Hackers no longer need to break in through the back door when infostealers can hand them the keys to the front entrance.
Infostealers have become the go-to tool for stealing login credentials. Using these stolen details is now the preferred method for attackers to slip into a target’s systems like an invited guest. It’s faster, simpler, quieter, and far more effective than trying to force their way in.
According to Flashpoint, more than 11.1 million devices were compromised by infostealers in 2025. Over 3.3 billion credentials, browser data, session tokens, and other identity-related information are now being traded on underground markets. These stolen assets don’t just grant access—they often provide legitimate entry to sensitive data without triggering any security alarms within the target organization.
Flashpoint has identified more than 30 distinct infostealer variants (referred to hereafter as ‘stealers’). Pinpointing the exact number of individual stealers is challenging—and perhaps pointless—since the landscape shifts almost daily with new variants emerging, existing ones being forked, and law enforcement disrupting or shutting down others.
Stealers are readily available in the underground ecosystem, frequently offered as malware-as-a-service (MaaS) for as little as $60 per month. In 2025, the top-performing stealers were, in order: Lumma, Acreed, Rhadamanthys, Vidar, and StealC. However, rankings can shift quickly. In the first two months of 2026, Vidar surged from fourth place to dominate the field, accounting for over 73% of all infected devices. Meanwhile, Lumma, which led in 2025, dropped to just 1.1%.
Once an attacker obtains a stealer, the next step is infecting a target device. This could be any device connected to the intended network, since credentials found there often unlock access to other parts of the infrastructure. The most common infection method involves standard social engineering tactics aimed at anyone using a desktop or laptop. With enough attempts, success is statistically almost guaranteed.
While individual stealers may operate differently and target different data, they all follow a similar pattern:
First, the malware may check whether it is running in a sandbox, a sign that it is being analyzed by security tooling rather than executing on a real victim's machine. If so, it may shut down immediately to avoid being flagged by enterprise defenses.
Its code often uses string encryption and obfuscation to evade static analysis tools. Decryption happens in memory, making it visible only briefly and difficult for signature-based detection to catch.
The stealer begins collecting data—usually while still in memory—focusing on whatever the developer believes can be most easily monetized. Credentials are the main prize: website passwords, corporate logins (VPN, RDP, VNC, webmail), SaaS accounts, cloud platform access, email credentials, password manager stores, and autofill data that may include personal details like names, phone numbers, and email addresses.
It may also harvest browser cookies, active session tokens, and cloud/SaaS session artifacts. Stealers scan for useful browser information, including installed extensions and user agents. They target cryptocurrency wallet data—seeds and private keys from browsers or desktop apps—and any credit card information they can find.
Stealers also collect system metadata (OS version, hardware details, IP address, and more). By combining data and metadata, they don’t just steal identities—they steal context.
The stolen data is packaged into structured files called stealer logs. These may be compressed and encrypted to bypass enterprise DLP systems, then sent to a server controlled by the attacker.
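As an added defender-side example (not code from the article or from Flashpoint), the routine below triages a stealer log once a copy is recovered: it keeps only the credentials and still-valid session cookies tied to the organisation's own domains, attaches a response action to each, and flags a password reused across several corporate services. The log layout, the domain set and all sample values are constructed assumptions; real stealer log formats differ by family.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from urllib.parse import urlparse
# Constructed sample log in an ASSUMED layout ("url | user | pass" and
# "host | cookie | value | expires"); real stealer log formats vary by family.
SAMPLE_LOG = """\
[credentials]
https://vpn.example.com/login | j.doe@example.com | Summer2025!
https://webmail.example.com/owa | j.doe@example.com | Summer2025!
https://shop.other-site.test/account | jdoe_personal | hunter2
[cookies]
.example.com | SESSIONID | ab12cd34 | 2099-01-01T00:00:00Z
.other-site.test | auth | zz99 | 2020-01-01T00:00:00Z
"""
CORPORATE_DOMAINS = {"example.com"}  # assumption: the organisation's own domains

@dataclass
class Finding:
    kind: str      # "credential" or "session"
    host: str
    identity: str  # account name, cookie name, or a marker
    action: str    # recommended response

def is_corporate(host: str) -> bool:
    host = host.lstrip(".")
    return any(host == d or host.endswith("." + d) for d in CORPORATE_DOMAINS)

def triage(log: str, now: datetime = None) -> list:
    # Keep only entries that expose the organisation, each with a response action.
    now = now or datetime.now(timezone.utc)
    findings, section, reused = [], None, {}
    for line in filter(None, (l.strip() for l in log.splitlines())):
        if line.startswith("["):
            section = line.strip("[]")
            continue
        fields = [f.strip() for f in line.split("|")]
        if section == "credentials":
            host = urlparse(fields[0]).hostname or ""
            if is_corporate(host):
                findings.append(Finding("credential", host, fields[1], "force password reset, review MFA"))
                reused.setdefault(fields[2], set()).add(host)  # track reuse across services
        elif section == "cookies":
            host, name, _value, expires = fields
            if is_corporate(host) and datetime.fromisoformat(expires.replace("Z", "+00:00")) > now:
                findings.append(Finding("session", host, name, "revoke session / invalidate token"))
    for hosts in reused.values():  # one password on several services widens the blast radius
        if len(hosts) > 1:
            findings.append(Finding("credential", ",".join(sorted(hosts)), "<shared password>", "same password on several services"))
    return findings
```

Calling `triage(SAMPLE_LOG)` yields the two corporate logins for reset, the live `.example.com` session cookie for revocation, and the shared-password warning, while the personal shop account and the expired cookie are left out.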
The attacker then profits from these logs, either by using them personally or by selling them to criminal groups. A common use is leveraging the stolen identities to gain access unnoticed and deploy ransomware before the intrusion is caught. There is often a direct and short path from stealer infection to ransom demand.
Stealers are easy to deploy, difficult to detect or block, and extremely aggressive. Most victims don’t realize they’ve been compromised until their own stolen credentials are used against them. The only other warning sign is threat intelligence spotting credentials being sold on illicit markets—but that doesn’t prevent the breach; it only confirms it’s already happened.