Infostealer Malware: How Your Credentials End Up For Sale
Infostealers harvest browser passwords, session tokens, and crypto wallets. Here is how they work, what they target, and how to detect them.
You can have the strongest password in the world. It does not matter if malware extracts it directly from your browser.
Infostealer malware is a booming market. Variants like RedLine, Raccoon, Vidar, and Lumma harvest credentials at industrial scale. The stolen data feeds into initial access markets, enabling everything from account takeover to ransomware deployment.
Let us understand how these things work.
What Gets Stolen
Modern infostealers target:
Browser data
- Saved passwords (Chrome, Firefox, Edge, Brave)
- Cookies and session tokens
- Autofill data (addresses, credit cards)
- Browser history
Cryptocurrency
- Wallet files (Exodus, Electrum, Atomic)
- Browser extension wallets (MetaMask, Phantom)
- Private keys stored in files
Application credentials
- Discord tokens
- Telegram sessions
- VPN configurations
- FTP clients (FileZilla)
- Email clients
System information
- Screenshots
- Running processes
- Installed software
- Hardware identifiers
All of this gets packaged into a “log” and sent to the attacker. Logs then sell on marketplaces for anywhere from $10 to $1000+ depending on what credentials they contain.
Technical Breakdown
Credential Extraction
Chrome stores passwords in a SQLite database, encrypted with DPAPI (Data Protection API). The encryption key is tied to the Windows user account.
Malware running as that user can decrypt credentials trivially:
%LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data
The malware copies this file, queries the SQLite database, and decrypts each password using Windows APIs. The same process works for Edge, Brave, and other Chromium browsers.
Firefox uses a different approach (NSS libraries) but the result is the same: malware with user-level access can extract saved passwords.
Session Hijacking
Cookies are often more valuable than passwords. A stolen session cookie bypasses MFA entirely. The attacker does not need your password or your authenticator app. They have your authenticated session.
This is why “remember this device” is dangerous on sensitive accounts. That cookie might end up in an attacker’s browser.
Exfiltration
Data typically exfils via:
- Direct HTTP POST to attacker infrastructure
- Telegram bot API (common with Raccoon, Vidar)
- Discord webhooks
- Encrypted file upload to file hosting services
Telegram is popular because it is encrypted, allows automation, and rarely gets blocked by corporate firewalls.
Delivery Mechanisms
Infostealers reach victims through:
Cracked software. That free download of expensive software is not free. The crack often bundles an infostealer. Gaming cheats and cracks are particularly common vectors.
Malvertising. Ads leading to fake download pages. Search for “OBS download” and the top ad might be a lookalike site serving malware.
Phishing. Email attachments, especially OneNote files (now patched) and ISO/IMG files containing executables.
YouTube tutorials. “Free Photoshop 2026 download” videos with malicious links in descriptions.
Detection Opportunities
Process behavior. Legitimate applications do not read browser credential files. Monitor for processes accessing:
- Login Data (Chrome passwords)
- cookies.sqlite (Firefox)
- Wallet directories for crypto applications
Network indicators. Infostealers beacon to C2 infrastructure. While domains rotate quickly, patterns persist:
- Connections to Telegram API from non-Telegram processes
- HTTP POST requests with large bodies to new/unusual domains
- Communication to bulletproof hosting providers
File system activity. Look for:
- Rapid sequential access to browser profile directories
- Creation of archive files in temp directories
- Copying of wallet files
Example Sigma rule concept (a logsource block is required for the rule to validate; map the category to whatever file-access telemetry you collect):
title: Browser Credential Store Access
logsource:
    category: file_access
    product: windows
detection:
    selection:
        TargetFilename|contains:
            - '\Login Data'
            - '\Cookies'
            - 'cookies.sqlite'
    filter:
        Image|endswith:
            - '\chrome.exe'
            - '\firefox.exe'
            - '\msedge.exe'
    condition: selection and not filter
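As an added example that is not part of the original post, here is the rule's logic, together with the "Telegram API from non-Telegram processes" network heuristic from the list above, applied in Python to constructed Sysmon-style event records; the event field names, the Telegram client allowlist, and the sample paths are assumptions.

```python
from typing import Dict, List, Tuple

# Patterns mirroring the Sigma rule above; matched case-insensitively.
CRED_STORES = ("\\login data", "\\cookies", "cookies.sqlite")
BROWSERS = ("\\chrome.exe", "\\firefox.exe", "\\msedge.exe")
# Hypothetical allowlist for the network heuristic; tune it to your environment.
TELEGRAM_API_HOSTS = ("api.telegram.org",)
TELEGRAM_CLIENTS = ("\\telegram.exe",)

def credential_store_access(event: Dict[str, str]) -> bool:
    """Sigma 'selection and not filter': a non-browser process touched a credential store."""
    target = event.get("TargetFilename", "").lower()
    image = event.get("Image", "").lower()
    touched_store = any(marker in target for marker in CRED_STORES)
    is_browser = image.endswith(BROWSERS)
    return touched_store and not is_browser

def telegram_beacon(event: Dict[str, str]) -> bool:
    """Network heuristic: Telegram Bot API contacted by a process that is not a Telegram client."""
    host = event.get("DestinationHostname", "").lower()
    image = event.get("Image", "").lower()
    return host in TELEGRAM_API_HOSTS and not image.endswith(TELEGRAM_CLIENTS)

def triage(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (rule name, offending image) for every event that trips a rule."""
    hits = []
    for ev in events:
        if ev["EventType"] == "FileAccess" and credential_store_access(ev):
            hits.append(("browser_credential_store_access", ev["Image"]))
        elif ev["EventType"] == "NetworkConnect" and telegram_beacon(ev):
            hits.append(("telegram_api_from_non_telegram_process", ev["Image"]))
    return hits

# Constructed Sysmon-style events (not real telemetry): a benign browser read,
# a suspicious read by a Temp-directory binary, and that binary's follow-up beacon.
CHROME = "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
DROPPER = "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe"
LOGIN_DATA = "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
SAMPLE_EVENTS = [
    {"EventType": "FileAccess", "Image": CHROME, "TargetFilename": LOGIN_DATA},
    {"EventType": "FileAccess", "Image": DROPPER, "TargetFilename": LOGIN_DATA},
    {"EventType": "NetworkConnect", "Image": DROPPER, "DestinationHostname": "api.telegram.org"},
    {"EventType": "NetworkConnect", "Image": "C:\\Program Files\\Telegram Desktop\\Telegram.exe",
     "DestinationHostname": "api.telegram.org"},
]

if __name__ == "__main__":
    for rule, image in triage(SAMPLE_EVENTS):
        print(f"ALERT {rule}: {image}")
```

Matching on the image file name alone is only a first-pass filter; in production, pair it with the browser's signed install path or binary signature so the allowlist is not satisfied by name alone.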
Protection
Do not save passwords in browsers. Use a dedicated password manager. Yes, they can also be targeted, but they offer better protection than browser storage.
Hardware MFA where possible. FIDO2/WebAuthn tokens cannot be stolen remotely. Session cookies can still be hijacked, but the barrier is higher.
Endpoint detection. Modern EDR solutions detect known infostealer families. Keep signatures updated and enable behavioral detection.
Assume compromise. If you suspect infostealer infection, assume all credentials stored on that system are compromised. Reset everything. Check for unauthorized access to accounts.
Network segmentation. Infostealers running on a user workstation should not have paths to critical infrastructure. If they do, you have bigger problems.
Current Threat: Lumma Stealer
Lumma is currently one of the most active infostealers. It sells as malware-as-a-service for approximately $250/month.
Recent campaigns distribute it through:
- Fake CAPTCHA pages (click to verify you are human, download malware instead)
- Cracked software on torrent sites
- Discord DMs with malicious attachments
Its capabilities include standard credential theft plus clipboard monitoring for cryptocurrency addresses. If you copy a wallet address, Lumma can replace it with the attacker’s address.
Understanding malware internals helps you build better defenses. The Digital Forensics course on Endolum Academy covers malware analysis, memory forensics, and incident investigation techniques.