Technical Intelligence

The Infostealer Ecosystem: Credential Theft and the Supply Chain of Compromise

March 11, 2026
Executive Summary

Infostealer malware has become the foundational layer of modern cybercrime, silently harvesting credentials, session tokens, browser cookies, cryptocurrency wallets, and system fingerprints from millions of compromised endpoints globally. In 2024, Dark Angel identified over 26 million unique stealer log entries containing corporate credentials across monitored underground markets — a 78% increase from 2023. These stolen credentials serve as the primary fuel for initial access brokers, ransomware affiliates, and business email compromise actors, creating a direct supply chain from infostealer infection on a single endpoint to full enterprise compromise. The ecosystem operates at industrial scale: malware-as-a-service subscriptions for leading stealers cost as little as $150-$300 per month, while the resulting credential data generates millions in downstream criminal revenue. This report analyzes the infostealer ecosystem end-to-end, from malware distribution through credential monetization, with specific focus on enterprise detection and risk mitigation strategies.

The Infostealer Ecosystem

Ecosystem Architecture

The infostealer ecosystem operates as a multi-layered supply chain with distinct roles and economic relationships. At the top, malware developers create and maintain infostealer families, selling access through subscription-based malware-as-a-service (MaaS) models on underground forums and Telegram channels. Operators — who may range from individual cybercriminals to organized groups — deploy the malware through various distribution vectors: malvertising (malicious Google and Bing ads), SEO poisoning (fake software download sites), cracked software repositories, phishing campaigns, and YouTube tutorial videos containing malicious links.

Once deployed, infostealers execute on the victim's endpoint for seconds to minutes, harvesting stored browser credentials, autofill data, session cookies (including active MFA-authenticated sessions), cryptocurrency wallet files, VPN client configurations, FTP credentials, email client data, and system information (hardware ID, IP address, installed software). This harvested data is packaged into a "log" — a structured archive — and transmitted to command-and-control infrastructure where it is aggregated, sorted, and either used by the operator directly or sold through specialized marketplaces.

⚠ Critical Finding

Analysis of stealer logs processed by Dark Angel in Q1 2025 found that 14% contained active enterprise credentials (corporate email, VPN, cloud service logins) — representing direct initial access vectors for ransomware operators and targeted intrusion actors. The median time between credential theft and appearance on underground markets is 48 hours.

Major Infostealer Families

Lumma Stealer
  Status: Active, dominant
  Price (MaaS): $250/month
  Distribution: Malvertising, SEO poisoning, cracked software
  Key capabilities: Browser data, crypto wallets, 2FA extensions, cloud tokens

RedLine
  Status: Active
  Price (MaaS): $150/month
  Distribution: Phishing, fake software updates, YouTube
  Key capabilities: Browser data, FTP, VPN, Discord tokens, system info

Raccoon v2
  Status: Resurgent
  Price (MaaS): $200/month
  Distribution: Exploit kits, malvertising
  Key capabilities: Browser data, crypto wallets, email clients, customizable

Vidar
  Status: Active
  Price (MaaS): $250/month
  Distribution: Social media, spam campaigns
  Key capabilities: Browser data, 2FA apps, Telegram, password managers

Stealc
  Status: Active, growing
  Price (MaaS): $200/month
  Distribution: Malvertising, loader chains
  Key capabilities: Modular, customizable grabber, anti-analysis

Rhadamanthys
  Status: Active
  Price (MaaS): $250/month
  Distribution: Phishing, malvertising
  Key capabilities: AI-powered OCR (seed phrase extraction), advanced evasion

META Stealer
  Status: Active
  Price (MaaS): $125/month
  Distribution: Email phishing
  Key capabilities: Browser data, crypto wallets, targets macOS

Lumma Stealer: The Current Market Leader

Lumma Stealer (also known as LummaC2) has emerged as the dominant infostealer by market share since mid-2024, surpassing RedLine and Raccoon. Written in C, Lumma offers sophisticated evasion capabilities including trigonometric-based anti-sandbox checks that analyze mouse cursor movements for human-like behavior, encrypted C2 communications using domain generation algorithms, and the ability to restore expired Google session cookies — allowing attackers to hijack Google accounts even after the victim's session has theoretically expired. Lumma operates through a tiered subscription model ($250-$1,000/month) with higher tiers offering additional features like custom build generation, residential proxy integration, and priority support.

The Raccoon Stealer Saga

Raccoon Stealer's trajectory illustrates the resilience of the MaaS ecosystem. After the arrest of Ukrainian national Mark Sokolovsky in March 2022 and the takedown of Raccoon v1 infrastructure, many anticipated the stealer's permanent demise. Instead, Raccoon v2 launched within months — rebuilt from the ground up in C/C++ with improved data collection capabilities, faster execution, and enhanced evasion. The v2 panel introduced a Telegram-based data delivery mechanism and an API for automated log processing, demonstrating the ecosystem's ability to rapidly reconstitute after law enforcement action.

Stealer Log Markets and Distribution

Market Infrastructure

Stolen credentials flow through several distinct market channels, each serving different buyer profiles:

Russian Market: The largest automated stealer log marketplace, operating as a searchable database where buyers can query by domain, URL pattern, or geographic location. Logs containing corporate credentials for specific organizations are priced between $5 and $50 per log, while logs containing financial institution credentials or cryptocurrency exchange access command premium prices of $50-$500. Russian Market processed an estimated 5 million new logs per month in 2024.

Genesis Market (successor operations): Although the original Genesis Market was seized by the FBI in April 2023, successor operations have emerged offering similar "bot" access — persistent browser fingerprints that allow buyers to impersonate the victim's browser session, bypassing device-based authentication and reducing detection risk.

Telegram channels: An increasingly significant distribution channel, with dedicated Telegram groups offering "cloud of logs" — bulk access to stealer log archives hosted on cloud storage. Free or low-cost channels distribute older logs (30+ days), while premium channels offer fresh logs (0-24 hours old) for $50-$200 per subscription. Dark Angel monitors over 340 Telegram channels distributing stealer log data.

"A single stealer log containing valid corporate VPN credentials costs as little as $10 on Russian Market. That same credential, in the hands of a ransomware affiliate, can enable an intrusion resulting in millions of dollars of damage."

— Dark Angel Research, Exposure Intelligence Analysis

From Stolen Credential to Enterprise Compromise

The Credential-to-Ransomware Pipeline

The supply chain from infostealer infection to enterprise compromise follows a well-established pattern that ransomware ecosystems have industrialized:

  1. Endpoint infection — An employee's personal device, BYOD laptop, or home computer is infected with an infostealer through a malicious ad, fake software download, or phishing email. The infection may last only seconds, making endpoint detection challenging.
  2. Credential harvesting — The stealer extracts stored browser passwords, including corporate email, VPN, and cloud service credentials that the employee has saved for convenience. Session cookies for active authenticated sessions are also captured.
  3. Log aggregation and sale — The operator packages the harvested data and lists it on Russian Market, a Telegram channel, or sells it in bulk to an initial access broker (IAB).
  4. IAB purchases and validates — An initial access broker purchases logs containing corporate credentials, validates them against the target organization's external-facing services (VPN, Citrix, Microsoft 365, Okta), and confirms the level of access obtainable.
  5. Access sold to ransomware affiliate — The validated access is listed on RAMP, XSS, or Exploit forums, typically priced between $1,000 and $20,000 depending on the target organization's size, sector, and the level of access achieved.
  6. Ransomware deployment — The affiliate uses the purchased access to establish a foothold, conduct reconnaissance, escalate privileges, exfiltrate data, and deploy ransomware.

Case Study: Credential-to-Compromise Timeline

In a 2024 incident investigated by Dark Angel, a stealer log containing a European manufacturing company's VPN credentials appeared on Russian Market on Day 0. An IAB purchased the log on Day 3, validated access on Day 4, and listed the access on RAMP on Day 7. A LockBit affiliate purchased the access on Day 12. Data exfiltration began on Day 16, and ransomware was deployed on Day 21. Total time from credential theft to encryption: 21 days. The initial stealer log sold for $12.

Enterprise Exposure Assessment

Measuring Organizational Risk

Dark Angel's Exposure Intelligence module continuously monitors stealer log markets for corporate credential exposure. Key metrics that determine enterprise risk include the volume of exposed credentials associated with the organization's email domains, the recency of credential exposure (logs from the last 48 hours represent highest risk), whether exposed credentials include VPN, cloud admin, or privileged access accounts, the presence of valid session cookies that could bypass MFA, and whether exposed credentials have been observed in IAB listings or ransomware affiliate purchase patterns.

Analysis of Dark Angel's enterprise client base reveals that the average organization has 247 employee credentials appearing in stealer logs at any given time. Of these, approximately 34% represent active credentials that have not been rotated since exposure, 12% include VPN or remote access credentials, and 8% include cloud service administrator accounts.
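As an added illustration of how the metrics above turn into a rotation queue (example code written for this report's readers, not Dark Angel's Exposure Intelligence module), the following Python scores constructed exposure records by recency, privilege, session-cookie presence and IAB observation, and produces the same kind of summary percentages the section reports. The record fields, the service labels and the weights are assumptions to be tuned against your own identity inventory.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Service labels are assumed; map them from your own SSO, VPN and cloud inventory.
PRIVILEGED_SERVICES = {"vpn", "cloud-admin", "okta", "citrix"}


@dataclass
class Exposure:
    """One corporate credential observed in a stealer log (constructed record shape)."""
    email: str
    services: set[str]            # services the saved credential was for
    observed: datetime            # when the log appeared on a market or channel
    rotated: Optional[datetime]   # last password rotation, None if never rotated
    session_cookie: bool          # the log also carried a session cookie
    iab_listing: bool             # credential later referenced in an IAB listing


def is_active(e: Exposure) -> bool:
    """The password is still live if it was never rotated after the log appeared."""
    return e.rotated is None or e.rotated < e.observed


def score(e: Exposure, now: datetime) -> int:
    """Illustrative weights (assumed): fresh, privileged, cookie-bearing or
    broker-listed exposures sort to the top of the rotation queue."""
    s = 0
    age = now - e.observed
    if age <= timedelta(hours=48):       # the report's highest-risk window
        s += 40
    elif age <= timedelta(days=30):
        s += 15
    if is_active(e):
        s += 20
    if e.services & PRIVILEGED_SERVICES:
        s += 25
    if e.session_cookie:                 # may bypass MFA regardless of rotation
        s += 20
    if e.iab_listing:
        s += 30
    return s


def prioritize(exposures: list[Exposure], now: datetime) -> list[tuple[str, int]]:
    """Return (email, score) pairs, highest risk first."""
    ranked = [(e.email, score(e, now)) for e in exposures]
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)


def summarize(exposures: list[Exposure], now: datetime) -> dict:
    """Headline metrics of the kind the section reports: total, still-active, VPN, cloud admin."""
    total = len(exposures)

    def pct(n: int) -> float:
        return round(100.0 * n / total, 1) if total else 0.0

    return {
        "total": total,
        "active_pct": pct(sum(is_active(e) for e in exposures)),
        "vpn_pct": pct(sum("vpn" in e.services for e in exposures)),
        "cloud_admin_pct": pct(sum("cloud-admin" in e.services for e in exposures)),
    }


NOW = datetime(2025, 3, 1, 12, 0, tzinfo=timezone.utc)
H, D = timedelta(hours=1), timedelta(days=1)

# Constructed sample exposures; none of these are real observations.
SAMPLE_EXPOSURES = [
    Exposure("alice@example.com", {"m365", "vpn"}, NOW - 6 * H, None, True, False),
    Exposure("bob@example.com", {"m365"}, NOW - 10 * D, NOW - 5 * D, False, False),
    Exposure("carol@example.com", {"cloud-admin"}, NOW - 20 * D, None, False, True),
    Exposure("dave@example.com", {"crm"}, NOW - 60 * D, None, False, False),
]

if __name__ == "__main__":
    for email, s in prioritize(SAMPLE_EXPOSURES, NOW):
        print(f"{s:4d}  {email}")
    print(summarize(SAMPLE_EXPOSURES, NOW))
```

Bob's record scores low because the password was rotated after the log appeared; Alice's scores highest because the exposure is under 48 hours old, includes a VPN credential and carries a session cookie that rotation alone does not invalidate.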

Detection and Monitoring Strategies

External Monitoring

Effective infostealer risk management requires continuous monitoring of external credential exposure sources. Organizations should monitor stealer log marketplaces (Russian Market, 2easy, and successor Genesis operations) for credentials associated with corporate email domains, Telegram channels distributing stealer logs for corporate credential mentions, initial access broker forums for listings that may reference the organization, and paste sites and dark web forums for bulk credential dumps containing corporate data.

Internal Detection

On the endpoint and network side, indicators of infostealer compromise include anomalous browser data access patterns (rapid sequential reading of credential stores), unusual outbound data transfers from endpoints (stealer logs are typically 10-100MB), connections to known stealer C2 infrastructure, and authentication from unusual locations or devices following credential exposure. Session token reuse is particularly important to monitor — if a valid session cookie is stolen, the attacker can bypass MFA entirely, and the only detection opportunity may be simultaneous use of the session from geographically disparate locations.

Defensive Recommendations

  1. Deploy continuous credential exposure monitoring — Implement automated monitoring for corporate credentials in stealer log markets, Telegram channels, and paste sites. Integrate exposure alerts with identity management systems for rapid credential rotation.
  2. Enforce phishing-resistant MFA — Deploy FIDO2/WebAuthn hardware security keys or platform authenticators for critical systems. Traditional TOTP and push-based MFA can be bypassed through stolen session cookies.
  3. Implement conditional access policies — Require device compliance checks, restrict access from unmanaged devices, enforce geographic access controls, and implement continuous session validation that detects token replay from anomalous locations.
  4. Reduce browser credential storage — Deploy enterprise password managers and implement policies discouraging or technically preventing browser-based password storage. Educate employees about the risk of saving corporate credentials in personal browser profiles.
  5. Monitor for session token abuse — Implement detection for concurrent session use from different locations, anomalous session duration patterns, and session cookie replay attempts. Consider implementing token binding where supported.
  6. Conduct stealer log impact assessments — When corporate credentials are identified in stealer logs, investigate beyond simple password reset: assess what data the infected endpoint had access to, whether the compromised session was used for unauthorized access, and whether lateral movement occurred.
  7. Address BYOD and personal device risk — Develop security policies for employees accessing corporate resources from personal devices, including MDM requirements, containerization, and prohibition of corporate credential storage on unmanaged endpoints.
  8. Integrate with threat intelligence feeds — Ensure security operations teams receive timely intelligence on new infostealer variants, evolving distribution techniques, and changes in stealer log market dynamics.
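The session-reuse signal described under Internal Detection, and recommendation 5 above, can be checked from ordinary authentication logs. The following Python is an added example (not Dark Angel tooling) run over a few constructed log lines: it groups events by session identifier and raises an alert when one session is used from two different countries within a short window, the "simultaneous use from geographically disparate locations" case the report calls out. A country change after a long gap is left alone by the window, and a user-agent change on the same session is reported as a secondary signal. The log format, field names and the 60-minute window are assumptions; adapt the regex to your IdP or proxy.

```python
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed log format; adapt the regex to the fields your IdP or proxy emits.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) session=(?P<session>\S+) "
    r"ip=(?P<ip>\S+) geo=(?P<geo>\S+) ua=(?P<ua>\S+)$"
)


def parse_line(line: str) -> dict | None:
    """Turn one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return event


def detect_session_replay(lines, window: timedelta = timedelta(minutes=60)) -> list[dict]:
    """Flag any session seen from two different countries within `window`.

    A stolen cookie replayed by an attacker shows up as the same session id
    authenticating from somewhere the legitimate user is not; the time window
    separates that from a user who genuinely travelled between logins."""
    by_session: dict[str, list[dict]] = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_session[ev["session"]].append(ev)

    alerts = []
    for session, events in by_session.items():
        events.sort(key=lambda ev: ev["ts"])
        for prev, cur in zip(events, events[1:]):
            gap = cur["ts"] - prev["ts"]
            if cur["geo"] != prev["geo"] and gap <= window:
                alerts.append({
                    "user": cur["user"],
                    "session": session,
                    "from_geo": prev["geo"], "from_ip": prev["ip"],
                    "to_geo": cur["geo"], "to_ip": cur["ip"],
                    "gap_minutes": gap.total_seconds() / 60,
                    "ua_changed": cur["ua"] != prev["ua"],   # secondary signal
                })
    return alerts


# Constructed sample: session s-100 is reused from another country 7 minutes
# after legitimate use, while carol's country change comes 9 hours later.
SAMPLE_LOG = """
2025-03-01T09:00:00Z user=alice session=s-100 ip=198.51.100.4 geo=DE ua=Chrome
2025-03-01T09:05:00Z user=alice session=s-100 ip=198.51.100.4 geo=DE ua=Chrome
2025-03-01T09:12:00Z user=alice session=s-100 ip=203.0.113.77 geo=RU ua=Firefox
2025-03-01T10:00:00Z user=bob session=s-200 ip=192.0.2.9 geo=US ua=Edge
2025-03-01T18:00:00Z user=bob session=s-200 ip=192.0.2.9 geo=US ua=Edge
2025-03-02T09:00:00Z user=carol session=s-300 ip=192.0.2.30 geo=FR ua=Safari
2025-03-02T18:00:00Z user=carol session=s-300 ip=192.0.2.31 geo=GB ua=Safari
""".strip().splitlines()

if __name__ == "__main__":
    for a in detect_session_replay(SAMPLE_LOG):
        print(f"ALERT {a['user']} {a['session']}: {a['from_geo']} -> {a['to_geo']} "
              f"in {a['gap_minutes']:.0f} min (ua changed: {a['ua_changed']})")
```

Only Alice's session is flagged: the same session id authenticates from a second country seven minutes after the last legitimate use, with a different user agent. On a real tenant the alert should feed session revocation as well as password rotation, since the cookie, not the password, is what the attacker is holding.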

Methodology

This report draws on Dark Angel's continuous monitoring of the infostealer ecosystem. Data sources include automated collection from stealer log marketplaces (Russian Market, 2easy, and Genesis Market successors), monitoring of 340+ Telegram channels distributing stealer logs and MaaS subscriptions, analysis of 26+ million stealer log entries processed in 2024, reverse engineering of major infostealer families, and incident response data from Dark Angel client engagements where stealer-sourced credentials enabled initial access. Malware family analysis is based on samples obtained from public and private malware repositories. Market pricing data reflects observed listings on multiple platforms across Q4 2024 and Q1 2025.

Monitor Your Credential Exposure

Dark Angel's Exposure Intelligence module provides real-time monitoring of stealer log markets and dark web sources for your organization's compromised credentials.
