Full Report
Recorded Future's 2025 Identity Threat Landscape Report analyzes hundreds of millions of compromised credentials to reveal how infostealer malware is evolving, which systems attackers are targeting, and what security teams must do to get ahead of credential-based breaches.
Analysis Summary
# Tool/Technique: Infostealer Malware-as-a-Service (MaaS)
## Overview
Infostealer malware is a class of malicious software designed to harvest sensitive data from infected hosts. In 2025, these tools have evolved into a highly efficient "Malware-as-a-Service" economy, primarily targeting credentials, session cookies, and system metadata to facilitate initial access for follow-on attacks like ransomware or data exfiltration.
## Technical Details
- **Type:** Malware Family / Infostealer
- **Platform:** Windows, macOS, Mobile (cross-platform proliferation)
- **Capabilities:** Credential harvesting, Session Cookie hijacking (MFA bypass), System Fingerprinting, Automated Exfiltration.
- **First Seen:** Historically late 2010s; current 2025 variants show advanced automated exfiltration and bypass features.
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - [T1566 - Phishing]
- **[TA0006 - Credential Access]**
  - [T1555 - Credentials from Password Stores]
  - [T1539 - Steal Web Session Cookie]
- **[TA0009 - Collection]**
  - [T1005 - Data from Local System]
- **[TA0010 - Exfiltration]**
  - [T1041 - Exfiltration Over C2 Channel]
## Functionality
### Core Capabilities
- **Browser Harvesting:** Extraction of usernames, passwords, and autofill data from Chromium and Gecko-based browsers.
- **Credential Volume:** In 2025, an average of 87 credentials were stolen per compromised device.
- **Log Generation:** Creation of "malware logs" containing comprehensive folders of stolen data sent to C2 servers.
### Advanced Features
- **Session Cookie Theft:** Capturing active session tokens (31% of 2025 logs), allowing attackers to bypass Multi-Factor Authentication (MFA) by masquerading as an already-authenticated user.
- **Targeted Harvesting:** Specifically identifying authorization URLs for high-value systems including VPNs (2.4%), RMM tools (6.19%), Cloud platforms (7.58%), and SIEM/Security software (1.17%).
## Indicators of Compromise
- **File Hashes:** [Specific hashes vary by family; monitored via 30+ malware families including RedLine, Vidar, Lumma, etc.]
- **File Names:** Frequently delivered via files named `Update.exe`, `Invoice.zip`, or masquerading as cracked software/freeware.
- **Network Indicators:**
  - Exfiltration to Telegram API (e.g., `api.telegram[.]org`)
  - C2 communication with dedicated domains (e.g., `panel-login[.]cc`)
- **Behavioral Indicators:**
  - Unexplained access to browser profile folders (e.g., `\AppData\Local\Google\Chrome\User Data\Default`).
  - PowerShell execution for system discovery or to disable Windows Defender.
## Associated Threat Actors
- **Initial Access Brokers (IABs):** Use these tools to sell access to Ransomware-as-a-Service (RaaS) affiliates.
- **MaaS Operators:** Groups managing platforms like Lumma, StealC, and Meduza.
## Detection Methods
- **Signature-based:** Monitoring for known infostealer binary signatures and packed executables.
- **Behavioral detection:** Monitoring for unauthorized processes accessing local "Login Data" SQLite databases or frequent egress to known "Leaked Credential" marketplaces.
- **Identity Intelligence:** Utilizing services like Recorded Future to identify when corporate credentials appear in malware logs on the dark web or Telegram.
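The behavioral detection described above, as an added example that is not part of the report: it scans constructed endpoint telemetry for a non-browser process reading a browser credential store, and for egress to the exfiltration hosts the Indicators of Compromise section names, then correlates the two on the same process. The event shape, the browser allow-list and the hard-coded exfiltration host set are assumptions for the example; a production rule would draw the hosts from a threat-intelligence feed.

```python
"""Behavioural infostealer detection over constructed endpoint events.
Added example; event format, allow-lists and host set are assumptions."""

from dataclasses import dataclass
import re

# Browser credential stores that stealers read (Login Data, Cookies, Web Data).
CREDENTIAL_STORE_RE = re.compile(
    r"(?i)\\AppData\\Local\\(Google\\Chrome|Microsoft\\Edge|BraveSoftware\\Brave-Browser)"
    r"\\User Data\\.*\\(Login Data|Cookies|Web Data)$"
)
# Processes expected to touch those files (assumed allow-list; tune per estate).
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "brave.exe"}
# Exfiltration endpoints named in the summary (assumption: no legitimate use here).
EXFIL_HOSTS = {"api.telegram.org", "panel-login.cc"}


@dataclass
class Alert:
    host: str
    process: str
    rule: str
    detail: str


def detect(events):
    """Return one Alert per suspicious file read or network connection."""
    alerts = []
    for ev in events:
        proc = ev["image"].rsplit("\\", 1)[-1].lower()
        if ev["type"] == "file_read":
            if CREDENTIAL_STORE_RE.search(ev["target"]) and proc not in BROWSER_PROCESSES:
                alerts.append(Alert(ev["host"], proc, "credential_store_access", ev["target"]))
        elif ev["type"] == "network":
            dest = ev["dest_host"].lower()
            if dest in EXFIL_HOSTS:
                alerts.append(Alert(ev["host"], proc, "stealer_egress", dest))
    return alerts


def correlate(alerts):
    """Escalate when one process both read a credential store and reached an
    exfiltration endpoint: that pairing is the stealer pattern, and it is far
    less noisy than either rule alone."""
    seen = {}
    for a in alerts:
        seen.setdefault((a.host, a.process), set()).add(a.rule)
    return sorted(key for key, rules in seen.items()
                  if {"credential_store_access", "stealer_egress"} <= rules)


# Constructed telemetry: one benign browser read, one benign network event,
# and a fake "Update.exe" that reads two stores and then talks to Telegram.
SAMPLE_EVENTS = [
    {"host": "WS-0142", "type": "file_read",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"host": "WS-0142", "type": "file_read",
     "image": r"C:\Users\alice\AppData\Local\Temp\Update.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"host": "WS-0142", "type": "file_read",
     "image": r"C:\Users\alice\AppData\Local\Temp\Update.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Cookies"},
    {"host": "WS-0142", "type": "network",
     "image": r"C:\Users\alice\AppData\Local\Temp\Update.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},
    {"host": "WS-0077", "type": "network",
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_host": "updates.example.com", "dest_port": 443},
]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f"{a.host} {a.process} {a.rule}: {a.detail}")
    print("escalate:", correlate(found))
```

The single-event rules are useful on their own, but the `correlate` step is what turns "something read Login Data" into a stealer finding; backup agents and browser updaters will trip the first rule, while very few of them also connect to a Telegram endpoint.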
## Mitigation Strategies
- **Token Invalidation:** Immediately clearing active web sessions and forcing password resets when a compromise is detected.
- **Device Posture:** Implementing Zero Trust Network Access (ZTNA) to ensure only managed, healthy devices can access enterprise applications.
- **Hardware-based MFA:** Shifting from SMS/TOTP to FIDO2/WebAuthn keys, which are more resistant to session hijacking (though not entirely immune to all session theft).
- **Automated Remediation:** Integrating SOAR platforms with Identity Providers (Okta, Entra ID) to automate lockouts upon credential exposure alerts.
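A triage routine tying together the targeted-harvesting categories in the Functionality section and the Token Invalidation and Automated Remediation strategies above, as an added example that is not the report's or any vendor's tooling: it takes credential-exposure records of the shape an identity-intelligence feed might return for a leaked malware log, classifies each target URL into the high-value categories the report lists (VPN, RMM, cloud, SIEM), and derives the remediation steps to queue. The record shape, the host-name keyword hints and the corporate domain are assumptions; a real deployment would classify against its own asset inventory.

```python
"""Triage of constructed credential-exposure records into remediation actions.
Added example; record shape, category hints and corporate domain are assumptions."""

from urllib.parse import urlparse

CORP_DOMAIN = "example.com"  # assumed corporate identity domain

# Assumed host-name hints for the report's high-value categories.
CATEGORY_HINTS = {
    "vpn": ("vpn.", "remote.", "sslvpn."),
    "rmm": ("rmm.", "screenconnect", "connectwise", "anydesk"),
    "cloud": ("console.aws.amazon.com", "portal.azure.com",
              "console.cloud.google.com", "login.microsoftonline.com"),
    "siem": ("splunk", "siem.", "sentinel"),
}
# Lower number = handle first. RMM and cloud consoles give the buyer the
# broadest reach, so they outrank VPN and SIEM in this (assumed) ordering.
PRIORITY = {"rmm": 1, "cloud": 1, "vpn": 2, "siem": 2, "other": 3}


def classify(url):
    """Map a harvested authorization URL to a category by host-name hint."""
    host = (urlparse(url).hostname or "").lower()
    for category, hints in CATEGORY_HINTS.items():
        if any(h in host for h in hints):
            return category
    return "other"


def triage(records):
    """Return findings sorted by priority, each with the actions to queue."""
    findings = []
    for r in records:
        if not r["username"].lower().endswith("@" + CORP_DOMAIN):
            continue  # personal accounts are out of scope for corporate IR
        category = classify(r["url"])
        actions = ["force_password_reset"]
        if r.get("has_session_cookie"):
            # A live cookie lets the buyer skip MFA entirely, so kill sessions first.
            actions.insert(0, "revoke_all_sessions")
        if PRIORITY[category] == 1:
            actions.append("lock_account_pending_review")
        findings.append({"user": r["username"], "url": r["url"],
                         "category": category, "priority": PRIORITY[category],
                         "actions": actions})
    findings.sort(key=lambda f: (f["priority"], f["user"]))
    return findings


# Constructed records resembling entries from one leaked stealer log.
SAMPLE_RECORDS = [
    {"url": "https://vpn.example.com/remote/login",
     "username": "alice@example.com", "has_session_cookie": True},
    {"url": "https://rmm.example.com/",
     "username": "bob@example.com", "has_session_cookie": False},
    {"url": "https://mail.google.com/",
     "username": "alice.personal@gmail.com", "has_session_cookie": True},
    {"url": "https://intranet.example.com/wiki",
     "username": "carol@example.com", "has_session_cookie": False},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f"P{f['priority']} {f['category']:5} {f['user']}: {', '.join(f['actions'])}")
```

The ordering of actions is the point: when a record carries a session cookie, revoking sessions comes before the password reset, because a reset alone leaves the replayed cookie valid at the identity provider. The `lock_account_pending_review` step is where a SOAR integration with the identity provider would plug in.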
## Related Tools/Techniques
- **Combo Lists:** Aggregated lists of username/password pairs used for credential stuffing.
- **RMM Tools:** Often targeted by stealers to gain persistence and lateral movement capabilities.
- **Session Hijacking:** The primary technique utilized to circumvent modern MFA controls.