An infostealer (or stealer) is a type of malware designed to steal credentials, session cookies, autofill data, cryptocurrency wallets and application tokens from an infected device, package them and send them to the attacker within seconds. Unlike ransomware, it does not aim to make noise: its goal is to get in, exfiltrate everything valuable and disappear. The output of each infection is a stealer log, a data bundle that today feeds much of the cybercrime supply chain, from fraud to the intrusions that end in encryption and extortion.
In 2026, credential theft through infostealers has become the most profitable and scalable initial access vector for actors with limited resources. The reason is simple: a single valid session cookie from a corporate panel can be worth more, and cost far less effort, than finding and exploiting a zero-day vulnerability.
The essentials
- An infostealer steals credentials, cookies, autofill, crypto wallets and tokens, and produces a stealer log that is sold or reused.
- Session cookie theft enables pass-the-cookie: the attacker reuses your already authenticated session and bypasses MFA without knowing the password.
- The dominant families operate as malware as a service: Lumma, RedLine, Vidar, StealC and Raccoon, plus Atomic (AMOS) on macOS.
- Typical vectors are pirated software and keygens, search malvertising, fake installers and the ClickFix lure (pasting a command into PowerShell).
- Defense combines EDR with behavioral telemetry, leaked-credential monitoring, phishing-resistant MFA (FIDO2) and short sessions with token binding.
What is an infostealer
An infostealer is a malicious program specialized in the mass harvesting of secrets stored on the victim's machine. It does not encrypt, does not destroy and, in most cases, does not persist: it runs a theft routine, transmits the loot to a command and control server and often deletes itself to hinder forensic analysis. It belongs to the spyware family, one of the classic categories we cover in our guide to types of malware, but with an industrialization that sets it apart from the traditional spy.
The key thing to understand is that an infostealer does not attack systems: it attacks already legitimate data. It extracts what your browser and applications store for your convenience. That is the source of both its effectiveness and its stealth.
What it steals: the anatomy of a stealer log
A typical stealer log contains:
- Browser credentials: usernames and passwords saved in Chrome, Edge, Firefox and Chromium-based browsers, extracted from the
Login DataSQLite database. - Session cookies: including those of active, already authenticated sessions, which are the most valuable asset in the bundle.
- Autofill and card data: addresses, phone numbers and payment details.
- Cryptocurrency wallets:
wallet.datfiles and data from extensions such as MetaMask. - Application tokens: Discord, Telegram, Steam and email client sessions.
- System information and screenshots: machine name, IP, installed software and, sometimes, a screenshot of the desktop at the moment of theft.
That set is compressed, structured into readable folders (passwords.txt, cookies, autofills) and uploaded to the attacker. An operator with a control panel receives thousands of these bundles a day.
How stealer logs work step by step
The life cycle of an infostealer infection is fast and repeatable:
- Delivery. The victim runs the binary believing it is an installer, a crack or an update.
- Execution and evasion. The stealer checks for analysis environments (virtual machines, sandboxes), sometimes decrypts itself in memory and starts the collection routine.
- Collection. It reads browser databases, wallets and the configuration directories of known applications.
- Exfiltration. It packages everything and sends it over HTTPS, Telegram or its own control panel.
- Monetization. The log is used directly, sold on a marketplace or handed to a broker who will resell the access.
All of this can happen in under a minute after the double click. The victim rarely notices anything.
The underground economy of credential theft
What turns the infostealer into a systemic threat is not the malware itself, but the market around it. Stealer logs are traded at industrial scale in Telegram channels and specialized marketplaces. For years, platforms such as Genesis Market (seized in 2023 by Operation Cookie Monster) and Russian Market normalized the sale of fresh logs with a built-in search engine: a buyer could filter by domain, by country or by the presence of a specific cookie.
The underlying business model is malware as a service (MaaS). The developer sells monthly subscriptions to affiliates who spread the stealer and keep the logs. The developer never touches the victims; they only rent out the tool and the panel. This division of labor, identical to the one we describe for ransomware in Spain 2026, is what enables the volume.
From stealer log to ransomware: Initial Access Brokers
Here comes the most dangerous link for companies. Initial Access Brokers (IABs) buy or generate logs, identify those that contain corporate credentials or session cookies (VPN, admin panels, Microsoft 365, cloud consoles) and resell that access to ransomware operators.
The sequence is increasingly common: an employee infects their personal machine with a crack, that machine had a saved corporate VPN session, the log reaches an IAB and weeks later the organization suffers an encryption incident. A credential stolen from one person turns into an intrusion across an entire company. This is why credential theft is no longer an individual problem: it is a supply chain problem.
Dominant families in 2026
The ecosystem is dominated by a handful of families, with constant turnover after each law enforcement operation:
- Lumma (LummaC2): one of the most active MaaS offerings, with frequent updates and techniques to adapt to browser defenses.
- RedLine: for years the de facto standard, hit in October 2024 by Operation Magnus, which dismantled much of its infrastructure along with Meta (MetaStealer).
- Vidar: a veteran, modular and able to download additional payloads.
- StealC: heir to Vidar and Raccoon, popular for its low cost and agile panel.
- Raccoon Stealer: widely used until its operator was indicted; it still resurfaces in variants.
- Atomic Stealer (AMOS): a reminder that macOS is not immune, distributed through fake installers and malicious ads aimed at Mac users.
