The most prominent infostealers and how businesses can protect against them
What are the most prominent infostealers of 2025, how is the malware evolving, and how can you protect your business?
As malware continues to evolve, infostealers are increasingly providing adversaries with the credentials they need to perform devastating cyber-attacks.
You don’t have to look far to find examples: intrusions at Schneider Electric and Telefonica were also perpetrated using credentials stolen via infostealers.
Attacks using infostealers often precede other breaches such as ransomware. 54% of ransomware victims’ credentials first appeared in infostealer dumps, according to Verizon’s 2025 Data Breach Investigations Report.
In September, cybersecurity researchers at Proofpoint issued a warning over a significant rise in the use of Stealerium malware used to harvest sensitive data from victims worldwide. The infostealer can exfiltrate a wide range of data, from browser credentials and crypto wallets to Wi-Fi profiles and VPN configurations.
Apart from Stealerium, what are the most prominent infostealers of 2025 – and how can leaders protect their businesses as new strains continue to evolve?
Lumma Stealer
Perhaps the most famous infostealer, and certainly the most active, is Lumma Stealer. Attacks involving Lumma Stealer still occur four times more often than those involving the prominent stealer Rhadamanthys and eight times more often than those involving Vidar, says Spence Hutchinson, staff threat intelligence researcher at eSentire TRU.
Lumma, which is attributed to a malware author called Shamel, is found for sale on Russian-speaking crime forums and has been distributed since at least July 2024 via GitHub networks such as the Stargazers Ghost Network.
Microsoft Threat Intelligence has noted that Lumma Stealer uses multi-vector delivery methods for attacks.
“Its operators demonstrate resourcefulness and proficiency in impersonation tactics,” the researchers wrote in May.
“The Lumma Stealer distribution infrastructure is flexible and adaptable. Operators continually refine their techniques, rotating malicious domains, exploiting ad networks, and leveraging legitimate cloud services to evade detection and maintain operational continuity.”
In May, Lumma Stealer was disrupted by a joint US-EU-Japanese law enforcement action that took down infrastructure used to host deployments. After that, the software re-emerged with added stealthy malware processes to avoid detection.
The malware now includes capabilities such as AMSI bypass, process hollowing, code flow obfuscation, encrypted command and control communications, persistence via registry modifications, and DLL sideloading, Daniel dos Santos, senior director, head of research at Forescout tells IT Pro.
Rhadamanthys
First seen in 2022, Rhadamanthys is a complex, multi-modular malware sold on the underground market. The malware is thought to have been created by experienced developers, and has been used in ClickFix campaigns in 2025.
Its latest release, v0.9.2, comes with “significant updates that may impact detection”, according to an October report by Check Point Research.
In November, Europol severely disrupted Rhadamanthys operations – alongside those of the VenomRAT remote access Trojan and Elysium botnet – in a new stage of Operation Endgame.
RisePro
Also available as a malware-as-a-service (MaaS) offering, RisePro targets Windows operating systems. “It deploys a number of defence evasion techniques to remain undetected, including obfuscating command and control activity to exfiltrate data,” warns Calum Baird, digital forensics and incident response consultant at Systal Technology Solutions.
Kaspersky tracked it as a highly significant driver of infostealer attacks, with its share of total infections rising from 1.4% in 2023 to 23% in 2024.
Vidar
The Vidar infostealer targets personal information and cryptocurrency wallet details stored on devices. In 2022, Check Point Research tracked it as a strain used to target Zoom users and in 2023, attackers were using the malware in a Google Ads malvertising campaign.
It utilizes an “interesting method” for command and control, using social media platforms such as Telegram and Mastodon as infrastructure, according to Baird.
“Vidar samples have also been found to contain null bytes, inflating size in an attempt to evade antivirus detection,” he adds.
StealC
StealC infostealer has been sold since 2023, with version 2 released in March 2025. Additions to the new version include a command and control protocol encrypted with RC4 and updated payload delivery options via MSI packages and PowerShell, says dos Santos.
This update has made StealC “more evasive and adaptable” than previous versions, increasing the threat it poses, Baird adds.
Gremlin Stealer
One of the biggest threats to watch is Gremlin Stealer, a known variant of Sharp Stealer, according to Anna Chung, principal researcher EMEA, Unit 42 at Palo Alto Networks. “It exfiltrates data from its victims and uploads this information to its dedicated web server for publication, which is part of the purchasable malware infrastructure.”
The malware can bypass modern browser defenses such as Chrome's cookie protection to steal browser data including cookies, passwords, credit cards and autofill forms from Chromium and Gecko-based clients.
But it doesn’t just stop at browsers: Gremlin targets FTP and VPN credentials, Discord tokens, Telegram session data, and popular cryptocurrency wallets, alongside general system information, screenshots and clipboard data.
DarkCloud Stealer
DarkCloud Stealer is primarily distributed through email phishing campaigns, often using obfuscated archive files to evade initial detection, says Chung. Once executed, it can steal a wide range of sensitive data, including host and user details, screenshots, contacts, stored credentials such as usernames and passwords, credit card details, email client credentials and FTP client access data.
“In recent months, we’ve seen the DarkCloud infostealer specifically targeting government organizations, which is concerning given the range of data they possess,” says Chung.
Infostealers in the future
Infostealers are stepping up their game with obfuscation, making them harder to detect and analyze. David Sancho, senior threat researcher at Trend Micro, predicts that infostealers will evolve to use more intelligent methods for collecting data, enabling them to identify which information on a victim’s computer is “most monetizable”.
On the attacker backends, AI-enhanced programs are likely to play “a growing role in analysing the vast amounts of data collected”, Sancho adds. “These systems could sift through stolen information to identify high-value assets, such as domain credentials from large enterprises, rather than less valuable data from personal devices.”
Responding to the threat
Infostealers are a growing threat to all firms but once you are aware of how they operate, steps can be taken to help mitigate them.
It’s important to note that infostealers are “simply a type of malware payload”, and the methods they use to infiltrate corporate networks are “varied and don’t follow a consistent pattern”, says Sancho.
Entry points include phishing emails or compromised websites offering “seemingly harmless” software downloads, he says. While keeping antivirus software up to date can help defend against these threats, the most effective protection is implementing multi-factor authentication (MFA), Sancho advises. “MFA ensures that even if attackers obtain valid credentials, they still require a second form of verification, typically a mobile device, to access corporate systems.”
Sancho also recommends using an external encrypted credentials repository, “so that the infostealer will not find any memorized passwords on the browser”.
At the same time, experts recommend conducting regular phishing and security awareness training exercises. “Especially those that train against browser-based attacks, including current social engineering tactics,” says Hutchinson.
One helpful action is to disable some of the common commands used to carry out ClickFix-style attacks – which often lead to Lumma Stealer or other infostealers being downloaded, says Hutchinson.
As part of this, he advises removing the “Run” prompt from the Start Menu using Windows Group Policy Objects and disabling Wscript, using AppLocker or a Windows Defender GPO. “Disabling Run for all users is probably the main way to prevent ClickFix – since it tricks the user into opening up Run and pasting in a command copied to their clipboard.”
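The two controls Hutchinson describes map to registry-backed policy values, and a quick way to both apply them and audit for drift is shown below. This is an added example, not from the article or from eSentire; it assumes an elevated Windows PowerShell session, uses the NoRun value that the “Remove Run menu from Start Menu” GPO writes, and disables Windows Script Host through its Settings\Enabled value as an alternative to the AppLocker route the article mentions.

```powershell
# Added example (not the article's own): apply and audit the ClickFix
# mitigations described above. Assumes an elevated session on Windows.
#Requires -RunAsAdministrator

# Policy written by the "Remove Run menu from Start Menu" GPO for the
# interactive user. NoRun=1 also disables the Win+R shortcut.
$RunPolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Windows Script Host: Enabled=0 stops wscript.exe/cscript.exe from running
# .vbs/.js scripts machine-wide. An absent value means the default (enabled).
$WshKey = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'

function Set-ClickFixMitigations {
    foreach ($key in @($RunPolicyKey, $WshKey)) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    New-ItemProperty -Path $RunPolicyKey -Name 'NoRun' -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $WshKey -Name 'Enabled' -PropertyType DWord -Value 0 -Force | Out-Null
}

function Get-ClickFixMitigationState {
    # One object per control, so the output can feed a compliance report.
    $noRun = (Get-ItemProperty -Path $RunPolicyKey -Name 'NoRun' -ErrorAction SilentlyContinue).NoRun
    $wsh   = (Get-ItemProperty -Path $WshKey -Name 'Enabled' -ErrorAction SilentlyContinue).Enabled

    [PSCustomObject]@{
        Control   = 'Run prompt removed (NoRun=1)'
        Compliant = ($noRun -eq 1)
        Actual    = $noRun
    }
    [PSCustomObject]@{
        Control   = 'Windows Script Host disabled (Enabled=0)'
        Compliant = ($wsh -eq 0)
        Actual    = $wsh
    }
}

Set-ClickFixMitigations
Get-ClickFixMitigationState | Format-Table -AutoSize
```

Because the NoRun value lives under HKCU, it only covers the current user when set locally; deploying the same policy through a domain GPO is what applies it to every user, as the article recommends.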
Kate O'Flaherty is a freelance journalist with well over a decade's experience covering cyber security and privacy for publications including Wired, Forbes, the Guardian, the Observer, Infosecurity Magazine and the Times. Within cyber security and privacy, her specialist areas include critical national infrastructure security, cyber warfare, application security and regulation in the UK and the US amid increasing data collection by big tech firms such as Facebook and Google. You can follow Kate on Twitter.