Reading view

The Infostealer Gateway: Uncovering the Latest Methods in Defense Evasion

Threat Intelligence Blog | Flashpoint

By: Flashpoint Intel Team

22 December 2025 at 22:49

Blogs

Blog

The Infostealer Gateway: Uncovering the Latest Methods in Defense Evasion

In this post, we analyze the evolving bypass tactics threat actors are using to neutralize traditional security perimeters and fuel the global surge in infostealer infections.

1. Neutralizing Mark of the Web (MotW) via Drag-and-Drop Lures

Mark of the Web (MotW) is a critical Windows defense feature that tags files downloaded from the internet as “untrusted” by adding a hidden NTFS Alternate Data Stream (ADS) to the file. This tag triggers “Protected View” in Microsoft Office programs and prompts Windows SmartScreen warnings when a user attempts to execute an unknown file.

Flashpoint has observed a new social engineering method to bypass these protections through a simple drag-and-drop lure. Instead of asking a user to open a suspicious attachment directly, which would trigger an immediate MotW warning, threat actors are instead instructing the victim to drag the malicious image or file from a document onto their desktop to view it. This manual interaction is highly effective for two reasons:

Contextual Evasion: By dragging the file out of the document and onto the desktop, the file is executed outside the scope of the Protected View sandbox.
Metadata Stripping: In many instances, the act of dragging and dropping an embedded object from a parent document can cause the operating system to treat the newly created file as a local creation, rather than an internet download. This effectively strips the MotW tag and allows malicious code to run without any security alerts.

2. Executing Payloads via Vulnerabilities and Trusted Processes

Flashpoint analysts uncovered an illicit thread detailing a proof of concept for a client-side remote code execution (RCE) in the Google Web Designer for Windows, which was first discovered by security researcher Bálint Magyar.

Google Web Designer is an application used for creating dynamic ads for the Google Ads platform. Leveraging this vulnerability, attackers would be able to perform remote code execution through an internal API using CSS injection by targeting a configuration file related to ads documents.

Within this thread, threat actors were specifically interested in the execution of the payload using the chrome.exe process. This is because using chrome.exe to fetch and execute a file is likely to bypass several security restrictions as Chrome is already a trusted process. By utilizing specific command-line arguments, such as the –headless flag, threat actors showed how to force a browser to initiate a remote connection in the background without spawning a visible window. This can be used in conjunction with other malicious scripts to silently download additional payloads onto a victim’s systems.

3. Targeting Alternative Softwares as a Path of Least Resistance

As widely-used software becomes more hardened and secure, threat actors are instead pivoting to targeting lesser-known alternatives. These tools often lack robust macro-protections. By targeting vulnerabilities in secondary PDF viewers or Office alternatives, attackers are seeking to trick users into making remote server connections that would otherwise be flagged as suspicious.

Understanding the Identity Attack Surface

Social engineering is one of the driving factors behind the infostealer lifecycle. Once an initial access vector is successful, the malware immediately begins harvesting the logs that fuel today’s identity-based digital attacks.

As detailed in The Proactive Defender’s Guide to Infostealers, the end goal is not just a password. Instead, attackers are prioritizing session cookies, which allow them to perform session hijacking. By importing these stolen cookies into anti-detect browsers, they bypass Multi-Factor Authentication and step directly into corporate environments, appearing as a legitimate, authenticated user.

Understanding how threat actors weaponize stolen data is the first step toward a proactive defense. For a deep dive into the most prolific stealer strains and strategies for managing the identity attack surface, download The Proactive Defender’s Guide to Infostealers today.

Request a demo today.

Get a Demo

Contact Sales

The post The Infostealer Gateway: Uncovering the Latest Methods in Defense Evasion appeared first on Flashpoint.

The Stealka stealer hijacks accounts and steals crypto while masquerading as pirated software | Kaspersky official blog

Kaspersky official blog

By: Artem Ushkov

18 December 2025 at 14:34

In November 2025, Kaspersky experts uncovered a new stealer named Stealka, which targets Windows users’ data. Attackers are using Stealka to hijack accounts, steal cryptocurrency, and install a crypto miner on their victims’ devices. Most frequently, this infostealer disguises itself as game cracks, cheats and mods.

Here’s how the attackers are spreading the stealer, and how you can protect yourself.

How Stealka spreads

A stealer is a type of malware that collects confidential information stored on the victim’s device and sends it to the attackers’ server. Stealka is primarily distributed via popular platforms like GitHub, SourceForge, Softpedia, sites.google.com, and others, disguised as cracks for popular software, or cheats and mods for games. For the malware to be activated, the user must run the file manually.

Here’s an example: a malicious Roblox mod published on SourceForge.

