Here is the scenario I see most often in incident response work: a business owner contacts me a week after discovering their Microsoft 365 account was accessed from an IP address in Eastern Europe. They had MFA enabled. They hadn't clicked anything suspicious. The password was unique. Nobody else had their credentials. And yet, someone logged in — and it worked.

The explanation, in almost every case, is an infostealer. Not a brute-force attack. Not a phishing page. A piece of malware that ran silently on one of their machines — for anywhere from a few minutes to a few weeks — harvested every stored credential, every active browser session, and every authentication cookie, then transmitted the entire package to a criminal marketplace before quietly self-destructing.

The session cookie is what matters. An authentication cookie is the proof your browser holds after you log in — the token your bank, your email provider, your Microsoft 365 tenancy uses to confirm "this is already authenticated, let them through." An infostealer that captures this cookie allows an attacker to replay it in their own browser and walk straight into your account as if they were already authenticated. MFA was satisfied when you logged in. The attacker doesn't need to satisfy it again. They just import the cookie and they're in.

~$10: average price of a stealer log with active credentials on dark web markets
<60s: time for a modern infostealer to harvest and exfiltrate a full machine profile
Growth in infostealer deployment incidents between 2023 and 2025
0: files written to disk by some memory-only variants — nothing for AV to scan

What Infostealers Actually Take

The name "infostealer" undersells the scope. These are not tools that grab a password or two. A single execution on an infected machine produces a comprehensive dossier of everything the device has ever touched — typically packaged into a compressed archive and transmitted within seconds of infection.

Saved Browser Passwords: every username and password stored in Chrome, Edge, Firefox, Brave, and Opera — including passwords saved months or years ago that the user has long forgotten.

Session Cookies: active authentication tokens for every site currently or recently logged into. Importing these into an attacker's browser bypasses login and MFA entirely — the session is already authenticated.

Autofill Data: credit card numbers, CVVs, expiry dates, billing addresses, names — everything saved in browser autofill. Often includes multiple cards and years of transaction history if the browser syncs with a payment profile.

Email & Messaging Clients: credentials and message history from Outlook, Thunderbird, Telegram, Signal desktop, Discord, and WhatsApp Web. Session tokens for messaging platforms enable account takeover without re-authentication.

Crypto Wallets: wallet files, seed phrases, and extension data from MetaMask, Exodus, Electrum, Coinbase Wallet, and 20+ other wallet applications. A stolen seed phrase = permanent loss of all funds.

System Intelligence: machine name, OS version, installed software, hardware specs, running processes, network interfaces, and a screenshot taken at time of infection. Used to assess value and identify additional attack paths.

VPN & RDP Credentials: saved credentials from VPN clients (Cisco AnyConnect, FortiClient, OpenVPN), RDP connection files, and SSH private keys. Direct corporate network access, handed to the attacker on a platter.

Targeted File Grab: many stealers also scan the Desktop, Documents, and Downloads folders for files matching patterns like *password*, *invoice*, *.kdbx (KeePass), and common financial file types.

THE SESSION COOKIE PROBLEM BREAKS YOUR MFA MODEL

Multi-factor authentication protects the login event. Once you've authenticated — once you've typed your password and approved the MFA prompt — your browser receives a session cookie that proves you're logged in. This cookie is what an infostealer steals. The attacker doesn't try to log in through the front door. They import your cookie and skip the login entirely. They are already inside. MFA was never asked. This is not a flaw in MFA — it is a fundamental characteristic of how web sessions work. The only defences against cookie theft are preventing the infostealer from running in the first place, and limiting session lifetime.
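To make the box above concrete, here is an added toy model of a server-side session check (not code from this post, and not Entra ID's implementation): a cookie issued after password plus MFA is honoured until an absolute lifetime expires, and a change of sign-in context revokes it until MFA is redone, the two mitigations named above and in control 02 below. The token layout, the eight-hour lifetime and the "country" attribute are assumptions.

```python
"""Toy model of server-side session policy (not Entra ID's implementation): a cookie
issued after password + MFA is honoured until an absolute lifetime expires, and a
change in sign-in context revokes it until MFA is redone. Lifetimes, the token layout
and the 'country' attribute are assumptions made for this example."""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta

SECRET = secrets.token_bytes(32)        # server-side key; the cookie carries a MAC, not the key
MAX_LIFETIME = timedelta(hours=8)       # absolute lifetime, the figure suggested in control 02
SESSIONS = {}                           # session id -> record (server side, never in the cookie)


def _mac(session_id):
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def login(user, country, now):
    """Runs only after password and MFA both succeed; returns the cookie value."""
    sid = secrets.token_urlsafe(24)
    SESSIONS[sid] = {"user": user, "issued": now, "country": country, "mfa_ok": True}
    return f"{sid}.{_mac(sid)}"


def check(cookie, country, now):
    """Decide whether a presented cookie is honoured. Returns (decision, user) where
    decision is 'allow', 'invalid', 'expired' or 'reauth_required'."""
    try:
        sid, mac = cookie.split(".", 1)
    except ValueError:
        return "invalid", None
    rec = SESSIONS.get(sid)
    if rec is None or not hmac.compare_digest(mac, _mac(sid)):
        return "invalid", None
    if now - rec["issued"] > MAX_LIFETIME:
        SESSIONS.pop(sid)               # lifetime is the backstop: the cookie is now worthless
        return "expired", None
    # Continuous-evaluation stand-in: a context change (here, country) revokes the
    # authenticated state until MFA is completed again with a physical key or app.
    if country != rec["country"]:
        rec["mfa_ok"] = False
    if not rec["mfa_ok"]:
        return "reauth_required", rec["user"]
    return "allow", rec["user"]


def replay_scenario():
    """Walk the post's timeline. Victim logs in at T0; the cookie is stolen; it is
    replayed at T+4h, first from a matching context, then from a new country; then at
    T+9h. Returns the four decisions in that order."""
    t0 = datetime(2025, 3, 3, 9, 0)
    cookie = login("ann@practice.example", "ZA", t0)
    victim = check(cookie, "ZA", t0 + timedelta(minutes=30))[0]
    # A replay that looks exactly like the victim is indistinguishable while the cookie
    # is valid: MFA is never asked. Only the lifetime bounds this window.
    replay_same_context = check(cookie, "ZA", t0 + timedelta(hours=4))[0]
    # A replay from a different country trips the re-evaluation and needs fresh MFA.
    replay_new_country = check(cookie, "NL", t0 + timedelta(hours=4, minutes=1))[0]
    # Past the eight-hour lifetime, the stolen cookie is dead regardless of context.
    replay_after_lifetime = check(cookie, "NL", t0 + timedelta(hours=9))[0]
    return victim, replay_same_context, replay_new_country, replay_after_lifetime


if __name__ == "__main__":
    print(replay_scenario())   # ('allow', 'allow', 'reauth_required', 'expired')
```

The second result is the whole problem in one line: while the cookie is within its lifetime and the context matches, the replay is accepted without MFA, which is why lifetime and re-evaluation are the only levers.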

The Major Infostealer Families — Active in 2025–2026

The infostealer landscape operates as a mature, competitive software market. Developers maintain their malware, release updates, offer customer support to criminal subscribers, and compete on features and price. These are the dominant families currently active in the wild.

Lumma Stealer (HIGHEST VOLUME)
MaaS · Active 2022–Present · Dominant in 2025–2026

Lumma Stealer (also known as LummaC2) is currently the single most prolific infostealer in deployment globally, accounting for a significant share of all credential theft incidents in 2025. It operates as a Malware-as-a-Service — criminals subscribe to it on a tiered plan starting at around $250/month — and its developers maintain it actively, releasing updates that break security vendor signatures within days of detection.

Lumma's distinguishing capability is its advanced anti-analysis engine. It detects virtual machine environments and automated sandbox analysis, changing its behaviour to appear benign when it suspects it's being examined. It uses domain generation algorithms to create new C2 infrastructure continuously, making blocklists ineffective. Its most recent versions use legitimate cloud services — including Steam user profiles and Telegram channels — as C2 channels, making traffic indistinguishable from normal user behaviour.

Lumma targets 50+ browsers, all major cryptocurrency wallets, and specifically hunts for two-factor authenticator databases. If your team member has their 2FA TOTP seeds stored in a desktop authenticator app, Lumma will harvest those too — giving the attacker not just your current session cookie but the ability to generate valid future MFA codes.

Tags: anti-VM / anti-sandbox · most active 2025–26 · uses Steam/Telegram as C2 · steals 2FA TOTP seeds · from $250/month MaaS

RedLine Stealer (MOST WIDESPREAD)
MaaS · Active 2020–Present · Widely distributed

RedLine is the most widely distributed infostealer by sheer volume of unique samples in circulation — a consequence of its low entry price (from around $100/month) and its years-long availability on criminal forums. It lacks Lumma's sophisticated evasion but compensates with ubiquity: it appears in phishing campaigns, malvertising, fake software downloads, and YouTube comment spam at a scale that other families cannot match.

RedLine is particularly prevalent in campaigns targeting gaming communities — fake cheat software, cracked game downloads, and "free V-Bucks" generators — which matters because those same machines are often also used for work. A staff member who installs cracked software on the same machine they use to access your practice management system or accounting platform has handed attackers access to both.

Tags: most distributed globally · gaming/cracked software vector · low entry cost, widely accessible · constant new variants

Vidar Stealer (DOCUMENT-FOCUSED)
MaaS · Active 2018–Present · Sold on Russian-language forums

Vidar is a descendant of the Arkei stealer codebase and is particularly notable for its targeted file exfiltration capabilities. Beyond credentials and cookies, Vidar actively hunts for documents matching financial and professional patterns — tax documents, invoices, contracts, and password manager database files. For a professional practice this is acutely dangerous: Vidar specifically targets KeePass (.kdbx), LastPass, and 1Password vault files, as well as Bitwarden local exports. A stolen password manager database potentially yields hundreds of credentials in a single operation.

Vidar uses Telegram channels and Mastodon profiles as part of its C2 infrastructure — legitimate social platforms that most corporate firewalls will never block, making outbound communication invisible to most perimeter security tools.

Tags: hunts financial documents · targets password manager databases · Telegram C2 bypasses firewalls

StealC (SMALLEST FOOTPRINT)
MaaS · Active 2023–Present · Lightweight & modular

StealC emerged in 2023 as a lightweight, modular alternative marketed explicitly on its small binary size and low detection rate. Its developers advertise it as "under 200KB" — small enough to be embedded in macros, email attachments, and drive-by download payloads without triggering size-based heuristics. It is modular: operators select only the data collection components they need, further reducing the malware's signature footprint.

StealC is heavily used in ClickFix campaigns — a 2024–2025 attack technique where users are tricked into running malicious PowerShell commands that they paste directly into their own Run dialog or terminal, believing they are fixing a technical problem on a webpage. No file is written to disk in the initial stage. The user executes the payload themselves. This technique completely bypasses execution prevention controls.

Tags: under 200KB, low AV detection · modular, minimal signature · used in ClickFix campaigns

Meduza / Raccoon V2 / Atomic (CROSS-PLATFORM)
Multiple actors · macOS and Windows variants emerging

This group represents the newer generation of stealers: cross-platform capability is the defining feature. Atomic Stealer (AMOS) specifically targets macOS — a platform whose users have historically underestimated their exposure, often believing Macs don't get malware. Atomic targets macOS Keychain (where Safari, Mail, and system credentials are stored), Chrome and Firefox on macOS, and MetaMask and other crypto extensions on Safari.

Meduza Stealer targets Windows and focuses heavily on corporate credential theft — RDP credentials, VPN configs, and network-attached storage access — making it particularly dangerous for small businesses where one machine often holds credentials to everything else. Raccoon V2, the successor to the original Raccoon Stealer, rebuilt itself after its original developers were arrested in 2022 and is again active with an updated evasion engine.

Tags: Atomic targets macOS Keychain · Meduza focuses on RDP/VPN · Raccoon V2 rebuilt after arrests · cross-platform coverage

How Infostealers Reach Your Machines

Infostealers don't compromise infrastructure — they compromise people. Every entry path exploits a human behaviour that is entirely normal and entirely reasonable in isolation.

Path 1: Phishing & Malicious Attachments

An email arrives with an attachment — a PDF, a Word document with an "enable macros to view" prompt, an ISO or ZIP file containing an executable. The email may be from a spoofed supplier, a fake courier notification, or a convincing SARS communication. One click runs the payload. Modern stealers delivered via phishing execute entirely in memory via PowerShell or WMIC — no file written to disk, no antivirus scan, running and gone within 45 seconds.

Path 2: Malvertising — Poisoned Google & Bing Ads

In 2024 and 2025, malvertising became the single fastest-growing delivery vector for infostealers. Attackers buy Google or Bing search ads that appear above legitimate results for searches like "download Notepad++", "Adobe Acrobat free", "AnyDesk download". The ad link goes to a convincing clone of the real download page. The "installer" packages the legitimate software alongside the stealer payload, so the install appears to work. The user gets Notepad++. The attacker gets everything on the machine. This requires no phishing email and no suspicious behaviour from the user.

Path 3: Cracked Software & Torrent Sites

Pirated software, cracked games, and "free" versions of commercial applications are one of the most consistent infostealer delivery mechanisms. The cracked installer is real — the software works — but the package includes a bundled stealer. Staff who install pirated software on machines that also access your network or cloud services are bridging the gap between a personal compromise and a business one. RedLine's dominance in gaming communities makes this particularly relevant for any business where staff work from personal machines or use work machines for personal activity.

Path 4: ClickFix — "Paste This to Fix the Problem"

ClickFix is a social engineering technique that emerged in 2024 and spread rapidly through 2025. The user visits a website — sometimes a legitimate site that has been compromised, sometimes a purpose-built fake — that displays an error: "Your browser needs updating," or "This document could not be displayed — paste the following command to fix it." A PowerShell or CMD command is pre-populated in a copyable text box. The user pastes it into their Windows Run dialog or terminal. The command downloads and executes the infostealer. The user executed the payload themselves. No file execution was triggered automatically. No browser protection was bypassed. The user did it.

Path 5: YouTube, GitHub & SEO Poisoning

Attackers publish tutorial videos with download links in the description — "Free Photoshop alternative 2025 — link below." The link goes to a GitHub repository or Google Drive containing a stealer-bundled archive. GitHub's reputation as a legitimate development platform means most security tools don't flag its download links. SEO poisoning creates fake software documentation sites that rank highly for searches like "[software name] free download" — the exact queries staff type when they need a tool. The result looks professional, the download works, and the machine is now compromised.

The Stealer Log Ecosystem — Where Your Data Goes After Theft

An infostealer does not use your credentials directly. The criminal who deployed it sells them. This is the stealer log market — one of the most active segments of the cybercriminal economy — and understanding it matters because it explains why a compromise from months ago can result in an account takeover today.

ILLUSTRATIVE: dark web stealer log market listing format. Fictional data, real market structure.

DOMAIN / TARGET                                    | SAVED CREDS | ACTIVE COOKIES | CRYPTO      | PRICE
gmail.com · outlook.com · paypal.com               | 47 logins   | 12 active      | -           | $8
practicename.co.za · medicalsoft.com · sars.gov.za | 23 logins   | 5 active       | -           | $14
binance.com · metamask · coinbase.com              | 8 logins    | 3 active       | Seed phrase | $220
Corporate VPN + RDP + Office 365 tenant            | 15 logins   | 8 active       | -           | $45

The major platforms — Russian Market and 2easy.shop — operate with searchable catalogues. Buyers filter by domain, country, number of active cookies, and whether specific services are present. Your business's credentials appear in these searches. Buyers don't need to know who you are — they search for logs containing your practice management software domain, your accountant's platform, your Microsoft 365 tenancy — and your staff member's stolen log appears in the results.

The critical detail about session cookies: market listings include a freshness indicator. Cookies have expiry times. Buyers seek recent logs — logs where the authentication cookies haven't yet expired and can still be replayed to access the account. This is why the time between infection and account takeover can be as short as hours. The attacker buys a fresh log, imports the cookies, and they're in before your IT team has seen any alert.

WHAT "CORPORATE ACCESS" LISTINGS MEAN FOR SMALL BUSINESSES

Some logs are specifically marketed as "corporate access" — meaning they contain credentials and active sessions for internal business systems, not just consumer platforms. These command premium prices. A log with an active Microsoft 365 session for an account that has Global Administrator privileges in a small business tenancy can sell for hundreds of dollars because it gives the buyer direct access to the entire organisation's email, files, and user management — and from there, to ransomware deployment.

What Infection Actually Looks Like — Nothing

This is the part that makes infostealers so dangerous in a small business environment. There is typically nothing to notice. Here is what the infection sequence looks like from the infected user's perspective:

INFECTION TIMELINE — USER EXPERIENCE vs WHAT'S ACTUALLY HAPPENING
// T+00:00 — User clicks link in email / downloads installer
USER SEES: Nothing unusual. File downloads normally.
BACKGROUND: Stealer payload extracted from archive, loaded into memory via PowerShell

// T+00:04 — Execution begins
USER SEES: Installer appears to run. Progress bar. Software installs correctly.
BACKGROUND: Stealer enumerating browser profiles, wallet files, VPN configs, running processes

// T+00:18 — Data collection complete
USER SEES: "Installation complete." Software opens. Looks fine.
BACKGROUND: 254 passwords, 89 cookies, 3 crypto wallets compressed into 4.2MB archive

// T+00:31 — Exfiltration
USER SEES: Nothing. Minor network blip. Imperceptible.
BACKGROUND: Archive transmitted to attacker C2 via HTTPS (looks like normal web traffic)

// T+00:47 — Cleanup
USER SEES: Nothing. Machine operates completely normally thereafter.
BACKGROUND: Stealer deletes all traces. No process. No file. No registry entry. Gone.

// T+04:00 — Attacker imports session cookies
USER SEES: Nothing. Still no awareness anything happened.
BACKGROUND: Attacker browsing Microsoft 365 as the user, from a datacenter IP in the Netherlands

There are no error messages. No slowdown. No pop-ups. No unusual behaviour. The machine works perfectly. The user has no reason to suspect anything happened. Without active endpoint detection and response monitoring, this attack is completely invisible from the business side — sometimes for days or weeks, until an account shows anomalous login activity or the attacker takes an action that triggers an alert somewhere downstream.
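The sequence above is what behavioural EDR correlates on. As an added example (not from this post, and not any vendor's rule), here is that correlation run over constructed process telemetry: a non-browser process that reads browser credential stores and then opens an outbound connection within two minutes is flagged. The event field names, file paths and IP addresses are assumptions.

```python
"""Toy behavioural correlation: a non-browser process that reads a browser credential
store and then opens an outbound connection within a short window is flagged.
The event records and field names below are constructed for this example and are
not any EDR vendor's schema."""
from collections import defaultdict
from datetime import datetime, timedelta

# File names that hold saved passwords and cookies in the browsers the post lists.
CREDENTIAL_STORE_MARKERS = (
    "\\Login Data",        # Chrome / Edge / Brave / Opera saved passwords
    "\\Cookies",           # Chromium cookie database
    "\\cookies.sqlite",    # Firefox cookies
    "\\logins.json",       # Firefox saved logins
    "\\key4.db",           # Firefox key store
)
# Browsers legitimately read their own stores; anything else doing so is interesting.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}

CHROME = r"C:\Users\ann\AppData\Local\Google\Chrome\User Data\Default"
FIREFOX = r"C:\Users\ann\AppData\Roaming\Mozilla\Firefox\Profiles\x1.default"

# Constructed telemetry (IPs from documentation ranges). A real feed is far noisier.
SAMPLE_EVENTS = [
    {"ts": "2025-03-03T09:00:00", "pid": 4120, "image": "chrome.exe",
     "type": "file_read", "path": CHROME + r"\Login Data"},
    {"ts": "2025-03-03T09:00:02", "pid": 4120, "image": "chrome.exe",
     "type": "net_connect", "dst": "198.51.100.5:443"},
    {"ts": "2025-03-03T09:10:04", "pid": 7788, "image": "setup_notepadpp.exe",
     "type": "file_read", "path": CHROME + r"\Login Data"},
    {"ts": "2025-03-03T09:10:05", "pid": 7788, "image": "setup_notepadpp.exe",
     "type": "file_read", "path": CHROME + r"\Network\Cookies"},
    {"ts": "2025-03-03T09:10:06", "pid": 7788, "image": "setup_notepadpp.exe",
     "type": "file_read", "path": FIREFOX + r"\logins.json"},
    {"ts": "2025-03-03T09:10:31", "pid": 7788, "image": "setup_notepadpp.exe",
     "type": "net_connect", "dst": "203.0.113.77:443"},
    {"ts": "2025-03-03T09:12:00", "pid": 9001, "image": "backup.exe",
     "type": "net_connect", "dst": "198.51.100.20:443"},
]


def is_credential_store(path):
    return any(path.endswith(marker) for marker in CREDENTIAL_STORE_MARKERS)


def correlate(events, window_seconds=120):
    """Return one finding per process that read at least one credential store and then
    made an outbound connection within window_seconds of the first such read."""
    window = timedelta(seconds=window_seconds)
    first_read = {}             # pid -> time of first credential-store read
    stores = defaultdict(set)   # pid -> distinct store paths touched
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["image"].lower() in BROWSER_IMAGES:
            continue
        ts, pid = datetime.fromisoformat(ev["ts"]), ev["pid"]
        if ev["type"] == "file_read" and is_credential_store(ev["path"]):
            first_read.setdefault(pid, ts)
            stores[pid].add(ev["path"])
        elif ev["type"] == "net_connect" and pid in first_read:
            delay = ts - first_read.pop(pid)   # one finding per process
            if delay <= window:
                findings.append({"pid": pid, "image": ev["image"], "dst": ev["dst"],
                                 "stores": len(stores[pid]),
                                 "seconds_after_read": int(delay.total_seconds())})
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"SUSPICIOUS pid={f['pid']} {f['image']} read {f['stores']} credential "
              f"store(s), then connected to {f['dst']} {f['seconds_after_read']}s later")
```

Only the fake installer is flagged: the browser reading its own store and the backup tool connecting out without a prior credential read both pass, which is the point of correlating the two behaviours rather than alerting on either alone.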

Defence: What Actually Works Against Infostealers

Standard antivirus is not sufficient. Modern infostealers are specifically engineered to evade signature detection, run without writing files to disk, and execute and exit before heuristic engines can complete an analysis. This doesn't mean you're defenceless — it means the right controls are different from what most small businesses currently have.

01. Deploy Behavioural EDR — Not Just Antivirus

Signature-based antivirus cannot catch polymorphic or memory-only stealers — by design. Endpoint Detection and Response (EDR) tools monitor for suspicious behaviour rather than known file signatures: a process that reads browser credential stores and then initiates an outbound HTTPS connection is suspicious regardless of what the file is called or whether its signature is known. Microsoft Defender for Business (included in Microsoft 365 Business Premium) provides EDR capability at a price point accessible to small businesses. Enable it, configure it, and act on its alerts.

02. Shorten Session Lifetimes — Force Re-Authentication

The session cookie attack only works while the cookie is valid. In Microsoft Entra ID (formerly Azure AD), configure Conditional Access policies to set a maximum session lifetime — eight hours is a reasonable balance between security and usability for most businesses. Enable Continuous Access Evaluation, which revokes sessions in near-real-time when anomalous conditions are detected (impossible travel, new IP, flagged risk level). A stolen cookie from a session that expired six hours ago is worthless.

03. Use Hardware Security Keys or Passkeys for Critical Accounts

FIDO2 hardware security keys (YubiKey, Google Titan) and passkeys provide phishing-resistant MFA that is also largely resistant to session cookie attacks on supported platforms. The credential is cryptographically bound to the specific origin — even if an attacker captures a session cookie, re-authentication events require the physical key to be present. Implement this for admin accounts, finance accounts, and anyone with access to sensitive client or patient data as a priority.

04. Block Macro Execution in Microsoft Office

Office macros are a primary delivery vector for infostealers delivered via phishing attachments. In Microsoft 365, navigate to the Trust Center and disable macros for all documents from the internet. Use Group Policy or Intune to enforce this across all machines. If your business legitimately uses macros in specific internal documents, deploy a trusted publisher certificate for those files only. This eliminates one of the most consistent and effective initial access vectors with a single configuration change.

05. Enable Application Control — Only Approved Software Runs

Windows Defender Application Control (WDAC) or AppLocker allows you to specify which applications are permitted to execute on your machines. An infostealer dropped by a malicious installer cannot run if unsigned or unapproved executables are blocked. This is one of the most effective technical controls against nearly every malware category — it makes your machines inhospitable to any software you haven't explicitly permitted. It requires planning and initial configuration effort but dramatically raises the bar for every attack type.

06. Monitor for Impossible Travel and Anomalous Logins

Microsoft 365 and Google Workspace both provide sign-in audit logs. Enable alerts for logins from new countries, impossible travel (the same account logged in from Cape Town and the Netherlands within 2 hours), and logins at unusual hours. These anomalous access patterns are often the first — and sometimes only — observable indicator that stolen session cookies are being used. In Microsoft 365, configure Identity Protection risk policies to automatically require re-authentication when a risky sign-in is detected.

07. Enforce a No-Cracked-Software Policy — and Actually Verify It

A written policy is not enough. Audit installed software on business machines periodically — look for software that is commercially licensed but for which you have no purchase record. Tools like Microsoft Intune, PDQ Inventory, or even a simple PowerShell script can enumerate installed applications across your fleet. Any machine with unlicensed commercial software should be treated as potentially compromised and investigated. The combination of policy, awareness training explaining why this matters, and periodic audit is far more effective than policy alone.

08. Use a Password Manager — But Not the Browser

Browser-saved passwords are the first thing every infostealer harvests. Migrating all staff to a dedicated password manager — Bitwarden, 1Password, or KeePassXC with a remote database — keeps credentials out of the browser credential store that stealers target. This also prevents password reuse across personal and work accounts, which is how a personal compromise becomes a business one. Note that Vidar specifically hunts for KeePass and 1Password local database files — ensure your password manager vault is stored in a cloud-sync location that doesn't persist a local unencrypted copy on disk.
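As an added example for control 06 (not from this post), this runs the impossible-travel check over a constructed CSV of sign-ins: consecutive sign-ins by the same account whose implied travel speed exceeds what a flight could cover are flagged, with a note when the country also changed. The log columns, the city-to-coordinates lookup standing in for a geo-IP database, and the 900 km/h threshold are assumptions.

```python
"""Impossible-travel detection over constructed sign-in records. The CSV layout, the
coordinate lookup and the speed threshold are assumptions for this example; a real
feed (Entra sign-in logs, Workspace audit) supplies the location fields."""
import csv
import io
import math
from collections import defaultdict
from datetime import datetime

# Constructed sign-in log (IPs from documentation ranges, example.* identities).
SIGNIN_LOG = """\
time,user,ip,city,country
2025-03-03T08:02:00,ann@practice.example,198.51.100.10,Cape Town,ZA
2025-03-03T08:40:00,ann@practice.example,198.51.100.10,Cape Town,ZA
2025-03-03T10:15:00,ann@practice.example,203.0.113.50,Amsterdam,NL
2025-03-03T09:00:00,bob@practice.example,198.51.100.11,Cape Town,ZA
2025-03-03T13:30:00,bob@practice.example,198.51.100.99,Johannesburg,ZA
"""
GEO = {  # (lat, lon) in degrees; toy lookup standing in for a geo-IP database
    "Cape Town": (-33.93, 18.42),
    "Johannesburg": (-26.20, 28.05),
    "Amsterdam": (52.37, 4.90),
}
MAX_PLAUSIBLE_KMH = 900   # faster than a commercial flight means it is not one person


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def parse_signins(text):
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["time"] = datetime.fromisoformat(row["time"])
    return rows


def detect_impossible_travel(rows, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive sign-ins by the same user whose implied speed exceeds max_kmh.
    Sign-ins from the same location are skipped; a country change is recorded."""
    by_user = defaultdict(list)
    for row in rows:
        by_user[row["user"]].append(row)
    findings = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e["time"])
        for prev, cur in zip(events, events[1:]):
            km = haversine_km(GEO[prev["city"]], GEO[cur["city"]])
            if km == 0:
                continue
            hours = (cur["time"] - prev["time"]).total_seconds() / 3600
            speed = km / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                findings.append({
                    "user": user, "from": prev["city"], "to": cur["city"],
                    "km": round(km), "hours": round(hours, 2), "kmh": round(speed),
                    "new_country": prev["country"] != cur["country"], "ip": cur["ip"],
                })
    return findings


if __name__ == "__main__":
    for f in detect_impossible_travel(parse_signins(SIGNIN_LOG)):
        print(f"IMPOSSIBLE TRAVEL {f['user']}: {f['from']} -> {f['to']} "
              f"({f['km']} km in {f['hours']} h, {f['kmh']} km/h) from {f['ip']}"
              + (" [new country]" if f["new_country"] else ""))
```

Bob's Cape Town to Johannesburg sign-ins four and a half hours apart are not flagged; Ann's Amsterdam sign-in ninety-five minutes after a Cape Town one is, and that is the alert to wire to a forced re-authentication.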

The Uncomfortable Reality

Infostealers occupy an uncomfortable middle ground in the threat landscape: they're technically unsophisticated enough that commodity criminals run them at scale, but their attack technique — session cookie theft bypassing MFA — is sophisticated enough to defeat the control most businesses believe protects them. The result is that businesses with "good" security hygiene — unique passwords, MFA enabled on everything — still get compromised, because neither control addresses the actual attack vector.

The defences that work are behavioural EDR, session lifetime management, and making your machines inhospitable to unsigned code execution. These are not expensive. They are, however, more nuanced to configure than enabling MFA — which is probably why most small businesses haven't done them yet.

If you want to know whether your current endpoint configuration would catch an infostealer deployment, Greyhat4Hire can test it. We run controlled infostealer simulations as part of our endpoint security assessments — the kind that show you exactly how far a real stealer would get before anything triggered an alert. Usually the answer is instructive.

Dr David Sykes
Dentist · Penetration Tester · Founder, Greyhat4Hire · South Africa

Dr Sykes runs a dental practice and a cybersecurity consultancy. His focus is translating enterprise threat intelligence into practical security for South African small businesses that the mainstream industry consistently underserves.