A ‘significant increase’ in infostealer malware attacks left 3.9 billion credentials exposed to cyber criminals last year – and experts worry this is a ticking time bomb for enterprises
The threat of infostealer malware is on the rise, with 4.3 million machines infected last year alone
Researchers have warned that billions of credentials exposed to cyber criminals were sourced from infostealer logs last year – and it's created a ticking time bomb for enterprises as hackers begin cracking systems.
KELA Cyber Threat Intelligence’s State of Cybercrime 2024 report singled out infostealers as a persistent threat that usually serve as “precursors to advanced attacks, including ransomware and espionage”.
The firm said it observed more than 4.3 million machines around the world that had been infected with infostealer malware, such as Lumma stealer or RedLine, in 2024.
It estimated that this would account for more than 330 million credentials compromised using infostealers, which it said was slightly higher than the figures from 2023.
KELA warned that these credentials could be leveraged in future attacks that could balloon into “massive extortion campaigns”, citing the string of attacks leveraging compromised Snowflake credentials throughout 2024 that impacted at least 165 different companies.
In addition to the 330 million credentials KELA identified, the report said it also observed 3.9 billion credentials shared in the form of credential lists. These credential lists, commonly referred to as url:login:pass (ULP) files by threat actors, are compilations of data obtained during attacks.
These could be credentials harvested from a diverse range of sources, such as third-party breaches or phishing, but the report claimed that most ULP files are sourced from infostealer logs.
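The url:login:pass (ULP) format described above is simple enough that a defender can triage a leaked list for their own exposure without ever handing plaintext to an analyst. The script below is an added example, not KELA's tooling or anything from the report: the monitored domains and the ULP lines are constructed, and the parsing rule (a URL of the form scheme://host[:port][/path], then a login without colons, then everything remaining as the password) is an assumption about how such files are laid out. It flags a line when either the service host belongs to a monitored domain or an e-mail style login on a monitored domain was reused on a third-party site, which is the Snowflake-style reuse scenario the report warns about.

```python
"""
Triage a ULP (url:login:pass) credential list against a set of monitored
corporate domains. Added example; the domains and sample lines are constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# URL (scheme://host[:port][/path]) : login : password. Path and login must
# not contain ':'; the password may, because it takes the remainder (assumption).
ULP_LINE = re.compile(
    r"^(?P<url>[A-Za-z][A-Za-z0-9+.-]*://[^/:\s]+(?::\d+)?(?:/[^:]*)?)"
    r":(?P<login>[^:]*):(?P<password>.*)$"
)

# Constructed domains to watch; a real run would use the organisation's own.
MONITORED_DOMAINS = {"example.com", "corp.example"}

# Constructed sample ULP content: a port, a password containing ':', a
# mobile-app pseudo-URL, and one junk line that must be skipped.
SAMPLE_ULP = """\
https://mail.example.com/login:alice@example.com:Winter2024!
https://vpn.corp.example:8443/:bob:hunter2
https://saas.thirdparty.test/:carol@example.com:p@ss:word
android://com.bank.app/:dave:secret
not a ulp line
https://shop.unrelated.test/account:eve:pw
"""


@dataclass(frozen=True)
class Record:
    url: str
    host: str
    login: str
    password: str


def parse_ulp_line(line: str) -> Optional[Record]:
    """Parse one ULP line; return None for lines that do not fit the format."""
    m = ULP_LINE.match(line.strip())
    if not m:
        return None
    url = m.group("url")
    host = (urlsplit(url).hostname or "").lower()  # strips port, lowercases
    return Record(url, host, m.group("login"), m.group("password"))


def in_scope(name: str, domains: set[str]) -> bool:
    """True if name equals a monitored domain or is a subdomain of one."""
    name = name.lower()
    return any(name == d or name.endswith("." + d) for d in domains)


def login_domain(login: str) -> str:
    """Domain part of an e-mail style login, or '' for bare usernames."""
    return login.rsplit("@", 1)[1].lower() if "@" in login else ""


def mask(password: str) -> str:
    """Keep only the first character so analysts never see the plaintext."""
    return password[:1] + "*" * (len(password) - 1)


def triage(text: str, domains: set[str]) -> dict:
    """Split a ULP dump into in-scope exposures plus counts for reporting."""
    parsed, exposed, skipped = [], [], 0
    for raw in text.splitlines():
        if not raw.strip():
            continue
        rec = parse_ulp_line(raw)
        if rec is None:
            skipped += 1  # malformed or non-ULP line
            continue
        parsed.append(rec)
        # Exposure if the service is ours, or a corporate identity (login
        # e-mail on a monitored domain) was reused on a third-party site.
        if in_scope(rec.host, domains) or in_scope(login_domain(rec.login), domains):
            exposed.append(rec)
    return {
        "parsed": len(parsed),
        "skipped": skipped,
        "exposed": exposed,
        "by_host": Counter(r.host for r in exposed),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_ULP, MONITORED_DOMAINS)
    print(f"parsed={result['parsed']} skipped={result['skipped']} "
          f"exposed={len(result['exposed'])}")
    for r in result["exposed"]:
        print(f"  {r.host:<22} {r.login:<20} {mask(r.password)}  "
              f"-> force reset, revoke sessions")
```

On the constructed sample this reports five parsed lines, one skipped, and three exposures (two on monitored hosts, one corporate e-mail reused on a third-party service); the `by_host` counter is what you would feed into a reset-and-revoke ticket per service rather than per user.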
Lumma remains the most popular infostealer malware strain according to KELA, and was responsible for 40.48% of the infected machines in its data lake.
Other top offenders were StealC (20.29%) and RedLine (16.43%), which KELA noted had been disrupted in October 2024 as part of Operation Magnus.
India, Brazil, and Indonesia were the top three most affected nations, accounting for 20.12% of bots infected by infostealer malware in 2024.
KELA also highlighted the sensitive services most commonly targeted using these compromised credentials, with the most frequently attacked being business cloud solutions (22.02%), CMS (21.19%), email (13.85%), and user authentication systems (11.5%).
How to protect yourself against infostealer threats
According to Huntress’ 2025 Cyber Threat Report, infostealers accounted for nearly a quarter (24%) of all cyber incidents in 2024, making it the most common threat category of the year.
Speaking to ITPro, Jaron Bradley, director of Jamf Threat Labs at Jamf, said infostealer campaigns are on the rise, with evidence suggesting they are a particularly effective tactic used by threat actors.
“There has been a significant increase in Infostealer campaigns, and they have proven highly effective, even on macOS. These stealers are designed to target specific locations on the user's hard drive, seeking critical files such as usernames, passwords, browser session data, cryptocurrency wallets, documents, and more.”
Bradley added that the initial stages of infostealer campaigns require actions from the victim, so by improving overall security awareness businesses can mitigate some of the threat they pose to their organization.
“Users should be cautious about opening software sent by strangers, particularly if it comes with unusual instructions, such as right-clicking or adjusting settings,” he explained.
“For these infostealers to fully succeed, they also require the victim's login password, which is typically obtained by simply prompting the user with a popup window. Users should always question why an application would need their login credentials before willingly providing them.”
As well as investing in improving company-wide security awareness, KELA suggested a number of additional countermeasures businesses can take to protect themselves.
These include deploying enhanced endpoint detection and response (EDR) solutions that use behavior-based analysis rather than solely signature-based methods to detect and isolate infostealer activity in real time.
Improved email security is also essential in preventing phishing attempts, which are the primary delivery method for infostealers, the report added.
Finally, network segmentation is another important defense layer used to limit lateral movement once the attacker is inside your perimeter and stop them from accessing critical systems and sensitive data.
Solomon Klappholz is a former staff writer for ITPro and ChannelPro. He has experience writing about the technologies that facilitate industrial manufacturing, which led to him developing a particular interest in cybersecurity, IT regulation, industrial infrastructure applications, and machine learning.