Infostealer

In

cybercriminals

.

Infostealers usually consist of a bot framework that allows the attacker to configure the behaviour of the infostealer, and a management panel that takes the form of a server to which the infostealer sends data. Infostealers infiltrate devices through

pirated software

, among other methods. Once downloaded, the infostealers gather sensitive information about the user's device and send the data back to the server.

Infostealers are usually distributed under the malware-

spearphishing campaigns for other cyber-attacks, such as the deployment of ransomware

.

The number of stolen data logs being sold on the Russian Market, a cybercrime forum, has increased significantly since 2022. According to Kaspersky's research in mid-2023, 24% of malware offered as a service are infostealers. In February 2025, SparkCat, the first OCR infostealer, was discovered in the iOS App store.^[1]

Overview

In

command and control server, often known as the management panel or interface.^[2]

The bot framework includes a builder that allows the attacker to configure how the infostealer will behave on a user's computer and what kind of information it will steal. The management interface, usually written in traditional

cloud infrastructure.^[4] The management interface primarily functions as a web server to which the infostealer sends confidential information. The interface also provides the attacker with information about the status of deployed infostealers and allows the attacker to control their behaviour.^[3]

Distribution and use

Infostealers are commonly distributed through the malware-as-a-service (MaaS) model, enabling individuals with varying technical knowledge to deploy these malicious programs. Under this model, three distinct groups typically emerge: developers, malware service providers, and operators. Developers, the most technically skilled, write the infostealer code. Malware service providers purchase licenses for the malware and offer it as a service to other cybercriminals. The operators, who can be developers or service providers themselves depending on their skill level, use these services to perform credential theft.^[2]

Once the malware is purchased, it is spread to target victim machines using various

command-and-control servers, allowing the attacker to steal information from the user's computer. While most infostealers primarily target credentials, some also enable attackers to remotely introduce and execute other malware, such as ransomware, on the victim's computer.^[2]^[6]

Credentials obtained from infostealer attacks are often distributed as logs or credential dumps, typically shared on paste sites like

zombie networks and reputation-boosting operations,^[11] or as springboards for more sophisticated attacks such as scamming businesses, distributing ransomware, or conducting state-sponsored espionage.^[7]^[12] Additionally, some cybercriminals use stolen credentials for social engineering attacks, impersonating the original owner to claim they have been a victim of a crime and soliciting money from the victim's contacts.^[13]^[14] Many buyers of these stolen credentials take precautions to maintain access for longer periods, such as changing passwords and using Tor networks to obscure their locations, which helps avoid detection by services that might otherwise identify and shut down the stolen credentials.^[13]^[14]

Features

An infostealer's primary function is to exfiltrate sensitive information about the victim to an attacker's

remote access trojans and ransomware.^[3]

In 2009, researchers at the

POP3 and FTP protocols. In addition to this, the malware allowed the researchers to define a set of configuration files to specify a list of web injections to perform on a user's computer as well as another configuration file that controlled which web URLs the malware would monitor. Another configuration also allowed the researchers to define a set of rules that could be used to test if additional HTTP requests contained passwords or other sensitive information.^[17]

More recently, in 2020, researchers at the

AZORult infostealer. Amongst the functions discovered by the researchers was a builder, which allowed operators to define what kind of data would be stolen. The researchers also found evidence of plugins that stole a user's browsing history, a customisable regex-based mechanism that allows the attacker to retrieve arbitrary files from a user's computer, a browser password extractor module, a module to extract Skype history, and a module to find and exfiltrate cryptocurrency wallet files.^[15]

The researchers also found that the data most frequently stolen using the AZORult infostealers and sold on the black market could be broadly categorised into three main types: fingerprints, cookies, and resources. Fingerprints consisted of identifiers that were constructed by probing a variety of features made available by the browser. These were not tied to a specific service but were considered to be an accurately unique identifier for a user's browsers. Cookies allowed buyers to hijack a victim's browser session by injecting it into a browser environment. Resources refer to browser-related files found on a user's operating system, such as password storage files.^[18]

Economics and impact

Setting up an infostealer operation has become increasingly accessible due to the proliferation of stealer-as-a-service enterprises, significantly lowering financial and technical barriers. This makes it feasible for even less sophisticated cybercriminals to engage in such activities.

command-and-control server. The primary ongoing cost incurred by these operators is the cost associated with hosting the servers. Based on these calculations, the researchers concluded that the stealer-as-a-service business model is extremely profitable, with many operators achieving profit margins of over 90% with revenues in the high thousands.^[20]

Due to their extreme profitability and accessibility, the number of cybersecurity incidents that involve infostealers has risen.[7] The COVID-19 post-pandemic shift towards remote and hybrid work, where companies give employees access to enterprise services on their home machines, has also been cited as one of the reasons behind the increase in the effectiveness of infostealers.^[7]^[21] In 2023, research by Secureworks discovered that the number of infostealer logs—data exfiltrated from each computer—being sold on the Russian market, the biggest underground market, increased from 2 million to 5 million logs from June 2022 to February 2023.^[21] According to Kaspersky's research in mid-2023, 24% of malware offered as a service are infostealers.^[22]

