Your passwords and credit cards are their loot: How infostealers work

  • Writer: ESET Expert


At ESET’s annual technology conference ETeC 2025, malware researcher Jakub Kaloč explained how cybercriminals run infostealers as a service via a real-life demonstration.


An admin comes to work, opens a dashboard and checks for tasks, notifications, and revenue statistics. You’re thinking of a software as a service company (SaaS), right? Not quite. This scene shows how modern cybercrime focused on data theft looks. And you are its target.


Infostealers are on the rise, threatening both businesses and regular users, as they are easy to both deploy and operate thanks to the growing trend of propagating malware as a service (MaaS). The key requirement is ease of use. This trend has seen infamous infostealers such as Lumma Stealer used by low-skilled actors to single-handedly compromise hundreds of thousands of machines.


“Why are they so popular among threat actors? Because they work! Like Eminem said – you only get one shot, one opportunity – and that’s all these malware families need to harvest a wide range of sensitive information from a compromised machine,” said ESET malware researcher Jakub Kaloč at the ETeC 2025 conference, explaining how cybercriminals run infostealers as a service.


Key points of this article:


  • Infostealers are a type of malware developed to steal a variety of information while keeping a low profile.


  • Currently, cybercriminals operate infostealers using a malware-as-a-service model which makes them available on demand to anyone.


  • Infostealers often come with concise dashboards and optimization tools, and their developers engage in marketing activities to promote their products.


  • ESET solutions can detect and stop infostealers, protecting thousands of devices against this threat every month. ESET has also participated in the disruption of several infamous infostealers.



What is an infostealer?


Infostealers are a specialized type of malicious spy software (spyware) whose main purpose is to steal personal and sensitive information from the victim’s device, particularly banking details and passwords (password stealer). The key trait of any infostealer is versatility – modern infostealers can not only gather and exfiltrate a huge variety of data, but also deliver other malware while supporting all modern browsers and large numbers of plugins, desktop apps etc.

What infostealers can do

As the name suggests, infostealers excel at stealing a wide range of information, from the compromised machine’s specifications and browser data to entire files present on the system. Here is a brief list of their infostealing capabilities:


Compromised machine information – Things like username, Windows version, hardware specifications, geolocation, installed antivirus and so on.


Browser data, especially cookies – These can contain session tokens, auto-login credentials or various tracking IDs. Cybercriminals aren’t picky – infostealers can gather data from dozens of commonly-used browsers. They also steal browser history and browser extension data, especially those related to crypto wallets, password managers, and authentication apps.


Image 1: Browser extensions mentioned in an infostealer advertisement found by ESET researchers.

Clipboard content – Infostealers often monitor clipboard content to grab sensitive data like passwords, bank account details or crypto addresses. Some can even modify the clipboard — for example, replacing a copied crypto wallet address with one the attackers control, tricking the user into sending funds to the attacker.


Installed apps data – This includes tokens, saved credentials and email content.


Files – They can also grab any file from the victim’s system and send it to the attacker.


Keylogging – Some infostealers can track keystrokes, thus giving attackers information about almost everything the user is doing on the machine.

Advanced infostealers can go beyond simple data theft. For example, they can run commands on the compromised machine and give attackers remote access to it. On top of that, they can download and run other malware.


For example, the infamous DanaBot infostealer was used to distribute various ransomware such as LockBit, Buran and Crisis.


Turning data theft into organized crime 

Many notable infostealers are currently distributed as a service, which means cybercriminals don’t need to develop their own malware — they simply purchase a subscription to access it. Then, it’s up to them to find a way to deliver the infostealer while avoiding antimalware solutions.


Of course, phishing campaign tools such as Telekopye and obfuscation software (cryptors) can be bought too. This means that cybercriminals often purchase multiple tools from different vendors, and they tend to experiment to find out which ones work best.


Within the malware-as-a-service model, there are two main roles: the operator and the affiliate.


The operator acts as the developer – creating, maintaining and updating the malware. This can be an individual or a team, with tasks split between development, marketing and customer support.


Affiliates are the buyers – usually paying via cryptocurrency in a subscription model. They’re the ones who carry out the actual attacks and spread the malware to victims.

Cryptors

Today, the security industry is quite effective at detecting malware. To avoid immediate detection, threat actors rely on cryptors – software encrypting and/or obfuscating malicious code.


In practice, cryptors need frequent updates. Some services refresh them multiple times a day, while premium ones generate unique versions per customer request.


Cryptors have become a crucial part of the infection chain, and without them, many attacks would have virtually no chance for success.


In some cases, cryptor operators set up their own web portals where affiliates can register and log in – just like any regular service platform. After logging in, affiliates can make purchases, extend their subscriptions, check for the latest updates or protect files via the web. They simply upload their payload and download a protected version, ready for deployment.


Image 2: The dashboard of Cassandra Protector software that has been used as an obfuscator in various malicious campaigns.

Managing malware campaigns


In a world of such highly organized cybercrime, modern infostealers come with admin panels with a nice graphical user interface that lets threat actors manage malware and monitor stolen data in real time.


For example, the PureLogs stealer’s panel (below) displays collected logs – each one is a searchable, sortable package of stolen data. On the left, attackers can browse through stolen passwords from apps, browsers and more.


“It’s organized, efficient and built for easy exploitation,” said Jakub Kaloč.


Image 3: The PureLogs stealer’s admin panel.

Other infostealers have also come up with panels that give a comprehensive overview of stolen data and detailed statistics about the malware’s reach and impact, such as how many machines were infected, broken down by country.


Many of these panels also come with account management features displaying current balance, subscription status, or pricing plans needed to keep the panel active. They also support multiple languages – most commonly Russian and English.


Some infostealers, such as PureCrypter, also come with builders – applications tied to customers’ licenses and hardware IDs that allow various configurations. In the case of PureCrypter, these configurations include setting the URL from which the final malware payload should be downloaded, which process the payload should be injected into, the malware installation method, and various obfuscation techniques.


These options give affiliates flexibility in how they deploy the malware.


Malware marketing


The marketing efforts made by cybercriminals around MaaS infostealers are also becoming increasingly professional. It’s no longer about cryptic messages in hacking forums; some infostealers are openly promoted on common platforms.


For instance, SnakeStealer is being sold through a Telegram channel, where the operator regularly posts updates. Users actively engage in discussions about optimal configurations and cryptor recommendations, and they even share their personal achievements.


Sometimes, operators are bold enough to boast about the quality of their malware by listing research blogs and papers that analyze it.


Reviews are also a very important part of their marketing, just as they are for many other software companies.


“When you browse those forums, you can see many posts about people asking which products other users recommend,” Jakub Kaloč said.


Many operators appreciate the exposure and recognition that comes with publicity – some are even open to interview requests, eager to share their perspectives through blogs or media.


Deflected infostealer campaign


One of the latest infostealer campaigns discovered by ESET took place this September in Poland, where ESET protected over 300 machines from likely compromise.


It started with a lengthy spear-phishing email impersonating Poczta Polska, the national Polish postal service, issuing an invoice to the recipient.


The email continued with a warning about ongoing cyberattacks being carried out using the name “Poczta Polska”. The warning then stated that recipients may receive fake invoices and that, to protect themselves, they should check for signs including the sender’s address, the email subject, and attachments, which should be in PDF format.


At first glance, the email doesn’t raise suspicions, but closer inspection reveals that the displayed sender name is different from the real email address – it belongs to a Greek company that has likely been compromised.


Additionally, the attachment only appears to be in the well-known PDF format – its filename seems to end with “underscore pdf”; however, after a long string of spaces, the targeted user can find that the actual file extension is .iso, not .pdf.


When double-clicked, the .iso file reveals a file with a PDF icon and a name also ending in “underscore pdf” – but this time, the extension is .scr. Although the .scr file extension is typically used for screensaver files, upon clicking it, this one functions just like any other executable.
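As an added defensive illustration (not code from ESET or from the conference talk), the following Python function flags the attachment-naming tricks described above: whitespace padding that pushes the real extension out of view, a decoy “_pdf” token ahead of the true extension, and a real extension that runs as code or mounts as a disk image (.scr, .iso). It generalizes slightly to classic double extensions such as .pdf.exe; the token and extension lists are assumptions for this example.

```python
import re

# Extensions that execute or mount on Windows; an "invoice" should never
# arrive as one of these (list assumed for this example, not ESET's).
RISKY_EXTENSIONS = {".scr", ".exe", ".iso", ".img", ".vbs", ".js", ".bat", ".cmd", ".lnk"}
# Document-like tokens attackers put in the visible part of the name.
DECOY_TOKENS = ("_pdf", ".pdf", "_doc", ".docx", "_xls", ".xlsx")
DOCUMENT_EXTENSIONS = {".pdf", ".docx", ".xlsx"}
# Extension pattern: a dot followed by up to five alphanumerics at the very end.
EXT_RE = re.compile(r"(\.[A-Za-z0-9]{1,5})$")


def analyze_attachment_name(name: str) -> dict:
    """Return the true extension and the filename deceptions found in `name`."""
    findings = []
    stripped = name.rstrip()
    m = EXT_RE.search(stripped)
    real_ext = m.group(1).lower() if m else ""
    visible = (stripped[: m.start()] if m else stripped).rstrip().lower()

    # 1. Whitespace directly before the real extension hides it in mail
    #    clients that truncate long attachment names.
    if re.search(r"\s+\.[A-Za-z0-9]{1,5}\s*$", name):
        findings.append("whitespace padding before real extension")
    # 2. A document-looking token ends the visible part while the real
    #    extension is something else (covers "_pdf   .iso" and "x.pdf.exe").
    if any(visible.endswith(tok) for tok in DECOY_TOKENS) and real_ext not in DOCUMENT_EXTENSIONS:
        findings.append(f"decoy document token before {real_ext or 'missing extension'}")
    # 3. The real extension itself executes or mounts.
    if real_ext in RISKY_EXTENSIONS:
        findings.append(f"risky extension {real_ext}")

    return {"real_extension": real_ext, "findings": findings, "suspicious": bool(findings)}


def triage_attachment(name: str, contained: tuple = ()) -> bool:
    """Flag an attachment if its own name, or any file inside a container
    it unpacks to (e.g. the .scr inside the .iso), is suspicious."""
    return any(analyze_attachment_name(n)["suspicious"] for n in (name, *contained))


if __name__ == "__main__":
    # Constructed names modelled on the campaign described above.
    outer = "Faktura_pdf" + " " * 60 + ".iso"
    print(analyze_attachment_name(outer))
    print(triage_attachment(outer, contained=("Faktura_pdf.scr",)))
```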


Image 4: Spearphishing email delivering an infostealer used in the campaign targeting Polish users. Notice the attachment icon and format – it looks like a PDF but is, in fact, an .scr file.

How to take down infostealers


Infostealer campaigns usually employ multiple malware families, frequently updated cryptors and an abundance of customization options, and cybercriminals often test their malware against antivirus software before launching a campaign. Despite all this, ESET is still capable of stopping these threats. On top of that, ESET recently contributed to major disruption operations targeting Lumma Stealer and DanaBot, two prolific malware-as-a-service threats.


On the product and services side, our success in battling infostealers is thanks to ESET AI-powered multi-layered protection for both regular users and businesses that makes it possible to detect even advanced malware designed to keep a low profile. Businesses can also utilize ESET MDR services, which combine AI and human expertise to achieve unmatched threat detection and rapid incident response.


Furthermore, ESET researchers have proven to be successful in monitoring not only threat groups developing malware, but also their affiliates.


How is this possible? Researchers know that affiliates need their own servers to operate their admin panels and host their payloads. This gives them the opportunity to track affiliates’ command and control (C&C) servers and associated network infrastructure.


“In many cases, infostealer and cryptor operators don’t offer shared infrastructure, as it would be quickly blocked and could expose them to significant risk,” said Jakub Kaloč.


As part of the Lumma Stealer disruption effort, ESET supplied technical analysis and statistical information. Using in-house automated systems, ESET researchers also extracted essential data, such as C&C servers and affiliate identifiers, from tens of thousands of malware samples.


Living in a world of infostealers


Infostealers are so popular among cybercriminals that their management, distribution and even their marketing have reached a standard, business-like level. They target both average Joes and businesses to steal their data and money, and what makes them particularly dangerous is their talent for concealment and their capability to deliver additional malware.


To defend against this threat, users need to be vigilant against phishing attempts and deploy advanced cybersecurity solutions such as ESET Home Security or ESET Protect for businesses.


Frequently Asked Questions (FAQs)


1. How can infostealers hurt me or my business?


Infostealers can gather a wide range of data including system information, browser data, clipboard content, installed application data, files from the system and keystrokes via keylogging. This data can be used in identity theft, to steal money from bank accounts, and give cybercriminals initial access into business systems for further attacks.

More complex infostealers can execute commands on the infected machine, allowing attackers remote access or to run additional malware, such as ransomware.


2. What is the malware-as-a-service (MaaS) model in cybercrime?


MaaS is a business model featuring a division of labor between those who develop and sell the malware and those who use it. “Operators” act as developers and vendors, while “affiliates” purchase subscriptions and deploy the malware.


3. How advanced are malicious services?


Modern infostealers are equipped with sophisticated admin panels that allow cybercriminals to configure malware deployment, monitor stolen data in real time, and manage campaigns with ease. Malware-as-a-service platforms now resemble legitimate software businesses, coming with multilingual interfaces, subscription management and active marketing through social media channels like Telegram.


4. How are infostealers distributed?


Infostealers are distributed in multiple ways; perhaps the most common is via phishing, including the ever-popular use of malicious attachments in phishing emails. Other attack vectors include visiting compromised websites, downloading cracked (illegally obtained) software, fake mobile apps, and social engineering.


5. What can I do to stay protected from infostealers?


  • Stay vigilant, learn how to recognize phishing, and don’t download cracked, illegitimate software.


  • Use reputable antimalware products such as ESET Home Security or ESET Protect.


  • Enable multi-factor authentication (MFA). Even if your credentials are stolen, MFA can prevent unauthorized access.


  • Keep software updated to make sure that attackers will not exploit known vulnerabilities.


  • Use a password manager.

