
From Browser to Breach: The Infostealer Epidemic Enabling Scattered Spider

In 2024, infostealer malware quietly fueled some of the most devastating breaches in cybersecurity—including attacks on Snowflake and MGM Resorts—rendering multimillion-dollar identity investments nearly useless within minutes. Over 4.3 million devices were infected, and 2.1 billion credentials were stolen, giving threat actors budget-friendly dark web access to critical corporate environments and bypassing even MFA protections.

Executive Summary

Infostealers represent a seismic shift: unlike ransomware, these malicious tools operate silently, harvesting credentials, cookies, and personal data from everyday browser sessions.

For CISOs, the implications are urgent. Infostealers don't just precede ransomware—they enable it, providing attackers with frictionless access to business applications and financial systems. Traditional security controls (endpoint protection, MFA, identity governance) are failing to detect and block these threats.

This post—the first in a three-part series—offers a critical overview of the infostealer epidemic, why current defenses fall short, and immediate actions security leaders can take to mitigate the risk. Future installments will dive deeper into the access trust gaps and solutions to strengthen workforce and browser security. To dive into a custom assessment of your environment’s ability to see and block infostealers, connect with our team at Neon Cyber.

The Infostealer Epidemic

A CISO’s nightmare scenario isn't a zero-day. It’s the realization that their company’s $10 million investment in multifactor authentication (MFA) and identity governance is being rendered moot by a $100 piece of malware.

The impact of Snowflake’s 2024 breach exemplifies this risk: more than 165 organizations compromised from this single campaign. This attack began not with sophisticated zero-days or nation-state exploits, but with stolen credentials quietly harvested by infostealer malware.

While headlines have pushed security teams to focus on ransomware defenses, zero-trust architecture, and the latest compliance frameworks, a silent epidemic is undermining most security controls. Kela Security’s research showed that infostealer malware infected 4.3 million devices, stole 2.1 billion credentials, and enabled 24% of all cyber incidents—including the most high-profile attacks over the last two years.

Here's the uncomfortable truth: Your employees' credentials are likely already circulating on dark web marketplaces. For just a couple hundred dollars, threat actors from opportunistic amateurs to more organized cybercriminals like Scattered Spider can purchase authenticated access to your environment—bypassing every authentication control you've invested in.

The statistics are staggering:

This is the grim reality of the Infostealer Epidemic. Malware is no longer just looking for files to encrypt or exfiltrate; it’s looking for the “digital keys” to your kingdom, and threat actors know that they can get access via the one tool every employee uses every day: the browser.

This is the first blog post in a three-part series examining how the infostealer attack chain works, why traditional security controls are failing to stop it, and what organizations can do differently.

The Business Model Behind the Infostealer Epidemic

The Economics of Democratized Cybercrime

Traditional ransomware required operational sophistication. Attackers needed technical skills, infrastructure, and the ability to execute complex, targeted campaigns. It was high-touch, resource-intensive, and limited to skilled threat actors.

Then Ransomware-as-a-Service (RaaS) came onto the scene in the 2010s and enabled non-sophisticated or amateur threat actors to deploy ransomware. Affiliate programs and threat actor support/help desks only drove further adoption of RaaS and, subsequently, successful ransomware attacks.

Infostealer malware is the next step in this evolution to democratize cybercrime. Unlike ransomware, infostealer malware is not intended to exfiltrate and encrypt data for payment. For the most part, infostealer malware is intended to be quiet, quick, and focused on stealing identity attributes (e.g., credentials and session tokens).

The infostealer ecosystem today operates on volume and velocity. Malware-as-a-Service (MaaS) platforms sell sophisticated credential theft tools for $250-300 per month. Attackers deploy them broadly through phishing, malvertising, and software supply chain compromises. Within minutes of infection, stolen data gets packaged as "logs" and distributed across dark web marketplaces.

The marketplace is staggering. Logs containing corporate credentials sell for $3-10. Premium logs—those with clear indicators of admin access, financial system credentials, or Fortune 500 domains—command higher prices but remain accessible to virtually any attacker with a modest budget. These marketplaces feature searchable databases organized by company, industry, and role. And they update daily with fresh infections.

With 4.3 million devices infected in 2024, even if only 0.1% of those infections provided enterprise access, that's 4,300 potential entry points flooding the criminal marketplace every month.

Why Infostealers Are Fundamentally Different

Infostealers are invisible to users. There's no ransomware note, no locked files, no obvious indicator that anything happened. Employees continue working normally while their browser data—passwords, cookies, session tokens, autofill information—gets silently exfiltrated.

Infostealers are invisible to traditional security like AV and EDR/XDR—and thus, also invisible to security teams. Research from SpyCloud confirmed that 54% of devices infected with infostealers had antivirus or EDR installed and active during the infection. Traditional endpoint security simply can’t detect these threats because infostealers use legitimate browser processes, execute in under 60 seconds, and exfiltrate data through encrypted channels that appear as normal web traffic.

Infostealers don’t need to persist—they’ve already gotten what they want. Unlike ransomware, the malware doesn’t need to persist in your environment. Even after you’ve detected and cleaned an infection, credentials have already been harvested, sold, resold, and potentially tested against your systems.

Infostealers enable everything else. Infostealers are one step towards a larger objective—they're the supply chain feeding ransomware operations, business email compromise (BEC), data exfiltration campaigns, and account takeover attacks. They're taking advantage of that initial access to make everything else possible.

How Browsers Became Ground Zero

So how did we get to this point? It started with the explosion of cloud and SaaS in the 2000s, which, in many ways, forced the browser to evolve. Browsers moved from being a simple tool for viewing web pages into the primary interface for modern work. And that makes it the richest target in enterprise security.

In the past 10-15 years, browsers have rapidly developed beyond a mere interface to the internet. They now have their own native languages and protocols to enable complex SaaS applications (just think of Microsoft O365, where you can use Word or Excel online versus running a program on your computer.)

Browsers have also added features to store critical information for usability, including:

  • Password managers: Users typically save dozens to hundreds of credentials in the browser for both work and personal applications.

  • Authentication cookies: Browsers store session tokens that help maintain logged-in states across applications—including the post-MFA authenticated session.

  • Autofill data: Users save personally identifiable information, payment cards, addresses, and phone numbers to enable easier form fills.

  • Browser profiles: Users can save settings, preferences, and data to sync across personal and work devices.

  • File downloads: Users save documents, spreadsheets, and files to default download folders via the browser.

According to SpyCloud, the average infostealer infection yields 1,861 cookies, 40+ saved passwords, and session tokens for cloud services. Infostealers do more than harvest credentials—they steal data used to produce a comprehensive profile of someone's digital identity.

Hybrid and remote workforces, along with Bring-Your-Own-Device (BYOD), make this worse. Research shows 70% of infostealer infections occur on personal devices that employees also use for work access. When users enable browser sync, infostealers can spread seamlessly between personal and corporate environments. An infection from clicking on a phishing link on a personal laptop at home can expose corporate SaaS credentials accessed from that same browser.

When the browser follows users everywhere, stores their most sensitive credentials, and has become the primary interface for access to business applications, it’s also easy to see why it would become a critical target for threat actors.

Unfortunately, traditional security boundaries—the network perimeter, managed devices, VPN access—were developed to tackle cybersecurity challenges before the browser became such a powerful, ubiquitous tool. That’s also why these security solutions cannot detect or block infostealers.

How Infostealers Work: From Stolen Credentials to Ransomware

Understanding how infostealers enable both simple and sophisticated attacks requires looking at the complete chain—from initial infection through enterprise breach. At each phase, we’ll reveal critical gaps in traditional security controls.

Phase 1: Initial Infection and Credential Harvesting

Infostealers are delivered via mechanisms that bypass traditional security, such as social engineering and email (e.g., phishing):

  • Phishing saw an 84% increase in infostealer delivery in 2024 (IBM X-Force). Modern infostealer phishing uses legitimate file-sharing platforms (Dropbox, WeTransfer, Google Drive) and realistic branding to convince even security-aware employees to click.

  • Malvertising and SEO poisoning target employees searching for legitimate software. When employees search for "zoom download" or "chrome browser," malicious ads and SEO-optimized fake sites now appear as top results. The downloads are real applications, but they come bundled with infostealers—so the programs work as expected but the malware is hidden.

  • ClickFix and fake verification techniques trick users into manually executing malware. Fake CAPTCHA pages on sites designed to look legitimate will instruct users to "press Windows + R" and "copy and paste this code to verify you're human." Because users initiated the action, behavioral security tools see this as "legitimate user activity."

Once executed, infostealers can harvest everything in minutes:

  • Browser-stored passwords and autofill data

  • Authentication cookies and session tokens (the keys to MFA bypass)

  • Cryptocurrency wallets, 2FA recovery codes, SSH keys

  • Specific files from desktop folders

Data exfiltration happens immediately over encrypted channels, and the total execution time ranges from 30 to 90 seconds for many variants.

How does traditional security fail to detect this exfiltration? Because legitimate browser processes are accessing their own data stores, and any encrypted traffic (HTTPS) goes to seemingly legitimate domains. With short execution windows, behavioral analytics never trigger an alert.

Phase 2: Credential Marketplace Distribution

The commoditization of access happens fast.

Within days of infection, stolen credentials hit dark web marketplaces. These aren't hidden, hard-to-access forums—they're searchable e-commerce platforms with customer support, rating systems, and inventory management. Want credentials for healthcare organizations in the Northeast? Pharmaceutical companies with VPN access? The marketplace makes it easy to find credentials.

Buyers range from the opportunistic to highly sophisticated:

  • Amateurs or script kiddies testing credentials against popular SaaS applications

  • Access brokers purchasing enterprise credentials to resell to ransomware operators

  • BEC specialists focused on interrupting standard business processes for financial gain

  • Known threat actors like Scattered Spider searching for specific target companies

The reality is your employee's laptop gets infected on Monday. By the following Tuesday, if not sooner, their credentials are listed for sale. By Friday, three different attackers have purchased access and are testing those credentials against your O365, AWS, and Salesforce environments.

Phase 3: Access Validation and Session Hijacking

Here's where infostealers provide their most powerful advantage: session hijacking via stolen cookies.

Understanding the authentication bypass:

  • Normal flow: Username → Password → MFA challenge → Session cookie

  • Infostealer shortcut: Import stolen session cookie → Instant authenticated access, MFA bypass/MFA defeated

Your MFA investment provides zero protection against stolen cookies. The attacker never sees the MFA prompt because they're not authenticating—they're replaying an already-authenticated session.

This is how the Snowflake breaches succeeded despite MFA being available. Attackers used stolen session tokens from infostealer logs to access Snowflake accounts, bypassing authentication entirely. They then leveraged that access to compromise 165 organizations.

Here’s the most dangerous aspect of this phase. By using legitimate credentials, there’s no malware to detect. When attackers use valid session cookies, they appear in logs as a legitimate employee or user. Security tools see normal login patterns, familiar applications being accessed, standard API calls. And because behavioral analytics struggle to differentiate between "employee working remotely" and "attacker accessing data with stolen credentials," this event barely gets a second look.
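As an added example (not code from the original post or from Neon Cyber), the following Python scans constructed authentication events for the replay pattern described above: a post-MFA session cookie presented later from a different network and browser, or past an absolute session lifetime. The event fields, the 12-hour lifetime and the exact IP/user-agent comparison are my assumptions; a production detector would use ASN, geolocation and device-binding signals instead of raw strings.

```python
"""Added example: flag replayed session cookies in constructed auth events.

Assumed event shape (not from the post): session ID, ISO timestamp, source
IP, user agent, user name, and whether this request completed MFA (i.e. the
request at which the session was issued).
"""
from datetime import datetime, timedelta

# Constructed sample events: alice completes MFA on Monday and keeps working;
# days later the same cookie appears from another network and browser.
SAMPLE_EVENTS = [
    {"sid": "s-1", "ts": "2024-06-03T09:00:00", "ip": "203.0.113.10",
     "ua": "Chrome/125 Windows", "user": "alice", "mfa": True},
    {"sid": "s-1", "ts": "2024-06-03T11:30:00", "ip": "203.0.113.10",
     "ua": "Chrome/125 Windows", "user": "alice", "mfa": False},
    {"sid": "s-1", "ts": "2024-06-07T02:15:00", "ip": "198.51.100.77",
     "ua": "Firefox/126 Linux", "user": "alice", "mfa": False},
    {"sid": "s-2", "ts": "2024-06-03T09:05:00", "ip": "203.0.113.20",
     "ua": "Safari/17 macOS", "user": "bob", "mfa": True},
    {"sid": "s-2", "ts": "2024-06-03T09:40:00", "ip": "203.0.113.20",
     "ua": "Safari/17 macOS", "user": "bob", "mfa": False},
]

# Assumed absolute lifetime for a high-risk application; a stolen cookie
# loses its value once the session it belongs to has expired server-side.
ABSOLUTE_LIFETIME = timedelta(hours=12)


def parse_ts(value):
    return datetime.fromisoformat(value)


def find_replayed_sessions(events, lifetime=ABSOLUTE_LIFETIME):
    """Return (session_id, reason) findings, one per suspicious request.

    The MFA-completed request defines the session's origin context. Later
    requests with the same cookie are compared against that origin: a
    different client context or an age beyond `lifetime` is reported.
    """
    origins = {}   # sid -> context captured when MFA was completed
    findings = []
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        sid, ts = ev["sid"], parse_ts(ev["ts"])
        if ev["mfa"]:
            origins[sid] = {"ip": ev["ip"], "ua": ev["ua"], "ts": ts}
            continue
        origin = origins.get(sid)
        if origin is None:
            findings.append((sid, "session used without a recorded MFA login"))
            continue
        if ts - origin["ts"] > lifetime:
            findings.append((sid, "session older than absolute lifetime"))
        if ev["ip"] != origin["ip"] or ev["ua"] != origin["ua"]:
            findings.append((sid, "session presented from a new client context"))
    return findings


if __name__ == "__main__":
    for sid, reason in find_replayed_sessions(SAMPLE_EVENTS):
        print(f"{sid}: {reason}")
```

Only s-1 is reported: the Friday request fails both the lifetime and the client-context checks, while bob's same-day requests from the same browser pass.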

Phase 4: Entry, Lateral Movement, and Objective Execution

A quick look at the Scattered Spider playbook illustrates how credential theft can easily become a major enterprise breach:

  1. They purchase initial access from infostealer marketplaces like Russian Market

  2. Then they test stolen session cookies against cloud infrastructure portals for immediate authenticated access

  3. Once they’ve gotten the access they want, they’ll register additional MFA devices using admin-level access

  4. Next, they work to establish persistence through legitimate identity infrastructure

  5. Finally, after exfiltrating data (to back their threats or for double extortion), they will deploy ransomware and encrypt machines

The 2023 MGM Resorts hack, which cost millions of dollars, used this exact pattern. Scattered Spider purchased stolen employee information, leveraged social engineering to impersonate an employee by providing correct personal information for that employee, then used access that seemed legitimate to gain admin privileges before deploying ransomware.

The connection between infostealers and a prolific group like Scattered Spider is important, because defending against Scattered Spider isn't about blocking specific attack signatures. Organizations need to be defending against the infostealer supply chain that enables them.

When MGM's CISO testified that the breach started with stolen credentials, they were describing the output of the infostealer ecosystem. When Snowflake disclosed that 165 organizations were compromised through credential-based attacks, they were describing the scale of the infostealer supply chain.

The infostealer attack chain reveals a new security reality. While many enterprises have built impressive defenses against malicious behavior, these defenses are blind to malicious actors using legitimate credentials and previously authenticated sessions.

Current State: Infostealers You Need to Know

Infostealers are a current, active, and evolving threat. Here are a few major infostealers you should know about.

Lumma Stealer: The New Market Leader

Lumma Stealer overtook RedLine as the most prevalent infostealer in late 2024 and continues to dominate in 2025. It’s distributed via a Malware-as-a-Service model and sold on Russian forums for $250-300/month. This enables thousands of lower-skilled operators to deploy highly effective attacks. To date, Lumma has been responsible for infections across all industries but has focused on financial services, technology, and retail.

Here are some of the technical aspects that set Lumma apart:

  • Has AI-powered features for enhanced detection evasion

  • Can target 50+ applications beyond browsers: Discord, Telegram, crypto wallets, email clients

  • Modular design allows operators to customize data targeting

StealC: The Budget Option Driving Volume

StealC is a cost-effective infostealer creating massive infection volumes through accessibility. This yields a few advantages for attackers: Because it’s lightweight and fast, it is optimized for speed over sophistication ("good enough" functionality meets most attackers’ needs). It executes in 30-60 seconds and exits before most security tools notice. Additionally, because it’s cheaper, it sees broader deployment, oftentimes targeting personal devices of younger employees to pivot into corporate access via browser profile syncing.

It's often distributed with/via pirated software, gaming cheats, and cracked productivity tools. A recent FileFix campaign leveraging StealC was reported in the media just last month.

Vidar: The Persistent Veteran

Vidar has been active since 2018, surviving through multiple law enforcement actions by continuously evolving and demonstrating highly effective operational security. Because of this longevity, they have proven to the market that their infrastructure is solid, and their operations are reliable. Vidar operators maintain consistent quality, making their logs highly valued.

Vidar identifies and prioritizes corporate credentials by using heuristics to detect business email addresses, VPN configurations, and enterprise application access.

Technical capabilities include:

  • Extensive application targeting across browsers, email clients, 2FA apps, VPN clients

  • System reconnaissance before exfiltration to profile the victim’s environment

  • Cryptocurrency wallet focus with dedicated extraction modules

  • Configurable exfiltration for specific file types

EDDIESTEALER: The Chrome Security Bypass

In May 2025, EDDIESTEALER bypassed Chrome's App-Bound Encryption within 45 days of the security feature's release. Google invested significant engineering effort into App-Bound Encryption specifically to stop infostealers. But within weeks, malware authors found a bypass.

These aren't hypothetical threats. They're commodity software, available via monthly subscription, actively infecting thousands of devices daily, feeding credentials into marketplaces, and enabling everything from opportunistic account takeovers to multi-million-dollar ransomware campaigns.

What This Means for Your Security Strategy

Traditional security controls were designed for a different threat model from a dated technological environment. They excel at preventing malicious software and detecting network intrusions—but struggle with malicious actors using legitimate credentials and authenticated sessions.

The gap between when credentials are stolen and when organizations detect the breach creates an enormous window of opportunity for attackers.

In Part 2 of this series, we'll examine exactly why your current security investments—endpoint protection, MFA, perimeter security, IAM, and security awareness training—aren't stopping these attacks. We'll explore the specific blind spots in each layer of traditional security and introduce a concept from GigaOm CEO Howard Holton called the "Access-Trust Gap" that perfectly captures where modern security is failing.

And in Part 3, we'll discuss what's working: a new approach to workforce-focused browser security that provides visibility where threats actually operate, detects credential abuse in real-time, and closes the gaps that enable the infostealer-to-ransomware pipeline.

What You Can Do Right Now

But while you wait for Parts 2 and 3 of this series, here are immediate actions you can take:

1. Assess Your Exposure:

  • Leverage dark web monitoring services (free options include Have I Been Pwned, SpyCloud's CheckUp) to check if your corporate domain appears in credential dumps

  • Search for executive and privileged account credentials in breach databases

  • Document the scope of exposure to inform risk assessment

2. Review your MFA coverage:

  • Identify applications with session timeout policies

  • Implement aggressive session timeouts on high-risk applications: financial systems, admin tools, and cloud infrastructure

  • Identify and document applications without MFA support

3. Understand your BYOD risk:

  • Identify which applications are accessed outside your managed device fleet

  • Survey what percentage of employees access corporate applications from personal devices

  • If possible, assess where browser sync is enabled across personal/work devices

Do you have more questions about infostealer threats? Connect with our security experts on LinkedIn or reach out directly at info@neoncyber.com.

Coming Next Week

Part 2: "Why Your $10M Security Stack Has a Browser-Sized Blind Spot"

We'll dive deep into why traditional security controls—endpoint protection, MFA, perimeter security, IAM, and security awareness—aren't stopping infostealers. You'll learn:

  • Why 54% of infections bypass endpoint security

  • How session hijacking makes MFA irrelevant

  • What the "Access-Trust Gap" reveals about modern security architecture

  • The specific limitations in each layer of your security stack

Subscribe to get notified when Part 2 publishes.