Attackers exploited SourceForge, a legitimate website, to upload a mod containing Stealka

And here’s one on GitHub posing as a crack for Microsoft Visio.

A pirated version of Microsoft Visio containing the stealer, hosted on GitHub

Sometimes, however, attackers go a step further (and possibly use AI tools) to create entire fake websites that look quite professional. Without the help of a robust antivirus, the average user is unlikely to realize anything is amiss.

A fake website pretending to offer Roblox scripts

Admittedly, the cracks and software advertised on these fake sites can sometimes look a bit off. For example, here the attackers are offering a download for Half-Life 3, while at the same time claiming it’s not actually a game but some kind of “professional software solution designed for Windows”.

Malware disguised as Half-Life 3, which is also somehow “a professional software solution designed for Windows”. A lot of professionals clearly spent their best years on this software…

The truth is that both the page title and the filename are just bait. The attackers simply use popular search terms to lure users into downloading the malware. The actual file content has nothing to do with what’s advertised — inside, it’s always the same infostealer.

The site also claimed that all hosted files were scanned for viruses. When the user decides to download, say, a pirated game, the site displays a banner saying the file is being scanned by various antivirus engines. Of course, no such scanning actually takes place; the attackers are merely trying to create an illusion of trustworthiness.

The pirated file pretends to be scanned by a dozen antivirus tools

What makes Stealka dangerous

Stealka has a fairly extensive arsenal of capabilities, but its prime target is data from browsers built on the Chromium and Gecko engines. This puts over a hundred different browsers at risk, including popular ones like Chrome, Firefox, Opera, Yandex Browser, Edge, Brave, as well as many, many others.

Browsers store a huge amount of sensitive information, which attackers use to hijack accounts and continue their attacks. The main targets are autofill data, such as sign-in credentials, addresses, and payment card details. We’ve warned repeatedly that saving passwords in your browser is risky — attackers can extract them in seconds. Cookies and session tokens are perhaps even more valuable to hackers, as they can allow criminals to bypass two-factor authentication and hijack accounts without entering the password.

The story doesn’t end with the account hack. Attackers use these compromised accounts to spread the malware further. For example, we discovered the stealer in a GTAV mod posted on a dedicated site by an account that had previously been compromised.

Beyond stealing browser data, Stealka also targets the settings and databases of 115 browser extensions for crypto wallets, password managers, and 2FA services. Here are some of the most popular extensions now at risk:

Crypto wallets: Binance, Coinbase, Crypto.com, SafePal, Trust Wallet, MetaMask, Ton, Phantom, Exodus
Two-factor authentication: Authy, Google Authenticator, Bitwarden
Password management: 1Password, Bitwarden, LastPass, KeePassXC, NordPass

Finally, the stealer also downloads local settings, account data, and service files from a wide variety of applications:

Crypto wallets. Wallet configurations may contain encrypted private keys, seed-phrase data, wallet file paths, and encryption parameters. That’s enough to at least make an attempt at stealing your cryptocurrency. At risk are 80 wallet applications, including Binance, Bitcoin, BitcoinABC, Dogecoin, Ethereum, Exodus, Mincoin, MyCrypto, MyMonero, Monero, Nexus, Novacoin, Solar, and many others.
Messaging apps. Messaging app service files store account data, device identifiers, authentication tokens, and the encryption parameters for your conversations. In theory, a malicious actor could gain access to your account and read your chats. At risk are Discord, Telegram, Unigram, Pidgin, Tox, and others.
Password managers. Even if the passwords themselves are encrypted, the configuration files often contain information that makes cracking the vault significantly easier: encryption parameters, synchronization tokens, and details about the vault version and structure. At risk are 1Password, Authy, Bitwarden, KeePass, LastPass, and NordPass.
Email clients. These are where your account credentials, mail server connection settings, authentication tokens, and local copies of your emails can be found. With access to your email, an attacker will almost certainly attempt to reset passwords for your other services. At risk are Gmail Notifier Pro, Claws, Mailbird, Outlook, Postbox, The Bat!, Thunderbird, and TrulyMail.
Note-taking apps. Instead of shopping lists or late-night poetry, some users store information in their notes that has no business being there, like seed phrases or passwords. At risk are NoteFly, Notezilla, SimpleStickyNotes, and Microsoft StickyNotes.
Gaming services and clients. The local files of gaming platforms and launchers store account data, linked service information, and authentication tokens. At risk are Steam, Roblox, Intent Launcher, Lunar Client, TLauncher, Feather Client, Meteor Client, Impact Client, Badlion Client, and WinAuth for battle.net.
VPN clients. By gaining access to configuration files, attackers can hijack the victim’s VPN account to mask their own malicious activities. At risk are AzireVPN, OpenVPN, ProtonVPN, Surfshark, and WindscribeVPN.

