Infostealer malware
Infostealer malware is a class of credential-theft malware that compromises devices and harvests credentials and other sensitive data from infected systems. Recent strains have been observed bypassing recent Google Chrome security patches, so credentials and sensitive data are stolen despite browser security updates. Delivery is also described through social-engineering scenarios in which a fake support representative convinces a user to grant remote access, after which banking credentials are stolen or infostealer malware is deployed. The malware's output feeds a large-scale credential ecosystem: credentials captured from infected devices are collected from infostealer logs and then shared, merged, and resold via Telegram channels, Tor sites, and underground forums. One cited dataset aggregated real credentials from infostealer malware logs at very large scale. The sources also link infostealer-derived credential theft to a real-world intrusion in the automotive sector: Scania's external IT partner was reportedly compromised by infostealer malware, and the stolen partner credentials were then used in the May 28–29, 2025 breach of Scania, resulting in theft and extortion involving insurance claim documents. High-confidence impacts include theft of banking credentials, account credentials, and sensitive data from infected devices; use of stolen credentials for follow-on intrusions; and contribution to underground credential markets.
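As an added example (not part of this page or of the Mallory product), a defender-side triage of stealer-log records in the URL:username:password shape these logs are described as capturing: it matches each record's host against a watchlist of your own and your partners' domains (the partner case is exactly how the Scania intrusion is described), collapses duplicate records, flags the same user and secret reused on an unrelated site, and keeps only a truncated hash of each password so the output never carries cleartext secrets. The log lines, domains and watchlist are constructed for the example.

```python
import hashlib
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in the URL:username:password shape described for
# stealer logs; every value here is made up for the example.
SAMPLE_LOG = """\
https://mail.example-corp.com/owa/auth/logon.aspx:alice@example-corp.com:Winter2024!
https://vpn.partner-it.example/login:bob:hunter2
https://shop.example.net/account:alice@example-corp.com:Winter2024!
http://portal.EXAMPLE-CORP.com/:carol:Passw0rd
https://vpn.partner-it.example/login:bob:hunter2
garbage line without separators
"""

# Hypothetical watchlist: your own domains plus those of third parties (such
# as an external IT partner) whose credentials can reach your environment.
WATCHLIST = {"example-corp.com", "partner-it.example"}

def parse_line(line):
    # Split from the right: the URL part contains ':' itself (scheme, ports).
    parts = line.strip().rsplit(":", 2)
    if len(parts) != 3 or not parts[0].lower().startswith(("http://", "https://")):
        return None
    return tuple(parts)

def fingerprint(secret):
    # Triage output must not carry cleartext passwords; a truncated hash is
    # enough to tell records apart and to notice the same secret reused.
    return hashlib.sha256(secret.encode()).hexdigest()[:12]

def triage(log_text, watchlist):
    exposed = defaultdict(set)        # watchlisted domain -> {(user, host, fp)}
    hosts_by_cred = defaultdict(set)  # (user, fp) -> hosts it was entered on
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        url, user, password = rec
        host = (urlsplit(url).hostname or "").lower()
        fp = fingerprint(password)
        hosts_by_cred[(user, fp)].add(host)
        for d in watchlist:
            if host == d or host.endswith("." + d):
                exposed[d].add((user, host, fp))
    # The same user+secret seen on an unrelated site means password reuse:
    # a breach there exposes the credential also used on a watchlisted host.
    reuse = {c: sorted(h) for c, h in hosts_by_cred.items() if len(h) > 1}
    return {d: sorted(v) for d, v in exposed.items()}, reuse
```

Run `triage(SAMPLE_LOG, WATCHLIST)`: the duplicate VPN record collapses to one, and alice's credential is reported as reused because it appears on both the corporate webmail host and an unrelated shop site.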
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Techniques & procedures
12 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access: 2 techniques
Execution: 1 technique
Persistence: 1 technique
Privilege Escalation: 1 technique
Stealth: 2 techniques
Credential Access: 7 techniques
Naz.API is different. It’s a 71-million-credential stealer log, credentials captured directly from infected machines by infostealer malware, in cleartext, at the moment of theft. No hashing. No cracking required. Username, password, and the URL it was entered on, all captured live.
Infostealer Malware: Harvesting session tokens and login credentials from employees or affiliated hosts to quietly bypass multi-factor authentication.
And once you have that, you don’t need passwords anymore. You’ve got sessions, tokens and access.
Attackers obtained valid login credentials using infostealer malware, software that silently captures usernames and passwords from infected devices.
Another approach observed is use of Adversary-in-the-Middle (AiTM) phishing pages or infostealer malware. These tools not only capture credentials but also extract SSO session cookies and OAuth tokens directly from the victim’s browser or memory.
The credential statistics reflect credentials identified on Check Point's External Risk Management platform... the credentials were identified within infostealer malware logs, which typically reflect opportunistic compromise rather than deliberate targeting...
Collection: 2 techniques
Naz.API is different. It’s a 71-million-credential stealer log, credentials captured directly from infected machines by infostealer malware, in cleartext, at the moment of theft. No hashing. No cracking required. Username, password, and the URL it was entered on, all captured live.
Command and Control: 1 technique
IOCs tracked for this family
2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
Recent activity
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Malware designed to steal credentials and sensitive information from infected systems, enabling further attacks such as unauthorized access and data theft.
Infostealer malware is designed to steal sensitive information such as banking credentials from infected devices, often delivered through tech support scams targeting the elderly.
Infostealer malware is designed to steal credentials and other sensitive information from infected devices. The stolen data is then aggregated and sold or shared on underground forums, Telegram channels, and other dark web marketplaces. This type of malware is a primary source for large-scale credential dumps and fuels the digital supply chain of credential theft.
Malware designed to steal sensitive information from victims, noted for its ability to bypass recent Chrome security patches.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.