Snowflake Case: A Key Showroom of the Resurgence of InfoStealers

What Exactly Are InfoStealers?

InfoStealers are a type of malware specifically designed to extract sensitive information from infected systems. Mandiant categorizes these tools as a broad class of malware capable of stealing confidential data, but excludes variants intended solely for mass data collection or basic system information retrieval. Essentially, not all malware that gathers data qualifies: infoStealers are focused on the targeted theft of valuable information, above all credentials.

Although the phenomenon isn’t new, recent reports suggest that infoStealers are experiencing a resurgence. This trend is highlighted by Mandiant’s incident response engagements in 2024. The increased frequency indicates that threat actors are revisiting and intensifying their use of these tools, making them a significant concern for organizations worldwide.

This uptick correlates with a rise in the use of stolen credentials. Notably, compromised login details served as the initial point of access in 16% of incidents handled last year, a noticeable increase from 10% in 2023 and 14% in 2022. These breaches are often short-lived, but they cause considerable damage during their brief window of activity.

The Snowflake Incident: A Prime Example of InfoStealer Usage

Mandiant has identified a hacking operation, designated UNC5537, that exemplifies the capabilities of modern infoStealers. Starting in April 2024, this group orchestrated multiple breaches by gaining access to Snowflake cloud instances. It achieved this primarily through stolen login credentials harvested by various infoStealer malware families, including Lumma, Metastealer, Raccoon Stealer, Redline, Risepro, and Vidar. These malware variants had infected the devices of employees or contractors of the targeted organizations, and the credentials they captured let the attackers log in to the corporate cloud instances as legitimate users.

The threat actors then attempted to extort some victims directly and also sold stolen data and access credentials on cybercriminal forums. The oldest compromised credential traced back to a breach in November 2020, highlighting how long stolen credentials remain exploitable when they are never rotated.
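The defensive lesson of the UNC5537 campaign is that a credential captured by an infostealer stays usable until it is rotated, however old the theft. The following triage script is an added example, not code from the original article or from Mandiant: it cross-references a cloud platform’s login history against a list of credentials known to have appeared in stealer logs and flags every successful login that used a credential after it was stolen and before the account’s password was next changed. The login-event schema, the stealer-log exposure list and the rotation dates are all constructed for the illustration; a real deployment would populate them from the platform’s login history and from a stealer-log intelligence feed.

```python
"""Added example (not part of the original article or Mandiant's report):
flag successful cloud logins that used a credential known to be in an
infostealer log and not yet rotated at the time of the login.
All data in this file is constructed for illustration."""

from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class StolenCredential:
    """A username seen in a stealer-log dump, when it was captured, and the family."""
    user: str
    stolen_at: datetime
    family: str


@dataclass(frozen=True)
class LoginEvent:
    """One authentication event from a cloud platform's login history (constructed schema)."""
    user: str
    timestamp: datetime
    success: bool
    client_ip: str


def ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp as UTC."""
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


# Constructed exposure list, as a SOC might assemble it from stealer-log feeds.
STOLEN = [
    StolenCredential("alice@corp.example", ts("2020-11-03T08:00:00"), "Raccoon Stealer"),
    StolenCredential("bob@corp.example", ts("2024-03-20T13:45:00"), "Lumma"),
]

# Constructed last-password-rotation dates. Alice's password predates the theft,
# so the stolen secret is still valid years later.
LAST_ROTATION = {
    "alice@corp.example": ts("2019-06-01T00:00:00"),
    "bob@corp.example": ts("2024-04-02T09:00:00"),
    "carol@corp.example": ts("2024-01-15T00:00:00"),
}

# Constructed login history (documentation-range IPs).
LOGINS = [
    LoginEvent("alice@corp.example", ts("2024-04-14T02:10:00"), False, "203.0.113.7"),
    LoginEvent("alice@corp.example", ts("2024-04-14T02:12:00"), True, "203.0.113.7"),
    LoginEvent("bob@corp.example", ts("2024-03-25T11:00:00"), True, "198.51.100.9"),
    LoginEvent("bob@corp.example", ts("2024-04-05T10:00:00"), True, "198.51.100.9"),
    LoginEvent("carol@corp.example", ts("2024-04-14T09:00:00"), True, "192.0.2.33"),
]


def exposed_logins(logins, stolen, last_rotation):
    """Return successful logins made with a credential that was stolen and
    had not been rotated since the theft at the time of the login."""
    stolen_by_user = {cred.user: cred for cred in stolen}
    hits = []
    for event in logins:
        if not event.success:
            continue  # failed attempts are noise for this particular check
        cred = stolen_by_user.get(event.user)
        if cred is None or event.timestamp < cred.stolen_at:
            continue  # user not in any stealer log, or login predates the theft
        rotated_at = last_rotation.get(event.user)
        if rotated_at is not None and rotated_at > cred.stolen_at and event.timestamp >= rotated_at:
            continue  # password was changed after the theft; the stolen secret no longer works
        hits.append(event)
    return hits


def credential_age_days(cred, at):
    """Days between the theft of a credential and a later moment (e.g. a login)."""
    return (at - cred.stolen_at).days


if __name__ == "__main__":
    stolen_by_user = {cred.user: cred for cred in STOLEN}
    for event in exposed_logins(LOGINS, STOLEN, LAST_ROTATION):
        cred = stolen_by_user[event.user]
        print(f"{event.timestamp.isoformat()} {event.user} from {event.client_ip}: "
              f"credential captured by {cred.family} "
              f"{credential_age_days(cred, event.timestamp)} days earlier, never rotated")
```

Run as a script it lists two exposed logins: Alice’s, using a credential stolen more than three years earlier, and Bob’s first login, made before his April rotation; Bob’s later login is not flagged because the password changed in between. The point of the rotation check is that a stealer-log match alone is not evidence of compromise; a match on a credential that was never rotated after the theft is.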

In the realm of infoStealer operations, Mandiant also points to the threat actor known as Triplestrength. Active since 2023, this group mines cryptocurrency inside cloud environments it enters with stolen credentials and session cookies. Its focus on exploiting cloud resources underscores the diversity of threats enabled by infoStealers, which extend beyond data theft to resource hijacking and other malicious activities.

Stolen credentials continue to be the most common initial access vector after exploits, involved in 16% of incidents last year, up six points from the previous year. Phishing accounts for 14%, down three points. Exploits remain the dominant entry method, representing 33% of incidents, despite decreasing by five points. Internal threats are still relatively minor, at around 5%, but are becoming more frequent, especially because of campaigns in which North Korea seeks to place its citizens on the cybersecurity teams of Western companies.

In the EMEA (Europe, Middle East, Africa) region, stolen credentials are less prevalent as the initial intrusion method. Brute-force attacks are more common there, at 10%, with phishing accounting for 15% and exploits for 39%. These regional differences reflect varying attacker preferences and threat landscapes across different parts of the world.

Dawn Liphardt

I'm Dawn Liphardt, the founder and lead writer of this publication. With a background in philosophy and a deep interest in the social impact of technology, I started this platform to explore how innovation shapes — and sometimes disrupts — the world we live in. My work focuses on critical, human-centered storytelling at the frontier of artificial intelligence and emerging tech.