No family is truly novel in its technique: its competitive advantage is operational, price, support and the ability to dodge browser controls. Do not confuse these families with a generic trojan: although many are delivered as trojans, their specialty is the silent theft of data.
Infection vectors: cracks, malvertising and fake installers
Infostealers rarely exploit vulnerabilities. They exploit human decisions. The dominant vectors are:
- Pirated software, cracks and keygens: activators for paid programs and video game cheats, often promoted in videos with links in the description.
- Search malvertising: sponsored ads that mimic the official sites of popular tools (editors, meeting clients, system utilities) and serve a trojanized installer.
- Fake installers and updates: bogus browser or plugin updates that actually run the stealer.
- ClickFix and fake CAPTCHA: a rising technique where a website asks the victim to "verify they are human" by copying and pasting a command into the Windows Run box or PowerShell, downloading the malware with their own hands.
- SEO poisoning: ranking malicious pages for searches of specific software.
They all share one pattern: the victim installs the malware voluntarily. Many of these lures overlap with classic computer virus techniques, but adapted to today's mass distribution.
Why MFA is not enough: session cookie theft
This is the point that most surprises teams that rely on the second factor. Multi-factor authentication protects the moment of login, but once you authenticate, the application hands you a session cookie that represents your already validated identity. As long as that cookie is valid, it will not ask you for MFA again.
An infostealer steals precisely those cookies. The attacker imports them into their own browser and runs a pass-the-cookie attack: the application sees a legitimate session and does not require MFA, because the factor was already satisfied at the moment of theft. It needs neither your password nor your token. That is why OTP or push-based MFA, while essential, is not sufficient on its own against a stealer.
The industry's response has moved in two directions: on one hand, App-Bound Encryption in Chrome, which ties cookie decryption to the browser process to make theft harder (stealers have already started adapting); on the other, token binding standards such as DBSC (Device Bound Session Credentials), which bind the session to the device through a non-exportable private key, so that a stolen cookie is useless on another machine.
Detection and prevention
Effective defense assumes infection is possible and focuses on detecting it early and reducing the value of whatever can be stolen.
For users and IT teams
- Do not run pirated software or software from unofficial sources, and download tools only from the vendor's domain, never from an ad.
- EDR with behavioral telemetry: infostealers leave detectable traces, such as mass access to the
Login Datafile, reading crypto wallet directories or office processes spawning PowerShell. A good EDR alerts on these patterns even when the binary is unknown. - Browser hygiene: avoid saving passwords in the browser for critical accounts and use a dedicated password manager with automatic locking.
- Segregation: do not use personal machines to access corporate resources, and vice versa.
For security leaders
- Leaked-credential monitoring and log monitoring across underground sources, to detect when your own domain appears in a stealer log and force rotation before an IAB exploits it.
- Phishing-resistant MFA with FIDO2 and passkeys, which does not rely on reusable secrets.
- Short sessions and token binding: reduce cookie lifetimes and adopt DBSC or DPoP where possible, so a stolen cookie expires quickly or does not work off the device.
- Centralized session revocation at any sign of compromise, without waiting for natural expiry.
Frequently asked questions
What is a stealer?
A stealer is the shortened form of information stealer or infostealer: malware whose sole purpose is to steal sensitive information (passwords, cookies, wallets, tokens) from a machine and send it to the attacker. The output of its execution is a stealer log, the bundle with all the exfiltrated data.
What is an infostealer and how does it differ from a trojan?
An infostealer is malware specialized in stealing credentials and secrets. Many infostealers are distributed as trojans, that is, hidden inside an apparently legitimate program, but the trojan describes the delivery method and the infostealer describes the function. A trojan can do many things; an infostealer is dedicated exclusively to the silent theft of data.
Does MFA protect me from an infostealer?
Only partly. MFA protects the login, but an infostealer steals the already authenticated session cookie and lets the attacker reuse it without passing the second factor again (pass-the-cookie). Mitigating it requires short sessions, token binding and phishing-resistant MFA such as FIDO2.
How do I know if my credentials are in a stealer log?
At a personal level, breach notification services can indicate whether your email appears in known breaches. At a corporate level, specialized monitoring of credentials and logs across underground sources makes it possible to detect when your own domain is exposed and force password rotation and session revocation.
Do infostealers only affect Windows?
No. Windows remains the primary target by volume, but macOS is a growing target with families such as Atomic Stealer (AMOS), distributed through fake installers and malvertising. Variants that steal credentials on Android also exist.
Related resources
- Types of malware
- What is a trojan
- Ransomware in Spain 2026
- ChatGPT security in business and risks 2026
- What is vishing: voice attacks on business
Infostealer protection with Secra
At Secra we help organizations cut the chain that runs from credential theft to a serious incident: monitoring of credentials and stealer logs across underground sources, hardening authentication with phishing-resistant MFA and token binding, reviewing session policy and deploying behavior-based detection. We integrate it within our managed cybersecurity service, designed to detect exposure before an Initial Access Broker turns it into an intrusion.
Request an initial assessment and let us plan your organization's defense against infostealers together.
About the author
Secra Solutions team
Ethical hackers with OSCP, OSEP, OSWE, CRTO, CRTL and CARTE certifications, 7+ years of experience in offensive cybersecurity, and authors of CVE-2025-40652 and CVE-2023-3512.

