infostealer
Infostealer is a malware category designed to steal credentials and other sensitive data from infected devices. The content states that it siphons data stored in web browsers, including usernames and passwords, session cookies, autofill data, and credit card numbers, and can also steal information from email clients, messaging applications, cryptocurrency wallets, and LLM/AI service accounts. Stolen session cookies may enable account hijacking and MFA bypass. Data stolen by infostealers is commonly aggregated into stealer logs and then shared, merged, resold, or searched across Telegram channels, Tor sites, underground forums, and markets.
The content highlights cracked software, fake games, and gaming-related files as major infection vectors. In one cited study of 50,000 infections, 41.47% of victims were infected through gaming-related files, and 17.65% of all infections involved cracked versions of games. Fake 'Battlefield 6' cracks and trainers are specifically mentioned as lures used to spread infostealers. The content also notes that infostealer databases may include credentials harvested from infected browsers, phishing kits, and cracked software.
Operationally, infostealer-derived credentials have been used to enable downstream intrusions. The content states that attackers accessed Snowflake customer environments using stolen credentials obtained via infostealer malware, often where MFA was not enabled, and that Scania’s Financial Services insurance application was breached using an external IT partner’s credentials that Scania believes were stolen by infostealer malware. The Snowflake-related activity is linked in the content to actors associated with 'The Com' and a 'Shiny Hunters' offshoot referred to as SLH/SLSH, while the Scania incident involved extortion and subsequent leaking or attempted sale of stolen data.
The content also describes widespread criminal use of infostealer logs in underground markets, including sale of credentials for services such as ChatGPT, Perplexity, and Gemini. It notes a 30% increase in infostealer cases involving one security vendor’s clients in 2025. A large credential dataset discussed in the content contained 183 million unique email/password pairs and 23 billion rows sourced from infostealer malware logs, Telegram groups, and online forums, illustrating the scale of credential theft associated with this malware type.
High-confidence indicators and artifacts mentioned in the content are behavioral rather than family-specific: stealer logs containing browser credentials, session cookies, autofill data, credit card data, messaging and email account data, cryptocurrency wallet data, and credentials later appearing in Telegram channels, Tor sites, underground forums, and credential markets. No specific malware family names, hashes, domains, or infrastructure uniquely attributable to a single infostealer strain are provided in the content.
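Because the indicators above are behavioral, one practical hunt is to correlate the stealer-log lifecycle per process (a credential-store read, an archive written, an outbound connection, then the archive deleted, as the Stealth excerpt on this page describes) instead of alerting on any single stage. This is an added example, not code from the page's sources; the telemetry records, process names and paths are constructed, and the field layout is a stand-in for whatever your EDR or Sysmon feed provides.

```python
"""Flag the stealer-log lifecycle (credential-store read -> archive -> exfil -> delete)
in endpoint telemetry. Added example, not from the page's sources; the event shape,
process names and paths are constructed and would map onto real EDR/Sysmon fields."""
from collections import defaultdict
from datetime import datetime, timedelta

# Browser credential/cookie store file names (Chromium and Firefox).
CREDENTIAL_STORES = ("Login Data", "Cookies", "Web Data", "logins.json", "cookies.sqlite")
ARCHIVE_SUFFIXES = (".zip", ".rar", ".7z")
CHROME_PROFILE = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default"
LOG_PATH = r"C:\Users\alice\AppData\Local\Temp\sysinfo.zip"

# Constructed telemetry: (timestamp, pid, image, action, target)
EVENTS = [
    ("2025-01-10T09:00:01", 4120, "chrome.exe", "file_read", CHROME_PROFILE + r"\Login Data"),
    ("2025-01-10T09:00:05", 7781, "update_helper.exe", "file_read", CHROME_PROFILE + r"\Login Data"),
    ("2025-01-10T09:00:06", 7781, "update_helper.exe", "file_read", CHROME_PROFILE + r"\Cookies"),
    ("2025-01-10T09:00:09", 7781, "update_helper.exe", "file_create", LOG_PATH),
    ("2025-01-10T09:00:12", 7781, "update_helper.exe", "net_connect", "203.0.113.10:443"),
    ("2025-01-10T09:00:15", 7781, "update_helper.exe", "file_delete", LOG_PATH),
    ("2025-01-10T09:10:00", 5002, "backup.exe", "file_create", r"D:\backups\docs.zip"),
    ("2025-01-10T09:10:30", 5002, "backup.exe", "net_connect", "192.0.2.20:443"),
]

def find_stealer_log_sequences(events, window=timedelta(minutes=5)):
    """Return one alert per process that reads a credential store and then, within
    `window`, creates an archive, makes an outbound connection and deletes that
    same archive. Each stage alone is common (browsers, backup tools); the chain
    on one non-browser process is the signal."""
    by_proc = defaultdict(list)
    for ts, pid, image, action, target in events:
        by_proc[(pid, image)].append((datetime.fromisoformat(ts), action, target))
    alerts = []
    for (pid, image), evs in by_proc.items():
        evs.sort()
        cred_reads = [t for t, a, tgt in evs if a == "file_read" and tgt.endswith(CREDENTIAL_STORES)]
        for created, action, archive in evs:
            if action != "file_create" or not archive.lower().endswith(ARCHIVE_SUFFIXES):
                continue
            read_before = any(created - window <= t <= created for t in cred_reads)
            sent = any(a == "net_connect" and created <= t <= created + window for t, a, _ in evs)
            deleted = any(a == "file_delete" and tgt == archive and created <= t <= created + window
                          for t, a, tgt in evs)
            if read_before and sent and deleted:
                alerts.append({"pid": pid, "image": image, "archive": archive})
    return alerts

if __name__ == "__main__":
    for alert in find_stealer_log_sequences(EVENTS):
        print("possible stealer-log lifecycle:", alert)
```

In the constructed data only `update_helper.exe` completes all four stages; `chrome.exe` reading its own Login Data and `backup.exe` uploading an archive are left alone.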
Vulnerabilities exploited
2 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
Aqua Security announced that the open-source Trivy project ... had been recently compromised through a misconfigured GitHub Actions workflow... The incident was assigned CVE-2026-33634.
GReAT experts discovered a critical vulnerability — tracked as CVE-2026-3102 — which is triggered during the processing of malicious image files containing embedded shell commands within their metadata. When a vulnerable version of ExifTool on macOS processes such a file, the command is executed.
Techniques & procedures
30 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development (1 technique)
Initial Access (6 techniques)
The stolen credentials were either sold on the dark web or used to take over victims’ accounts.
The infostealer in the poisoned versions of Litellm... enables a full range of credential theft, including lifting SSH keys and cloud credentials...
Scammers use sensationalist ‘leaked videos’ and ‘breaking news’ stories to lure you into clicking on malicious links. The most likely end result is getting an infostealer on your phone or computers.
The project has also recently been targeted in a supply-chain attack, where TeamPCP hackers released malicious PyPI packages that deployed an infostealer to harvest credentials, tokens, and secrets from infected systems.
The same day, threat actors also published malicious versions of two of the Checkmarx VS Code plug-ins to the OpenVSX registry ... GitGuardian on Tuesday reported that the campaign had spread to the PyPI software registry, where the threat actor it identifies as TeamPCP had infected Litellm packages versions 1.82.7 and 1.82.8 with the same infostealer malware used in the Trivy campaign.
Execution (2 techniques)
Persistence (3 techniques)
The stolen credentials were either sold on the dark web or used to take over victims’ accounts.
Privilege Escalation (3 techniques)
The stolen credentials were either sold on the dark web or used to take over victims’ accounts.
Stealth (3 techniques)
In some cases, after compressing the stolen credentials into a stealer log and exfiltrating them to attacker-specified destinations, the malware auto-deletes the log file to evade detection.
Defense Impairment (1 technique)
Credential Access (11 techniques)
Infostealer is a type of malware designed to silently steal credentials from an infected device. That includes passwords, email addresses, usernames, and authentication tokens.
This category of malware is designed to harvest passwords, record keystrokes and even steal session cookies to bypass multi-factor authentication (MFA) on your accounts.
In certain situations, these tokens may even enable attackers to bypass multi-factor authentication (MFA) protections.
These artifacts contained an infostealer capable of harvesting environment variables, cloud tokens, and SSH keys from build environments.
The session information referenced by investigators reportedly included session tokens, which can allow unauthorized access to online accounts without requiring passwords.
The threat actor used information-stealing malware between 2024 and 2025 to infect users’ devices and steal browser sessions and account credentials.
Discovery (2 techniques)
Collection (6 techniques)
These artifacts contained an infostealer capable of harvesting environment variables, cloud tokens, and SSH keys from build environments.
Infostealer is a type of malware designed to silently steal credentials from an infected device. That includes passwords, email addresses, usernames, and authentication tokens.
This category of malware is designed to harvest passwords, record keystrokes and even steal session cookies to bypass multi-factor authentication (MFA) on your accounts.
Command and Control (1 technique)
IOCs tracked for this family
480 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
Recent activity
8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Credential-stealing malware used to harvest usernames/passwords (often from browsers or local stores). The stolen credentials were then used to access Snowflake customer instances, particularly where MFA was not enabled.
Infostealer malware is currently being distributed through fake or cracked video game files, targeting gamers to steal credentials, financial information, and personal data.
Infostealer malware is designed to extract sensitive data such as credentials, session cookies, and financial information from infected systems. The stolen data is compiled into 'stealer logs' which are then sold on underground markets. These logs can include credentials for LLM accounts, corporate networks, banking, VPNs, and more.
Infostealers are malware designed to steal sensitive information such as credentials, browser data, and other personal information from infected systems. In this context, they are distributed via fake game cracks and trainers.