The Infostealer Epidemic: Who’s Stealing What

Shak

Summary

Infostealers are no longer small-time annoyances. They’ve evolved into a multi-billion-dollar criminal ecosystem powering ransomware, fraud, and espionage. In 2024, 2.1 billion credentials were stolen globally. Phishing campaigns are up 84%, and macOS users are now firmly in the crosshairs. Monitoring for these threats should be a top priority for enterprises.


Infostealers are having their moment. These digital pickpockets are fully industrialised, operating in MaaS (malware-as-a-service) ecosystems, and fuelling everything from ransomware to corporate espionage.

While we are on the subject, here is a ransomware snapshot of activity across groups so far this year, taken from ransomware.live/stats: the number of victims is at a record high, well above 2024 numbers.

Real-world wake-up calls? A European airline breach (referencing Air Europa) in which VPN credentials were allegedly stolen, ending in ransomware detonation. A U.S. financial firm (referenced in an FBI advisory on Raccoon Stealer phishing fraud) traced a multimillion-dollar email scam to cookies stolen by Raccoon Stealer.

Leak Screenshot


The Infostealer Matrix: Who’s Playing the Game?

🔴 High Sophistication | 🟠 Medium

Lumma Stealer 🔴

  • Sophistication: High – direct syscalls, anti‑sandbox evasion

  • Active Versions / Status: Disrupted May 2025 (394k infections sinkholed)

  • Known Actors: Scattered Spider + others

  • Targeted Data: Browsers, wallets, cookies, chat apps, files

  • Global Footprint: >394k Windows hosts in 2 months

  • TTP Highlights: Fake CAPTCHA lures, stealth exfiltration, process hollowing

Raccoon Stealer 🟠

  • Sophistication: Medium – wide support, less stealth

  • Active Versions / Status: V2 live post‑2022, developer arrested Dec 2024

  • Known Actors: Criminal MaaS operators

  • Targeted Data: Browser credentials, cookies, autofill, crypto wallets

  • Global Footprint: Hundreds of thousands of infections

  • TTP Highlights: Delivered via cracked software & phishing, locale‑based avoidance, PowerShell loaders

RedLine Stealer 🔴

  • Sophistication: Medium‑high – modular & fast‑evolving

  • Active Versions / Status: Active and regularly updated

  • Known Actors: Criminal MaaS operators

  • Targeted Data: Credentials, cookies, wallets

  • Global Footprint: Millions of infections annually

  • TTP Highlights: Phishing attachments, regex‑based data harvesting

StealC 🔴

  • Sophistication: High – reduced alerting and stealth‑focused

  • Active Versions / Status: Active and expanding

  • Known Actors: Credential harvesters & espionage actors

  • Targeted Data: Credentials, session cookies, browser fingerprints

  • Global Footprint: Top 3 globally by volume

  • TTP Highlights: Low‑noise exfiltration, modular payloads

AMOS (Atomic macOS Stealer) 🔴

  • Sophistication: High for macOS – persistent threat with reboot‑surviving implants

  • Active Versions / Status: Latest version adds persistent backdoor

  • Known Actors: Actors targeting macOS users

  • Targeted Data: Keychain passwords, autofill, crypto data

  • Global Footprint: Active in 120+ countries

  • TTP Highlights: Fake apps/Homebrew clones, Gatekeeper bypass, persistence implants


How to Detect and Block

Threat hunting:

  • Network hunting: Watch for suspicious POST traffic with encoded payloads to unclassified C2 domains.

  • Endpoint behaviour: Detect process hollowing, direct syscall patterns (hello Lumma), and weird DLL placements.

  • Cross-platform readiness: macOS is no longer immune - beef up telemetry there, too.
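As an added example (not code from the original post), a small Python hunt that applies the network rule above to constructed proxy log lines: it parses key=value fields, keeps POSTs to hosts the proxy left unclassified, and flags bodies that are base64-like and high-entropy. The log format and the category labels are assumptions, not any particular proxy's schema.

```python
import math
import re
from collections import Counter

# Constructed proxy log lines for illustration (not real traffic). Each line is a
# set of space-separated key=value fields; 'category' is the proxy's URL classification.
SAMPLE_PROXY_LOGS = [
    "ts=2025-06-01T10:00:01Z method=GET host=www.example.com category=business body=",
    "ts=2025-06-01T10:00:05Z method=POST host=www.example.com category=business body=user=alice&action=save",
    "ts=2025-06-01T10:00:09Z method=POST host=x7k2.example.net category=uncategorized "
    "body=U2FsdGVkX1+Qm3F9yJ4Lq8R2vT0aZcWbN5dXeHpKs7YtRfG1uI3oPl6wMjE8hB9n",
    "ts=2025-06-01T10:00:12Z method=POST host=cdn.example.org category=cdn body=aGVsbG8=",
]

# Proxy categories treated as "unclassified" (assumed label set; adjust to your proxy vendor).
UNCLASSIFIED = {"uncategorized", "unknown", "unclassified", "new-domain"}
# A body made only of base64/URL-safe characters and at least 32 chars long looks encoded.
BASE64_RE = re.compile(r"^[A-Za-z0-9+/=_-]{32,}$")


def shannon_entropy(data: str) -> float:
    """Bits per character: ~0 for repetitive text, above 4 for base64-like blobs."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line: str) -> dict:
    """Split 'k=v k=v' fields; only the first '=' separates key and value, so bodies may contain '='."""
    return dict(field.split("=", 1) for field in line.split())


def looks_encoded(body: str, min_entropy: float = 4.0) -> bool:
    """Heuristic for an encoded payload: base64-like character set plus high entropy."""
    return bool(BASE64_RE.match(body)) and shannon_entropy(body) >= min_entropy


def hunt_suspicious_posts(lines: list) -> list:
    """Return POSTs carrying encoded bodies to unclassified hosts (the network-hunting rule above)."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec.get("method") != "POST":
            continue
        if rec.get("category", "unknown").lower() not in UNCLASSIFIED:
            continue
        if looks_encoded(rec.get("body", "")):
            hits.append({"ts": rec.get("ts"), "host": rec["host"],
                         "entropy": round(shannon_entropy(rec["body"]), 2)})
    return hits


if __name__ == "__main__":
    for hit in hunt_suspicious_posts(SAMPLE_PROXY_LOGS):
        print(f"[HUNT] {hit['ts']} encoded POST to {hit['host']} (entropy {hit['entropy']})")
```

Expect false positives from legitimate encoded uploads (telemetry, file sync); tune the entropy threshold and the category allow-list against your own baseline before alerting on it.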

Strategic calls:

  • Train your humans: Phishing is the top delivery vector. Make security awareness stick.

  • Kill bad habits: Disable browser autofill for sensitive apps, enforce MFA, and reduce local admin rights.

  • Zero trust everything: From cracked software to random "updates" - trust nothing without validation.

  • Adopt rapid response playbooks: When credentials are compromised, seconds count.


Lessons Learned from the Breaches

  • Airline Breach: One stolen VPN credential led to a full-scale ransomware incident - MFA and strict VPN access controls could have stopped it.

  • Financial BEC Fraud: Browser cookies stolen via Raccoon enabled account takeover - browser hardening and session management were missing.


Why It Matters

Infostealers are the first domino in big-ticket compromises. Today’s stolen browser cookie can become tomorrow’s ransomware deployment or business email compromise. Even more concerning, many of these stolen credentials provide third‑party or supply‑chain access, turning a single infected workstation into a gateway to partner networks or critical vendor systems.

The takeaway? Infostealers may look like small-scale threats, but they warrant enterprise-grade defenses. Treat them as strategic risks, and position your organisation as a hardened, proactive defender and not easy prey.

