Stealing the Show: Top 5 Infostealer Trends


As IT technologies and services have expanded over the past two decades, infostealers have likewise evolved to maximize collection potential, take advantage of increased complexity, and evade improved defenses. The rise of remote work since 2020 has further expanded organizations' attack surfaces, incentivizing infostealer craftsmanship and increasing their circulation across the dark web. The ubiquity and sophistication of modern infostealers require closer inspection by both defenders and users in organizations across all verticals.

2022 marked an unprecedented year for infostealer development and availability, representing a shift in threat actor use cases and the arrival of several new infostealer families. Ransomware groups in particular are more frequently leveraging infostealers such as Vidar[1], KPOT[2], and others to gain initial access.

To help you stay better informed on this evolving threat, we compiled our list of top 5 infostealer trends that have been observed in ransomware attacks and business email compromise.

1.     Strong demand for infostealer botnet logs

Threat actors known as Initial Access Brokers (IABs) are selling infostealer malware, malware-as-a-service subscriptions, and the resulting botnet logs through dark web marketplaces and private transactions at an increasing rate. The low cost and ease of use of infostealers, together with their wide availability, have made them pervasive in recent years.

Figure 1: Rhadamanthys Stealer Dark Web Advertisement, Source: ZeroFox Threat Intelligence

The lucrative sale of victim credential dumps and other data harvested by infostealers has remained prevalent across the dark web and covert communication channels.

The high-profile Uber hack in September 2022 serves as a prime example of the risk organizations face. In mid-September, screenshots were posted to Twitter showing that a threat actor had infiltrated Uber's internal IT environment. Security researchers' analysis of the file tray items in the SentinelOne screenshots led to the finding that access was achieved through the purchase of infostealer logs posted to the dark web.[3] The LOGID* zip files in Figures 2 and 3 were found to have first been posted in marketplaces between September 12 and 14, 2022, with the hack occurring on September 15, 2022.

Figure 2: Uber Hack – SentinelOne Screenshot, Source: vx-underground Twitter post
Figure 3: Attributed Infostealer Log Files
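What a defender does with a purchased or leaked log bundle is mostly triage: which of the thousands of lines belong to our organization, and which accounts must be reset. The script below is an added example, not ZeroFox's tooling, and illustrates the first recommendation at the end of this post (scanning leaked data for organization-owned credentials). The Passwords.txt it parses is constructed here in the loose URL/USER/PASS block layout that many stealer families emit; real files differ by family and version, and CORP_DOMAINS is an assumed list of the organization's own domains.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Assumption: the organization's own domains (constructed for this example).
CORP_DOMAINS = {"example.com"}

# Constructed Passwords.txt in the loose URL/USER/PASS block layout that many
# stealer families emit. Real logs differ by family and version; none of these
# accounts or passwords are real.
SAMPLE_PASSWORDS_TXT = """\
URL: https://okta.example.com/login
USER: alice@example.com
PASS: Winter2023!
===============
URL: https://www.facebook.com/
USER: alice.personal
PASS: hunter2
===============
URL: https://vpn.example.com/+CSCOE+/logon.html
USER: bjones
PASS: Summer2022#
===============
URL: https://shop.example-retailer.net/account
USER: bjones@example.com
PASS: Summer2022#
===============
URL: https://github.com/login
USER: bjones@example.com
PASS: ghp-not-a-real-token
"""

FIELD_RE = re.compile(r"^(URL|USER|PASS):\s*(.*)$")


def parse_stealer_log(text):
    """Return {url, user, pass} dicts from the block layout above."""
    records, cur = [], {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            cur[m.group(1).lower()] = m.group(2).strip()
        elif line.startswith("===") and cur:
            records.append(cur)
            cur = {}
    if cur:
        records.append(cur)
    return records


def is_corp_host(host):
    """Exact or subdomain match against CORP_DOMAINS (example.com.evil.net is not ours)."""
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in CORP_DOMAINS)


def triage(text):
    """Classify each record; return the reset list and password-reuse groups."""
    records = parse_stealer_log(text)
    corp_creds, by_password = [], defaultdict(set)
    for r in records:
        host = urlparse(r.get("url", "")).hostname
        user = r.get("user", "")
        user_domain = user.rsplit("@", 1)[-1].lower() if "@" in user else ""
        # A corporate identity on a third-party site is still our exposure.
        corp_site = is_corp_host(host)
        corp_identity = user_domain in CORP_DOMAINS
        r["scope"] = "corp" if corp_site or corp_identity else "personal"
        if r["scope"] == "corp":
            corp_creds.append(r)
        if r.get("pass"):
            by_password[r["pass"]].add(host)
    # Report reuse as host groups, never the plaintext, so the triage output
    # does not itself become a credential dump.
    reuse = sorted(sorted(h for h in hosts if h)
                   for hosts in by_password.values() if len(hosts) > 1)
    must_reset = sorted({(r["user"], urlparse(r["url"]).hostname) for r in corp_creds})
    return {"records": len(records), "must_reset": must_reset, "password_reuse": reuse}


if __name__ == "__main__":
    result = triage(SAMPLE_PASSWORDS_TXT)
    print(f"{result['records']} records parsed")
    for user, host in result["must_reset"]:
        print(f"reset: {user} @ {host}")
    for group in result["password_reuse"]:
        print("same password on:", ", ".join(group))
```

Two details matter in practice: a corporate identity used on a third-party site is still a corporate exposure (it is exactly what business email compromise crews pivot from), and a password shared between a corporate VPN and a personal shop means the reset must cover more than the one host where the log was matched.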

2.     Targeting multi-factor authentication (MFA)

In response to MFA becoming more widely deployed in corporate environments, infostealers such as Rhadamanthys and Erbium Stealer (both first observed in 2022) were built to specifically target browser session tokens. A session cookie is issued after MFA has already succeeded, so whoever replays it is not challenged again; this is what lets stolen tokens bypass certain MFA safeguards. The development has made larger, high-value targets easier to compromise.

How it works:

Figure 4: MFA Bypass Flow

CircleCI, a company specializing in popular CI/CD solutions, released an incident report on January 13, 2023 illustrating the inherent dangers of MFA bypass. In this case, an employee’s laptop became infected with infostealer malware that stole the user’s browser session tokens. Although the company had MFA in place, threat actors were able to use the cookies to access internal applications and steal CircleCI customer data.[4]

When responding to malware infections such as infostealers, security teams commonly perform the following process to remediate the threat:

  1. Identify the malware-infected device
  2. Isolate the user and device from the network
  3. Reimage the user’s device

This approach leaves two key gaps: it does not account for the credentials and session tokens the threat actor already holds, which remain valid after the device is reimaged, and it does not establish how the infostealer got onto the device in the first place.
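To make the flow in Figure 4 and the remediation gap concrete, here is an added example (not ZeroFox's, CircleCI's or Uber's code) of the two things the three-step playbook misses. It runs over constructed JSON access-log lines: a session cookie that passed MFA from one client reappears from a different IP and User-Agent, which is the only application-side signal of a replayed cookie since the stolen bytes are identical to the victim's, and the response revokes every session of that user rather than reimaging the host alone. Field names such as sid and the mfa_ok event are assumptions for this example.

```python
import json
from collections import defaultdict

# Constructed JSON access-log lines; not CircleCI or Uber telemetry. "sid" is
# the session cookie value the application sees on each request.
SAMPLE_LOG = """\
{"ts":"2023-01-04T09:00:01Z","sid":"a1f9","user":"alice","ip":"203.0.113.10","ua":"Chrome/109 Windows","event":"mfa_ok"}
{"ts":"2023-01-04T09:05:12Z","sid":"a1f9","user":"alice","ip":"203.0.113.10","ua":"Chrome/109 Windows","event":"page_view"}
{"ts":"2023-01-04T13:41:50Z","sid":"a1f9","user":"alice","ip":"198.51.100.77","ua":"Chrome/108 Linux","event":"page_view"}
{"ts":"2023-01-04T13:42:03Z","sid":"a1f9","user":"alice","ip":"198.51.100.77","ua":"Chrome/108 Linux","event":"secrets_export"}
{"ts":"2023-01-04T10:00:00Z","sid":"77c2","user":"bob","ip":"192.0.2.5","ua":"Firefox/108 macOS","event":"mfa_ok"}
{"ts":"2023-01-04T10:30:00Z","sid":"77c2","user":"bob","ip":"192.0.2.5","ua":"Firefox/108 macOS","event":"page_view"}
"""


def parse_log(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_replayed_sessions(events):
    """Group requests by session cookie. The client that completed MFA
    ("mfa_ok") is the session's origin; any request carrying the same cookie
    from a different IP + User-Agent pair is a replay candidate."""
    by_sid = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_sid[e["sid"]].append(e)
    findings = {}
    for sid, evs in by_sid.items():
        origin = next(((e["ip"], e["ua"]) for e in evs if e["event"] == "mfa_ok"), None)
        if origin is None:
            continue  # cookie with no MFA record at all: deserves its own alert
        foreign = [e for e in evs if (e["ip"], e["ua"]) != origin]
        if foreign:
            findings[sid] = {
                "user": evs[0]["user"],
                "origin": origin,
                "foreign_clients": sorted({(e["ip"], e["ua"]) for e in foreign}),
                "foreign_events": [e["event"] for e in foreign],
            }
    return findings


class SessionStore:
    """Minimal server-side session table. Revoking by user, not by cookie,
    closes the playbook gap: every cookie the stealer took dies, including
    the ones the attacker has not replayed yet."""

    def __init__(self):
        self.live = {}  # sid -> user

    def issue(self, sid, user):
        self.live[sid] = user

    def is_valid(self, sid):
        return sid in self.live

    def revoke_user(self, user):
        doomed = [sid for sid, u in self.live.items() if u == user]
        for sid in doomed:
            del self.live[sid]
        return len(doomed)


def respond(log_text, store):
    """Detection followed by containment: revoke every session of each user
    whose cookie was seen from a foreign client. Returns the findings and the
    number of sessions killed per user."""
    findings = find_replayed_sessions(parse_log(log_text))
    revoked = {}
    for f in findings.values():
        revoked[f["user"]] = store.revoke_user(f["user"])
    return findings, revoked


if __name__ == "__main__":
    store = SessionStore()
    for sid, user in [("a1f9", "alice"), ("b0b0", "alice"), ("77c2", "bob")]:
        store.issue(sid, user)
    findings, revoked = respond(SAMPLE_LOG, store)
    print(json.dumps(findings, indent=2))
    print("revoked:", revoked, "| a1f9 still valid:", store.is_valid("a1f9"))
```

Binding a session to raw IP and User-Agent produces false positives for users on mobile networks or VPNs, so in production the same check is better driven by a device-bound session or a richer client fingerprint. When SSO is involved, revocation has to happen at the identity provider as well; killing sessions only in the downstream application leaves the stolen IdP cookie usable against every other integrated service.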

3.     Targeting email

Alongside MFA bypass, threat actors have found email-focused theft to be another reliable and highly profitable route into high-value organizations. StrelaStealer, recently discovered by DCSO CyTec[5], exists solely to steal email credentials. Its development and propagation mark a departure from the traditional infostealer functions, such as theft of browser credentials and clipboard data, and reflect the sharp increase in cyberattacks targeting email platforms.

4.      Malicious search engine advertisements

As organizations have become more adept at defending against traditional malware delivery methods, threat actors have developed new ways to deceive victims and disseminate payloads. The SANS Internet Storm Center and the FBI recently published reports[6] of an uptick in adversaries impersonating legitimate brands and software through paid search engine advertisements and search engine optimization (SEO) poisoning (see Fig. 5), redirecting users who searched for the genuine product to infostealer downloads[7].

How it works

Figure 5: Malicious Search Engine Advertisement Flow
Figure 6: Search Engine Advertisement Promoting Fake Software

5.     Updated infostealer payloads

Packaging infostealer payloads inside trojanized software has long been a successful method for threat actors to obtain initial access to systems and organizations. A study conducted by Tidal Cyber found that a more recent trend is to impersonate the legitimate software organizations use to conduct business, particularly the remote-access and messaging tools that remote and hybrid workforces depend on.[8]

Rhadamanthys Stealer, released in July 2022, has been observed propagating through a combination of malicious search engine advertisements and impersonation of legitimate software. The threat actors behind the infostealer created search engine advertisements posing as official download sites for brands such as AnyDesk, Zoom, and Notepad++ to lure victims, and used crafted payloads and lookalike domain registrations to further establish legitimacy.

Organizations can mitigate the threat of infostealers and other malware by implementing a robust security strategy based on ZeroFox’s recommendations below.

  • Perform on-going scans of deep and dark web data sources to help detect stolen credentials and sensitive data. Organization-owned data and credentials identified during deep and dark web scans should be reviewed for further evidence of threat actor use on the dark web.
  • Invalidate the user’s sessions to limit stolen cookies from being used to access the affected application. If SSO is involved, all SSO sessions for the user should be invalidated and reviewed individually for signs of unauthorized activity.
  • Require the user to reset their password and implement MFA if it wasn’t already required.
  • Identify how the information stealer came to be on the system. Review the login history for the affected user and identify any unauthorized access.
  • Implement phishing-resistant MFA where supported.
  • Remediate the information stealer along with any other malware and persistence mechanisms identified during the investigation.
  • Utilize domain protection services to receive notifications when potentially malicious or lookalike domains are registered, to prevent domain spoofing. Domain protection not only provides timely alerts but also expedites domain takedown efforts and helps prevent security incidents.
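Both the search-ad lures in sections 4 and 5 and the domain-protection recommendation above come down to spotting registered domains that imitate a brand. The following is an added example, not ZeroFox's domain protection service, of a scoring heuristic: reduce the registrable domain to its first label, undo common visual substitutions, and compare against a brand list. The brand list, its official domains and the candidate domains are constructed; no real advertisement or registration data is used.

```python
# Assumption: the brands the organization cares about, mapped to their
# official registrable domains (constructed list; extend for your estate).
BRANDS = {
    "anydesk": {"anydesk.com"},
    "zoom": {"zoom.us", "zoom.com"},
    "notepadplusplus": {"notepad-plus-plus.org"},
}

# Visual substitutions commonly seen in lookalike registrations.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def registrable(domain: str) -> str:
    """Last two labels. A production tool would use the Public Suffix List."""
    parts = domain.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def normalize(label: str) -> str:
    """Lowercase, drop separators, undo homoglyph tricks (z00m -> zoom, zoorn -> zoom)."""
    label = label.lower().replace("-", "").replace("_", "")
    for bad, good in HOMOGLYPHS:
        label = label.replace(bad, good)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance, for catching one-keystroke typos of the brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str):
    """Return (brand, verdict); verdict is 'official', 'lookalike:<reason>' or None."""
    reg = registrable(domain)
    label = normalize(reg.split(".")[0])
    for brand, official in BRANDS.items():
        if reg in official:
            return brand, "official"          # subdomains of the real site are fine
        if label == brand:
            return brand, "lookalike:exact-brand-unofficial-domain"
        if brand in label:
            return brand, "lookalike:brand-plus-extra-tokens"  # anydesk-download
        if levenshtein(label, brand) <= 1:
            return brand, "lookalike:one-edit-from-brand"
    return None, None


def triage(domains):
    """Return the candidates that look like brand impersonation."""
    flagged = []
    for d in domains:
        brand, verdict = classify(d)
        if verdict and verdict != "official":
            flagged.append((d, brand, verdict))
    return flagged


# Constructed candidate list, as would come from a newly-registered-domain feed
# or the landing URLs behind sponsored search results. No real ad data.
CANDIDATES = [
    "anydesk.com", "download.anydesk.com", "anydesk-download.com", "any-desk.net",
    "zoom.us", "zoorn.us", "z00m-meeting.com", "zom.us",
    "notepad-plus-plus.org", "notepadplusplus-download.com", "example.com",
]

if __name__ == "__main__":
    for d, brand, verdict in triage(CANDIDATES):
        print(f"{d:32} -> {brand:16} {verdict}")
```

Substring matching is deliberately noisy (zoomerang.com would be flagged, and the rn-to-m rule turns "modern" into "modem"), and the two-label registrable() ignores the Public Suffix List, so treat hits as candidates to enrich with registration date, certificate issuance and what the landing page actually serves before requesting a takedown.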

Experiencing an incident or looking to protect your organization from an infostealer attack? Contact ZeroFox today by emailing us at [email protected], calling our hotline at 1-866-936-9369, or filling out our online form at
