Update, Feb. 24, 2025: This story, originally published Feb. 22, has been updated with a stark example of a real-world infostealer malware attack campaign targeting the U.S. military, as well as a new warning from the head of engineering at NordPass about how AI is coming for your passwords next and how to protect against the threat.
Considering just how many infostealer malware warnings have been issued recently, from macOS-specific threats, to those targeting a broad sweep of Gmail and Outlook email users, there can be little doubting that cybercrime actors are coming for your passwords. Now the true reach of the infostealer malware threat has been laid bare by a threat intelligence agency which specializes in leveraging dark web data, and the picture it paints is a scary one. Here’s what you need to know.
Infostealers Behind 3.9 Billion Stolen Passwords Shared By Hackers
More than 4.3 million machines were infected by infostealer malware across 2024 according to the latest KELA state of cybercrime report, published Feb. 20. The threat intelligence analysts also said they had observed 3.9 billion passwords “shared in the form of credentials lists that appear to be sourced from infostealer logs.” Just three strains of this insidious malware threat, Lumma, StealC, and Redline, were responsible for 75% of all infected systems. “Underground economies, from malware-as-a-service to stolen credential marketplaces, contributed to a powerful infrastructure supporting a range of malicious activities,” David Carmiel, CEO at threat intelligence analysts KELA, said.
That malicious activity includes both ransomware attacks and espionage campaigns. “Infostealers’ appeal,” the report suggested, “lies in their efficiency and scalability, enabling attackers to compromise large volumes of accounts, both personal and corporate.” By doing so, this particular malware menace becomes something of a self-fulfilling password theft prophecy: lists of compromised credentials are sold on underground criminal marketplaces, used to aid further attack campaigns, and those campaigns harvest more credentials that can be sold, and so on. Almost 40% of the infected machines in KELA’s “data lake” included credentials for sensitive corporate systems such as content management systems, email, Active Directory Federation Services, and remote desktop. In all, that accounts for nearly 1.7 million bots and 7.5 million compromised credentials. “Based on KELA’s analysis,” the report stated, “the dataset primarily (almost 65%) contained personal computers that had corporate credentials saved on them and thus obtained by infostealer malware.”
To help mitigate the threat from infostealer malware, KELA recommended that multi-factor authentication be implemented across all accounts, critical systems be isolated to limit the opportunity for lateral movement by attackers, and advanced email filtering solutions be deployed to prevent phishing attempts. If you value your accounts and your data, then you had better take action sooner rather than later. The threat actors certainly aren’t waiting, and KELA analysts expect the infostealer threat to your passwords only to increase during 2025.
Passwords And Beyond: The Very Real-World Infostealer Malware Threat
Alon Gal, the co-founder of threat intelligence experts Hudson Rock, has warned that employees at major U.S. defense contractors, U.S. Army and Navy personnel and “even the FBI and Government Accountability Office have active infections, exposing investigative and cybersecurity personnel.” The infections Gal is talking about are infostealer malware infections. What’s more, the analysis by Hudson Rock claimed that such attacks can be carried out for as little as $10 per target computer. “At some point, these employees downloaded malware on a device they used for work, exposing not just their credentials, but potentially their entire digital footprint: browsing history, autofill data, internal documents, and session cookies for sensitive applications,” Gal said.
The cost-effectiveness of such attacks is not the only reason that infostealers have become so popular in the cybercriminal world; there’s also the small matter of how they work. “Unlike traditional hacking,” Gal explained, “infostealers don’t brute-force their way into networks. Instead, they wait for an employee to slip up — download a game mod, a pirated software crack, or an infected PDF — and then exfiltrate everything.” And by everything, Gal gave examples such as:
VPN credentials to military and contractor networks.
Multi-factor authentication session cookies.
Email logins to government and defense agencies.
Internal development tools (GitHub, Jira, Confluence.)
Stored documents, browser autofill data, and history.
Infostealer intelligence isn’t just about detecting who’s infected, Gal concluded; it’s also about understanding the entire network of compromised credentials and third-party risks. “If infostealers can infiltrate the military-industrial complex,” Gal said, “what else is already inside?”
“The infostealer is a secondary problem,” Roger Grimes, a data-driven Defence Evangelist at KnowBe4, said. “The real problem and question is how the infostealers are getting on military computers in the first place.” Was it social engineering, unpatched software, firmware or something else? Whatever the cause, Grimes warned that “if the involved department doesn’t take care of how the infostealer is gaining initial access, they are going to have far greater problems than just stolen passwords.”
The AI Threat To Your Passwords
Ever since a story about an AI-powered hack targeting Gmail users that was published here at forbes.com Oct. 13, 2024, went viral, there has been no doubting the real-world threat that AI poses to your passwords. Now, Ignas Valancius, the head of engineering at password manager NordPass, has warned that while weak passwords can be cracked in just a matter of seconds, AI can “crack even stronger ones in the same amount of time.” Large language models can and will, Valancius said in an email conversation, “be used to brute force passwords and organize dictionary attacks more often.”
Advising that we should all be mindful that the time it takes to guess, socially engineer, or just go nuclear and brute force passwords is going to drop dramatically across 2025 due to the use of AI tools, Valancius said, “I’m not saying that super long, random 18-character passwords are at immediate risk. But shorter ones – they could be in danger. This is why it’s vital to make sure you look after your passwords properly, and that includes everything from their creation to their management and use.”
Valancius recommended the following when it comes to password hygiene:
The longer it is, the better. Just be sure not to use your name or other personal information.
Since long random passwords are very hard to remember, creating a passphrase might be a good workaround.
Use different passwords for different accounts and never reuse them.
Another option is switching to passkeys. They combine biometric verification with cryptographic keys, offering a safer and more convenient alternative to passwords.
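To put numbers behind the “longer is better” and passphrase advice above, here is an added example (not from the article, NordPass or KELA) that computes the entropy of uniformly random passwords and word-list passphrases and the time an attacker would need to exhaust them at an assumed guess rate; the alphabet sizes, the 7776-word list size and the 1e12 guesses/second rate are assumptions, and the figures only apply to secrets that are genuinely random, not names or dictionary words.

```python
import math

# Assumed alphabet sizes for typical keyboard character sets.
CHARSETS = {"digits": 10, "lowercase": 26, "alphanumeric": 62, "printable_ascii": 94}

# Assumed word-list size for a diceware-style passphrase (7776 = 6**5).
WORDLIST_SIZE = 7776

# Constructed guess rate used for the comparison table (offline cracking scale).
DEFAULT_GUESSES_PER_SECOND = 1e12


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy in a string of `length` symbols drawn uniformly at
    random from `alphabet_size` symbols. Not valid for human-chosen secrets."""
    if length <= 0 or alphabet_size <= 1:
        raise ValueError("length must be > 0 and alphabet_size > 1")
    return length * math.log2(alphabet_size)


def passphrase_bits(words: int, wordlist_size: int = WORDLIST_SIZE) -> float:
    """Entropy of `words` words chosen uniformly from a word list; each
    word counts as one symbol, so the list size is the alphabet size."""
    return entropy_bits(words, wordlist_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years to try every candidate at a constant rate. The rate is the
    caller's assumption; a rate-limited login form is orders of magnitude
    slower than offline cracking of a leaked hash."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


def compare(guesses_per_second: float = DEFAULT_GUESSES_PER_SECOND) -> dict:
    """Constructed cases matching the article's contrast: short passwords,
    an 18-character random password, and a multi-word passphrase.
    Returns {label: (bits rounded to 0.1, years to exhaust)}."""
    cases = {
        "8 lowercase": entropy_bits(8, CHARSETS["lowercase"]),
        "10 alphanumeric": entropy_bits(10, CHARSETS["alphanumeric"]),
        "18 printable": entropy_bits(18, CHARSETS["printable_ascii"]),
        "6-word passphrase": passphrase_bits(6),
    }
    return {k: (round(v, 1), years_to_exhaust(v, guesses_per_second)) for k, v in cases.items()}


if __name__ == "__main__":
    for label, (bits, years) in compare().items():
        print(f"{label:18s} {bits:6.1f} bits  ~{years:.3g} years at 1e12 guesses/s")
```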