
Malware Incident Response: The 7-Step Playbook for 2025
Malware Incident Response Infostealers
What Is Malware Incident Response? Malware incident response is how your security team detects, contains, and recovers …

Learn how infostealer malware has become the dominant threat vector and what security teams must do to detect exposed credentials.
• Most attackers don’t need malware anymore. They just log in with stolen credentials like legitimate users.
• Infostealers have become the dominant malware type because they enable ransomware and account takeover attacks.
• In 2024, over half of ransomware victims had employee credentials exposed on the dark web before the attack.
• Dark web monitoring catches credential exposure early, giving you time to reset passwords before exploitation.
In 79% of breaches last year, attackers didn’t use malware at all. They just logged in with stolen credentials.
That’s up from 40% in 2019. The shift is clear: why deploy malware when you can walk through the front door?
That’s where infostealers come in. They steal the credentials that make those ‘malware-free’ attacks possible.
In this post, we’ll cover the malware trends security teams need to watch and how to detect when your credentials end up on the dark web.
The malware landscape has fundamentally shifted.
Traditional malware that drops payloads and triggers antivirus alerts is becoming less common. Instead, attackers focus on stealing credentials first and using legitimate access to move through networks.
According to CrowdStrike’s 2025 Global Threat Report, 79% of detected intrusions in 2024 were “malware-free.” That’s up from 40% in 2019.
What does “malware-free” mean? Attackers didn’t need to deploy malware because they had stolen credentials. They just logged in like legitimate employees using valid usernames and passwords. No malicious payload required.
The malware that does get deployed increasingly serves one purpose: stealing credentials.
Infostealer malware is designed to extract credentials and sensitive data from infected devices. It harvests saved passwords from browsers, captures login form submissions, and steals session cookies. Popular variants include Lumma, RedLine, Vidar, and RisePro.
IBM X-Force’s 2025 Threat Intelligence Index found an 84% increase in infostealers delivered via phishing emails compared to the previous year. These aren’t zero-day exploits. They’re emails with malicious attachments that harvest credentials within minutes.
Two factors drive the infostealer explosion: low barriers to entry and high returns for attackers.
Infostealers operate on a Malware-as-a-Service (MaaS) model. Anyone with cryptocurrency can rent access to credential-stealing infrastructure.
IBM X-Force tracked the top infostealers by dark web listings in 2024:
These aren’t state-sponsored tools. They’re commercial products marketed to low-skill threat actors who buy access to stealer infrastructure and spam phishing emails until something works.
The same report found a 12% increase in infostealer credentials for sale on dark web marketplaces. Supply is growing because demand is high. Stolen credentials sell quickly because they work.
Phishing emails remain the primary delivery method, but infostealers reach victims through multiple channels.
Malvertising places malicious ads on legitimate websites. When users click what looks like a software download or product ad, they get an infostealer instead. Google Ads has been particularly targeted. Attackers bid on keywords for popular software and redirect victims to fake download pages.
Cracked software and game mods bundle infostealers with pirated applications. Employees downloading “free” versions of expensive software often infect their devices. The same applies to game modifications and cheats.
Fake software updates trick users into installing malware. Pop-ups claiming your browser needs updating actually install credential stealers. These attacks target both personal and corporate devices.
SEO poisoning manipulates search results to rank malicious sites for common queries. Users searching for software downloads or troubleshooting guides end up on attacker-controlled pages that push infostealers.
The common thread: users willingly execute the malware because they think it’s legitimate software. This bypasses many security controls that would catch traditional malware delivery.
Here’s the connection most organizations miss: infostealers are the front door for ransomware.
The 2025 Verizon Data Breach Investigations Report found that 54% of ransomware victims had corporate credentials appearing in stealer logs before the attack. Threat actors buy these credentials from initial access brokers who specialize in harvesting and selling corporate logins.
The attack chain works like this:
By the time ransomware hits, the initial infostealer infection happened weeks or months earlier. Traditional incident response focuses on the ransomware. Smart security teams trace the attack back to the initial credential theft.
These attack patterns aren’t theoretical. Major breaches in recent years trace back to credential theft.
Uber (2022): An attacker purchased stolen credentials from a dark web marketplace. The credentials belonged to an Uber contractor whose personal device had been infected with malware. The attacker used these credentials to access Uber’s internal systems, then moved laterally through the network. MFA didn’t stop the attack because the attacker used social engineering to get the contractor to approve the authentication request.
CircleCI (2023): An engineer’s laptop was infected with infostealer malware. The malware captured a valid session token for CircleCI’s internal systems. Because the session was already authenticated, the attacker bypassed MFA entirely. They used that access to steal customer secrets and environment variables from CircleCI’s platform.
Okta (2023): An employee’s personal Google account was compromised. That account had been used to save Okta service account credentials. An attacker used those credentials to access Okta’s customer support system, then downloaded files containing customer session tokens. The initial compromise was a personal device. The impact reached Okta’s enterprise customers.
The pattern repeats itself. Credentials get stolen from an infected device. Those credentials end up on the dark web or in the hands of access brokers. Attackers buy the credentials and use them to break in. The gap between initial infection and exploitation can be weeks or months.
Infostealers grab everything they can find on an infected device.
Browser credentials are the primary target. Infostealers grab saved passwords from browsers, but they also capture credentials as employees type them by hooking into the browser process before encryption. Both saved and typed passwords get stolen.
Session tokens and authentication cookies bypass passwords entirely. Even with MFA enabled, a stolen session cookie lets attackers log in without authentication. The browser thinks it’s the same session.
This is called session hijacking, and it’s why MFA alone doesn’t stop infostealer attacks. When malware captures an active session cookie, the attacker inherits that authenticated session. They don’t need the password. They don’t need the MFA code. They already have a valid, authenticated connection to your systems.
Stolen session tokens are particularly dangerous for cloud services. An attacker with a stolen Okta or Microsoft 365 session cookie can access email and internal applications. Some session tokens remain valid for days or weeks, giving attackers extended access windows.
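The hijacking mechanism above, as an added example that is not code from the original post: a minimal server-side session store in Python showing that the per-request check never re-asks for a password or MFA code, that a password reset leaves a stolen cookie valid, and that the two controls which close the gap are an absolute session lifetime and revoking every session of the exposed account. The 8-hour cap, the account name and the passwords are assumptions made for the example.

```python
import secrets
import time

MAX_SESSION_AGE = 8 * 3600  # assumption: cap sessions at 8 h, not "days or weeks"


class SessionStore:
    """Minimal cookie session store (demo only: passwords kept in a plain dict)."""

    def __init__(self, passwords, clock=time.time):
        self._passwords = dict(passwords)  # user -> password
        self._sessions = {}                # cookie value -> (user, issued_at)
        self.clock = clock

    def login(self, user, password):
        """Returns a fresh opaque cookie: exactly the value an infostealer exfiltrates."""
        if self._passwords.get(user) != password:
            return None
        cookie = secrets.token_urlsafe(32)
        self._sessions[cookie] = (user, self.clock())
        return cookie

    def user_for(self, cookie):
        """Per-request check: whoever presents the cookie is the user, no password, no MFA."""
        entry = self._sessions.get(cookie)
        if entry is None:
            return None
        user, issued = entry
        if self.clock() - issued > MAX_SESSION_AGE:  # absolute lifetime bounds the window
            del self._sessions[cookie]
            return None
        return user

    def reset_password(self, user, new_password):
        """The response most teams stop at. Existing cookies keep working."""
        self._passwords[user] = new_password

    def revoke_sessions(self, user):
        """The step the post insists on: drop every session of the exposed account."""
        before = len(self._sessions)
        self._sessions = {c: v for c, v in self._sessions.items() if v[0] != user}
        return before - len(self._sessions)


def exposure_walkthrough():
    """Replays the post's scenario; returns (valid_after_reset, revoked, valid_after_revoke)."""
    user = "j.doe@example-corp.com"                     # constructed account
    store = SessionStore({user: "Winter2024!"})
    stolen = store.login(user, "Winter2024!")           # the cookie the stealer captures
    store.reset_password(user, "Helpdesk-Reset-1")      # password reset only
    valid_after_reset = store.user_for(stolen) == user  # True: the cookie survived
    revoked = store.revoke_sessions(user)
    return valid_after_reset, revoked, store.user_for(stolen) is not None
```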
Cryptocurrency wallets are high-value targets. Wallet files and seed phrases get exfiltrated for immediate financial theft.
Corporate VPN and SSO credentials are the jackpot for access brokers. One set of Okta or Azure AD credentials can unlock an entire corporate environment. This is why compromised credential monitoring has become essential for security teams.
Stealer logs are the output files from infostealer infections. Each log contains all credentials harvested from a single infected device, including URLs where passwords were used and session tokens. Logs are sold in bulk on dark web channels and Telegram groups.
The 2025 Verizon DBIR found that 30% of systems compromised by infostealers were enterprise-managed devices. That means corporate endpoints with security software installed.
Even more concerning: 46% of infected enterprise devices were non-managed (BYOD). Employees accessing corporate resources from personal devices create exposure that IT never sees.
Traditional security tools struggle with infostealers. Here’s why.
SpyCloud research found that 66% of malware infections occur on devices with endpoint security software installed. Endpoint security helps, but it doesn’t catch everything.
The real problem is what happens after infection. Attackers might not use stolen credentials for weeks or months. When the breach finally happens, the connection to the original infection is lost.
Traditional detection focuses on malware presence. But once the malware executes, the credentials are already stolen. At that point, you need to detect where those credentials end up.
The solution is dark web credential monitoring: tracking dark web marketplaces and Telegram channels for your exposed credentials.
When an employee’s credentials appear in a stealer log, you have a window to act before attackers use them. Reset the password. Revoke session tokens. Clean up the infected device.
This requires continuous monitoring of:
The goal is detecting the leaked credentials before they’re exploited. When you find credentials in a stealer log, assume the device is compromised. Reset all associated passwords and investigate how the infection happened.
Infostealers target everyone, but some industries see heavier focus.
Healthcare leads in incident volume. Bitsight research found that 93% of healthcare organizations experienced at least one security incident in the past year. Medical records have high value on dark web markets, and healthcare IT often lacks resources for proper security.
Finance sees aggressive targeting. The same Bitsight report found a 47% year-over-year increase in attacks against financial institutions. Banking credentials and financial system access command premium prices from access brokers.
Technology gets exposed through vendor breaches. Technology companies frequently appear in third-party breaches, with 46.75% of incidents involving vendor compromises that exposed tech company data.
Manufacturing leads in ransomware cases. IBM X-Force identified manufacturing as the most common ransomware target, likely because operational disruption creates pressure to pay quickly.
While the industries differ, the attack method is consistent: steal credentials first, deploy ransomware later.
Defense requires both prevention and detection. You can’t stop every infection, so you need to detect exposure quickly.
Employee security awareness remains critical. Infostealers typically arrive via phishing emails with malicious attachments. Training employees to recognize phishing reduces infection rates.
Browser security policies limit credential exposure. Use a dedicated password manager instead of browser-saved passwords. This protects the vault, though typed credentials can still be captured.
BYOD policies need teeth. 46% of infected enterprise devices are personal, not managed. When employees use personal devices for work, you can’t see when they’re infected. Require company-issued devices for work, or limit what personal devices can access.
Credential monitoring catches exposure early. Monitor dark web sources for employee credentials appearing in stealer logs. When credentials appear, treat it as a confirmed incident requiring an immediate password reset.
Automated response workflows reduce exposure time. When compromised credentials are detected, automated systems can force password resets and revoke active sessions without waiting for manual intervention.
Session token revocation matters as much as password resets. Stolen session cookies let attackers in without credentials. When you detect an infostealer exposure, revoke all active sessions for the affected accounts. A password reset alone won’t stop an attacker with a valid session.
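An added example, not code from the original post, tying together the dark web monitoring step described earlier and the automated response workflow above: a Python triage routine that parses a constructed stealer-log excerpt in the plain URL/USER/PASS record layout, keeps only records that touch the organisation's own domains (including a work login reused on a third-party site), and expands each exposed account into the ordered reset, revoke and investigate actions an automated workflow would execute. The domain example-corp.com, the hosts, accounts and passwords are all invented.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the plain "URL / USER / PASS" record layout common in
# stealer-log dumps. Every host, account and password here is invented.
SAMPLE_LOG = """\
URL: https://sso.example-corp.com/login
USER: j.doe@example-corp.com
PASS: Winter2024!

URL: https://vpn.example-corp.com/
USER: J.Doe@example-corp.com
PASS: Winter2024!

URL: https://vendor-portal.example.net/
USER: a.smith@example-corp.com
PASS: Spring2025?
"""

CORP_DOMAINS = {"example-corp.com"}  # assumption: the organisation's own domains

# Ordered per-account steps from the post; sessions go too, since a cookie survives a reset.
RESPONSE_ACTIONS = ("reset_password", "revoke_all_sessions", "investigate_device")


def parse_records(text):
    """Yield (url, user, password) from blank-line separated records."""
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(re.findall(r"^(URL|USER|PASS):\s*(.*)$", block, re.M))
        if "URL" in fields and "USER" in fields:
            yield fields["URL"], fields["USER"].strip().lower(), fields.get("PASS", "")


def _in_domains(name, domains):
    return any(name == d or name.endswith("." + d) for d in domains)


def corporate_exposures(text, corp_domains=CORP_DOMAINS):
    """Map each exposed corporate account to the hosts it was captured on. A record
    counts if the URL is a corporate host OR the account is a corporate e-mail."""
    exposures = {}
    for url, user, _ in parse_records(text):
        host = (urlparse(url).hostname or "").lower()
        mail_domain = user.rsplit("@", 1)[-1] if "@" in user else ""
        if _in_domains(host, corp_domains) or _in_domains(mail_domain, corp_domains):
            exposures.setdefault(user, set()).add(host)
    return exposures


def response_plan(exposures):
    """Expand exposures into (account, action) pairs for an automated workflow."""
    return [(acct, act) for acct in sorted(exposures) for act in RESPONSE_ACTIONS]
```

Treat every account returned by `corporate_exposures` as a confirmed incident, and hand the `response_plan` pairs to whatever identity provider or SOAR tooling performs the reset and revocation.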
The malware landscape has shifted from payload delivery to credential theft.
Infostealers now dominate because they enable everything else. With valid credentials, attackers don’t need malware. They log in like legitimate users and move through networks undetected.
For security teams, this means changing focus. Traditional malware detection remains important, but it’s not enough. You need visibility into where credentials end up after they’re stolen.
Monitor dark web marketplaces and Telegram channels where stolen credentials appear. Find leaked credentials and reset them before attackers exploit them.
The 84% increase in infostealer delivery isn’t slowing down. Neither should your detection capabilities.
Ready to see if your credentials are already exposed? Check your company’s dark web exposure to find out what threat actors already know about your organization.
The dominant trend is the shift from traditional malware to credential theft. Most intrusions today are malware-free, meaning attackers use stolen credentials rather than deploying malware payloads. Infostealer malware has surged because it harvests the credentials that enable later attacks.
Yes. AV-TEST Institute detects approximately 560,000 new malware threats daily. Ransomware appeared in 44% of breaches in 2024, up from 32% the previous year. Infostealers are growing fastest, with IBM X-Force reporting a 12% increase in stolen credentials for sale on dark web marketplaces.
Infostealer malware extracts credentials from infected devices. It harvests saved passwords from browsers and captures credentials as they’re typed. It also steals session cookies that bypass authentication. Popular variants include Lumma, RedLine, and Vidar. The stolen data appears in stealer logs sold on dark web channels within hours of infection.
Endpoint security doesn’t catch every infection, and attackers may not use stolen credentials for weeks or months. Detection requires dark web monitoring of marketplaces and Telegram channels where stolen credentials appear. When employee credentials appear in these sources, you can reset them before attackers exploit them.
Infostealers serve as the initial access vector for ransomware attacks. Stolen credentials show up on dark web markets, then attackers buy them and use them to break into corporate networks. The ransomware deployment often happens weeks or months after the original credential theft.