Full Report
Stealer malware no longer just steals passwords. In 2025 it steals live sessions, and attackers are moving faster and more efficiently than ever. While many associate account takeovers with personal services, the real threat is unfolding in the enterprise. Flare’s latest research, The Account and Session Takeover Economy, analyzed over 20 million stealer logs and tracked attacker activity across
Analysis Summary
# Tool/Technique: Stealer Malware (General)
## Overview
Commodity stealer malware is being used to collect not only passwords but also live session tokens (cookies) from compromised enterprise endpoints. Attackers are exploiting these stolen sessions to gain rapid, MFA-bypass access to critical business systems, often performing account takeovers in under 24 hours post-infection.
## Technical Details
- Type: Malware family (Commodity Stealers)
- Platform: Endpoints (Implied Windows/Desktop OS based on commodity malware trends and common credential storage locations)
- Capabilities: Extract and exfiltrate browser cookies, saved credentials, session tokens, and cryptocurrency wallet information. Rapidly exfiltrate data, often via Telegram bots or C2 servers.
- First Seen: Ongoing evolution, with current focus on session hijacking reported in 2025 research.
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
  - T1566 - Phishing
    - T1566.001 - Spearphishing Attachment
  - T1190 - Exploit Public-Facing Application (Implied delivery via fake updates/cracked software)
- TA0010 - Exfiltration
  - T1041 - Exfiltration Over C2 Channel
- TA0006 - Credential Access
  - T1555 - Credentials from Password Stores
    - T1555.003 - Credentials from Web Browsers
## Functionality
### Core Capabilities
- Data extraction from compromised endpoints, focusing on browser data (cookies, session tokens, saved passwords).
- Automated exfiltration of collected data.
- Delivery method often involves social engineering via phishing attachments or malicious installers (cracked software, fake updates).
### Advanced Features
- Focus on stealing **session tokens/cookies** which allow attackers to bypass Multi-Factor Authentication (MFA).
- Use of Telegram bots as a primary method for data aggregation and immediate command/control interaction.
- Integration with marketplace listings that include browser fingerprinting data and ready-made login scripts.
## Indicators of Compromise
- File Hashes: Not specified for general family, but specific hashes would be associated with deployed samples of Redline, Raccoon, or LummaC2.
- File Names: Not specified, depends on initial payload delivery mechanism (e.g., attachment names, installer names).
- Registry Keys: Not specified.
- Network Indicators: Exfiltration observed pointing toward **Telegram bots** or associated adversary-controlled C2 infrastructure (no specific domains or IPs were listed).
- Behavioral Indicators: Rapid execution of data collection processes post-initial execution; network communication with Telegram endpoints shortly after payload execution.
## Associated Threat Actors
The research indicates these commodity tools are used by a wide array of groups involved in **ransomware, fraud, and espionage**. Specific threat groups are not detailed but benefit from the industrialized nature of this underground market.
## Detection Methods
- Signature-based detection: Applicable for known malware binaries (Redline, Raccoon, LummaC2).
- Behavioral detection: Monitoring for processes rapidly accessing browser storage locations and exfiltrating large amounts of data, especially over atypical channels like Telegram.
- YARA rules: Applicable for identifying specific strings or structural components of the known stealer binaries.
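The behavioral detection above (a process reading browser credential and cookie stores and then talking to Telegram shortly afterwards) can be expressed as a simple correlation rule over endpoint telemetry. The following is an added example, not code from the Flare report or from any EDR product; the event schema, the browser store path fragments, the 60-second window and the sample events are all assumptions constructed for illustration.

```python
"""Correlate browser-store reads with a Telegram Bot API connection (added example).

Assumed telemetry: EDR-style events, each a dict with
  ts     - seconds since epoch
  pid    - process id
  kind   - "file_read" or "net_connect"
  target - file path read, or remote host for a net_connect
Rule: a process that reads a browser credential/cookie store and then connects to
a Telegram Bot API host within WINDOW seconds is flagged.
"""
from collections import defaultdict

# Path fragments of Chromium and Firefox secret stores on Windows (assumed typical
# locations; matched case-insensitively against the full path).
BROWSER_STORE_MARKERS = (
    "\\login data",   # Chromium saved credentials
    "\\cookies",      # Chromium cookie DB, also matches Firefox cookies.sqlite
    "logins.json",    # Firefox saved logins
)
# Telegram Bot API host commonly used by commodity stealers for exfiltration.
EXFIL_HOSTS = ("api.telegram.org",)
WINDOW = 60.0  # seconds between first store read and the exfil connection


def is_browser_store(path: str) -> bool:
    p = path.lower()
    return any(m in p for m in BROWSER_STORE_MARKERS)


def correlate(events):
    """Return alerts as (pid, first_store_read_ts, exfil_ts, sorted_store_paths)."""
    first_read = {}            # pid -> ts of the first browser store read
    stores = defaultdict(set)  # pid -> store paths read so far
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        pid = ev["pid"]
        if ev["kind"] == "file_read" and is_browser_store(ev["target"]):
            first_read.setdefault(pid, ev["ts"])
            stores[pid].add(ev["target"])
        elif ev["kind"] == "net_connect" and ev["target"].lower() in EXFIL_HOSTS:
            # Only alert if this same process touched a store inside the window.
            if pid in first_read and ev["ts"] - first_read[pid] <= WINDOW:
                alerts.append((pid, first_read[pid], ev["ts"], sorted(stores[pid])))
    return alerts


# Constructed sample telemetry: pid 4242 behaves like a stealer; pid 1001 is a
# browser reading its own stores with a Telegram connection much later; pid 7
# reaches Telegram without touching any store (e.g. a legitimate client).
SAMPLE_EVENTS = [
    {"ts": 100.0, "pid": 1001, "kind": "file_read",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"ts": 101.0, "pid": 4242, "kind": "file_read",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"ts": 101.5, "pid": 4242, "kind": "file_read",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"ts": 102.0, "pid": 4242, "kind": "file_read",
     "target": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1.default\logins.json"},
    {"ts": 108.0, "pid": 4242, "kind": "net_connect", "target": "api.telegram.org"},
    {"ts": 110.0, "pid": 7, "kind": "net_connect", "target": "api.telegram.org"},
    {"ts": 900.0, "pid": 1001, "kind": "net_connect", "target": "api.telegram.org"},
]

if __name__ == "__main__":
    for pid, t0, t1, paths in correlate(SAMPLE_EVENTS):
        print(f"ALERT pid={pid}: stores read at {t0}, exfil at {t1} ({t1 - t0:.1f}s)")
        for p in paths:
            print("   ", p)
```

The two negative cases matter as much as the hit: a browser legitimately reads its own stores, and a chat client legitimately reaches Telegram, so the rule keys on the same process doing both within a tight window rather than on either event alone.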
## Mitigation Strategies
- Revoke all active sessions immediately following any confirmed endpoint compromise, as password resets alone are insufficient against token theft.
- Implement strict application control to limit execution of unverified software/cracked applications.
- Monitor network traffic for known **Telegram** infrastructure utilized for exfiltration.
- Deploy anomaly detection focusing on browser fingerprinting and unusual login sources/locations for enterprise applications.
## Related Tools/Techniques
- **Redline Stealer** (Cited as responsible for 44% of logs analyzed).
- **Raccoon Stealer** (Cited as responsible for 25% of logs analyzed).
- **LummaC2 Stealer** (Cited as responsible for 18% of logs analyzed).
- Use of **Anti-detect Browsers** by attackers to utilize stolen session tokens seamlessly.
---
# Tool/Technique: Redline Stealer
## Overview
Redline is a commodity infostealer malware identified as the most prevalent tool in the analyzed stealer logs (44%), responsible for extracting credentials and session tokens from infected machines.
## Technical Details
- Type: Malware family (Infostealer)
- Platform: Windows (Implied)
- Capabilities: Extracts browser cookies, saved credentials, session tokens, and crypto wallet data; exfiltrates data rapidly.
- First Seen: Evolved commodity malware; prevalent in 2025 research findings.
## MITRE ATT&CK Mapping
- TA0006 - Credential Access
  - T1555 - Credentials from Password Stores
    - T1555.003 - Credentials from Web Browsers
- TA0010 - Exfiltration
  - T1041 - Exfiltration Over C2 Channel
## Functionality
### Core Capabilities
- Harvesting of high-value session data from browsers.
- Fast exfiltration mechanism, often leveraging Telegram.
### Advanced Features
- High prevalence in the underground market, suggesting ease of access and reliability for attackers.
## Indicators of Compromise
- File Hashes: Not specified.
- File Names: Not specified.
- Registry Keys: Not specified.
- Network Indicators: Exfiltration channels include Telegram bots.
- Behavioral Indicators: Aggressive scanning and collection of browser storage files.
## Associated Threat Actors
Used broadly by various cybercriminals, including ransomware and fraud groups leveraging industrialized access.
## Detection Methods
Standard infostealer detection methods, including monitoring for known Redline binaries and specific data harvesting activities.
## Mitigation Strategies
Standard endpoint security measures, plus enhanced monitoring for session token theft and exfiltration.
## Related Tools/Techniques
Raccoon Stealer, LummaC2.
---
# Tool/Technique: Raccoon Stealer
## Overview
Raccoon is a widely used commodity infostealer, accounting for 25% of the stealer logs analyzed. It is employed to steal credentials and session tokens from compromised endpoints.
## Technical Details
- Type: Malware family (Infostealer)
- Platform: Windows (Implied)
- Capabilities: Steals browser artifacts, credentials, and tokens for subsequent sale or exploitation.
- First Seen: Ongoing commodity malware.
## MITRE ATT&CK Mapping
- TA0006 - Credential Access
  - T1555 - Credentials from Password Stores
    - T1555.003 - Credentials from Web Browsers
- TA0010 - Exfiltration
## Functionality
### Core Capabilities
- Credentials and session token harvesting.
- Data transfer to attackers/resellers.
## Indicators of Compromise
- File Hashes: Not specified.
- Network Indicators: Exfiltration via C2 or Telegram.
## Associated Threat Actors
Broad use across the underground economy for initial access broker activity.
## Mitigation Strategies
Focus on preventing initial execution and rapidly revoking sessions post-compromise.
## Related Tools/Techniques
Redline Stealer, LummaC2.
---
# Tool/Technique: LummaC2 Stealer
## Overview
LummaC2 is the third most prevalent stealer noted in the research (18% of logs), indicating its role in the mass harvesting of enterprise login credentials and session tokens.
## Technical Details
- Type: Malware family (Infostealer)
- Platform: Windows (Implied)
- Capabilities: Focuses on extracting session data and credentials, often utilizing C2 infrastructure for management.
- First Seen: Active commodity malware.
## MITRE ATT&CK Mapping
- TA0006 - Credential Access
  - T1555 - Credentials from Password Stores
    - T1555.003 - Credentials from Web Browsers
- TA0010 - Exfiltration
## Functionality
### Core Capabilities
- Theft of session secrets necessary for MFA bypass.
- Efficient exfiltration of stolen loot.
## Indicators of Compromise
- Network Indicators: Standard C2/Telegram exfiltration profiles.
## Associated Threat Actors
Used by various financially motivated cybercriminal enterprises.
## Mitigation Strategies
Treat sessions as high-value assets and monitor for suspicious usage patterns immediately following malware execution.
## Related Tools/Techniques
Redline Stealer, Raccoon Stealer.
---
# Technique: Session Token Hijacking (Enterprise Context)
## Overview
The technique involves attackers purchasing stolen session tokens (primarily for Microsoft, Google, AWS, Azure, GCP) and importing them into "anti-detect browsers" to gain direct, authenticated access to enterprise environments, bypassing traditional MFA checks.
## Technical Details
- Type: Technique (Exploitation of Stolen Sessions)
- Platform: Enterprise Cloud Services (M365, Google Workspace, AWS, Azure, GCP) and Internal Tools (Slack, Confluence).
- Capabilities: Seamless access to business-critical platforms using valid session data; rapid post-exploitation activities like data exfiltration or ransomware deployment.
- First Seen: Evolving from simple credential theft to focused session theft in 2025 reports.
## MITRE ATT&CK Mapping
- TA0006 - Credential Access
  - T1555 - Credentials from Password Stores
    - T1555.003 - Credentials from Web Browsers (Focus on tokens/cookies)
- TA0011 - Persistence
  - T1649 - Account Manipulation (Implied, as access is maintained via session)
- TA0008 - Lateral Movement (Implied, once inside the enterprise network/tools)
## Functionality
### Core Capabilities
- Bypassing MFA by using pre-authenticated session cookies.
- Importing tokens into dedicated attacker browsers to mimic legitimate user activity.
- Quick pivoting within the accessed environment (e.g., accessing M365, then Slack, then cloud resources).
### Advanced Features
- Token marketplaces often provide associated browser fingerprint data to enhance mimicry.
- Ability to exploit high-privilege cloud access tokens (AWS/Azure/GCP).
## Indicators of Compromise
- File Hashes: N/A.
- Network Indicators: Suspicious logins or activity from non-standard IP addresses or devices against O365/cloud consoles, particularly where no MFA prompt was triggered because the session was already authenticated.
- Behavioral Indicators: Anomalous login times, rapid traversal between different applications (e.g., M365 to AWS console in minutes), access from newly seen geographies or devices.
## Associated Threat Actors
Ransomware gangs, fraudsters, and espionage groups who prioritize rapid initial access to business systems.
## Detection Methods
- Behavioral detection focusing on session integrity and device compromise indicators.
- Anomaly detection on login sources and browser characteristics (fingerprinting).
- Monitoring for unusual sequences of application access (e.g., immediately accessing rarely used admin dashboards).
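The indicators and detection methods above translate into two rules on identity-provider or CASB activity logs: a session that later appears from a different country or browser fingerprint than it was minted with, and one user hopping across several applications, including an admin console, within minutes. The following is an added example, not code from the Flare report or any vendor; the record schema, thresholds, app names and the sample records are constructed assumptions.

```python
"""Identity-side session anomaly detection over activity logs (added example).

Assumed record schema (constructed):
  ts      - seconds since epoch
  user    - account name
  session - opaque session identifier (never the token itself)
  country, ua, ip - where the request came from and the browser fingerprint
  app     - application reached with that session
Rules:
  1. session_drift: the session is used from a different country or user agent
     than the one it was first seen with. A replayed cookie with a copied
     user-agent string still trips the country check.
  2. rapid_traversal: one user reaches >= TRAVERSAL_APPS distinct apps within
     TRAVERSAL_WINDOW seconds, at least one of them an admin console.
"""
from collections import defaultdict, deque

TRAVERSAL_WINDOW = 300   # seconds
TRAVERSAL_APPS = 3
ADMIN_APPS = {"aws-console", "azure-portal", "m365-admin"}


def detect(records):
    """Return findings as (rule, user, session, ts, detail), earliest first."""
    findings = []
    origin = {}                   # session -> (country, ua) at first sight
    recent = defaultdict(deque)   # user -> deque of (ts, app) inside the window
    drift_reported = set()        # (session, reason) already alerted
    traversal_reported = set()    # users already alerted
    for r in sorted(records, key=lambda x: x["ts"]):
        sid = r["session"]
        # Rule 1: compare against the session's origin.
        if sid not in origin:
            origin[sid] = (r["country"], r["ua"])
        else:
            c0, ua0 = origin[sid]
            reasons = []
            if r["country"] != c0:
                reasons.append(("country", f"country {c0}->{r['country']} (ip {r['ip']})"))
            if r["ua"] != ua0:
                reasons.append(("ua", "user-agent changed"))
            for key, msg in reasons:
                if (sid, key) not in drift_reported:
                    drift_reported.add((sid, key))
                    findings.append(("session_drift", r["user"], sid, r["ts"], msg))
        # Rule 2: sliding window of distinct apps per user.
        q = recent[r["user"]]
        q.append((r["ts"], r["app"]))
        while q and r["ts"] - q[0][0] > TRAVERSAL_WINDOW:
            q.popleft()
        apps = {a for _, a in q}
        if (len(apps) >= TRAVERSAL_APPS and apps & ADMIN_APPS
                and r["user"] not in traversal_reported):
            traversal_reported.add(r["user"])
            findings.append(("rapid_traversal", r["user"], sid, r["ts"], ",".join(sorted(apps))))
    return findings


def rec(ts, user, session, country, ua, app, ip):
    return {"ts": ts, "user": user, "session": session, "country": country,
            "ua": ua, "app": app, "ip": ip}


UA_CHROME = "Mozilla/5.0 (Windows NT 10.0) Chrome/124"
# Constructed sample log. IPs are from documentation ranges.
SAMPLE_RECORDS = [
    # alice uses her own session from the office
    rec(1000.0, "alice", "s-1", "US", UA_CHROME, "m365-mail", "203.0.113.10"),
    rec(1500.0, "alice", "s-1", "US", UA_CHROME, "m365-mail", "203.0.113.10"),
    # bob hits three apps quickly, but none is an admin console: no finding
    rec(2000.0, "bob", "s-2", "US", UA_CHROME, "m365-mail", "203.0.113.11"),
    rec(2100.0, "bob", "s-2", "US", UA_CHROME, "slack", "203.0.113.11"),
    rec(2200.0, "bob", "s-2", "US", UA_CHROME, "confluence", "203.0.113.11"),
    # alice's session replayed from another country with a copied user agent,
    # then a fast hop from mail to chat to the AWS console
    rec(5000.0, "alice", "s-1", "NL", UA_CHROME, "m365-mail", "198.51.100.7"),
    rec(5060.0, "alice", "s-1", "NL", UA_CHROME, "slack", "198.51.100.7"),
    rec(5120.0, "alice", "s-1", "NL", UA_CHROME, "aws-console", "198.51.100.7"),
]

if __name__ == "__main__":
    for rule, user, sid, ts, detail in detect(SAMPLE_RECORDS):
        print(f"{ts:>8.0f} {rule:<16} user={user} session={sid} {detail}")
```

Bob's burst shows why the traversal rule also requires an admin application: three ordinary apps in five minutes is normal work, whereas mail to chat to a cloud console on a session that just changed countries is the pattern the report describes.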
## Mitigation Strategies
- Implement **session revocation** policies that aggressively terminate sessions upon endpoint security alerts or compromise detection.
- Harden session management security across all SaaS platforms.
- Investigate device posture checks that go beyond simple credentials.
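The first mitigation in the general section ("password resets alone are insufficient against token theft") and the session revocation policy above both come down to one server-side property: a revocation must invalidate tokens already minted, which a password change does not do on its own. The toy model below is an added example, not the report's or any vendor's implementation; the HMAC token format, the `sessions_not_before` field and the two policy names are constructed for illustration (production systems would use a proper password hash and a KMS-managed key).

```python
"""Password reset versus session revocation against a stolen token (added example).

Toy server-side model (constructed). Sessions are HMAC-signed tokens carrying
(user, issued_at). Two validation policies are compared:
  - "password_only": a reset replaces the password hash but nothing ties the
    token verifier to it, so a token copied off the endpoint keeps working.
  - "revoke_all": the account stores sessions_not_before; revoke_sessions()
    moves it to now, so every token minted earlier is rejected, stolen or not.
"""
import base64
import hashlib
import hmac
import json

SERVER_KEY = b"constructed-demo-key"  # placeholder; use a KMS-backed key in practice


class Account:
    def __init__(self, user, password):
        self.user = user
        # Toy hash for the demo; real systems use argon2/bcrypt/scrypt.
        self.password_hash = hashlib.sha256(password.encode()).hexdigest()
        self.sessions_not_before = 0.0   # tokens issued before this are dead


def mint_token(user, issued_at):
    payload = json.dumps({"u": user, "iat": issued_at}, separators=(",", ":")).encode()
    sig = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload).decode() + "." + base64.urlsafe_b64encode(sig).decode()


def parse_token(token):
    """Return the claims dict, or None if the signature does not verify."""
    try:
        p64, s64 = token.split(".")
        payload = base64.urlsafe_b64decode(p64)
        sig = base64.urlsafe_b64decode(s64)
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(payload)


def validate(account, token, policy):
    claims = parse_token(token)
    if claims is None or claims["u"] != account.user:
        return False
    if policy == "password_only":
        return True                      # a valid signature is all that is checked
    if policy == "revoke_all":
        return claims["iat"] >= account.sessions_not_before
    raise ValueError(f"unknown policy {policy!r}")


def reset_password(account, new_password):
    account.password_hash = hashlib.sha256(new_password.encode()).hexdigest()


def revoke_sessions(account, now):
    """Invalidate every session minted before `now` (the endpoint-alert response)."""
    account.sessions_not_before = now


def scenario(policy):
    """Return (stolen_ok_after_reset, stolen_ok_after_revoke, fresh_ok)."""
    acct = Account("alice", "hunter2")
    t0 = 1_700_000_000.0
    stolen = mint_token("alice", t0)        # cookie copied off the endpoint by a stealer
    reset_password(acct, "new-password")
    after_reset = validate(acct, stolen, policy)
    revoke_sessions(acct, t0 + 3600)        # triggered by the endpoint compromise alert
    after_revoke = validate(acct, stolen, policy)
    fresh = mint_token("alice", t0 + 3601)  # user re-authenticates afterwards
    return after_reset, after_revoke, validate(acct, fresh, policy)


def tampered_token_rejected():
    """Changing the user claim without the key must fail signature verification."""
    good = mint_token("alice", 1.0)
    p64, s64 = good.split(".")
    forged_payload = base64.urlsafe_b64encode(b'{"u":"admin","iat":1.0}').decode()
    return parse_token(forged_payload + "." + s64) is None


if __name__ == "__main__":
    for policy in ("password_only", "revoke_all"):
        print(policy, scenario(policy))
```

Under `password_only` the stolen token survives both the reset and the revocation call, which is the failure mode the report warns about; under `revoke_all` it dies the moment `sessions_not_before` advances, while the user's fresh session after re-authentication is unaffected.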
## Related Tools/Techniques
Stealer Malware (the source of the tokens), Anti-detect Browsers (the tool used for exploitation).