint behaviour: Detect process hollowing, direct syscall patterns (hello Lumma), and unusual DLL placements.
  • Cross-platform readiness: macOS is no longer immune - beef up telemetry there, too.
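The network-hunting item above describes a rule rather than code. As an added example (not code from the original article), the following Python script implements that rule over a constructed, tab-separated proxy log: it scores every POST by whether the destination host is outside a hypothetical known-good allowlist, whether the host is a raw IP address, whether the request body is base64-shaped with high Shannon entropy, and whether the content type is an opaque binary stream. The log lines, host names, allowlist and scoring weights are all assumptions made for the demonstration; 203.0.113.77 is a documentation address.

```python
import math
import re
from dataclasses import dataclass

# Constructed sample proxy log (not from the article). Tab-separated fields:
# timestamp, source IP, method, host, URI, content type, request body.
# "-" marks an absent field. Hosts and bodies are invented for the example.
SAMPLE_LOG = (
    "2025-06-01T10:00:01Z\t10.1.2.3\tGET\twww.example.com\t/index.html\t-\t-\n"
    "2025-06-01T10:00:05Z\t10.1.2.3\tPOST\tlogin.corp.example\t/auth\t"
    "application/x-www-form-urlencoded\tuser=alice&pass=REDACTED\n"
    "2025-06-01T10:00:09Z\t10.1.2.3\tPOST\t203.0.113.77\t/gate.php\t"
    "application/octet-stream\tU29tZSBzdG9sZW4gY29va2llcyBhbmQgcGFzc3dvcmRzIGdvIGhlcmUuLi4=\n"
    "2025-06-01T10:00:12Z\t10.1.2.9\tPOST\tupdates.example-cdn.net\t/api/v1/report\t"
    "application/json\t{\"status\":\"ok\"}\n"
    "2025-06-01T10:00:15Z\t10.1.2.9\tPOST\tcdn-update-check.xyz\t/upload\t"
    "application/octet-stream\tQ29va2llczogc2Vzc2lvbj1hYmMxMjM7IHRva2VuPXh5eg==\n"
)

# Hypothetical allowlist: hosts the organisation has already classified as known-good.
KNOWN_GOOD_HOSTS = {"www.example.com", "login.corp.example", "updates.example-cdn.net"}

# A body made only of base64 alphabet characters (20+ chars, optional padding).
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]{20,}={0,2}$")
# A host that is a bare dotted-quad rather than a DNS name.
RAW_IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Bits per character; readable text and form data usually sit below this.
ENTROPY_THRESHOLD = 4.0


@dataclass
class Request:
    ts: str
    src: str
    method: str
    host: str
    uri: str
    content_type: str
    body: str


def parse_log(text):
    """Parse the tab-separated log into Request objects, skipping malformed lines."""
    requests = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) != 7:
            continue
        requests.append(Request(*fields))
    return requests


def shannon_entropy(s):
    """Shannon entropy of a string in bits per character (0.0 for empty input)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def score_request(req):
    """Return (score, reasons) for one request. Only POSTs are scored; GETs score 0."""
    if req.method != "POST":
        return 0, []
    score, reasons = 0, []
    if req.host not in KNOWN_GOOD_HOSTS:
        score += 1
        reasons.append("host not classified as known-good")
    if RAW_IP_RE.match(req.host):
        score += 2
        reasons.append("POST to a raw IP address")
    if BASE64_RE.match(req.body) and shannon_entropy(req.body) >= ENTROPY_THRESHOLD:
        score += 2
        reasons.append("base64-shaped high-entropy body")
    if req.content_type == "application/octet-stream":
        score += 1
        reasons.append("opaque binary content type")
    return score, reasons


def hunt(log_text, threshold=3):
    """Return one alert dict per request whose score meets the threshold."""
    alerts = []
    for req in parse_log(log_text):
        score, reasons = score_request(req)
        if score >= threshold:
            alerts.append({"ts": req.ts, "src": req.src, "host": req.host,
                           "uri": req.uri, "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in hunt(SAMPLE_LOG):
        print(f"{alert['ts']} {alert['src']} -> {alert['host']}{alert['uri']} "
              f"score={alert['score']} ({'; '.join(alert['reasons'])})")
```

On the constructed log, the two POSTs carrying encoded payloads to unclassified hosts are flagged (the raw-IP one scores highest), while the legitimate login form post and the JSON report to an allowlisted host score zero. The scoring is additive on purpose: a single indicator such as a POST to an unknown host is common in normal traffic, so the rule only alerts when several weak signals coincide.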

More on Threat Hunting and monitoring using platforms like Splunk

Strategic calls:

  • Train your humans: Phishing is the top delivery vector. Make security awareness stick, tailored to different roles and responsibilities.
  • Kill bad habits: Disable browser autofill for sensitive apps, enforce MFA, and reduce local admin rights.
  • Zero trust everything: From cracked software to random "updates" - trust nothing without validation.
  • Adopt rapid response playbooks: When credentials are compromised, seconds count.

Lessons Learned from the Breaches

  • Airline Breach: One stolen VPN credential led to a full-scale ransomware incident - MFA and strict VPN access controls could have stopped it.
  • Financial BEC Fraud: Browser cookies stolen via Raccoon enabled account takeover - browser hardening and session management were missing.

Why It Matters

Infostealers are the first domino in big-ticket compromises. Today’s stolen browser cookie can become tomorrow’s ransomware deployment or business email compromise. Even more concerning, many of these stolen credentials provide third‑party or supply‑chain access, turning a single infected workstation into a gateway to partner networks or critical vendor systems.

The takeaway? Infostealers may look like small-scale threats, but they warrant enterprise-grade defenses. Treat them as strategic risks, and position your organisation as a hardened, proactive defender and not easy prey.

