ANALYSIS

How Modern Infostealers Work: Execution, Telemetry, and the 2026 Log Economy

An infostealer is a small, focused piece of malware. It does not encrypt files. It does not establish long-term persistence. It does not move laterally across a network. It runs once on the host, harvests every credential, cookie, token, wallet, and configuration file it can read, exfiltrates the package to a command-and-control server, and is usually gone within minutes.

This is not a small threat. The Federal Bureau of Investigation estimated in May 2025 that Lumma Stealer alone had been involved in approximately 10 million infections globally. Microsoft Defender data showed 394,000 infected Windows hosts over a single two-month sample window in early 2025. RedLine and its sister malware META, before their October 2024 takedown, were responsible for over 64% of all infostealer infections in 2024 and had collectively stolen 451 million unique credentials.

The corporate impact lives downstream of these numbers. The 2024 Snowflake customer breaches (treated in detail in our identity attack surface analysis) hinged on credentials that were stolen by infostealers infecting personal devices owned by SaaS administrators, and that sat on a Russian-language Telegram channel for as long as four years before the corporate Snowflake instance they unlocked was finally exploited.

This piece walks the technical chain. How a modern infostealer arrives, what it does on the host, what is visible to defenders during execution, what data leaves the machine, where that data goes after, what the 2025–2026 family landscape looks like after the Lumma takedown, and what the corporate-side enumeration problem actually requires.

The execution chain — RedLine as a worked example

RedLine first appeared on Russian-language cybercrime forums in March 2020. It was sold as malware-as-a-service: monthly subscriptions in the low hundreds of dollars; lifetime licenses in the high hundreds. By 2024 it was the single most-deployed infostealer in the world, and remains a useful case study because its codebase has been reverse-engineered repeatedly by industry researchers.

Stage 1: Delivery. Most RedLine infections began with one of four vectors:

  • Cracked-software bundles. A user searches for a cracked copy of a paid product (Photoshop, Adobe Premiere, video games), downloads an installer from a SEO-poisoned site or torrent, runs it. The installer drops both the cracked software and the RedLine payload. The user gets the working software they wanted. They do not see the second binary.
  • Malvertising on search engines. A Google or Bing ad for a popular utility (KeePass, Notepad++, OBS Studio, Slack) leads to a typosquat domain serving a trojanised installer. The installer ships the legitimate software and the stealer side-by-side.
  • YouTube descriptions for “free download” videos. A YouTube video advertising a game cheat, software keygen, or cracked tool includes a download link in the description. The link leads to a password-protected RAR or ZIP. The password requirement defeats automated URL scanners. Inside is the loader.
  • Phishing emails with attachments disguised as invoices or shipping notifications, primarily targeting business email addresses.

Once the user runs the dropped binary, RedLine’s actual execution begins.

Stage 2: Loader and packing. The RedLine payload is a .NET assembly written in C#. To defeat static signature detection it is almost never delivered as a raw .NET binary. Distribution typically uses an AutoIt wrapper or a custom packer that decrypts the .NET payload at runtime and loads it into memory. A common observed pattern is an AutoIt-compiled executable containing an encrypted second-stage AutoIt script, which in turn loads the .NET assembly via reflective injection into a legitimate process such as aspnet_compiler.exe or RegSvcs.exe. The payload never touches disk in its decrypted form.

Stage 3: Anti-analysis checks. Before harvesting begins, the payload runs a short sequence of environment checks:

  • A check for known sandbox processes (VBoxService.exe, vmtoolsd.exe, Wireshark, Procmon).
  • A check of the host country code (some configurations skip execution if the host is in the Commonwealth of Independent States — Russia, Belarus, Kazakhstan).
  • A check of the language locale and keyboard layout.
  • A check for debugger presence via standard Windows API calls.

If any of these fail, the payload terminates without performing the harvest. This is why analyst sandboxes routinely fail to capture full RedLine behaviour without explicit configuration to defeat the checks.

Stage 4: Harvest. Once the environment passes, RedLine begins a structured walk of known credential-storage locations on the host. The harvest is fast — typically under sixty seconds on a modestly-specced laptop — and comprehensive. The next section enumerates what comes back.

Stage 5: Exfiltration. RedLine uses Windows Communication Foundation (WCF) for its command-and-control protocol. WCF is a Microsoft framework normally used by enterprise .NET applications for service-oriented architecture; using it for malware C2 is unusual and gives RedLine a distinctive network signature. Communication is SOAP/XML over non-standard TCP ports, which is the single most reliable detection signal during active exfiltration.

The payload bundles the harvested data into an in-memory archive, serialises it via WCF, and posts it to one of the C2 endpoints listed in its config. The transfer is typically complete within two minutes of harvest completion. After exfiltration, the payload usually deletes itself and exits.

Stage 6: The next infection. RedLine does not stay on the host. There is no scheduled task, no registry run-key persistence, no service. A single infection produces one log file on the C2 server and the malware is finished. If the same user gets infected again next week, that is a separate transaction.

[Figure: six-stage RedLine Stealer execution chain timeline. Delivery via cracked software, malvertising, YouTube or phishing; loader and packing; anti-analysis checks; harvest in under 60 seconds; WCF SOAP-XML exfiltration to the C2 server; self-delete with no persistence.]

What gets harvested — the taxonomy

A complete infostealer log from any of the major 2025–2026 families contains roughly the following categories. The list here is composite — drawn from RedLine, Lumma, Vidar, StealC, and Rhadamanthys public reverse-engineering writeups — because the differences between families on harvest scope have narrowed significantly since 2023. Modern stealers all aim for the same set of targets.

Browser data, every supported browser. Saved passwords (decrypted using the local DPAPI key), cookies (including authenticated session tokens for active SaaS sessions — Microsoft 365, Google Workspace, Salesforce, AWS console, GitHub, Slack), autofill history (addresses, payment cards, identity attributes), bookmarks, and full browsing history. Modern stealers support Chrome, Edge, Firefox, Brave, Vivaldi, Opera, Yandex, and a long tail of Chromium derivatives. The Banshee macOS stealer, before its November 2024 source-code leak, supported approximately 100 browser plugins.

Crypto wallets. Browser-extension wallet vaults (MetaMask, Phantom, TronLink, Coinbase Wallet, Trust Wallet) and desktop wallet files (Exodus’s wallet.dat, Atomic Wallet, Electrum, Coinomi, Jaxx). Hardware-wallet seed phrases are not directly extractable, but the stealer captures any text file in common locations whose name or content matches mnemonic-phrase patterns.

Authenticator and 2FA app data. TOTP seed extraction from Authy desktop, Microsoft Authenticator desktop sync, and any browser-extension authenticator. This is the category that breaks “MFA protects you” assumptions when the second factor is a software token rather than a hardware key.

Messaging app session files. Telegram desktop session (allows the attacker to sign in as the user, see all messages, send messages, without ever touching the password), Discord token (same), Pidgin and other XMPP clients, Signal Desktop databases (encrypted but useful when paired with a stolen DPAPI key).

FTP, SSH, and remote-access credentials. FileZilla saved sites and recentservers.xml, WinSCP saved sessions, OpenSSH config and keys (~/.ssh/), WS_FTP saved sites, putty.exe registry-stored sessions.

VPN and tunnelling configs. OpenVPN config files, WireGuard keys, NordVPN/ExpressVPN tokens, Cisco AnyConnect profiles.

Cloud CLI credentials. AWS ~/.aws/credentials, Azure CLI tokens, Google Cloud SDK config, kubeconfig files. These are the highest-value items in any corporate-context log because they typically grant programmatic access to production infrastructure with no user interaction required.

System fingerprint. Hostname, username, OS version, installed software list, running processes, screen resolution, hardware fingerprint, public IP address, ISP, geolocation derived from IP, current local time and time zone.

A screenshot. A single PNG of the desktop at the moment of infection. Included in every log from every major family. Used by purchasers to verify the log is “fresh” and to assess whether the victim is high-value (visible corporate VPN icon, visible IDE running with company-named project, visible CRM tab).

A complete log typically weighs between 2 and 50 megabytes depending on browser-history size.
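The loader stage (a .NET payload reflectively injected into aspnet_compiler.exe or RegSvcs.exe) and the harvest walk described above both leave host telemetry that can be scored. The script below is an added example, not code from this article or from any product it names: it runs three rules over a constructed stream of Sysmon-style process-creation and file-read events. It flags a known injection host launched from a user-writable directory, reads of the credential stores in the taxonomy by any process other than the application that owns them, and a single process touching three or more credential categories inside a minute, which is the "structured walk" signature. The event schema, the owner-process lists, the exact Telegram, Exodus and Chrome paths, and the thresholds are assumptions.

```python
"""Host-side scoring of the RedLine-style loader and harvest stages.

Added example (not the article's or any vendor's code). Event format,
credential-store paths, owning processes and thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Legitimate .NET binaries the article names as reflective-injection hosts.
INJECTION_HOSTS = {"aspnet_compiler.exe", "regsvcs.exe"}
# Parent images living here are a weak signal on their own; combined with an
# injection host as the child they are a strong one.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\appdata\\roaming\\")

# (path fragment, credential category, processes expected to read it)
CREDENTIAL_STORES = [
    ("\\user data\\default\\login data",      "browser",   {"chrome.exe", "msedge.exe", "brave.exe"}),
    ("\\user data\\default\\network\\cookies", "browser",   {"chrome.exe", "msedge.exe", "brave.exe"}),
    ("\\wallet.dat",                          "wallet",    {"exodus.exe"}),
    ("\\.aws\\credentials",                   "cloud",     {"aws.exe", "python.exe"}),
    ("\\filezilla\\recentservers.xml",        "ftp",       {"filezilla.exe"}),
    ("\\telegram desktop\\tdata\\",           "messaging", {"telegram.exe"}),
]
WALK_WINDOW = timedelta(seconds=60)   # article: harvest completes in under a minute
WALK_MIN_CATEGORIES = 3


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str         # "process_create" or "file_read"
    image: str        # full path of the acting process
    pid: int
    target: str = ""  # parent image for process_create, file path for file_read


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_store(path):
    low = path.lower()
    for fragment, category, owners in CREDENTIAL_STORES:
        if fragment in low:
            return category, owners
    return None, None


def score_events(events):
    """Return a list of (rule, pid, detail) findings for a stream of events."""
    findings = []
    walks = defaultdict(list)  # pid -> [(ts, category)] of foreign credential reads
    for e in sorted(events, key=lambda x: x.ts):
        if e.kind == "process_create":
            parent = e.target.lower()
            if basename(e.image) in INJECTION_HOSTS and any(d in parent for d in USER_WRITABLE):
                findings.append(("suspicious_injection_host", e.pid, basename(e.image)))
        elif e.kind == "file_read":
            category, owners = classify_store(e.target)
            if category is None or basename(e.image) in owners:
                continue  # not a credential store, or the owning app reading its own data
            findings.append(("credential_store_read", e.pid, category))
            walks[e.pid].append((e.ts, category))
    # A process reading several distinct categories in one short window is the walk.
    for pid, reads in walks.items():
        for i, (t0, _) in enumerate(reads):
            cats = {c for t, c in reads[i:] if t - t0 <= WALK_WINDOW}
            if len(cats) >= WALK_MIN_CATEGORIES:
                findings.append(("credential_walk", pid, len(cats)))
                break
    return findings


# Constructed sample telemetry, not real events.
T0 = datetime(2025, 3, 1, 12, 0, 0)
STEALER = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
SAMPLE_EVENTS = [
    Event(T0, "process_create", STEALER, 4242,
          r"C:\Users\alice\AppData\Local\Temp\Photoshop_setup.exe"),
    Event(T0 + timedelta(seconds=5), "file_read", STEALER, 4242,
          r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    Event(T0 + timedelta(seconds=6), "file_read", STEALER, 4242,
          r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"),
    Event(T0 + timedelta(seconds=10), "file_read", STEALER, 4242,
          r"C:\Users\alice\AppData\Roaming\Exodus\wallet.dat"),
    Event(T0 + timedelta(seconds=20), "file_read", STEALER, 4242,
          r"C:\Users\alice\.aws\credentials"),
    Event(T0 + timedelta(seconds=25), "file_read", STEALER, 4242,
          r"C:\Users\alice\AppData\Roaming\Telegram Desktop\tdata\key_datas"),
    # The browser reading its own store is normal and must not fire.
    Event(T0 + timedelta(seconds=30), "file_read",
          r"C:\Program Files\Google\Chrome\Application\chrome.exe", 1000,
          r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
]

if __name__ == "__main__":
    for finding in score_events(SAMPLE_EVENTS):
        print(finding)
```

The owner lists are deliberately narrow: an allow-list of the handful of processes that legitimately open each store produces far fewer false positives than trying to enumerate every stealer. The walk rule is the one worth tuning, since backup agents and some password managers also read several stores in quick succession and belong on the owner lists.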

The network signature — what is visible during exfiltration

The good news for defenders is that infostealer execution is loud during the exfiltration window. The bad news is the window is short.

RedLine’s WCF/SOAP traffic is the textbook example. Outbound TCP connections carrying SOAP-XML envelopes whose body is a base64-encoded archive (commonly to ports 80, 443 and 8080, but also to high-numbered ports such as 32768 and above) are highly anomalous in a normal corporate network. SIEM rules that flag SOAP-over-non-standard-port outbound traffic capture a substantial fraction of RedLine exfiltration.

Lumma Stealer moved to encrypted HTTPS POST traffic to attacker-controlled domains. The traffic itself looks indistinguishable from any other HTTPS upload, which is why detection has to happen at the destination layer rather than the protocol layer. Microsoft’s takedown of Lumma in May 2025 succeeded by seizing approximately 2,300 C2 domains identified through threat-intel correlation. Defenders without a current Lumma C2 domain feed cannot reliably detect Lumma exfiltration on the wire.

Vidar, which became the dominant stealer in November 2025 after Lumma’s takedown, uses Telegram and Steam community profiles as dead-drop resolvers. The infected host fetches a Steam community page or Telegram profile bio, parses the C2 address out of the bio text, and then communicates with the actual C2. This makes initial detection difficult — the Steam or Telegram requests look entirely benign — and means simple domain-blocklists are useless against current-generation Vidar.

Rhadamanthys uses HTTPS with TLS-pinned certificates and falls back to Tor when the primary C2 is unavailable.

Banshee (macOS; its source code leaked on November 23, 2024, and the operator shut down the service the following day) used Apple’s own XProtect string-encryption algorithm to obscure its on-disk strings. The encryption defeated VirusTotal scanning for over two months: Check Point researchers observed Banshee samples that went completely undetected by every major macOS antivirus engine despite having been uploaded and analysed.

The general detection rule for 2025–2026 infostealer traffic: short-duration, high-payload outbound connection to a domain registered within the last 30 days, often with a randomised subdomain and CDN-fronted hosting. The domain reputation feeds maintained by Microsoft, Google Safe Browsing, and the major commercial threat-intel vendors are the practical defence; the protocol-level signatures alone are not sufficient.
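The three network patterns described in this section can be expressed as flow-level triage rules. The script below is an added example, not code from this article or from any vendor it names: it runs over a constructed list of outbound flow records and applies the RedLine rule (a SOAP-XML envelope with a long base64 body on an outbound TCP connection), the general 2025–2026 rule (a short, high-volume upload to a domain registered within the last 30 days, with a random-looking subdomain as an extra signal), and the Vidar dead-drop pattern (a fetch of a Steam community or Telegram profile followed within a minute by contact with a young domain). The flow schema, the registration-date lookup, the entropy threshold and all hostnames (reserved .example names) are assumptions.

```python
"""Flow-level triage for infostealer exfiltration patterns.

Added example (not the article's or any vendor's code). Flow schema,
domain-age source, thresholds and hostnames are assumptions.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass
from datetime import date, datetime, timedelta

SOAP_RE = re.compile(r"<(?:s|soap|soapenv):Envelope\b", re.I)
BASE64_BLOB_RE = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")   # a large base64 body
DEAD_DROP_HOSTS = {"steamcommunity.com", "t.me"}            # resolvers named in the article
YOUNG_DOMAIN_DAYS = 30
BIG_UPLOAD_BYTES = 1_000_000
SHORT_FLOW_SECONDS = 120
DEAD_DROP_WINDOW = timedelta(seconds=60)


@dataclass(frozen=True)
class Flow:
    ts: datetime
    dst_host: str
    dst_port: int
    bytes_out: int
    duration_s: float
    payload_head: str = ""  # first bytes of cleartext payload; "" when encrypted


def registrable_domain(host):
    # Naive two-label split; adequate for the constructed hostnames below.
    return ".".join(host.lower().split(".")[-2:])


def label_entropy(label):
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0


def looks_random(host):
    """Leftmost label long and high-entropy, as with generated subdomains."""
    first = host.lower().split(".")[0]
    return len(first) >= 10 and label_entropy(first) > 3.0


def triage(flows, registration_dates, today):
    """registration_dates maps registrable domain -> registration date.
    Returns a list of (rule, destination host) hits in time order."""
    hits = []
    last_dead_drop = None
    for f in sorted(flows, key=lambda x: x.ts):
        host = f.dst_host.lower()
        registered = registration_dates.get(registrable_domain(host))
        young = registered is not None and (today - registered).days <= YOUNG_DOMAIN_DAYS

        # Rule 1: RedLine-style SOAP envelope carrying a base64 archive, any port.
        if SOAP_RE.search(f.payload_head) and BASE64_BLOB_RE.search(f.payload_head):
            hits.append(("soap_envelope_exfil", host))

        # Rule 2: short, high-payload upload to a recently registered domain.
        if young and f.bytes_out >= BIG_UPLOAD_BYTES and f.duration_s <= SHORT_FLOW_SECONDS:
            hits.append(("young_domain_burst", host))
            if looks_random(host):
                hits.append(("random_subdomain", host))

        # Rule 3: dead-drop fetch followed quickly by first contact with a young domain.
        if registrable_domain(host) in DEAD_DROP_HOSTS:
            last_dead_drop = f.ts
        elif young and last_dead_drop is not None and f.ts - last_dead_drop <= DEAD_DROP_WINDOW:
            hits.append(("dead_drop_resolution", host))
    return hits


# Constructed sample data, not captured traffic.
TODAY = date(2026, 2, 1)
REGISTRATION_DATES = {  # stand-in for a WHOIS/RDAP or passive-DNS first-seen lookup
    "cdn-sync.example": date(2026, 1, 25),
    "corp-mail.example": date(2019, 6, 3),
}
T0 = datetime(2026, 2, 1, 9, 0, 0)
SOAP_HEAD = ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
             "<s:Body><Upload><data>" + "QUJD" * 60)
SAMPLE_FLOWS = [
    Flow(T0, "corp-mail.example", 443, 3_500_000, 40.0),                 # routine upload, old domain
    Flow(T0 + timedelta(minutes=1), "panel-7.example", 32803, 2_000_000, 15.0, SOAP_HEAD),
    Flow(T0 + timedelta(minutes=2), "steamcommunity.com", 443, 800, 0.4),  # dead-drop fetch
    Flow(T0 + timedelta(minutes=2, seconds=20), "x7q2vk9bm3.cdn-sync.example", 443, 4_200_000, 25.0),
    Flow(T0 + timedelta(minutes=15), "static.cdn-sync.example", 443, 5_000, 1.0),  # young but tiny
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_FLOWS, REGISTRATION_DATES, TODAY):
        print(hit)
```

Rule 2 is the only one that survives Lumma-style HTTPS, and it depends entirely on the quality of the domain-age source, which is the article's point about reputation feeds. The dead-drop rule is a correlation, not a signature: the Steam or Telegram fetch is benign on its own, so it is only kept as state and never fires by itself.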

The 2025–2026 family map

The infostealer market in 2026 looks substantially different from 2024. Two waves of law-enforcement action restructured it.

October 28, 2024 — Operation Magnus (RedLine + META). A multi-jurisdictional action led by the Dutch National Police, supported by the FBI, IRS Criminal Investigation, Eurojust, Europol, and Belgian, Portuguese, UK, and Australian authorities. Three servers in the Netherlands were seized, two domains were taken down, two arrests were made in Belgium, and US charges were unsealed against Maxim Rudometov, a RedLine developer — access device fraud, conspiracy, money laundering, maximum 35 years. Source code, license servers, API services, panels, and Telegram accounts were confiscated.

The operation ended RedLine and META as commercial MaaS products. Within weeks, however, RedLine variants compiled from leaked source code were observed in the wild. The brand died; the codebase did not.

May 13–21, 2025 — Lumma Stealer takedown. Microsoft’s Digital Crimes Unit obtained a US court order to seize 2,300 Lumma C2 domains. The DOJ and FBI knocked out two key administration domains on May 19. Lumma’s operators spun up three replacement domains on May 20; those were seized within 24 hours. Microsoft sinkholed approximately 394,000 infected hosts over the 60-day sample window.

Lumma did not stop. By June 2025, threat-intel feeds were tracking new Lumma C2 infrastructure registered under different DNS providers. By November 2025, Lumma was back at scale — though no longer dominant. Vidar took the top spot in the post-takedown reorganisation.

The current top-five families by infected-host count (as of early 2026):

  • Vidar — the new market leader since November 2025. Uses Telegram and Steam dead-drop C2 resolution. Mature codebase, active development.
  • Lumma — recovered from the May 2025 takedown but no longer dominant.
  • Acreed — newer family that surged in late 2025 to fill post-Lumma demand.
  • Rhadamanthys — persistent through both takedowns; HTTPS + Tor fallback.
  • StealC — favoured in environments with EDR deployed because of a measurably lower telemetry footprint than the noisier families.

Banshee Stealer (macOS) operated as a separate market segment. The November 2024 source code leak collapsed the original commercial operation. A January 2025 variant targeting Russian-speaking macOS users was observed, suggesting the leaked source code is now being recompiled and redistributed by smaller actors. macOS infostealer activity is structurally smaller than Windows but grew substantially across 2024 and 2025.

The structural lesson from both takedowns: the infrastructure of any individual family is fragile, but the market is resilient. Demand from initial-access brokers and ransomware affiliates does not disappear because one MaaS panel goes offline. The next family scales up to fill the gap within weeks.

[Figure: five-column comparison of 2026 infostealer market families, Vidar (current leader), Lumma (recovered post-takedown), Acreed (rising), Rhadamanthys (persistent) and StealC (low-footprint), by C2 protocol, market position and distinctive trait.]

The aggregation economy

A stolen credential is worth nothing on the infected host. It becomes valuable when it reaches a buyer who can use it. The economy that connects the two is mature, professional, and fast.

Russian Market is the dominant credential-log marketplace in 2026. Tens of thousands of active customers; millions of listings. Listings are organised by victim country, by target service (Amazon, PayPal, banking, corporate VPN, RDP, SSH), and by freshness. Pricing ranges from approximately $1 for basic credentials to $500 or more for logs containing corporate VPN access or active session cookies for high-value SaaS tenants. Logs containing fresh, unexpired session cookies sell at the highest premium because they bypass MFA — the buyer can replay the cookie and log in as the user without ever needing the password.

2easy Market specialises in RedLine-, Raccoon-, and Vidar-family logs and operates with a similar listing structure to Russian Market.

Telegram channels have absorbed a substantial fraction of stealer-log distribution that used to live on dark-web forums. By 2026, more than 90% of observed stealer logs appear on Telegram at some point in their distribution chain — either as the primary marketplace, as advertisement for a paid marketplace, or as low-value bulk drops giving smaller actors free access to recycled logs. Telegram’s combination of channel ease-of-access, end-to-end encryption for private chats, and limited cooperation with takedown requests has made it the lowest-friction distribution layer in the ecosystem.

The exploitation window is short. Industry telemetry suggests the median time between a credential appearing on a marketplace and a credential-stuffing or session-replay attempt against the relevant service is 24 to 72 hours. Fresh logs are perishable — session cookies expire, passwords get rotated, MFA gets reconfigured — so the market prices speed.

Initial Access Brokers (IABs) sit one layer downstream. An IAB buys filtered stealer logs in bulk, runs them against corporate authentication endpoints, and sells the resulting working access to ransomware affiliates as a packaged product. A single Snowflake-tenant credential pair, bought for $10 from a stealer log, that opens a working Snowflake instance for a Fortune 500 company, can be resold to a ransomware affiliate for $5,000 to $50,000 depending on the victim’s revenue profile. The Snowflake breaches of 2024 (UNC5537) followed this model end-to-end.

[Figure: infostealer aggregation economy flow. Infected personal host to C2 server, to Russian Market or a Telegram channel ($1 to $500 per log), to an Initial Access Broker, to a ransomware affiliate or corporate breach ($5,000 to $50,000 per working corporate access), with a median 24 to 72 hour exploitation window.]

The vintage problem

The most important characteristic of the stealer-log economy is that logs do not expire when the credentials in them get rotated. A log harvested in 2020 sits in marketplaces forever. The credentials inside may have been changed; the cookies have certainly expired; the screenshot is years old. But if an organisation onboards a new SaaS service in 2024 and an employee uses the same password they were using in 2020, that 2020 log is now a working corporate credential against the 2024 service.

This is the structural reason the Snowflake breaches happened in 2024 from infections that, in some cases, predated 2021. Mandiant’s investigation of UNC5537 found credential pairs in active use whose infostealer-collection date was as much as four years before the eventual Snowflake breach. There is no time decay on a log; there is only time decay on the specific credentials inside the log, and password reuse means a single old log can re-light any time the same password is reused on a new service.

The corporate implication is that infostealer exposure is a state, not an event. An organisation does not “have” or “not have” infostealer-leaked credentials. It has employees whose personal devices may have been infected at any point in the last five years, whose resulting logs may sit in marketplaces today, and whose contained credentials may or may not authenticate against current corporate systems depending on the password-reuse and MFA-coverage state of those systems.

The corporate enumeration problem

The ASM, EAP, and identity-protection platforms covered in our earlier piece on the identity attack surface all sit on the corporate side of the perimeter. They observe corporate-issued endpoints, corporate-managed identities, corporate-controlled SaaS tenants. They do not observe — and structurally cannot observe — what happens on an employee’s personal laptop, on a contractor’s home machine, on a board member’s spouse’s iPad, or in the stealer-log marketplaces that aggregate the harvest of those personal-side infections.

The enumeration that does answer the corporate exposure question is performed against the marketplaces themselves. The major commercial offerings in this space — Hudson Rock’s Cavalier, SpyCloud’s Enterprise tier, IntelX, Flare, KELA, DarkOwl, Constella’s identity intelligence platform — all maintain ingestion pipelines into the major Telegram channels and the underground marketplaces, normalise the resulting logs against customer-supplied seeds (corporate email domains, executive personal email addresses, known service hostnames), and surface matches.

A complete corporate enumeration covers, at minimum:

  1. All employee corporate email addresses, against breach corpora and stealer-log marketplaces.
  2. All employee personal email addresses where known, for the same — because a personal-address infection that captured a corporate-credential autofill is the most common cross-contamination path.
  3. All known corporate hostnames and SaaS-tenant subdomains, for indirect appearances inside logs (the corporate Snowflake URL appears in the browser-history portion of an infected employee’s log even if no corporate credential is captured).
  4. All known executive aliases, family member emails, and personal device fingerprints where appropriate.

The deliverable is a per-individual exposure inventory annotated with credential vintage, marketplace appearance date, and current usability assessment. It is the same shape of inventory described in section 5 of the identity-attack-surface piece — a per-person record, not a per-asset record.
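The enumeration steps above, and the vintage problem from the previous section, come together in the shape of the deliverable. The script below is an added example, not code from this article or from any of the vendors it names: it normalises constructed stealer-log records (the kind a marketplace-ingestion pipeline would emit) against customer-supplied seeds, namely corporate email domains, known executive personal addresses and corporate SaaS hostnames, attributes each match to a person, and annotates it with credential vintage, marketplace appearance date and a usability assessment. A years-old log whose password may still be reused, a fresh log with a live session cookie, and a corporate hostname that merely appears in browsing history are ranked differently. The record schema, seed values, dates and assessment labels are assumptions.

```python
"""Per-individual exposure inventory built from stealer-log records.

Added example (not the article's or any vendor's code). Record schema,
seeds, dates and the usability labels are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date
from urllib.parse import urlsplit


@dataclass
class StealerLog:
    log_id: str
    harvested: date          # date the infostealer ran on the host
    market_first_seen: date  # date the log surfaced on a marketplace or channel
    credentials: list = field(default_factory=list)  # (url, username)
    cookies: list = field(default_factory=list)      # (host, expiry date)
    history: list = field(default_factory=list)      # visited URLs


@dataclass(frozen=True)
class Seeds:
    corporate_domains: frozenset        # email domains, e.g. acme.example
    corporate_hosts: frozenset          # SaaS-tenant and VPN hostnames
    watched_personal_emails: frozenset  # executive and family personal addresses


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def is_corporate_host(host, seeds):
    return any(host == h or host.endswith("." + h) for h in seeds.corporate_hosts)


def assess(kind, vintage_days, cookie_live):
    """Usability label: cookies decay with their expiry, passwords only with rotation."""
    if kind == "session_cookie":
        return "replayable_now" if cookie_live else "expired"
    if kind == "indirect_hostname":
        return "no_credential_captured"
    # The vintage problem: an old password is still usable wherever it was reused.
    return "usable_if_reused" if vintage_days > 365 else "likely_current"


def build_inventory(logs, seeds, today):
    """Return {person: [exposure items]} where person is an email address or
    an 'unattributed:<log_id>' marker when the log names no seeded identity."""
    inventory = defaultdict(list)
    for log in logs:
        vintage = (today - log.harvested).days
        people = set()
        items = []  # (person or None, kind, cookie_live)
        for url, username in log.credentials:
            user = username.lower()
            domain = user.rsplit("@", 1)[-1]
            if domain in seeds.corporate_domains:
                people.add(user)
                items.append((user, "corporate_credential", False))
            elif user in seeds.watched_personal_emails:
                people.add(user)
                items.append((user, "personal_credential", False))
            elif is_corporate_host(host_of(url), seeds):
                items.append((None, "corporate_credential", False))  # non-email username on a corp host
        for host, expiry in log.cookies:
            if is_corporate_host(host, seeds):
                items.append((None, "session_cookie", expiry > today))
        for url in log.history:
            if is_corporate_host(host_of(url), seeds):
                items.append((None, "indirect_hostname", False))
                break
        for person, kind, live in items:
            owners = [person] if person else (sorted(people) or [f"unattributed:{log.log_id}"])
            for owner in owners:
                inventory[owner].append({
                    "kind": kind, "log": log.log_id, "vintage_days": vintage,
                    "market_first_seen": log.market_first_seen.isoformat(),
                    "usability": assess(kind, vintage, live),
                })
    return dict(inventory)


# Constructed seeds and log records, not real marketplace data.
TODAY = date(2026, 2, 1)
SEEDS = Seeds(frozenset({"acme.example"}),
              frozenset({"acme.snowflakecomputing.example", "vpn.acme.example"}),
              frozenset({"jane.doe@personalmail.example"}))
SAMPLE_LOGS = [
    StealerLog("RL-2020-0417", date(2020, 4, 17), date(2020, 5, 2),
               credentials=[("https://mail.acme.example/owa", "alice@acme.example"),
                            ("https://shop.example/login", "alice.personal@webmail.example")],
               history=["https://acme.snowflakecomputing.example/console"]),
    StealerLog("VD-2026-0120", date(2026, 1, 20), date(2026, 1, 22),
               credentials=[("https://acme.snowflakecomputing.example/", "svc_etl")],
               cookies=[("acme.snowflakecomputing.example", date(2026, 2, 14))]),
    StealerLog("LM-2025-0901", date(2025, 9, 1), date(2025, 9, 3),
               credentials=[("https://photos.example/", "jane.doe@personalmail.example")],
               cookies=[("vpn.acme.example", date(2025, 10, 1))],
               history=["https://vpn.acme.example/"]),
]

if __name__ == "__main__":
    for person, exposures in build_inventory(SAMPLE_LOGS, SEEDS, TODAY).items():
        print(person, exposures)
```

The inventory is keyed by person, not by asset, which is the shape the text calls for. Items from a log that names no seeded identity (the second record, a non-email service account against the corporate tenant) are kept under an unattributed marker rather than dropped, because a live session cookie against a corporate host is the highest-urgency item in the inventory regardless of who owned the infected machine.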

The technical chain we walked above — delivery, harvest, exfiltration, marketplace, IAB, breach — is the chain that produces the items inside that inventory. Closing it requires both: knowing the technical mechanics so the inventory makes sense, and knowing where to look so the items get found.

