Infostealer
In computing, infostealers are a form of malicious software created to breach computer systems to steal sensitive information, such as login details, financial information, and other personally identifiable information. The stolen information is then packaged, sent to the attacker, and often traded on illicit markets to other cybercriminals.
Infostealers usually consist of a bot framework that allows the attacker to configure the behaviour of the infostealer, and a management panel that takes the form of a server to which the infostealer sends data. Infostealers infiltrate devices through phishing attacks, infected websites, and malicious software downloads, including video game mods and pirated software, among other methods. Once downloaded, the infostealers gather sensitive information about the user's device and send the data back to the server.
Infostealers are usually distributed under the malware-as-a-service (MaaS) model, where developers allow other parties to use their infostealers for subscription fees. The functionality of infostealers can vary, with some focused on data harvesting, while others offer remote access that allows additional malware to be executed. Stolen data may then be used in spearphishing campaigns for other cyber-attacks, such as the deployment of ransomware.
The number of stolen data logs being sold on the Russian Market, a cybercrime forum, has increased significantly since 2022. According to Kaspersky's research in mid-2023, 24% of malware offered as a service are infostealers.
Overview
In cybercrime, credential theft is a well-known mechanism through which malicious individuals steal personal information, such as usernames, passwords, or cookies, to illegitimately gain access to a victim's online accounts and computer. This crime typically unfolds in four stages, with the first being the acquisition of the stolen credentials. Infostealers are a specific type of malware that are designed for this initial stage. They usually consist of two distinct parts: the bot framework and a command and control server, often known as the management panel or interface.[1]
The bot framework includes a builder that allows the attacker to configure how the infostealer will behave on a user's computer and what kind of information it will steal. The management interface, usually written in traditional web development languages like PHP, HTML, and JavaScript,[2] is typically hosted on the commercial cloud infrastructure.[3] The management interface primarily functions as a web server to which the infostealer sends confidential information. The interface also provides the attacker with information about the status of deployed infostealers and allows the attacker to control their behaviour.[2]
Reports from 2025 highlight the continued growth of infostealer threats. According to infostealers.com, infostealer infections have increased significantly and have affected major organizations, including Samsung, Royal Mail, and Telefónica. These breaches often involve the theft of sensitive customer data, which is then used for further cybercrimes, such as ransomware attacks and targeted phishing. Infostealers are also frequently used to steal credentials that grant unauthorized access to corporate networks, enabling follow-on attacks such as ransomware deployment; for instance, the HELLCAT ransomware group has used stolen Jira credentials obtained from infostealer logs to breach organizations.[4] In 2025, infostealer detections increased by 104% compared to the previous year, underscoring their growing prevalence in cybercrime.[5]
Notable incidents
Infostealers have been involved in several high-profile breaches in recent years. Below are some notable incidents:
- Royal Mail Group Data Leak (February 2025): A hacker known as GHNA leaked 144GB of data from Royal Mail Group, including customer and operational information. The data was stolen using credentials compromised by the Raccoon Infostealer in 2021, by the same hacker responsible for the Samsung Tickets breach. This incident highlighted the persistent threat of infostealer logs used years after initial compromise.[6]
- Samsung Tickets Data Leak (March 2025): A hacker known as GHNA leaked 270,000 customer tickets from Samsung Germany's ticketing system, samsung-shop.spectos.com. The data was stolen using credentials compromised by the Raccoon Infostealer in 2021. The leaked information included full names, email addresses, home addresses, order numbers, model numbers, payment methods, prices, discounts, tracking URLs, ticket IDs, agent emails, and issue descriptions with vendor responses. This breach highlighted the long-term risks of credential theft via infostealers.[7]
- Telefónica Breach (March 2025): Infostealer malware compromised employee credentials at Telefónica, enabling attackers to conduct social engineering attacks. The stolen credentials facilitated unauthorized access to internal systems, demonstrating how infostealers can serve as a gateway for further malicious activities.[8]
- Hot Topic Retail Breach (April 2025): An infostealer infection led to the exposure of personal and payment data belonging to 350 million Hot Topic customers, marking one of the largest retail breaches in history. The breach compromised sensitive information, including credit card details, highlighting the severe impact of infostealers on the retail sector.[9]
- HELLCAT Ransomware Group Attacks (April 2025): The HELLCAT ransomware group breached four organizations, HighWire Press, Inc. (USA), Asseco Poland S.A. (Poland), Racami, LLC (USA), and LeoVegas Group (Sweden), by exploiting Jira credentials stolen via various infostealers. The specific infostealers involved included Raccoon (used in 2022 for HighWire Press), StealC (used in 2024 for Asseco Poland), Redline (used in 2022 for Racami), and Lumma (used in 2024 for LeoVegas Group). These attacks demonstrated how infostealers are often used as a precursor to ransomware attacks by providing initial access to corporate systems.[10]
Distribution and use
Infostealers are commonly distributed through the malware-as-a-service (MaaS) model, enabling individuals with varying technical knowledge to deploy these malicious programs. Under this model, three distinct groups typically emerge: developers, malware service providers, and operators. Developers, the most technically skilled, write the infostealer code. Malware service providers purchase licenses for the malware and offer it as a service to other cybercriminals. The operators, who can be developers or service providers themselves depending on their skill level, use these services to perform credential theft.[1]
Once the malware is purchased, it is spread to victim machines using various social engineering techniques. Phishing, including spear phishing campaigns that target specific victims, is commonly employed: infostealers are embedded in email attachments or reached through malicious links to websites that perform drive-by downloads.[2][11] Additionally, they are often bundled with compromised or malicious browser extensions, infected game cheating packages, and pirated or otherwise compromised software.[11] After the stealer is downloaded and run by a victim, it communicates with the attacker's command-and-control servers, allowing the attacker to steal information from the user's computer. While most infostealers primarily target credentials, some also enable attackers to remotely introduce and execute other malware, such as ransomware, on the victim's computer.[1][12]
Credentials obtained from infostealer attacks are often distributed as logs or credential dumps, typically shared on paste sites like Pastebin, where cybercriminals may offer free samples, or sold in bulk on underground hacking forums, often for amounts as low as $10.[13][14] Buyers of these stolen credentials usually log in to assess their value, particularly looking for credentials associated with financial services or linked to other credentials with similar patterns, as these are especially valuable.[15] High-value credentials are often sold to other cybercriminals at higher prices.[16] These credentials may then be used for various crimes, including financial fraud,[17] integrating the credentials into zombie networks and reputation-boosting operations,[17] or as springboards for more sophisticated attacks, such as scamming businesses, distributing ransomware, or conducting state-sponsored espionage.[13][18] Additionally, some cybercriminals use stolen credentials for social engineering attacks, impersonating the original owner to claim they have been a victim of a crime and soliciting money from the victim's contacts.[19][20] Many buyers of these stolen credentials take precautions to maintain access for longer periods, such as changing passwords and using Tor networks to obscure their locations, which helps avoid detection by services that might otherwise identify and shut down the stolen credentials.[19][20]
Features
An infostealer's primary function is to exfiltrate sensitive information about the victim to an attacker's command-and-control servers. The exact type of data that is exfiltrated will depend on the data-stealing features enabled by the operator and the specific variant of infostealer used.[21] Most infostealers, however, do contain functionality to harvest a variety of information about the host operating system, as well as system settings and user profiles. Some more advanced infostealers include the capability to introduce secondary malware, such as remote access trojans and ransomware.[2]
In 2009, researchers at the Symantec Rapid Response team released a technical analysis of the Zeus infostealer, one of the first infostealers to be created.[22] They found that the malware automatically exfiltrated all data stored in a computer's protected storage service (which was usually used by Internet Explorer to store passwords) and tried to capture any passwords transmitted using the POP3 and FTP protocols. In addition, the malware's configuration files allowed the researchers to specify a list of web injections to perform on a user's computer, while a separate configuration file controlled which web URLs the malware would monitor. A further configuration allowed the researchers to define a set of rules for testing whether additional HTTP requests contained passwords or other sensitive information.[23]
More recently, in 2020, researchers at the Eindhoven University of Technology conducted a study analysing the information available for sale on the underground credential black market impaas.ru. As part of their study, they were able to replicate the workings of a version of the AZORult infostealer. Amongst the functions discovered by the researchers was a builder, which allowed operators to define what kind of data would be stolen. The researchers also found evidence of plugins that stole a user's browsing history, a customisable regex-based mechanism that allows the attacker to retrieve arbitrary files from a user's computer, a browser password extractor module, a module to extract Skype history, and a module to find and exfiltrate cryptocurrency wallet files.[21]
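The modules listed above (browser password extractor, cookie theft, wallet-file search) leave a recognisable trace on the endpoint: a process that is not a browser reads the browser's credential stores or a wallet file and then opens an outbound connection. The following detector is an added example written for this article, not code from the cited study; the telemetry format, the store-name patterns and the sample events are all constructed.

```python
# Added example: behavioural detection of AZORult-style credential harvesting over
# constructed endpoint telemetry (not from the cited research or any real EDR product).
from collections import defaultdict

# Illustrative store names (constructed list); production rules key on full per-browser paths.
SENSITIVE_PATTERNS = ("/login data", "/cookies", "/logins.json", "/key4.db", "wallet.dat")
BROWSER_PROCESSES = {"chrome.exe", "firefox.exe", "msedge.exe"}
EXFIL_WINDOW_SECONDS = 60  # a sensitive read must precede the connection by at most this long

def is_sensitive_path(path: str) -> bool:
    """True when a path looks like a browser credential/cookie store or a wallet file."""
    low = path.lower()
    return any(pattern in low for pattern in SENSITIVE_PATTERNS)

def detect_stealer_activity(events):
    """Return one alert per process that reads sensitive stores and then connects out.

    events: dicts sorted by ts with keys ts, pid, proc, type ('file_read' or 'net_connect'),
    plus 'path' for file reads or 'dest' for connections (constructed telemetry format).
    """
    reads = defaultdict(list)  # pid -> [(ts, path)] sensitive reads by non-browser processes
    alerts = []
    for ev in events:
        if ev["proc"].lower() in BROWSER_PROCESSES:
            continue  # browsers legitimately open their own stores
        if ev["type"] == "file_read" and is_sensitive_path(ev["path"]):
            reads[ev["pid"]].append((ev["ts"], ev["path"]))
        elif ev["type"] == "net_connect" and reads[ev["pid"]]:
            recent = [p for ts, p in reads[ev["pid"]] if ev["ts"] - ts <= EXFIL_WINDOW_SECONDS]
            if recent:
                alerts.append({"pid": ev["pid"], "proc": ev["proc"],
                               "dest": ev["dest"], "files": sorted(set(recent))})
                reads[ev["pid"]].clear()  # one alert per harvesting burst
    return alerts

# Constructed sample telemetry: a benign browser session, a stealer-like installer that
# reads the password store, cookie DB and a wallet file before connecting out, and an
# unrelated process that connects out without touching any credential store.
CHROME = "C:/Users/a/AppData/Local/Google/Chrome/User Data/Default"
SAMPLE_EVENTS = [
    {"ts": 100, "pid": 1, "proc": "chrome.exe", "type": "file_read", "path": f"{CHROME}/Login Data"},
    {"ts": 101, "pid": 1, "proc": "chrome.exe", "type": "net_connect", "dest": "198.51.100.5:443"},
    {"ts": 200, "pid": 7, "proc": "game_mod_installer.exe", "type": "file_read", "path": f"{CHROME}/Login Data"},
    {"ts": 201, "pid": 7, "proc": "game_mod_installer.exe", "type": "file_read", "path": f"{CHROME}/Cookies"},
    {"ts": 202, "pid": 7, "proc": "game_mod_installer.exe", "type": "file_read", "path": "C:/Users/a/AppData/Roaming/Bitcoin/wallet.dat"},
    {"ts": 205, "pid": 7, "proc": "game_mod_installer.exe", "type": "net_connect", "dest": "203.0.113.10:443"},
    {"ts": 300, "pid": 9, "proc": "notepad.exe", "type": "file_read", "path": "C:/Users/a/Documents/notes.txt"},
    {"ts": 301, "pid": 9, "proc": "notepad.exe", "type": "net_connect", "dest": "192.0.2.7:80"},
]

if __name__ == "__main__":
    for alert in detect_stealer_activity(SAMPLE_EVENTS):
        print(alert)
```

Only the installer's burst produces an alert; the browser is exempt by name, so a real deployment should also check process image signatures, since stealers can masquerade as browsers.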
The researchers also found that the data most frequently stolen by the AZORult infostealer and sold on the black market could be broadly categorised into three main types: fingerprints, cookies, and resources. Fingerprints consisted of identifiers constructed by probing a variety of features exposed by the browser; they were not tied to a specific service but were considered a reliably unique identifier for a user's browser. Cookies allowed buyers to hijack a victim's browser session by injecting them into a browser environment. Resources refer to browser-related files found on a user's operating system, such as password storage files.[24]
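A server-side mitigation for the cookie category above is to bind each session to the client context observed at login, so that a cookie copied out of the victim's browser and replayed elsewhere is refused. The code below is an added example for this article, not from the cited study; the binding fields (User-Agent and a network prefix), the server key and the store layout are assumptions.

```python
# Added example: session binding to limit replay of a stolen browser cookie
# (illustrative design, not from the cited research).
import hashlib
import hmac
import secrets
import time

# Constructed key; in production load it from a secrets manager and rotate it.
SERVER_KEY = b"example-server-key-for-binding-demo"

def client_binding(user_agent: str, ip_prefix: str) -> str:
    """Keyed hash of the client context (assumed fields: User-Agent and network prefix)."""
    material = f"{user_agent}|{ip_prefix}".encode()
    return hmac.new(SERVER_KEY, material, hashlib.sha256).hexdigest()

class SessionStore:
    def __init__(self, ttl_seconds: int = 3600):
        self._sessions = {}  # session id -> (user, binding, expiry timestamp)
        self._ttl = ttl_seconds

    def login(self, user: str, user_agent: str, ip_prefix: str, now=None) -> str:
        """Issue a session cookie value bound to the caller's context at login."""
        sid = secrets.token_urlsafe(32)
        now = time.time() if now is None else now
        self._sessions[sid] = (user, client_binding(user_agent, ip_prefix), now + self._ttl)
        return sid

    def validate(self, sid: str, user_agent: str, ip_prefix: str, now=None) -> tuple:
        """Return ("ok", user), ("unknown", None), ("expired", None) or ("binding_mismatch", user).

        A binding mismatch revokes the session: a cookie replayed from another browser
        context also ends the victim's legitimate session, which is the signal to alert on.
        """
        entry = self._sessions.get(sid)
        if entry is None:
            return ("unknown", None)
        user, binding, expiry = entry
        now = time.time() if now is None else now
        if now > expiry:
            del self._sessions[sid]
            return ("expired", None)
        if not hmac.compare_digest(binding, client_binding(user_agent, ip_prefix)):
            del self._sessions[sid]
            return ("binding_mismatch", user)
        return ("ok", user)
```

Binding to a network prefix breaks for roaming mobile users and does not catch a stolen cookie replayed through the victim's own machine, so it is paired in practice with short lifetimes and re-authentication for sensitive actions.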
Economics and impact
Setting up an infostealer operation has become increasingly accessible due to the proliferation of stealer-as-a-service enterprises, significantly lowering financial and technical barriers. This makes it feasible for even less sophisticated cybercriminals to engage in such activities.[2] In a 2023 paper, researchers from the Georgia Institute of Technology noted that the hosted stealer market is extremely mature and highly competitive, with some operators offering to set up infostealers for as low as $12.[25] For the service providers running these stealer operations, the researchers estimated that a typical infostealer operator incurs only a few one-off costs: the license to use the infostealer, which is obtained from a malware developer, and the registration fee for the domain used to host the command-and-control server. The primary ongoing cost incurred by these operators is the cost associated with hosting the servers. Based on these calculations, the researchers concluded that the stealer-as-a-service business model is extremely profitable, with many operators achieving profit margins of over 90% with revenues in the high thousands.[26]
Due to their extreme profitability and accessibility, the number of cybersecurity incidents involving infostealers has risen.[13] The post-pandemic shift towards remote and hybrid work following COVID-19, in which companies give employees access to enterprise services from their home machines, has been cited as one of the reasons behind the increase in the effectiveness of infostealers.[13][27] In 2023, research by Secureworks found that the number of infostealer logs (the data exfiltrated from each infected computer) for sale on the Russian Market, the biggest underground market, increased from 2 million to 5 million between June 2022 and February 2023.[27] According to Kaspersky's research in mid-2023, 24% of malware offered as a service are infostealers.[28] In 2024, infostealers were used to steal 2.1 billion credentials, over 60% of the 3.2 billion credentials stolen from all organizations. Infostealers are heavily utilized because of their low cost, averaging $200 per month in 2024.[29]
References
Citations
1. Avgetidis et al. 2023, p. 5308
2. Avgetidis et al. 2023, pp. 5308–5309
3. Avgetidis et al. 2023, pp. 5314, 5319
4. "Stealing the Future: Infostealers Power Cybercrime in 2025". infostealers.com. 2025-04-01. Retrieved 2025-04-25.
5. "Stealing the Future: Infostealers Power Cybercrime in 2025". infostealers.com. 2025-04-01. Retrieved 2025-04-25.
6. "Royal Mail Group Loses 144GB to Infostealers: Same Samsung Hacker, Same 2021 Infostealer Log". infostealers.com. 2025-02-01. Retrieved 2025-04-25.
7. "Samsung Tickets Data Leak: Infostealers Strike Again in Massive Free Dump". infostealers.com. 2025-03-01. Retrieved 2025-04-25.
8. "Telefónica Breach: Infostealer Malware Opens Door for Social Engineering Tactics". infostealers.com. 2025-03-01. Retrieved 2025-04-25.
9. "Largest Retail Breach in History: 350 Million Hot Topic Customers' Personal and Payment Data Exposed as a Result of Infostealer Infection". infostealers.com. 2025-04-01. Retrieved 2025-04-25.
10. "HELLCAT Ransomware Group Strikes Again: Four New Victims Breached via Jira Credentials from Infostealer Logs". infostealers.com. 2025-04-01. Retrieved 2025-04-25.
11. Nurmi, Niemelä & Brumley 2023, p. 1
12. Ryan 2021, p. 76
13. Newman 2024
14. Nurmi, Niemelä & Brumley 2023, p. 2
15. Nurmi, Niemelä & Brumley 2023, p. 6
16. Nurmi, Niemelä & Brumley 2023, p. 7
17. Nurmi, Niemelä & Brumley 2023, p. 8
18. Muncaster 2023
19. Onaolapo, Mariconti & Stringhini 2016, pp. 65, 70, 76
20. Bursztein et al. 2014, p. 353
21. Campobasso & Allodi 2020, p. 1669
22. Grammatikakis et al. 2021, p. 121
23. Nicolas & Chien 2009, pp. 3–4
24. Campobasso & Allodi 2020, pp. 1669–1670
25. Avgetidis et al. 2023, p. 5309
26. Avgetidis et al. 2023, p. 5318
27. Hendery 2023
28. Lyons 2024
29. Kapko, Matt (2025-03-18). "Infostealers fueled cyberattacks and snagged 2.1B credentials last year". CyberScoop. Retrieved 2025-04-22.
Sources
- Avgetidis, Athanasios; Alrawi, Omar; Valakuzhy, Kevin; Lever, Charles; Burbage, Paul; Keromytis, Angelos D.; Monrose, Fabian; Antonakakis, Manos (2023). "Beyond The Gates: An Empirical Analysis of HTTP-Managed Password Stealers and Operators". USENIX Security: 5307–5324. ISBN 978-1-939133-37-3.
- Bursztein, Elie; Benko, Borbala; Margolis, Daniel; Pietraszek, Tadek; Archer, Andy; Aquino, Allan; Pitsillidis, Andreas; Savage, Stefan (2014-11-05). "Handcrafted Fraud and Extortion: Manual Account Hijacking in the Wild". Proceedings of the 2014 Conference on Internet Measurement Conference. ACM. pp. 347–358. doi:10.1145/2663716.2663749. ISBN 978-1-4503-3213-2.
- Campobasso, Michele; Allodi, Luca (2020-10-30). "Impersonation-as-a-Service: Characterizing the Emerging Criminal Infrastructure for User Impersonation at Scale". Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security. ACM. pp. 1665–1680. arXiv:2009.04344. doi:10.1145/3372297.3417892. ISBN 978-1-4503-7089-9.
- Grammatikakis, Konstantinos P.; Koufos, Ioannis; Kolokotronis, Nicholas; Vassilakis, Costas; Shiaeles, Stavros (2021-07-26). "Understanding and Mitigating Banking Trojans: From Zeus to Emotet". 2021 IEEE International Conference on Cyber Security and Resilience (CSR). IEEE. pp. 121–128. arXiv:2109.01610. doi:10.1109/CSR51186.2021.9527960. ISBN 978-1-6654-0285-9.
- Hendery, Simon (2023-05-17). "Data log thefts explode as infostealers gain popularity with cybercriminals". SC Magazine. Archived from the original on 2023-10-17. Retrieved 2024-07-18.
- Lyons, Jessica (29 February 2024). "Ransomware gangs are paying attention to infostealers, so why aren't you?". The Register. Archived from the original on 11 September 2024. Retrieved 17 August 2024.
- Muncaster, Phil (2023-02-09). "New Info-Stealer Discovered as Russia Prepares for New Offensive". Infosecurity Magazine. Archived from the original on 2024-09-11. Retrieved 2024-08-13.
- Newman, Lily Hay (29 July 2024). "How Infostealers Pillaged the World's Passwords". Wired. ISSN 1059-1028. Archived from the original on 2024-08-13. Retrieved 2024-08-13.
- Nicolas, Falliere; Chien, Eric (2009). "Zeus: King of the Bots" (PDF). Symantec. Archived from the original (PDF) on 2017-01-10.
- Nurmi, Juha; Niemelä, Mikko; Brumley, Billy Bob (2023-08-29). "Malware Finances and Operations: A Data-Driven Study of the Value Chain for Infections and Compromised Access". Proceedings of the 18th International Conference on Availability, Reliability and Security. ACM. pp. 1–12. arXiv:2306.15726. doi:10.1145/3600160.3605047. ISBN 979-8-4007-0772-8.
- Onaolapo, Jeremiah; Mariconti, Enrico; Stringhini, Gianluca (2016-11-14). "What Happens After You Are PWND: Understanding the Use of Leaked Webmail Credentials in the Wild". Proceedings of the 2016 Internet Measurement Conference. ACM. pp. 65–79. doi:10.1145/2987443.2987475. ISBN 978-1-4503-4526-2.
- Ryan, Matthew (2021), Ryan, Matthew (ed.), "Ransomware Case Studies", Ransomware Revolution: The Rise of a Prodigious Cyber Threat, Advances in Information Security, vol. 85, Cham: Springer International Publishing, pp. 65–91, doi:10.1007/978-3-030-66583-8_5, ISBN 978-3-030-66583-8, retrieved 2024-08-13