That’s an extensive list — and we haven’t even named all of them! In addition to local files, this infostealer also harvests general system data: a list of installed programs, the OS version and language, username, computer hardware information, and miscellaneous settings. And as if that weren’t enough, the malware also takes screenshots.

How to protect yourself from Stealka and other infostealers

Secure your device with reliable antivirus software. Even downloading files from legitimate websites is no guarantee of safety — attackers leverage trusted platforms to distribute stealers all the time. Kaspersky Premium detects malware on your computer in time and alerts you to the threat.
Don’t store sensitive information in browsers. It’s handy — no one can argue with that. But unfortunately browsers aren’t the most secure environment for your data. Sign-in credentials, bank card details, secret notes, and other confidential information are better kept in a securely encrypted format in Kaspersky Password Manager, which is immune to the exploits used by Stealka.
Be careful with game cheats, mods, and especially pirated software. It’s better to pay up for official software than to chase the false savings offered by software cracks, and end up losing all your money.
Enable two-factor authentication or use backup codes wherever possible. Two-factor authentication (2FA) makes life much harder for attackers, while backup codes help you regain access to your critical accounts if compromised. Just be sure not to store backup codes in text documents, notes, or your browser. For all your backup codes and 2FA tokens, use a reliable password manager.

Curious what other stealers are out there, and what they’re capable of? Read more in our other posts:

Beware of stealers disguised as… wedding invitations

AMOS infostealer distributed via ChatGPT chat-sharing feature

Banshee: A stealer targeting macOS users

Arcane stealer instead of Minecraft cheats

Efimer Trojan using hacked websites to steal cryptocurrency

Beyond the Malware: Inside the Digital Empire of a North Korean Threat Actor

Threat Intelligence Blog | Flashpoint

By: Flashpoint Intel Team

10 December 2025 at 19:59

Blogs

Blog

Beyond the Malware: Inside the Digital Empire of a North Korean Threat Actor

In this post Flashpoint reveals how an infostealer infection on a North Korean threat actor’s machine exposed their digital operational security failures and reliance on AI. Leveraging Flashpoint intelligence, we pivot from a single persona to a network of fake identities and companies targeting the Web3 and crypto industry.

Finding Trevor Greer

Flashpoint analysts have been tracking the Trevor Greer email address since December 2024 in relation to the “Contagious Interview” campaign, in which threat actors operated as LinkedIn recruiters to target Web3 developers, resulting in the deployment of multiple stealers compromising developer Web3 wallets. Flashpoint also identified the specific persona’s involvement in a campaign in which North Korean threat actors posed as IT freelance workers and applied for jobs at legitimate companies before compromising the organizations internally.

ByBit Compromise

The ByBit compromise in late February 2025 further fueled Flashpoint’s investigations into the Trevor Greer email address. Bybit, a cryptocurrency exchange, suffered a critical incident resulting in North Korean actors extorting US $1.5 billion worth of cryptocurrency. In the aftermath, Silent Push researchers identified the persona “Trevor Greer” associated with the email address trevorgreer9312@gmail[.]com, which registered the domain “Bybit-assessment[.]com” prior to the Bybit compromise.

A later report claimed that the domain “getstockprice[.]com” was involved in the compromise. Despite these domain discrepancies, both investigations attributed the attack to North Korean advanced persistent threat (APT) nexus groups.

Tracing the Infection

Using Flashpoint’s vast intelligence collections, we performed a full investigation of compromised virtual private servers (VPS), revealing the actor’s potential involvement in several other operations, including remote IT work, several self-made blockchain and cryptocurrency exchange companies, and a potential crypto scam dating back to 2022.

Flashpoint analysts also discovered that the Trevor Greer email address was linked to domains infected with information-stealing malware.

What the Logs Revealed

Analysts extracted information about the associated infected host from Trevor Greer, revealing possible tradecraft and tools used. Analysts further identified specific indicators of compromise (IOCs) used in the campaigns mentioned above, as well as email addresses used by the actor for remote work.

The data painted a vivid picture of how these threat actors operate:

Preparation for “Contagious Interviews”

The browser history revealed the actor logging into Willo, a legitimate video interview platform. This suggests the actor was conducting reconnaissance to clone the site for the “Contagious Interview” campaign, where they lured Web3 developers into fake job interviews to deploy malware.

Reliance on AI Tools

The logs exposed the actor’s reliance on AI to bridge the language gap. The operator frequently accessed ChatGPT and Quillbot, likely using them to write convincing emails, build resumes, and generate code for their malware.

Pivoting: One Node to a Network

By analyzing the “Trevor Greer” logs, we were able to pivot to other personas and campaigns involved in the operation.

