The Infostealer Epidemic: Who’s Stealing What


Summary
Infostealers are no longer small-time annoyances. They have evolved into a multi-billion-dollar criminal ecosystem powering ransomware, fraud and espionage. In 2024, 2.1 billion credentials were stolen globally, phishing campaigns are up 84%, and macOS users are now firmly in the crosshairs. Monitoring for these threats should be a top priority for enterprises.
Infostealers are having their moment. These digital pickpockets are fully industrialised, operating in MaaS (malware-as-a-service) ecosystems, and fuelling everything from ransomware to corporate espionage.
While we are on the subject, here is a ransomware snapshot of activity across groups so far this year, taken from ransomware.live/stats: the number of victims is at a record high, well above the 2024 figures.
Real-world wake-up calls? A European airline breach (referencing Air Europa) in which VPN credentials were allegedly stolen, ending in ransomware detonation. A U.S. financial firm (referenced in an FBI advisory on Raccoon Stealer phishing fraud) traced a multimillion-dollar email scam to session cookies stolen by Raccoon Stealer.
The Infostealer Matrix: Who’s Playing the Game?
🔴 High Sophistication | 🟠 Medium
Lumma Stealer 🔴
Sophistication: High – direct syscalls, anti‑sandbox evasion
Active Versions / Status: Disrupted May 2025 (394k infections sinkholed)
Known Actors: Scattered Spider + others
Targeted Data: Browsers, wallets, cookies, chat apps, files
Global Footprint: >394k Windows hosts in 2 months
TTP Highlights: Fake CAPTCHA lures, stealth exfiltration, process hollowing
Raccoon Stealer 🟠
Sophistication: Medium – wide support, less stealth
Active Versions / Status: V2 live since 2022; developer arrested in 2022 and sentenced Dec 2024
Known Actors: Criminal MaaS operators
Targeted Data: Browser credentials, cookies, autofill, crypto wallets
Global Footprint: Hundreds of thousands of infections
TTP Highlights: Delivered via cracked software & phishing, locale‑based avoidance, PowerShell loaders
RedLine Stealer 🔴
Sophistication: Medium‑high – modular & fast‑evolving
Active Versions / Status: Active and regularly updated, despite the Operation Magnus infrastructure takedown in October 2024
Known Actors: Criminal MaaS operators
Targeted Data: Credentials, cookies, wallets
Global Footprint: Millions of infections annually
TTP Highlights: Phishing attachments, regex‑based data harvesting
StealC 🔴
Sophistication: High – reduced alerting and stealth‑focused
Active Versions / Status: Active and expanding
Known Actors: Credential harvesters & espionage actors
Targeted Data: Credentials, session cookies, browser fingerprints
Global Footprint: Top 3 globally by volume
TTP Highlights: Low‑noise exfiltration, modular payloads
AMOS (Atomic macOS Stealer) 🔴
Sophistication: High for macOS – persistent threat with reboot‑surviving implants
Active Versions / Status: Latest version adds persistent backdoor
Known Actors: Actors targeting macOS users
Targeted Data: Keychain passwords, autofill, crypto data
Global Footprint: Active in 120+ countries
TTP Highlights: Fake apps/Homebrew clones, Gatekeeper bypass, persistence implants
How to Detect and Block
Threat hunting:
Network hunting: Watch for suspicious POST traffic with encoded payloads to unclassified C2 domains.
Endpoint behaviour: Detect process hollowing, direct syscall patterns (hello Lumma), and DLLs loaded from unusual paths.
Cross-platform readiness: macOS is no longer immune - beef up telemetry there, too.
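As an added example (not the page's own tooling, nor any vendor's), here is a small Python script that turns the first two hunting bullets into checks you can run over data: a proxy-log pass that flags POSTs to unclassified hosts carrying an opaque base64 or hex body (or going to a bare IP), and a byte-pattern scan for the x64 ntdll syscall stub (mov r10,rcx / mov eax,SSN / syscall / ret) appearing inside a module that is not ntdll, which is what "direct syscalls" look like on disk or in a memory dump. The log format, the allowlist and the code bytes are constructed stand-ins; the SSN values are illustrative and differ per Windows build.

```python
"""Two infostealer hunting checks over constructed sample data (added example).
Assumptions: the proxy log format and KNOWN_GOOD_HOSTS are invented stand-ins for a
real proxy export and a URL-category feed; SSNs in the sample bytes are illustrative."""
import base64
import binascii
import math
import re
from collections import Counter

# Constructed proxy log (not real traffic): "<src_ip> <method> <host> <path> <bytes> <body>"
_EXFIL_BLOB = base64.b64encode(b'{"host":"WIN-DESKTOP","cookies":"..."}').decode()
SAMPLE_PROXY_LOG = f"""\
10.1.2.3 GET www.example.com /index.html 0 -
10.1.2.3 POST login.microsoftonline.com /common/oauth2/token 312 grant_type=password&client_id=abc
10.1.2.4 POST 45.77.12.9 /api 4096 {_EXFIL_BLOB}
10.1.2.5 POST cdn-update-check.xyz /gate.php 9821 7f3a9c1e2b4d6f8a0c1e3a5b7d9f1b3d7f3a9c1e2b4d6f8a0c1e3a5b7d9f1b3d
"""
# Hypothetical allowlist standing in for classified, known-business domains
KNOWN_GOOD_HOSTS = {"www.example.com", "login.microsoftonline.com"}

B64_RE = re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")
HEX_RE = re.compile(r"^[0-9a-fA-F]{32,}$")
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def shannon_entropy(s: str) -> float:
    """Bits per character; reported to help triage, not used as the sole trigger."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def looks_encoded(body: str) -> bool:
    """True if the whole body is one opaque base64 or hex blob rather than form/JSON data."""
    if HEX_RE.match(body):
        return True
    if B64_RE.match(body):
        try:
            base64.b64decode(body, validate=True)
            return True
        except (binascii.Error, ValueError):
            return False
    return False


def hunt_exfil_posts(log_text: str, allowlist=KNOWN_GOOD_HOSTS) -> list:
    """Flag POSTs to hosts outside the allowlist whose body is an encoded blob or whose host is a bare IP."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=5)
        if len(parts) != 6:
            continue
        src, method, host, path, size, body = parts
        if method != "POST" or host in allowlist:
            continue
        reasons = []
        if IP_RE.match(host):
            reasons.append("bare-ip-host")
        if looks_encoded(body):
            reasons.append("encoded-body")
        if reasons:
            hits.append({"src": src, "host": host, "path": path, "bytes": int(size),
                         "entropy": round(shannon_entropy(body), 2), "reasons": reasons})
    return hits


# x64 Nt* stub as shipped in ntdll.dll: mov r10,rcx ; mov eax,SSN ; [test/jne on user-shared data] ; syscall ; ret
# The same byte sequence inside any module that is NOT ntdll is the direct-syscall signal.
SYSCALL_STUB_RE = re.compile(
    rb"\x4c\x8b\xd1"               # mov r10, rcx
    rb"\xb8(?P<ssn>.{2})\x00\x00"  # mov eax, imm32 (low 16 bits carry the SSN)
    rb".{0,16}?"                   # optional test/jne bytes copied from the real stub
    rb"\x0f\x05"                   # syscall
    rb"\xc3",                      # ret
    re.DOTALL,
)


def find_direct_syscall_stubs(code: bytes, module_name: str) -> list:
    """Return (offset, ssn) for every syscall stub found in a non-ntdll module's code bytes."""
    if module_name.lower() == "ntdll.dll":
        return []
    return [(m.start(), int.from_bytes(m.group("ssn"), "little"))
            for m in SYSCALL_STUB_RE.finditer(code)]


# Constructed .text excerpt: NOP sled, a stub with SSN 0x18, INT3 padding, a stub with SSN 0x3a
SAMPLE_TEXT_SECTION = (
    b"\x90" * 8
    + b"\x4c\x8b\xd1\xb8\x18\x00\x00\x00\x0f\x05\xc3"
    + b"\xcc" * 4
    + b"\x4c\x8b\xd1\xb8\x3a\x00\x00\x00\x0f\x05\xc3"
)

if __name__ == "__main__":
    for h in hunt_exfil_posts(SAMPLE_PROXY_LOG):
        print("suspicious POST:", h)
    for off, ssn in find_direct_syscall_stubs(SAMPLE_TEXT_SECTION, "stealer.exe"):
        print(f"direct syscall stub at offset {off}, SSN 0x{ssn:x}")
```

Both checks are hunting leads, not alerts on their own: entropy alone misses hex-encoded exfiltration (which is why the body is matched structurally), and the stub scan will also fire on some legitimate security products that bypass ntdll, so pair each hit with domain age, process lineage and the module's signer before escalating.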
Strategic calls:
Train your humans: Phishing is the top delivery vector. Make security awareness stick.
Kill bad habits: Disable browser autofill for sensitive apps, enforce MFA, and reduce local admin rights.
Zero trust everything: From cracked software to random "updates" - trust nothing without validation.
Adopt rapid response playbooks: When credentials are compromised, seconds count.
Lessons Learned from the Breaches
Airline Breach: One stolen VPN credential led to a full-scale ransomware incident - MFA and strict VPN access controls could have stopped it.
Financial BEC Fraud: Browser cookies stolen via Raccoon enabled account takeover - browser hardening and session management were missing.
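The cookie-theft lesson above, as an added example that is not from the FBI advisory or the firm involved: a bare session ID is valid for whoever presents it, which is exactly what a stolen Raccoon cookie gives the buyer. Binding the session to a coarse client fingerprint and signing it with an HMAC means the same cookie replayed from the thief's machine fails validation and can be routed to re-authentication or step-up MFA. The user name, the fingerprint recipe (/24 of the client IP plus User-Agent) and the TTL are assumptions chosen for illustration.

```python
"""Session cookie binding versus a bare session ID (added example, not the page's code).
Assumptions: SERVER_KEY is a per-process secret standing in for a KMS-held key; the
fingerprint recipe and SESSION_TTL are illustrative choices."""
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # in production: loaded from a secret store, rotated
SESSION_TTL = 8 * 3600                # short enough that a stolen cookie has a limited shelf life


def client_fingerprint(ip: str, user_agent: str) -> str:
    """Coarse fingerprint: /24 of the client IP plus User-Agent, hashed (assumed recipe)."""
    net = ".".join(ip.split(".")[:3])
    return hashlib.sha256(f"{net}|{user_agent}".encode()).hexdigest()


def issue_session(user: str, ip: str, ua: str, now: float) -> str:
    """Cookie = user|expiry|fingerprint|HMAC. Nothing here is secret; the HMAC stops tampering."""
    exp = int(now) + SESSION_TTL
    payload = f"{user}|{exp}|{client_fingerprint(ip, ua)}"
    tag = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def validate_session(cookie: str, ip: str, ua: str, now: float):
    """Return (user, None) when the cookie is valid for THIS client, else (None, reason)."""
    try:
        user, exp, fp, tag = cookie.split("|")
    except ValueError:
        return None, "malformed"
    payload = f"{user}|{exp}|{fp}"
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None, "bad-signature"
    if now > int(exp):
        return None, "expired"
    if fp != client_fingerprint(ip, ua):
        # Replayed from another machine: deny and require re-auth / step-up MFA
        return None, "fingerprint-mismatch"
    return user, None


def simulate() -> dict:
    """Victim logs in; the same cookie is then replayed by a thief, tampered with, and aged out."""
    now = time.time()
    victim_ip, victim_ua = "203.0.113.10", "Mozilla/5.0 (Windows NT 10.0) Chrome/125"
    thief_ip, thief_ua = "198.51.100.77", "Mozilla/5.0 (X11; Linux x86_64) Firefox/126"
    cookie = issue_session("finance.user", victim_ip, victim_ua, now)
    # The weak design beside it: a random ID that maps to a user with nothing bound to it,
    # so whoever holds "sid-1" is finance.user from anywhere.
    bare_store = {"sid-1": "finance.user"}
    return {
        "legit": validate_session(cookie, victim_ip, victim_ua, now + 60),
        "replayed_by_thief": validate_session(cookie, thief_ip, thief_ua, now + 60),
        "tampered": validate_session(cookie.replace("finance.user", "admin", 1), victim_ip, victim_ua, now + 60),
        "expired": validate_session(cookie, victim_ip, victim_ua, now + SESSION_TTL + 1),
        "bare_session_replayed": bare_store.get("sid-1"),
    }


if __name__ == "__main__":
    for case, outcome in simulate().items():
        print(f"{case:>22}: {outcome}")
```

Fingerprint binding is deliberately coarse and still produces false positives for users on mobile or VPN egress that changes /24 mid-session; treat a mismatch as a prompt for re-authentication rather than a silent drop, keep the TTL short, and revoke outstanding sessions as part of the credential-compromise playbook.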
Why It Matters
Infostealers are the first domino in big-ticket compromises. Today’s stolen browser cookie can become tomorrow’s ransomware deployment or business email compromise. Even more concerning, many of these stolen credentials provide third‑party or supply‑chain access, turning a single infected workstation into a gateway to partner networks or critical vendor systems.
The takeaway? Infostealers may look like small-scale threats, but they warrant enterprise-grade defenses. Treat them as strategic risks, and position your organisation as a hardened, proactive defender and not easy prey.
Further Reading
The Infostealer-Driven Surge in Account Takeovers and BEC Attacks – Whitepaper written by Hack Notice
IBM Threat Intelligence Index – Broader threat context including infostealer trends.
CISA – Threat Actors Deploy LummaC2 Malware to Exfiltrate Sensitive Data from Organizations
Pentera - Protect against credential exposure
Written by Shak