References

Citations

^ "SparkCat Malware Uses OCR to Extract Crypto Wallet Recovery Phrases from Images". The Hacker News. Retrieved 2025-03-22.
^ ^a ^b ^c Avgetidis et al. 2023, pp. 5308
^ ^a ^b ^c ^d ^e Avgetidis et al. 2023, pp. 5308–5309
^ Avgetidis et al. 2023, pp. 5314, 5319
^ ^a ^b Nurmi, Niemelä & Brumley 2023, p. 1
^ Ryan 2021, p. 76
^ ^a ^b ^c ^d Newman 2024
^ Nurmi, Niemelä & Brumley 2023, p. 2
^ Nurmi, Niemelä & Brumley 2023, p. 6
^ Nurmi, Niemelä & Brumley 2023, p. 7
^ ^a ^b Nurmi, Niemelä & Brumley 2023, p. 8
^ Muncaster 2023
^ ^a ^b Onaolapo, Mariconti & Stringhini 2016, p. 65,70,76
^ ^a ^b Bursztein et al. 2014, p. 353
^ ^a ^b Campobasso & Allodi 2020, pp. 1669
^ Grammatikakis et al. 2021, pp. 121
^ Nicolas & Chien 2009, pp. 3–4
^ Campobasso & Allodi 2020, pp. 1669–1670
^ Avgetidis et al. 2023, p. 5309
^ Avgetidis et al. 2023, p. 5318
^ ^a ^b Hendery 2023
^ Lyons 2024

Sources

Avgetidis, Athanasios; Alrawi, Omar; Valakuzhy, Kevin; Lever, Charles; Burbage, Paul; Keromytis, Angelos D.; Monrose, Fabian; Antonakakis, Manos (2023). "Beyond The Gates: An Empirical Analysis of {HTTP-Managed} Password Stealers and Operators". USENIX Security: 5307–5324.
ISBN 978-1-939133-37-3
.

Bursztein, Elie; Benko, Borbala; Margolis, Daniel; Pietraszek, Tadek; Archer, Andy; Aquino, Allan; Pitsillidis, Andreas; Savage, Stefan (2014-11-05). "Handcrafted Fraud and Extortion: Manual Account Hijacking in the Wild". Proceedings of the 2014 Conference on Internet Measurement Conference. ACM. pp. 347–358.
ISBN 978-1-4503-3213-2
.

Campobasso, Michele; Allodi, Luca (2020-10-30). "Impersonation-as-a-Service: Characterizing the Emerging Criminal Infrastructure for User Impersonation at Scale". Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security. ACM. pp. 1665–1680.
ISBN 978-1-4503-7089-9
.

Grammatikakis, Konstantinos P.; Koufos, Ioannis; Kolokotronis, Nicholas; Vassilakis, Costas; Shiaeles, Stavros (2021-07-26). "Understanding and Mitigating Banking Trojans: From Zeus to Emotet". 2021 IEEE International Conference on Cyber Security and Resilience (CSR). IEEE. pp. 121–128.
ISBN 978-1-6654-0285-9
.

Hendery, Simon (2023-05-17). "Data log thefts explode as infostealers gain popularity with cybercriminals".
SC Magazine. Archived
from the original on 2023-10-17. Retrieved 2024-07-18.

Lyons, Jessica (29 February 2024). "Ransomware gangs are paying attention to infostealers, so why aren't you?". The Register. Archived from the original on 11 September 2024. Retrieved 17 August 2024.
Muncaster, Phil (2023-02-09). "New Info-Stealer Discovered as Russia Prepares for New Offensive". Infosecurity Magazine. Archived from the original on 2024-09-11. Retrieved 2024-08-13.
Newman, Lily Hay (29 July 2024). "How Infostealers Pillaged the World's Passwords". Wired.
ISSN 1059-1028. Archived
from the original on 2024-08-13. Retrieved 2024-08-13.

Nicolas, Falliere; Chien, Eric (2009). "Zeus: King of the Bots" (PDF). Symantec. Archived from the original (PDF) on 2017-01-10.
Nurmi, Juha; Niemelä, Mikko; Brumley, Billy Bob (2023-08-29). "Malware Finances and Operations: A Data-Driven Study of the Value Chain for Infections and Compromised Access". Proceedings of the 18th International Conference on Availability, Reliability and Security. ACM. pp. 1–12.
ISBN 979-8-4007-0772-8
.

Onaolapo, Jeremiah; Mariconti, Enrico; Stringhini, Gianluca (2016-11-14). "What Happens After You Are PWND: Understanding the Use of Leaked Webmail Credentials in the Wild". Proceedings of the 2016 Internet Measurement Conference. ACM. pp. 65–79.
ISBN 978-1-4503-4526-2
.

