The Rise of Infostealers - The new threat for companies

Cybersecurity Insights by Markus Seme, April 22, 2025


In the ever-changing cyber threat landscape, new attack vectors continue to emerge. Among them, infostealers are no longer a passing trend: they have become one of the most efficient and lucrative forms of cybercrime. While ransomware once dominated headlines, cybercriminals are now increasingly focused on stealing credentials and sensitive information to resell on darknet marketplaces or reuse in targeted attacks.

Why are infostealers seeing such a sharp rise right now? Who is being targeted? And to what extent is operational technology (OT) security affected as well?

Definition of Infostealers

What are Infostealers and how do they work?

Infostealers are a specialized form of malware designed to extract sensitive data without being detected. While traditional viruses often aim to destroy or manipulate data, infostealers focus on collecting as much valuable information as possible and passing it on to criminals. The most commonly stolen data includes:

  • User credentials (passwords, session tokens, cloud access)
  • Browser data (saved forms, autofill data, cookies)
  • Financial information (credit card data, online banking access)
  • System and network details (IP addresses, VPN logins)
  • Crypto wallets and authentication tokens

Why are stolen session tokens so dangerous?

Infostealers don't always need to steal passwords. Many companies use multi-factor authentication (MFA), but a session token stolen from a browser or application is proof of an authentication that has already completed, so presenting it gives attackers direct access without triggering an additional MFA prompt.

How are Infostealers spread?

They are distributed through various methods, including:

  • Phishing emails with malicious attachments or links
  • Malvertising (malicious ads) that redirect users to infected sites
  • Trojanized software downloads, often via illegal crack sites or fake updates
  • Infostealer-as-a-Service (IaaS) - where criminals can rent popular stealers like "RedLine" or "Lumma" for just a few hundred dollars

As soon as a system is infected, the collected data is automatically sent to C2 (Command & Control) servers and often sold on the Darknet within a few minutes.

Why are infostealers a rapidly growing trend?

For years, ransomware attacks dominated the cyber threat landscape — but since 2024, there has been a significant shift toward infostealers. Why is this happening?

Breaking up large botnet infrastructures

  • Targeted law enforcement actions against large malware networks such as TrickBot and QakBot have forced cybercriminals to rethink.
  • Infostealers are easier to operate than ransomware or botnets, don't require complex infrastructure and are harder to trace.

Increasing use of remote work & BYOD (Bring Your Own Device)

  • 70% of infected devices are private end devices, not company-owned systems.
  • Companies often lack full control over the security status of these devices, which means stolen access data can be used without restriction in attacks.

Darknet marketplaces for stolen credentials are booming

  • There is a huge demand for stolen logins for Microsoft 365, VPNs and cloud accounts.
  • Initial access brokers (IABs) sell this data to ransomware groups or industrial spies.

Are OT systems affected?

As OT security is one of our focal points, it's especially relevant to examine how each cyber threat affects the OT environment. Operational technology (OT) is increasingly at risk, as many industrial control systems (ICS) now rely on cloud connectivity and remote access.

Potential problems in the OT environment therefore include the following:

  • Infostealers stealing VPN credentials used for OT maintenance.
  • Session hijacking enabling attackers to gain unauthorized access to critical control systems.
  • Poorly secured administrator accounts in production environments, significantly increasing overall risk.

Protective measures against Infostealers

What can companies do to better protect themselves against infostealers?

  1. Implement zero trust architecture – No direct access without MFA and strict network controls.
  2. Session monitoring & token validation – Compromised session cookies must be detected quickly.
  3. Stronger control of BYOD devices – Monitor or isolate private endpoints used for business access.
  4. Regular threat intelligence & darknet monitoring – Identify if company data is being circulated or sold.
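One way to implement the session monitoring and token validation called for in point 2, and to catch the token replay described in the MFA section above: an added example, not code from the article or from BearingPoint. It assumes a server-side session store and uses a deliberately coarse client fingerprint (first three IPv4 octets plus User-Agent) as a constructed heuristic; a post-MFA token presented from a different context is revoked rather than honoured.

```python
"""Bind a post-MFA session token to the client context that earned it, and
revoke it when it is replayed from a different network or browser."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    fingerprint: str   # hash of the client context at issue time
    issued_at: float   # epoch seconds


def fingerprint(ip: str, user_agent: str) -> str:
    """Coarse context: /24 network + User-Agent (constructed heuristic)."""
    net = ".".join(ip.split(".")[:3])
    return hashlib.sha256(f"{net}|{user_agent}".encode()).hexdigest()


class SessionStore:
    def __init__(self) -> None:
        self._sessions: dict[str, Session] = {}

    def issue(self, user: str, ip: str, user_agent: str, now: float) -> str:
        """Called only after MFA has completed; returns an opaque token."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, fingerprint(ip, user_agent), now)
        return token

    def validate(self, token: str, ip: str, user_agent: str, now: float,
                 max_age: float = 8 * 3600) -> tuple[bool, str]:
        """Returns (accepted, reason). Any failure revokes the token."""
        s = self._sessions.get(token)
        if s is None:
            return False, "unknown token"
        if now - s.issued_at > max_age:
            self.revoke(token)
            return False, "expired"
        if not hmac.compare_digest(s.fingerprint, fingerprint(ip, user_agent)):
            # The token is being replayed from a context other than the one
            # that completed MFA: treat it as stolen and force re-auth.
            self.revoke(token)
            return False, "context mismatch: session revoked, re-authentication required"
        return True, "ok"

    def revoke(self, token: str) -> None:
        self._sessions.pop(token, None)
```

In production the fingerprint should also take into account device posture or token binding where the client supports it, and every revocation should be written to the SIEM as a session-hijack indicator.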

Conclusion: Infostealers are the first step toward a corporate breach

Infostealers are evolving from a niche threat into one of the most dangerous cyber risks of 2025. Instead of laboriously breaking into networks, ransomware groups increasingly purchase stolen credentials on darknet marketplaces. The theft of session tokens is particularly critical, as it allows attackers to bypass traditional security mechanisms such as passwords and multi-factor authentication.

About the author

Markus Seme is Managing Director of BearingPoint Austria and part of the management of BearingPoint Products. With over 15 years of experience at BearingPoint, he focuses on cybersecurity, digital resilience, and innovative security solutions. He supports companies in defending against current and emerging cyber threats.
