Infostealers: The Malware Economy Powering Today’s Cybercrime
March 22, 2026

Introduction
Cybersecurity headlines often focus on ransomware attacks, nation-state espionage campaigns, and large-scale data breaches affecting millions of users. These events understandably capture attention because they represent the visible impact of cybercrime.
However, behind many of these high-profile incidents lies a far quieter but equally significant threat.
Infostealer malware.
Infostealers are specialised forms of malicious software designed to collect sensitive information from infected devices. Rather than immediately disrupting systems or encrypting data like ransomware, these malware families focus on harvesting valuable digital assets such as credentials, authentication tokens, and browser-stored information.
The scale of this activity is staggering.
Security research indicates that more than 11.1 million machines have been infected by infostealer malware, producing vast quantities of credential logs that circulate through underground cybercrime markets. These logs frequently contain thousands of credentials from individual devices, including corporate accounts, SaaS platform logins, and privileged system access.
Collectively, this ecosystem has produced billions of stolen credentials, many of which are traded and reused across multiple cybercrime operations.
For attackers, infostealers provide a powerful advantage. Instead of attempting to breach corporate networks directly, they can simply purchase access to compromised accounts harvested from infected users.
In many cases, these credentials belong to employees who have logged into enterprise services from personal devices or insecure environments.
The result is a thriving underground economy in which stolen credentials are continuously harvested, traded, and exploited.

Understanding how this ecosystem operates is critical for organisations seeking to defend themselves against modern cyber threats.
The Infostealer Explosion
Over the past decade, infostealer malware has evolved into one of the most effective tools in the cybercrime arsenal.
Unlike traditional malware designed to disrupt systems or destroy data, infostealers are optimised for stealth and data collection. Their primary objective is to quietly extract sensitive information from infected devices and transmit it back to attacker-controlled infrastructure.
This approach has proven extremely effective.
Instead of directly attacking organisations, an approach that often triggers security defences, criminals target individual users.
Employees, contractors, developers and administrators frequently access corporate systems from personal devices. When these devices become infected, the malware can capture credentials used to access enterprise services.
Infostealer malware commonly harvests several categories of information.
Browser Credentials
Most modern browsers store usernames and passwords to simplify authentication. Infostealers extract these stored credentials, which may include access to business applications, internal systems and cloud platforms.
Session Cookies
Session tokens allow users to remain logged into applications without repeatedly entering passwords. When stolen, these cookies can be replayed from the attacker's own machine and are accepted as an already-authenticated session, so neither the password nor the multi-factor authentication step is prompted for again. A long "remember me" lifetime makes the stolen cookie useful for days or weeks.
Cryptocurrency Wallets
Infostealers frequently target cryptocurrency wallets stored on infected systems, allowing attackers to steal digital assets directly.
SaaS Platform Logins
Credentials used to access services such as Microsoft 365, Google Workspace, Slack or Salesforce are often stored in browsers and captured by infostealer malware.
Corporate Credentials
Perhaps most concerning, employees often store credentials for enterprise systems in browsers or password managers on personal machines. These credentials can provide attackers with direct access to corporate environments.

Once collected, this information is compiled into structured credential logs, which may contain thousands of individual records from a single infected device.
These logs are then transmitted to command-and-control infrastructure controlled by cybercriminal operators.
From there, they enter the cybercrime marketplace.
The Rise of Vidar 2.0 After Lumma
The infostealer ecosystem behaves much like a competitive technology market.
New malware families emerge, gain popularity, and sometimes disappear following law enforcement action or operational disruption. However, the underlying demand for stolen credentials ensures that the ecosystem quickly adapts.
A clear example of this resilience can be seen in the rise of Vidar, an infostealer malware family whose operators released a new version marketed as Vidar 2.0 and which has become increasingly prominent following disruptions to other major infostealer operations such as Lumma.
When law enforcement agencies or security companies disrupt one malware family, others quickly fill the gap.
This dynamic reflects the broader structure of the cybercrime economy.
Many infostealer operations operate under a malware-as-a-service model, where developers create and maintain the malware platform (the builder, the command-and-control panel and the evasion updates) and rent it to affiliates. These affiliates are responsible for spreading infections through phishing campaigns, malicious downloads, cracked software or compromised websites.
In return, affiliates typically pay the developers a recurring subscription fee for access to the builder and panel; some operations also take a share of the stolen logs or profits.
When one malware platform is disrupted, affiliates simply migrate to alternative services.
As a result, the ecosystem remains highly resilient.

The emergence of Vidar and similar malware families demonstrates how quickly new tools can gain traction in underground markets.
These malware platforms often include features such as:
• Automated data exfiltration
• Credential harvesting modules
• Browser extension extraction
• Cryptocurrency wallet theft
• System profiling.
Many variants also include mechanisms to evade detection by endpoint security tools.
This continuous innovation ensures that infostealer malware remains a persistent and evolving threat.
The Infostealer Marketplace
Once infostealer malware collects credentials from infected devices, the next stage of the ecosystem begins.
The stolen data is transformed into a tradable commodity.
Cybercriminal operators organise harvested credentials into structured logs containing information such as:
• Usernames and passwords
• Authentication cookies
• System information
• Installed applications
• IP addresses and geographic location.
These logs can provide attackers with valuable insight into the environments from which the credentials were stolen.
For example, a log might reveal that an infected device belongs to an employee of a financial institution or technology company. It may also indicate which corporate platforms the user accessed from that device.
This information significantly increases the value of the stolen credentials.
The distribution of these logs occurs through several channels within the cybercrime ecosystem.
Telegram Markets
Messaging platforms such as Telegram (whose public channels and groups are not end-to-end encrypted, but which offer easy anonymity and bot automation) have become popular marketplaces for trading stolen credentials. Sellers advertise credential logs, often categorised by geography, organisation type or service access, and many stealer panels push freshly harvested logs straight into Telegram channels.
Buyers can browse listings and purchase data directly.
Dark Web Forums
Long-established underground forums continue to serve as hubs for credential trading. These forums often include reputation systems that allow buyers to assess the reliability of sellers.
Automated Credential Marketplaces
Some cybercrime platforms operate as automated marketplaces where buyers can search databases of stolen credentials. These platforms function similarly to legitimate e-commerce websites.
Buyers can filter credentials based on criteria such as domain names, geographic region, or access to specific services.
In many cases, these marketplaces offer fresh credential logs harvested from recently infected machines.
For attackers seeking access to corporate systems, this ecosystem dramatically reduces the effort required to obtain entry points.
Instead of conducting reconnaissance and phishing campaigns themselves, attackers can simply purchase access.
SaaS Credential Theft and Cloud Access
The growing reliance on cloud platforms has significantly increased the value of credentials harvested by infostealers.
In traditional IT environments, attackers often needed to compromise multiple systems to reach valuable assets.
In cloud environments, however, a single account may provide access to a wide range of services.
Infostealers increasingly target credentials associated with enterprise SaaS platforms.
These may include access to:
• Microsoft 365 administrative portals
• Google Workspace accounts
• Slack collaboration environments
• Salesforce customer databases
• GitHub or GitLab development repositories.
Access to these systems can provide attackers with sensitive business data, intellectual property, customer records and internal communications.
In some cases, attackers may obtain credentials belonging to cloud administrators or DevOps engineers.
Such accounts can provide control over cloud infrastructure, enabling attackers to create new users, deploy malicious workloads, or exfiltrate large volumes of data.
Development platforms are also valuable targets.
Credentials for repositories such as GitHub may provide access to source code, API keys and deployment pipelines. This information can enable further attacks against both the organisation and its customers.
The ability to obtain such credentials through infostealer logs dramatically simplifies the process of infiltrating corporate environments.
The Cybercrime Supply Chain
The infostealer ecosystem illustrates how cybercrime has evolved into a sophisticated supply chain.
Different actors specialise in different stages of the process.
Some groups focus on malware development, creating and maintaining infostealer platforms.
Others operate as infection distributors, spreading malware through phishing campaigns, malicious advertising networks, or compromised websites.
Another set of actors specialise in data aggregation and marketplace operations, organising stolen credentials and making them available to buyers.

Finally, attackers purchase these credentials to conduct further operations such as:
• Business email compromise
• Ransomware deployment
• Corporate espionage
• Financial fraud.
This division of labour allows cybercriminals to operate more efficiently.
Each participant focuses on a specific function within the ecosystem, creating a highly scalable criminal economy.
For organisations, this means that the initial theft of credentials may occur months before an actual breach takes place.
The credentials may circulate through underground markets before eventually being purchased by attackers targeting the organisation.
Cybergen Insight: Defending Against Identity-Based Attacks
Given the scale of the infostealer ecosystem, organisations must assume that at least some of their credentials may already exist within criminal marketplaces.

Defensive strategies must therefore focus not only on preventing malware infections but also on detecting and mitigating the consequences of credential theft.
Several defensive priorities are particularly important.
Dark Web Credential Monitoring
Monitoring underground marketplaces for leaked credentials can provide early warning of potential compromises.
Specialised threat intelligence services can identify credentials associated with corporate domains that appear within infostealer logs.
When such credentials are discovered, organisations can take immediate action: reset the password, revoke the account's active sessions and refresh tokens (on many platforms a stolen cookie outlives a password change), and investigate what the account accessed between the log's capture date and the reset. The stealer log's system information also identifies the infected device, which should be treated as compromised rather than simply cleaned.
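The credential logs described in the marketplace section and the domain matching described here can be automated with a small parser. The following is an example added by the editor, not code from the original article or from any vendor's monitoring service: the `passwords.txt`-style layout in `SAMPLE_LOG` is constructed to resemble the common key/value records found in stealer logs but is not any specific family's exact format, and the organisation's domain and tenant host names are invented.

```python
"""Parse stealer-log style credential records and flag those tied to an
organisation's own e-mail domains or tenant-specific SaaS hosts.
Example added by the editor; layout, domains and hosts are constructed."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: four records in the usual "Key: value" layout with separators.
SAMPLE_LOG = """\
URL: https://login.microsoftonline.com/
Username: jdoe@corp.example
Password: Winter2026!
Application: Google Chrome
==================
URL: https://corp-example.slack.com/
Username: j.doe
Password: hunter2
Application: Microsoft Edge
==================
URL: https://www.netflix.com/login
Username: jdoe.personal@gmail.example
Password: P@ss
Application: Google Chrome
==================
URL: https://github.com/login
USER: jdoe-corp
PASS: ghp_not_a_real_token
"""

# Stealer families label the same fields differently; map the variants onto one name.
FIELD_ALIASES = {
    "url": "url", "host": "url", "website": "url",
    "username": "username", "user": "username", "login": "username",
    "password": "password", "pass": "password",
    "application": "application", "browser": "application",
}


def parse_records(text):
    """Split on separator/blank lines and return a list of dicts with canonical keys."""
    records, current = [], {}
    for line in text.splitlines():
        if re.fullmatch(r"\s*(=+|-+|\*+)?\s*", line):  # separator line or blank
            if current:
                records.append(current)
                current = {}
            continue
        m = re.match(r"\s*([A-Za-z ]+?)\s*:\s*(.*)$", line)
        if not m:
            continue  # unrecognised line; stealer logs contain plenty of noise
        key = FIELD_ALIASES.get(m.group(1).strip().lower())
        if key:
            current[key] = m.group(2).strip()
    if current:
        records.append(current)
    return records


def match_organisation(records, org_domains, saas_hosts):
    """Return records that reference the organisation, keyed by the reason they matched.

    org_domains: e-mail domains the organisation owns (matched on the username).
    saas_hosts:  tenant-specific hosts such as <tenant>.slack.com (matched on the URL).
    """
    hits = defaultdict(list)
    for rec in records:
        user = rec.get("username", "").lower()
        host = (urlsplit(rec.get("url", "")).hostname or "").lower()
        user_domain = user.rsplit("@", 1)[1] if "@" in user else ""
        if user_domain in org_domains:
            hits["corporate_email"].append(rec)
        elif host in saas_hosts:
            hits["tenant_host"].append(rec)
    return hits


def summarise(text, org_domains, saas_hosts):
    """Usernames to reset/revoke, grouped by match reason (passwords never leave this function)."""
    hits = match_organisation(parse_records(text), org_domains, saas_hosts)
    return {reason: sorted(r["username"] for r in recs) for reason, recs in hits.items()}


if __name__ == "__main__":
    print(summarise(SAMPLE_LOG, {"corp.example"}, {"corp-example.slack.com"}))
```

Matching on the username's e-mail domain catches corporate accounts used on any site, while matching on tenant hosts catches accounts such as the Slack login above whose username carries no domain at all; a real feed would also carry the log's capture date and infected hostname, which drive the response described above.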
Identity Threat Detection
Because stolen credentials are frequently used to access enterprise systems, organisations must implement robust identity monitoring capabilities.
This includes analysing authentication activity across cloud platforms and identifying unusual login patterns.
Indicators such as unexpected geographic access, abnormal device fingerprints, unusual login times, or the same session token being presented from a second IP address or user agent may signal the use of compromised credentials. Because a replayed cookie skips the login flow entirely, detection has to look at the session's activity, not only at authentication events.
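The three indicators named above can be checked over sign-in telemetry with the logic below. This is an example added by the editor, not the article's or any identity provider's detection code: the event schema, users, IP addresses, coordinates and device names in `EVENTS` are constructed, and the 900 km/h threshold is an assumption chosen to be just above airliner speed.

```python
"""Impossible travel, unfamiliar device and session-token reuse detection over
constructed sign-in events.  Example added by the editor; schema is invented."""
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Constructed events: who, when (UTC), from where, on what device, with which session id.
EVENTS = [
    {"user": "jdoe@corp.example", "ts": "2026-03-20T08:02:00Z", "ip": "203.0.113.10",
     "lat": 51.50, "lon": -0.12, "device": "LAPTOP-JD01", "session": "s-111"},
    {"user": "jdoe@corp.example", "ts": "2026-03-20T09:15:00Z", "ip": "203.0.113.10",
     "lat": 51.50, "lon": -0.12, "device": "LAPTOP-JD01", "session": "s-111"},
    # The same session id shows up 40 minutes later from Sao Paulo on an unseen device:
    # a replayed cookie, since no fresh login produced it.
    {"user": "jdoe@corp.example", "ts": "2026-03-20T09:55:00Z", "ip": "198.51.100.7",
     "lat": -23.55, "lon": -46.63, "device": "DESKTOP-9Z3K", "session": "s-111"},
    {"user": "asmith@corp.example", "ts": "2026-03-20T10:00:00Z", "ip": "203.0.113.22",
     "lat": 51.50, "lon": -0.12, "device": "LAPTOP-AS02", "session": "s-222"},
]

# Devices previously enrolled per user (constructed baseline).
KNOWN_DEVICES = {"jdoe@corp.example": {"LAPTOP-JD01"}, "asmith@corp.example": {"LAPTOP-AS02"}}
MAX_PLAUSIBLE_KMH = 900.0  # assumption: faster than an airliner means two different actors


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect(events, known_devices):
    """Return (rule, user, detail) alerts; events are evaluated per user in time order."""
    alerts = []
    by_user = {}
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        by_user.setdefault(ev["user"], []).append(ev)
    for user, evs in by_user.items():
        seen_devices = set(known_devices.get(user, ()))
        session_ips = {}
        prev = None
        for ev in evs:
            if ev["device"] not in seen_devices:
                alerts.append(("new_device", user, ev["device"]))
                seen_devices.add(ev["device"])
            if prev is not None:
                hours = (parse_ts(ev["ts"]) - parse_ts(prev["ts"])).total_seconds() / 3600
                km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
                # Guard against divide-by-zero on simultaneous events from one place.
                if km > 10 and (hours <= 0 or km / hours > MAX_PLAUSIBLE_KMH):
                    alerts.append(("impossible_travel", user, f"{km:.0f} km in {hours:.2f} h"))
            ips = session_ips.setdefault(ev["session"], set())
            ips.add(ev["ip"])
            if len(ips) > 1:
                alerts.append(("session_reuse", user, f"{ev['session']} from {sorted(ips)}"))
            prev = ev
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS, KNOWN_DEVICES):
        print(alert)
```

The session-reuse rule is the one that matters most for infostealer victims: the stolen cookie never generates a login event, so the first trace of the intruder is an existing session id arriving from a network the legitimate user never used. In production the IP-to-coordinate step would come from a geolocation source and the device baseline from the endpoint management system.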
Endpoint Security
Preventing infostealer infections remains a critical defensive measure.
Endpoint security solutions should detect and block malware attempting to harvest browser data or system credentials; a reliable signal is a process other than the browser itself opening the browser's password database, cookie store or the key file that protects them.
Regular patching, application control policies, and user awareness training also help reduce the risk of infection.
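The file-access signal mentioned above can be expressed as detection logic over endpoint telemetry. The block below is an example added by the editor, not the article's or any EDR vendor's rule: the event tuples in `EVENTS` are constructed, the process names `update.exe` and the like are invented, and the store paths are the well-known Chrome, Edge and Firefox profile locations on Windows.

```python
"""Flag non-browser processes that open browser credential stores, over
constructed EDR-style file-open events.  Example added by the editor;
event layout and process names are illustrative, not a vendor schema."""
import re

# Credential stores each browser keeps on disk, paired with the image allowed to read them.
# For Chromium browsers, "Local State" holds the DPAPI-wrapped key that decrypts the others.
CHROMIUM_FILES = r"(Local State|.*\\(Login Data|Cookies|Network\\Cookies|Web Data))$"
STORE_PATTERNS = [
    (re.compile(r"\\Google\\Chrome\\User Data\\" + CHROMIUM_FILES, re.I), {"chrome.exe"}),
    (re.compile(r"\\Microsoft\\Edge\\User Data\\" + CHROMIUM_FILES, re.I), {"msedge.exe"}),
    (re.compile(r"\\Mozilla\\Firefox\\Profiles\\.*\\(logins\.json|key4\.db|cookies\.sqlite)$",
                re.I), {"firefox.exe"}),
]

# Constructed events: (process image name, file path opened, access type).
EVENTS = [
    ("chrome.exe", r"C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Default\Login Data", "read"),
    ("update.exe", r"C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Default\Login Data", "read"),
    ("update.exe", r"C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Local State", "read"),
    ("update.exe", r"C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies", "read"),
    ("powershell.exe", r"C:\Users\jdoe\AppData\Roaming\Mozilla\Firefox\Profiles\abc123.default\logins.json", "read"),
    ("msedge.exe", r"C:\Users\jdoe\AppData\Local\Microsoft\Edge\User Data\Default\Web Data", "read"),
    ("notepad.exe", r"C:\Users\jdoe\Documents\notes.txt", "read"),
]


def classify(event):
    """Return (process, path) when a store is opened by something other than its browser."""
    proc, path, _access = event
    for pattern, allowed in STORE_PATTERNS:
        if pattern.search(path):
            return None if proc.lower() in allowed else (proc, path)
    return None  # not a credential store at all


def detect(events):
    """Group suspicious opens by process and score them.

    A single process reading both the key material ("Local State") and a
    credential database is the classic decrypt-and-dump sequence, so it is
    rated higher than a lone read of one store.
    """
    findings = {}
    for ev in events:
        hit = classify(ev)
        if hit:
            findings.setdefault(hit[0], []).append(hit[1])
    scored = {}
    for proc, paths in findings.items():
        names = {p.rsplit("\\", 1)[-1].lower() for p in paths}
        key_and_store = "local state" in names and bool({"login data", "cookies", "web data"} & names)
        scored[proc] = {"paths": paths, "severity": "high" if key_and_store else "medium"}
    return scored


if __name__ == "__main__":
    for proc, info in detect(EVENTS).items():
        print(proc, info["severity"], len(info["paths"]), "store file(s)")
```

Some stealers copy the database elsewhere before reading it, and backup agents or legitimate tooling occasionally touch these paths, so a real rule should also watch for file copies of the same names and carry an allowlist of known-good images beyond the browser itself.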
Credential Rotation Policies
Even when credentials are compromised, effective rotation policies can limit the damage.
Organisations should enforce strong password policies and encourage the use of password managers to reduce reuse across services, preferably a dedicated manager whose vault locks when idle rather than the browser's built-in store, which is the stealers' primary target.
Where possible, credentials should be rotated automatically or replaced with phishing-resistant, device-bound authentication such as FIDO2 passkeys. Because a stolen session cookie sidesteps the login altogether, rotation must also cover sessions: shorten token lifetimes and invalidate every existing session whenever a password is changed or a compromise is suspected.
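The cookie-replay behaviour described under "Session Cookies" and the session-revocation point made here can be seen in a toy identity provider. The following is an example added by the editor, not code from the article or from any real identity platform: `IdentityProvider`, its method names and the user account are invented, and the session store is in memory with a 30-day cookie lifetime assumed to stand in for a typical "remember me" setting.

```python
"""Why a stolen session cookie sidesteps MFA, and why a password reset alone
does not evict the attacker.  Example added by the editor; all names are
hypothetical and the server key is generated per run for the demo."""
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # demo only; a real IdP keeps this in an HSM or KMS
COOKIE_LIFETIME = 30 * 86400          # assumed "remember me" lifetime in seconds


class IdentityProvider:
    """Toy IdP: password and MFA are checked once at login, then the cookie is the session."""

    def __init__(self):
        self.users = {}     # username -> {"password": str, "session_epoch": int}
        self.sessions = {}  # session id -> {"user": str, "epoch": int, "expires": float}

    def register(self, user, password):
        self.users[user] = {"password": password, "session_epoch": 0}

    def login(self, user, password, mfa_ok):
        """Password plus MFA produce a MAC-signed cookie; no further prompts while it lives."""
        u = self.users.get(user)
        if not u or not hmac.compare_digest(u["password"], password) or not mfa_ok:
            return None
        sid = secrets.token_urlsafe(24)
        self.sessions[sid] = {"user": user, "epoch": u["session_epoch"],
                              "expires": time.time() + COOKIE_LIFETIME}
        tag = hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()
        return f"{sid}.{tag}"

    def whoami(self, cookie):
        """What the application sees on a request carrying the cookie: no password, no MFA."""
        try:
            sid, tag = cookie.split(".", 1)
        except ValueError:
            return None
        expected = hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            return None
        s = self.sessions.get(sid)
        if not s or s["expires"] < time.time():
            return None
        if s["epoch"] != self.users[s["user"]]["session_epoch"]:
            return None  # issued before the last revocation, so no longer valid
        return s["user"]

    def reset_password_only(self, user, new_password):
        """Weak response: the secret changes, but every issued cookie keeps working."""
        self.users[user]["password"] = new_password

    def reset_password_and_revoke(self, user, new_password):
        """Hardened response: bump the epoch so every session issued so far is dead."""
        self.users[user]["password"] = new_password
        self.users[user]["session_epoch"] += 1


def demo():
    """Walk through theft, replay, a weak reset and a proper reset; return what happened."""
    idp = IdentityProvider()
    idp.register("jdoe@corp.example", "Winter2026!")
    cookie = idp.login("jdoe@corp.example", "Winter2026!", mfa_ok=True)
    stolen = cookie  # exfiltrated from the browser's cookie store by the stealer
    results = {}
    results["replay_works"] = idp.whoami(stolen) == "jdoe@corp.example"
    idp.reset_password_only("jdoe@corp.example", "Spring2026!")
    results["replay_after_reset_only"] = idp.whoami(stolen) == "jdoe@corp.example"
    idp.reset_password_and_revoke("jdoe@corp.example", "Summer2026!")
    results["replay_after_revoke"] = idp.whoami(stolen) == "jdoe@corp.example"
    # A stolen password on its own is stopped by MFA; only the cookie bypassed it.
    results["password_without_mfa"] = idp.login("jdoe@corp.example", "Summer2026!", mfa_ok=False) is None
    return results


if __name__ == "__main__":
    print(demo())
```

The per-user `session_epoch` is a cheap way to implement "sign out everywhere": sessions record the epoch at issue time and are rejected once the user's epoch moves on, so revocation costs one integer increment rather than a scan of the session table.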
The Hidden Origin of Modern Breaches
Many high-profile cyber incidents appear to occur suddenly.
A company may discover that attackers have accessed sensitive data, deployed ransomware, or infiltrated internal systems.
However, in many cases the initial compromise occurred long before the attack was detected.
Infostealer malware may have harvested credentials from an employee’s personal device months earlier.
Those credentials may then have circulated through underground markets before eventually being purchased by attackers.
By the time the breach occurs, the initial credential theft may be far removed from the final intrusion.
This delayed attack chain makes detection particularly difficult.
Organisations may struggle to identify the origin of the compromise because the initial infection occurred outside the corporate network.
Closing Insight
Infostealers rarely generate the same headlines as ransomware attacks or large-scale data breaches.
Yet they play a central role in powering the modern cybercrime ecosystem.

By harvesting credentials from millions of infected devices, infostealer malware provides attackers with ready-made access to corporate systems.
These credentials circulate through underground markets where they are traded, purchased, and ultimately used to infiltrate organisations.
In this sense, infostealers represent the hidden engine driving many cyber attacks.
The breach itself may occur months later, but the real compromise often begins much earlier — at the moment credentials are first stolen.
For organisations seeking to strengthen their cybersecurity posture, recognising the role of the infostealer economy is essential.
Because in modern cybercrime, the attack often begins long before anyone realises it has started.
Ready to strengthen your security posture? Contact us today for more information on protecting your business.