Infostealer

An infostealer is a category of malware specialized in extracting credentials, cryptocurrency wallets, browser cookies, autofill data, and stored sessions from infected devices. Names: RedLine, Raccoon, Vidar, Lumma, Rhadamanthys, StealC. Sold as malware-as-a-service on cybercrime forums for $100 to $500 per month per operator. The dominant initial-access tool of the 2024-26 cybercrime economy, responsible for the majority of credential-related compromises documented in current incident reports.

What it means in practice

The infestation typically starts with a malicious download (cracked software, fake software updates, malicious GitHub releases impersonating popular tools, infected video tutorials). The malware runs once, extracts everything in 30 to 120 seconds (browser cookies including active sessions, password manager exports if accessible, crypto wallet files, Steam and Discord tokens, FTP and SSH credentials), exfiltrates to the operator’s command-and-control server, and often deletes itself. The user notices nothing. Days or weeks later, the credentials get sold in bulk on cybercrime forums and the buyers monetize through ATO. The 2024 Snowflake-customer cascade started with infostealer-harvested credentials of customer admins; the downstream damage to Ticketmaster, AT&T, Santander, and dozens of others ran into hundreds of millions of records.

Who is targeted, and by whom

Targets: anyone running unverified software downloads, anyone who clicked a malicious GitHub release or YouTube tutorial link, anyone whose family member did. The infection vector is opportunistic, not targeted; the value of the infection is determined later when the credentials get sold. Operators: organized cybercrime crews running infostealer-as-a-service platforms, bulk-credential brokers buying the output and reselling, and the downstream ATO crews monetizing the bought credentials. The defensive shift: hardware-key 2FA structurally defeats the cookie-theft path because session cookies tied to FIDO2 authentication do not transfer to the attacker’s machine usefully; the cryptographic binding requires the original key.

What you can change today

Three actions. First, do not run cracked software, do not download from unofficial sources, verify GitHub releases via the project’s published GPG signatures or release pages. Second, hardware-key 2FA on the keystone accounts (primary email, password manager, financial, code repositories) so cookie theft is not enough to compromise the account; the attacker still needs the physical key. Third, run a reputable EDR or AV (Microsoft Defender on Windows is reasonable, Malwarebytes for additional coverage, ClamAV on Linux) and audit it monthly. For browser hygiene: do not save passwords in the browser if you can avoid it (use a password manager instead); browser-saved credentials are the lowest-friction infostealer target.