"Infostealers" have transformed from niche threats into the backbone of modern cybercrime, fueling a $4.88 million average breach cost in 2024. In this article we synthesize the latest threat intelligence to expose critical inaccuracies in mainstream cybersecurity narratives and provide evidence-based defenses against these stealthy data predators.
The New Anatomy of Infostealers
Infostealers are advanced malware engineered to covertly harvest credentials, financial data, and session cookies. Unlike traditional malware, they prioritize stealth over disruption, operating undetected for months. Modern variants like Lumma Stealer exemplify this evolution — written in C++/ASM with LLVM obfuscation, they evade decompilers and execute via syscalls to bypass security hooks.
Critical corrections to common misconceptions:
- Beyond Keyloggers: While keylogging persists, modern stealers use form grabbing, clipboard hijacking, and browser session theft to capture pre-encrypted data and session tokens.
- MFA Bypass Capabilities: Stolen cookies enable session hijacking, nullifying multifactor authentication (MFA). The HellCat ransomware group exploited this in 2025 breaches at Jaguar Land Rover and Telefónica.
- Antivirus Evasion: 88% of infected devices had updated antivirus software (Kaspersky, Norton, etc.), proving traditional signatures are insufficient against human-enabled execution.
Infection Vectors: Beyond Phishing
While phishing delivers 84% of infostealers (per IBM), attackers now leverage multi-vector strategies:
- Malvertising: Poisoned Google Ads for queries like "Notepad++ download" redirect to cloned sites delivering Lumma Stealer.
- EtherHiding: Malicious JavaScript hosted on Binance Smart Chain retrieves payloads from blockchain, evading domain-blocking.
- Trojanized Software: Pirated apps (e.g., Photoshop cracks) bundle silent installers.
- ClickFix Social Engineering: Fake CAPTCHA lures prompt users to paste malicious commands into Windows Run, deploying infostealers directly in memory.
For example, in April 2025, a Canadian phishing campaign used invoice lures to funnel victims through Prometheus TDS, ultimately executing Lumma Stealer via PowerShell memory injection.
The Dark Web Economy
The infostealer supply chain operates on a Malware-as-a-Service (MaaS) model with three tiers:
- Developers (e.g., Storm-2477 for Lumma)
- Service Providers (reselling access)
- Operators (running campaigns)
Stolen Data Pricing on Russian Market Forums:

| Data Type | Price Range | Buyer Use Case |
|---|---|---|
| Social Media Logins | $10–$50 | Impersonation scams |
| Banking Credentials | $50–$200+ | Fraudulent transfers |
| Full Identity ("Fullz") | $100–$500 | Loan fraud, identity theft |
| Corporate Email Access | $200–$1,000+ | Ransomware deployment |
Real-World Impact: 2025 Breach Analysis
Infostealers enable 54% of ransomware attacks. Notable 2025 incidents:
- Jaguar Land Rover: The HellCat ransomware group, using stolen Jira credentials from infostealers, breached Jaguar Land Rover, leaking proprietary documents and employee data. A second hacker, "APTS," exploited 2021 infostealer credentials to exfiltrate 350GB more, showing the cascading risks of unmonitored credentials.
- Royal Mail: Threat actor "GHNA" leaked 144GB of Royal Mail data, including customer PII and Mailchimp mailing lists, via a 2021 infostealer infection at Spectos. AI-driven analysis of the 16,549 files amplified the threat, enabling targeted phishing.
- Samsung Tickets: A hacker, "GHNA," leaked 270,000 customer tickets from Samsung Germany, sourced from a third-party provider, Spectos, via a 2021 infostealer infection. The free data dump exposed sensitive customer information, highlighting the longevity of stolen credentials.
The AI Factor: Amplifying Infostealer Threats
Generative artificial intelligence (GenAI) is transforming the infostealer landscape by enabling attackers to scale and refine their operations. The IBM X-Force Threat Intelligence Index 2025 observes, "Threat actors are using AI to build websites and incorporate deepfakes in phishing attacks," as well as to craft phishing emails and malicious code, making campaigns more efficient and harder to detect. The Verizon 2025 DBIR highlights risks from GenAI platforms, noting, "15% of employees were routinely accessing GenAI systems on their corporate devices," often using non-corporate emails or bypassing authentication, creating new vulnerabilities.
Security analysts have demonstrated that AI could analyze 7.19GB of Orange breach data in minutes, flagging payment details and SSO credentials for weaponization.
Defense Framework: Beyond Basic Hygiene
Prevention Strategies
- Remove Local Admin Access: Prevent the installation of unauthorized software by removing local admin access for all users.
- Restrict Browser Add-ons: Limit browser add-ons to reduce vulnerabilities and enhance security.
- Session Token Limits: Reduce token validity periods to hours, not weeks, to shrink attack windows.
- Password Policy Enforcement: Block browser password storage — the #1 infostealer target. Mandate enterprise password managers instead.
- DNS-layer filtering: Filter at the DNS layer to block drive-by sites and malvertising, using on-box, router, cloud and EDR/XDR filtering where available. Quad9 is a free service run by IBM.
- Patch fast, patch right: If your browser, Java runtime, or VPN client is 30 days out of date, you are gift-wrapping credentials.
Detection and Response
- EDR with Behavioral Analysis: Detect infostealers through endpoint monitoring that flags malicious behaviour (such as mass reads of browser credential stores or in-memory PowerShell execution) rather than relying on signatures alone.
- Dark Web Monitoring: Use expert services to proactively scan the dark web for stolen credentials and alert immediately, before a breach occurs.
- Identity Threat Detection: Actively scan for and flag anomalous logins that use infostealer-sold credentials or replayed session cookies.
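The two controls that counter stolen-cookie session hijacking, short token lifetimes and detection of anomalous session use, can be checked with a few lines of logic over an access log. The following Python is an added example, not code from the article or any vendor it cites; the session store, the access events and the `Session` schema are constructed for illustration.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Session:
    """A session issued after a successful MFA login (constructed schema)."""
    token: str
    issued: datetime
    ip: str             # client that completed MFA
    user_agent: str
    max_age: timedelta  # server-side validity window

# Constructed session store: one short-lived session, one issued with a weeks-long lifetime.
SESSIONS = {
    "s-1001": Session("s-1001", datetime(2025, 5, 6, 9, 0), "203.0.113.10",
                      "Chrome/124 Windows", timedelta(hours=8)),
    "s-1002": Session("s-1002", datetime(2025, 4, 30, 8, 0), "198.51.100.7",
                      "Firefox/125 macOS", timedelta(days=14)),
}
# Constructed access log: (timestamp, token, client IP, user agent).
EVENTS = [
    (datetime(2025, 5, 6, 10, 15), "s-1001", "203.0.113.10", "Chrome/124 Windows"),  # owner
    (datetime(2025, 5, 6, 10, 20), "s-1001", "192.0.2.55", "Chrome/120 Linux"),      # replayed cookie
    (datetime(2025, 5, 6, 11, 0), "s-1002", "198.51.100.7", "Firefox/125 macOS"),    # day 6 of 14
    (datetime(2025, 5, 6, 18, 30), "s-1001", "203.0.113.10", "Chrome/124 Windows"),  # past 8 h
    (datetime(2025, 5, 6, 18, 31), "s-9999", "203.0.113.10", "Chrome/124 Windows"),  # never issued
]

def evaluate(event, sessions):
    """Findings for one request; an empty list means the session is honoured."""
    ts, token, ip, ua = event
    s = sessions.get(token)
    if s is None:
        return ["unknown_token"]
    findings = []
    if ts - s.issued > s.max_age:
        findings.append("expired")          # token outlived its validity window
    if ip != s.ip or ua != s.user_agent:
        findings.append("client_mismatch")  # cookie presented from a different client
    return findings

def triage(events, sessions):
    """token -> findings; a client_mismatch on a token its owner still uses is the stolen-cookie pattern."""
    report = {}
    for ev in events:
        for f in evaluate(ev, sessions):
            report.setdefault(ev[1], set()).add(f)
    return report

def cap_lifetimes(sessions, cap_hours):
    """Apply a shorter validity policy (in hours) to every existing session."""
    cap = timedelta(hours=cap_hours)
    return {t: replace(s, max_age=min(s.max_age, cap)) for t, s in sessions.items()}
```

Running `triage(EVENTS, SESSIONS)` flags only the replayed and expired uses of `s-1001` plus the unknown token; re-running it over `cap_lifetimes(SESSIONS, 8)` also flags the 14-day session, showing how an hours-long policy shrinks the window a stolen cookie stays useful.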
Organizational Policies
- BYOD Segmentation: Isolate personal devices from core networks — 70% of infections originate here.
- Phishing Simulations: Train staff to identify SEO-poisoned links and invoice lures.
- Automated Patching: Prioritize browser/OS updates — unpatched vulnerabilities enable 32% of drive-by downloads.
Conclusion: The Indispensable Threat
Infostealers represent a serious threat in the cybersecurity landscape, capable of causing significant damage to individuals and organizations alike. By understanding how these malicious programs operate and implementing robust security measures, it is possible to reduce the risk of falling victim to an infostealer attack. Ankura's experts further note that dark web monitoring enhances protection by identifying and addressing threats early, helping organizations break the cyberattack kill chain, before a breach occurs.
References:
- Info Stealers Exposed: The Silent Threat Stealing Your Data. https://www.infostealers.com/article/info-stealers-exposed-the-silent-threat-stealing-your-data/
- Active Lumma Stealer Campaign Impacting U.S. SLTTs. https://www.cisecurity.org/insights/blog/active-lumma-stealer-campaign-impacting-us-sltts
- What is Dark Web Monitoring? Benefits & Risks (SentinelOne). https://www.sentinelone.com/cybersecurity-101/threat-intelligence/dark-web-monitoring/
- What Is Dark Web Monitoring? Features and Benefits (Fortinet). https://www.fortinet.com/resources/cyberglossary/dark-web-monitoring
- Info Stealers | Red Canary Threat Detection Report. https://redcanary.com/threat-detection-report/trends/info-stealers/
- The 2025 Malware Protection Guide. https://www.superfast-it.com/articles/the-2025-malware-protection-guide
- Dark Web Monitoring: Key CISO Strategies For 2025 (Cyble). https://cyble.com/knowledge-hub/dark-web-monitoring-strategies-cisos-2025/
- Infostealers on the Rise: A New Wave of Major Data Breaches (Constella Intelligence). https://constella.ai/infostealers-on-the-rise-a-new-wave-of-major-data-breaches/
- Quad9: An open DNS recursive service for free security and high privacy. https://quad9.net/