Infostealers: What they are, how they spread and how to stop them

Think about all the information stored on your computer. Your passwords. Your credit card details. Your browser history.

Now, imagine someone (or something) trawling through all that information and extracting the most valuable data.

That’s an infostealer. An infostealer is a type of malicious software that tries to steal your sensitive information, which threat attacks can sell on the black market or use to launch additional cyberattacks.

In this blog post, we’ve rounded up everything you need to know about infostealers, including what they are, how they spread, and how to stop them.

What is an infostealer?

As the name implies, an infostealer is a type of malware designed to harvest sensitive data from a compromised system. The stolen data is sent to an attacker-controlled server and often sold on the black market to other threat actors, who may use the information to commit fraud or gain unauthorized access to various resources and assets.

Infostealers can extract a wide range of data from an infected machine, including:

Infostealers usually operate as malware-as-a-service (MaaS), a business model in which the developers of malicious software lease their malware to others for a fee. This arrangement allows almost anyone to deploy an infostealer, regardless of their technical aptitude.

Infostealers can vary in functionality and use different methods to extract data. Some focus exclusively on harvesting data, while others provide remote functionality that allows threat actors to drop and execute additional malware on the compromised system.

Why do threat actors use infostealers?

Infostealer attacks are typically financially motivated. The stolen data is analyzed and any valuable information is collated and organized into a database, which can then be sold on the dark web or through private Telegram channels. Buyers may use the information to commit various types of fraud, such as applying for bank loans or credit cards, purchasing items online, or making fraudulent health insurance claims. Buyers may also use compromised login credentials to gain entry to corporate accounts and remote services. Once access has been obtained, threat actors can easily use the hacked account’s privileges as a starting point to initiate further malicious activity.

Infostealers are also commonly deployed in ransomware campaigns. It has become increasingly common for ransomware operators to spend significant amounts of time in the target environment before deploying the final ransomware payload. During this time, they may use a variety of techniques to gain a firmer foothold, which often includes the deployment of infostealers. Harvesting credentials may enable threat actors to move laterally and escalate permissions, while stealing machine-specific data – IP addresses, country, ISP, operating system, browser information, and so on – can help them tailor the attack to the environment to inflict maximum damage.

How do you get infected with an infostealer?

Threat actors may use a variety of attack vectors to distribute infostealers. Some of the most common infection methods include:

How to protect your system from infostealers

The following practices may help reduce the risk of getting infected with an infostealer.

There are many different infostealer families. Below are some of the most popular.

RedLine Stealer

RedLine is one of the most popular infostealers in the world. First observed in 2020, RedLine targets the Windows operating system and is typically distributed on underground Russian malware forums, where it can be purchased as a standalone application or on a subscription basis.

RedLine attempts to exfiltrate a wide range of data from the victim machine, including data from web browsers, FTP clients, instant messaging services, cryptocurrency wallets, VPN services, and gaming clients. Once RedLine has established a connection with its command and control server, it can be used to remotely perform additional functions, including downloading files, running portable executable files, executing requests via CMD.exe, and more.

Raccoon Stealer

First observed in 2019, Racoon Stealer is an infostealer that extracts data relating to crypto wallets, browser cookies, passwords, browser autofill information, and credit cards. It operates as a MaaS and is primarily distributed through phishing campaigns and exploit kits. The Racoon Stealer operation shut down in March 2022, possibly due to one of the lead developers being killed in the Russia-Ukraine conflict. However, in early July 2022, a new variant of the malware was released, this time written in C (unlike the previous versions, which were written in C++).

Interestingly, the new version of Raccoon Stealer sends data each time it steals a new item. This flies in the face of conventional data exfiltration practices: typically, threat actors collect data in bulk and transfer it all at once in order to reduce the risk of detection. This, coupled with the fact that Raccoon Stealer 2.0 uses no anti-analysis or obfuscation techniques, suggests that the developers are more concerned about speed than subtlety.

Vidar Stealer

Vidar is a popular type of infostealer that is capable of stealing a range of sensitive data, including banking information, login credentials, IP addresses, browser history, and crypto-wallets. A fork of the Arkei malware family, Vidar was first identified in 2018 and has remained a popular infostealer thanks to its ease of use, ongoing development, and active support channels. Vidar is customizable, allowing threat actors to specify the kind of data they wish to steal.

Emsisoft Enterprise Security + EDR

Robust and proven endpoint security solution for organizations of all sizes. Start free trial


Infostealers are capable of harvesting a broad range of sensitive information, which threat actors can sell or use to execute additional attacks. They are typically distributed through spam, malvertising, compromised accounts, and pirated software. Being careful with your clicks, keeping your browser up to date, and enabling MFA can help reduce the risk of infection and limit the impact of an attack.

Senan Conrad

Senan Conrad

Senan specializes in giving readers insight into the constantly and rapidly changing world of cybersecurity. When he’s not tapping away at his keyboard, he enjoys drinking a good coffee or tinkering in his workshop.

What to read next