Infostealers Are Not “Just Another Malware”: They Are the New Black Gold of Cybercrime.

Infostealers are not simply another malware family; they are the new “black gold” of cybercrime.
They are the driving force behind ransomware campaigns, financial fraud, identity theft, and initial network access operations—often months after the original infection.

From Silent Infection to Breach

Information stealers—commonly referred to as infostealers—are malware designed to unlawfully collect data from compromised devices and transmit it to infrastructure controlled by threat actors.
The stolen data is packaged into so-called stealer logs: bundles of credentials, cookies, files, and configuration data that feed a structured criminal economy in which malware developers are not necessarily the same actors who ultimately leverage the data to target enterprises and public administrations.

Typical targets include:

  • Credentials for online banking, social media, email accounts, VPN, and FTP access
  • Browser and session data (history, cookies, tokens, extensions)
  • Financial information (cards, accounts) and cryptocurrency wallets
  • Personal data and clipboard contents
  • Sensitive documents and files (PDFs, Office documents, images, intellectual property), along with hardware, software, and installed security solution details

The result marks a qualitative leap compared to “traditional” malware: the compromise is no longer limited to a single machine but extends to the entire trust perimeter associated with a user’s digital identities—both personal and professional.

Threat Landscape in Numbers: The ACN Assessment

The ACN report “Infostealer – Threat Characteristics and Recommendations” portrays a threat that has become structural.
In 2023 alone, infostealers are estimated to have compromised approximately 500 million devices, generating over 2 billion logs distributed across the criminal ecosystem.

Looking ahead to 2025, within the Italian context, the malware families most responsible for credential exfiltration are:

Family             Role in the Italian context, 2025
LummaC2            Primary source of exfiltrated credentials from Italian entities
RedLine Stealer    Second in volume of stolen credentials in Italy
DcRat              Among the top infostealers impacting Italian credentials
StealC             Active in both national and international contexts
Vidar Stealer      Among the most active families targeting Italian users

Globally, in 2025, the most “profitable” infostealers in terms of compromised credentials include LummaC2, RedLine Stealer, Arkei Stealer, StealC, and Raccoon Stealer.
The ecosystem is broad, but certain names recur consistently in logs involving Italian users and organizations.

How an Infostealer Enters the Enterprise

One of the key messages of the ACN report is that infostealers rely on extremely common vectors, fully aligned with users’ and employees’ digital habits.

Primary Initial Access Vectors:

Phishing

The dominant vector: emails impersonating banks, cloud services, or enterprise tools, containing malicious attachments (PDFs, macro-enabled Office documents, HTML files) or links to compromised websites.
Large-scale campaigns leverage botnets to maximize volume, while spearphishing delivers highly personalized messages targeting key roles, supply chains, and trusted contacts.

Drive-by compromise and malvertising

Simply visiting a compromised website may trigger background execution of infostealer code.
Techniques such as malvertising (malicious ads purchased through legitimate ad networks) and SEO poisoning (pushing malicious sites to the top of search engine results) shift part of the risk from “clicking an attachment” to merely “browsing an apparently trustworthy site.”

Counterfeit software and unofficial downloads

Pirated software, cracking tools, video games, and “free trials” of paid applications provide ideal distribution channels.

While this channel is particularly effective against consumer users, the harvested logs ultimately end up in marketplaces where actors seeking enterprise access can purchase them.

The Blind Spot: A Case Study

A CSIRT Italy case study illustrates the issue clearly: a research institution is hit by ransomware, resulting in encrypted servers and clients and service disruption.
Effective backups limit data loss—but a critical question remains: how did the attacker obtain the employee’s VPN credentials used as the entry point?

The investigation reveals:

  1. The corporate workstation shows no evidence of infostealer infection or phishing compromise.
  2. Weeks later, the VPN credentials appear within a log package of a well-known infostealer, first sold and later released publicly.
  3. The employee’s personal laptop — occasionally used for VPN access — had been infected approximately six months earlier.

The chain is straightforward:
Consumer-grade infostealer → VPN credential theft → sale on criminal market → purchase by ransomware group → compromise of research institution.
Malware distributors and ransomware operators are distinct actors, connected by the value of stolen logs.

Behind the Scenes: MaaS, Log Markets, and Initial Access Brokers

Infostealers are not just code—they represent a business model.
The ACN report describes an ecosystem structured around Malware-as-a-Service (MaaS), where competencies and responsibilities are distributed along the value chain.

ECOSYSTEM ACTORS:

  • MaaS developers and operators
    Offer monthly subscriptions (typically $50–$250) including access to the infostealer, command-and-control infrastructure, technical support, and dashboards for log analysis.
    Variants targeting less common operating systems (e.g., macOS) are often more expensive, reflecting lower availability of high-quality malware for those platforms.
  • Log markets
    • Centralized marketplaces: aggregate massive volumes of logs with filters by country, ISP, malware family, and collection date.
    • Decentralized marketplaces: messaging-platform-based channels offering subscription access ($100–$500/month) and private cloud links.
      Low-value or “squeezed” logs may be released for free to build reputation and visibility.
  • Initial Access Brokers (IABs)
    Purchase logs in bulk, extract high-value access (corporate VPNs, admin panels, financial services), verify validity, and sometimes deploy persistence mechanisms.
    They then resell access—often to ransomware operators—at significantly higher prices, potentially reaching thousands of dollars per single infrastructure.

For organizations, this means corporate credentials may circulate and change criminal hands long before an incident is detected within the internal perimeter.

ACN Recommendations: Strengthening Resilience

ACN provides differentiated recommendations for individuals and organizations, calibrated by cybersecurity maturity level.

Priorities for Individuals

  • Enable MFA wherever possible (email, social media, banking, VPN) to mitigate credential reuse from stolen logs.
  • Install and maintain updated security solutions on all devices.
  • Download software exclusively from official sources.
  • Use encrypted password managers instead of browser autofill.
  • Keep operating systems and applications up to date to reduce drive-by exploit exposure.

For advanced users: shorten session cookie duration and adopt explicit logout practices.

Priorities for Organizations

For companies – and for a vendor like Gyala – it makes sense to think in terms of “baseline” + “progressive hardening”.

  • Baseline
    • Mandatory MFA for all internet-exposed services, particularly VPN and privileged accounts.
    • Structured password policies and timely deprovisioning.
    • Continuous training on phishing and safe downloads.
    • Network and endpoint log monitoring with anomaly detection capabilities for exfiltration indicators.
  • Intermediate Maturity
    • Strict enforcement of least privilege and separation of admin accounts.
    • Email protection controls (SPF, DKIM, DMARC, attachment sandboxing).
    • Restrictions on execution from temporary directories and monitoring of PowerShell/script usage.
    • Deployment of EDR and behavioral detection tools targeting collection and exfiltration patterns.
  • Advanced Maturity
    • Certificate-based authentication for critical access.
    • Cyber Threat Intelligence capabilities to identify corporate credentials circulating in infostealer log markets.
    • Closure of unnecessary ports and protocols (RDP, Telnet, Microsoft RPC, FTP) to limit post-access escalation opportunities.
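As an added example (not code from the ACN report or from Gyala), the following Python sketch shows the check that the CSIRT case study and the “Cyber Threat Intelligence” recommendation above both call for: matching a stealer-log bundle against corporate identities and deciding the response by comparing the log’s collection date with each account’s last password rotation. The domain, VPN host, account names, rotation dates and log contents are all constructed for the example.

```python
from collections import namedtuple
from datetime import date
from typing import List, Optional
from urllib.parse import urlparse

CORPORATE_DOMAIN = "example-research.it"  # hypothetical institution from the case study

# Constructed stealer-log bundle: the metadata markets filter on (family, collection
# date) plus credential lines in a "url|username|password" shape.
SAMPLE_LOG = {
    "family": "LummaC2",
    "collected": date(2025, 3, 2),
    "entries": [
        "https://vpn.example-research.it/login|m.rossi@example-research.it|Spring2024!",
        "https://shop.example.com/account|m.rossi@gmail.com|hunter2",
        "https://mail.example-research.it/owa|a.bianchi|Passw0rd",
    ],
}
# Hypothetical directory data: last password rotation per corporate account.
LAST_ROTATION = {"m.rossi": date(2024, 11, 15), "a.bianchi": date(2025, 4, 1)}

Exposure = namedtuple("Exposure", "account host family password_still_current")

def _corporate_account(url: str, user: str) -> Optional[str]:
    """Local account name if the URL host or the username is in the corporate domain."""
    host = urlparse(url).hostname or ""
    if host == CORPORATE_DOMAIN or host.endswith("." + CORPORATE_DOMAIN) or user.endswith("@" + CORPORATE_DOMAIN):
        return user.split("@", 1)[0]
    return None

def find_exposures(log: dict) -> List[Exposure]:
    """Flag log entries that expose corporate identities; the password itself is discarded."""
    found = []
    for line in log["entries"]:
        url, user, _ = line.split("|", 2)
        account = _corporate_account(url, user)
        if account is None:
            continue
        rotated = LAST_ROTATION.get(account)  # unknown account: assume the password is live
        still_current = rotated is None or rotated <= log["collected"]
        found.append(Exposure(account, urlparse(url).hostname or "", log["family"], still_current))
    return found

def response_actions(exp: Exposure) -> List[str]:
    """Stolen cookies justify session revocation either way; a password rotated
    before the log was collected is presumed still valid and must be reset."""
    acts = ["revoke_sessions", "verify_mfa_enrolled"]
    if exp.password_still_current:
        acts.insert(0, "force_password_reset")
    return acts
```

The personal Gmail entry is ignored because neither its host nor its username belongs to the corporate domain, while the VPN entry is flagged as live because the password was last rotated before the log was collected.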

How Gyala Can Support You

The threat landscape outlined by ACN highlights a critical reality: in many cases, the true “patient zero” is not a zero-day exploit, but rather a combination of poor digital hygiene, unsecured personal devices, and lack of visibility into logs circulating within the criminal ecosystem.

  • Integrate endpoint, network, identity, and threat intelligence telemetry in order to detect infostealer-specific patterns before they evolve into ransomware incidents.
  • Define and enforce automated policies and targeted controls, with explicit focus on credential theft and session hijacking.
  • Continuously monitor lateral movement and anomalous behavior deviating from the expected baseline of users or services, enabling immediate containment and response.