Ryan, Matthew (2021), Ryan, Matthew (ed.), "Ransomware Case Studies", Ransomware Revolution: The Rise of a Prodigious Cyber Threat, Advances in Information Security, vol. 85, Cham: Springer International Publishing, pp. 65–91,
ISBN 978-3-030-66583-8
, retrieved 2024-08-13

[1] "SparkCat Malware Uses OCR to Extract Crypto Wallet Recovery Phrases from Images". The Hacker News. Retrieved 2025-03-22.

[usenix5308-2] Avgetidis et al. 2023, pp. 5308

[usenix5308-5309-3] Avgetidis et al. 2023, pp. 5308–5309

[4] Avgetidis et al. 2023, pp. 5314, 5319

[finance1-5] Nurmi, Niemelä & Brumley 2023, p. 1

[ryan-6] Ryan 2021, p. 76

[wired-7] Newman 2024

[finance2-8] Nurmi, Niemelä & Brumley 2023, p. 2

[finance6-9] Nurmi, Niemelä & Brumley 2023, p. 6

[finance7-10] Nurmi, Niemelä & Brumley 2023, p. 7

[finance8-11] Nurmi, Niemelä & Brumley 2023, p. 8

[12] Muncaster 2023

[what_happen-13] Onaolapo, Mariconti & Stringhini 2016, p. 65,70,76

[imc353-14] Bursztein et al. 2014, p. 353

[impaas1669-15] Campobasso & Allodi 2020, pp. 1669

[16] Grammatikakis et al. 2021, pp. 121

[symantec-17] Nicolas & Chien 2009, pp. 3–4

[impaas1669-70-18] Campobasso & Allodi 2020, pp. 1669–1670

[usenix5309-19] Avgetidis et al. 2023, p. 5309

[usenix5318-20] Avgetidis et al. 2023, p. 5318

[scmedia-21] Hendery 2023

[register-22] Lyons 2024

[1]

[2]

[4]

[3]

[6]

[11]

[7]

[12]

[13]

[14]

[17]

[15]

[18]

[20]

[21]

[22]

v t e Malware topics
Infectious malware	Comparison of computer viruses Computer virus Computer worm List of computer worms Timeline of computer viruses and worms
Concealment	Backdoor Clickjacking Man-in-the-browser Man-in-the-middle Rootkit Trojan horse Zombie computer
Malware for profit	Adware Botnet Crimeware Fleeceware Form grabbing Fraudulent dialer Infostealer Keystroke logging Malbot Privacy-invasive software Ransomware Rogue security software Scareware Spyware Web threats
By operating system	Android malware Classic Mac OS viruses iOS malware Linux malware MacOS malware Macro virus Mobile malware Palm OS viruses HyperCard viruses
Protection	Anti-keylogger Antivirus software Browser security Data loss prevention software Defensive computing Firewall Internet security Intrusion detection system Mobile security Network security
Countermeasures	Computer and network surveillance Honeypot Operation: Bot Roast

v t e Software distribution
Licenses	Beerware Floating licensing Free and open-source Free Open source Freely redistributable License-free Proprietary Public domain Source-available
Compensation models	Adware Commercial software Retail software Crippleware Crowdfunding Freemium Freeware Pay what you want Careware Donationware Open-core model Postcardware Shareware Nagware Trialware
Delivery methods	Digital distribution File sharing On-premises Pre-installed Product bundling Retail software Sneakernet Software as a service
Deceptive and/or illicit	Unwanted software bundling Malware Infostealer Ransomware Spyware Trojan horse Worm Scareware Shovelware
Software release life cycle	Abandonware End-of-life Long-term support Software maintenance Software maintainer Software publisher Vaporware list
Copy protection	Digital rights management Software protection dongle License manager Product activation Product key Software copyright Software license server Software patent Torrent poisoning

v t e Information security
Related security categories	Computer security Automotive security Cybercrime Cybersex trafficking Computer fraud Cybergeddon Cyberterrorism Cyberwarfare Electronic warfare Information warfare Internet security Mobile security Network security Copy protection Digital rights management	Threats	Adware Advanced persistent threat Arbitrary code execution Backdoors Bombs Fork Logic Time Zip Hardware backdoors Code injection Crimeware Cross-site scripting Cross-site leaks DOM clobbering History sniffing Cryptojacking Botnets Data breach Drive-by download Browser Helper Objects Viruses Data scraping Denial-of-service attack Eavesdropping Email fraud Email spoofing Exploits Fraudulent dialers Hacktivism Infostealer Insecure direct object reference Keystroke loggers Malware Payload Phishing Voice Polymorphic engine Privilege escalation Ransomware Rootkits Scareware Shellcode Spamming Social engineering Spyware Software bugs Trojan horses Hardware Trojans Remote access trojans Vulnerability Web shells Wiper Worms SQL injection Rogue security software Zombie
Defenses	Application security Secure coding Secure by default Secure by design Misuse case Computer access control Authentication Multi-factor authentication Authorization Computer security software Antivirus software Security-focused operating system Data-centric security Software obfuscation Data masking Encryption Firewall Intrusion detection system Host-based intrusion detection system (HIDS) Anomaly detection Information security management Information risk management Security information and event management (SIEM) Runtime application self-protection Site isolation