11/14/2025 | Press release | Distributed by Public on 11/14/2025 07:03
Credential theft isn't just an inconvenience. It's often the first move in a chain reaction that ends in full-scale compromise.
Beyond the dreaded password reset process, information stealers, as shown in several recent cyberattacks, can have far more consequential follow-on effects.
For many small and mid-sized organizations, a single stolen identity can lead to days of downtime and costly recovery.
These effects are multiplied when placed in a business context, where stolen credentials and impersonated digital identities can lead to business email compromise, ransomware, and more, costing companies critical downtime and recovery.
An information stealer, or "infostealer," is a type of malware that silently collects sensitive data from a victim's device and transmits it to threat actors. This malware can steal personal information such as usernames and passwords, financial details, browser history, and other data on a targeted system.
This type of malware is typically compact and has limited functionality compared to other headline-stealing threats like ransomware. Creators of infostealers typically design them to execute quickly, steal data, and self-delete before detection.
Infostealers are easily available to any motivated threat actor, putting industrial-grade capability into the hands of entry-level attackers. Access to a stealer command and control (C2) server operated by the developer can cost as little as $50 a month, according to previous research from the Sophos X-Ops Counter Threat Unit.
What happens to those credentials once they're stolen, though? Once credentials leave your network, they rarely stay unused.
Threat actors can use them in a variety of ways, including extortion, future ransomware deployment, business email compromise (BEC), and other costly cyber attacks.
Just like when threat actors steal files in a ransomware attack, they can extort infostealer victims into paying a ransom in exchange for not leaking those stolen credentials or personal information on deep and dark web forums.
In the case of the infamous Snowflake supply chain attack, financially motivated threat actors stole login credentials from hundreds of businesses and individually extorted them. Some of the credentials had been stolen four years prior, with organizations completely unaware of this threat.
If the extorted companies didn't pay up, the threat actors behind the attack threatened to leak the credentials or sell them to other threat actors. The consequent extortion of affected companies led to direct financial losses and illicit gain upwards of $2 million, according to the Cloud Security Alliance.
For many victims, these shakedowns land without warning, often years after an initial infection.
Often, infostealers are only the first stage in a longer attack that ends with ransomware.
Stolen credentials from infostealers are packaged into "logs" and sold on dark web marketplaces or shared via messaging platforms like Telegram. Initial access brokers then purchase these logs, validate the credentials, and resell that access to ransomware operators.
With valid credentials in hand, bad actors can bypass traditional defenses like phishing filters or vulnerability scans. If multi-factor authentication (MFA) isn't enforced, stolen session cookies can even grant full access. Once inside, ransomware affiliates move laterally, exfiltrate sensitive data, and deploy encryption payloads - locking down systems and demanding payment.
This criminal ecosystem - from infostealers to access brokers to ransomware operators - functions like a supply chain, with each player specializing in a different stage of the attack. This makes it easier, faster, and more profitable to compromise organizations. In fact, compromised credentials were the second most common root cause of ransomware attacks, according to the 2025 Sophos State of Ransomware report.
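The replay of a valid session from a client other than the one it was issued to, and a login that completed without MFA, are both visible in ordinary authentication logs. The script below is an added example, not Sophos code or a Sophos ITDR feature; the JSON-lines log format, its field names (ts, event, user, session, ip, ua, mfa) and the sample events are constructed assumptions for illustration. It binds each session id to the IP and user agent seen at login and flags later requests that present the same session from a different client, plus sessions that were never seen being issued and logins that skipped MFA.

```python
"""Flag session-cookie reuse and MFA-less logins in authentication logs.

Added example (not Sophos code). The log format, field names and sample
events are constructed assumptions, not from any real product or incident.
"""
import json
from typing import Dict, List, Tuple

# Constructed sample log (JSON lines, RFC 5737 documentation addresses).
# Session "s1" is issued to Firefox at 203.0.113.10 and is later presented
# from another IP and browser, the pattern a replayed stolen cookie produces.
# "bob" logs in without MFA. Session "s9" appears without any login event.
SAMPLE_LOG = """
{"ts": "2025-11-14T08:00:01Z", "event": "login",   "user": "alice", "session": "s1", "ip": "203.0.113.10",  "ua": "Firefox/131", "mfa": true}
{"ts": "2025-11-14T08:05:00Z", "event": "request", "user": "alice", "session": "s1", "ip": "203.0.113.10",  "ua": "Firefox/131"}
{"ts": "2025-11-14T09:30:00Z", "event": "request", "user": "alice", "session": "s1", "ip": "198.51.100.77", "ua": "Chrome/130"}
{"ts": "2025-11-14T10:00:00Z", "event": "login",   "user": "bob",   "session": "s2", "ip": "192.0.2.5",     "ua": "Chrome/130",  "mfa": false}
{"ts": "2025-11-14T10:01:00Z", "event": "request", "user": "bob",   "session": "s2", "ip": "192.0.2.5",     "ua": "Chrome/130"}
{"ts": "2025-11-14T11:00:00Z", "event": "request", "user": "carol", "session": "s9", "ip": "198.51.100.9",  "ua": "curl/8.0"}
"""


def parse_log(text: str) -> List[Dict]:
    """Parse JSON-lines authentication events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_session_reuse(events: List[Dict]) -> List[Dict]:
    """Return findings for sessions presented from a client other than the one
    they were issued to, or never seen being issued at all.

    Events are processed in timestamp order. A session is bound to the
    (ip, user agent) pair observed at its login event.
    """
    bound: Dict[str, Tuple[str, str]] = {}
    findings: List[Dict] = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        sid = ev["session"]
        client = (ev["ip"], ev["ua"])
        if ev["event"] == "login":
            bound[sid] = client
            continue
        issued_to = bound.get(sid)
        if issued_to is None:
            # A request carrying a session id we never saw issued: the cookie
            # may have been stolen before this log window, or minted elsewhere.
            findings.append({"session": sid, "user": ev["user"], "ts": ev["ts"],
                             "issued_to": None, "seen_from": client,
                             "reason": "unknown-session"})
        elif client != issued_to:
            findings.append({"session": sid, "user": ev["user"], "ts": ev["ts"],
                             "issued_to": issued_to, "seen_from": client,
                             "reason": "client-mismatch"})
    return findings


def find_logins_without_mfa(events: List[Dict]) -> List[str]:
    """Return the sorted set of users whose login completed without MFA."""
    return sorted({ev["user"] for ev in events
                   if ev["event"] == "login" and not ev.get("mfa", False)})


def triage(text: str) -> Dict:
    """Run both checks over a raw log and return the combined findings."""
    events = parse_log(text)
    return {"session_reuse": find_session_reuse(events),
            "no_mfa": find_logins_without_mfa(events)}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for f in result["session_reuse"]:
        print(f"[{f['reason']}] session={f['session']} user={f['user']} "
              f"issued_to={f['issued_to']} seen_from={f['seen_from']} at {f['ts']}")
    print("logins without MFA:", result["no_mfa"])
```

In a real deployment the binding key would usually be coarser than an exact IP (for example ASN or country plus user-agent family) to avoid noise from mobile clients changing addresses, and a client-mismatch finding should trigger revocation of that session and a forced re-authentication rather than just an alert.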
Beyond ransomware, malicious actors often exploit stolen credentials in follow-on scams like business email compromise (BEC), regardless of whether they were the original thieves.
BEC occurs whenever an adversary successfully impersonates a target business, or one of its employees, to trick recipients into believing the emails they receive are legitimate.
In 2023, Sophos X-Ops' Counter Threat Unit (CTU) observed threat actors targeting hotels with phishing campaigns designed to deliver infostealers and compromise their systems. Once a hotel's systems were infected, the threat actors behind the attack harvested credentials for its Booking.com property accounts.
With direct access to these accounts, the threat actors used legitimate Booking.com messaging channels to contact guests with upcoming reservations. They sent convincing phishing messages related to real bookings, often requesting fraudulent payments. Because the messages came from trusted sources and referenced actual reservations, victims were more likely to comply with them.
There was a booming secondary market for these credentials, too. CTU researchers observed high demand on underground forums for Booking.com property credentials, and other threat actors requested infostealer logs that included credentials for the admin[.]Booking[.]com property management portal. Once logged in, an actor could view any guest's upcoming reservation and use that information in malicious emails.
Identity has become the control plane for modern cyberattacks. Cybercriminals are increasingly deploying sophisticated attacks that leverage compromised identities to gain unauthorized access to sensitive data and systems. Ninety percent of organizations experienced at least one identity-related breach within the last year, according to a 2024 Identity Defined Security Alliance (IDSA) study.
Sophos Identity Threat Detection and Response (ITDR) is purpose-built to stop identity-based attacks in real time. It continuously monitors your environment for identity risks and misconfigurations, while leveraging dark web intelligence to uncover compromised credentials - even before they're weaponized.
Organizations can strengthen defenses by taking a proactive stance. Preventative measures, such as maintaining good security hygiene and strengthening identity security posture before an attack occurs, are as important as detection and response efforts, which involve monitoring for attacks and stopping them once they are underway.
But to ensure your credentials and sensitive data are safe, Sophos ITDR can alert you to any potential stolen or leaked credentials before a threat actor is able to circulate them online to others or use them in any follow-on attacks.
With infostealers fueling a growing underground economy of stolen access, organizations need to act before credentials are weaponized. Sophos ITDR empowers you to take control, detect threats early, and respond with confidence. Don't wait for the next suspicious login or inbox surprise. Take a proactive step toward stronger identity protection - start your free Sophos ITDR trial today.