Fake Employment: The logs contained credentials for freelance platforms, such as Upwork and Freelancer, associated with other aliases, including “Kenneth Debolt” and “Fabian Klein.” This confirmed the actor was part of a broader scheme to infiltrate Western companies as remote IT workers.
Fake Companies: The data linked the actor to fake corporate entities, such as Block Bounce (blockbounce[.]xyz), a sham crypto trading firm set up to appear legitimate to potential victims.
Developer Personas: The infection data linked the actor to the GitHub account svillalobosdev, which had been active in open source projects to build credibility before the attack.
Legitimate Platforms & Tools: Analysts observed the actor using job boards such as Dice and HRapply[.]com, freelance platforms such as Upwork and Freelancer, and direct applications through company Workday sites. To improve their resume, the actor used resumeworded[.]com or cakeresume[.]com. For conversing, the threat actor likely relies on a mix of both GPT and Quilbot, as found in infected host logins, to ensure they sound human. During interviews, analysts determined that they potentially used Speechify.
Deep & Dark Web Resources: The actor also likely purchased Social Security numbers (SSNs) from SSNDOB24[.]com, a site for acquiring Social Security data.

Disrupt Threat Actors Using Flashpoint

The “Trevor Greer” case study illustrates a critical shift in modern threat intelligence. We are no longer limited to analyzing the malware adversaries deploy; sometimes, we can analyze the adversaries themselves.

Using their own tools against them, Flashpoint transformed a faceless state-sponsored entity into a tangible user with bad habits, sloppy OPSEC, and a trail of digital breadcrumbs. Behind every sophisticated APT campaign is a human operator, and sometimes, they click the wrong link too.

Request a demo today to delve deeper into the tactics, techniques, and procedures of advanced persistent threats and learn how Flashpoint’s intelligence strengthens your defenses.

Request a demo today.

Get a Demo

Contact Sales

The post Beyond the Malware: Inside the Digital Empire of a North Korean Threat Actor appeared first on Flashpoint.

A stealer hiding in Blender 3D models | Kaspersky official blog

Kaspersky official blog

By: Alanna Titterington

10 December 2025 at 18:58

News outlets recently reported that a threat actor was spreading an infostealer through free 3D model files for the Blender software. This is troubling enough on its own, but it highlights an even more serious problem: the business threat posed by free open source programs, uncontrolled by corporate infosec teams. And the danger comes not from vulnerabilities in the software, but from its very own standard features.

Why Blender and 3D model marketplaces pose a risk

Blender is a 3D graphics and animation suite used by visualization professionals across various industries. The software is free and open-source, and offers extensive functionality. Among Blender’s capabilities is support for executing Python scripts, which are used to automate tasks and add new features.

The package allows users to import external files from specialized marketplaces like CGTrader or Sketchfab. These platforms host both paid and free 3D models by artists and studios. Any of these model files potentially contain Python scripts.

This creates a concerning scenario: marketplaces where files can be uploaded by any user and may not be scanned for malicious content, combined with software that has an Auto Run Python Scripts feature. It allows files to automatically execute embedded Python scripts immediately upon opening — essentially running arbitrary code on the user’s computer in unattended mode.

How the StealC V2 infostealer spread via Blender files

The attackers posted free 3D models with the .blend file name extension on the popular CGTrader platform. These files contained a malicious Python script. If the user had the Auto Run Python Scripts feature enabled, downloading and opening the file in Blender triggered the script. It then established a connection to a remote server and downloaded a malware loader from the Cloudflare Workers domain.

The loader executed a PowerShell script, which in turn downloaded additional malicious payloads from the attackers’ servers. Ultimately, the victim’s computer was infected with the StealC infostealer, enabling the attackers to:

Extract data from over 23 browsers.
Harvest information from more than 100 browser extensions and 15 crypto wallet applications.
Steal data from Telegram, Discord, Tox, Pidgin, ProtonVPN, OpenVPN, and email clients like Thunderbird.
Use a User Account Control (UAC) bypass.

The danger of unmonitored work tools

The problem isn’t Blender itself — threat actors will inevitably try to exploit automation features in any popular software. Most end-users don’t consider the risks of enabling common automation features, nor do they typically dive deep into how these features work or how they could be exploited.

The core issue is that security teams aren’t always familiar with the capabilities of specialized tools used by various departments. They simply don’t account for this vector in their threat models.

How to avoid becoming a victim

If your company uses Blender, the first step is to disable the automatic execution of Python scripts (Auto Run Python Scripts feature). Here’s how to do it according to official documentation.

How to disable Auto Run Python Scripts in Blender

How to disable the automatic execution of Python scripts in Blender. Source

Furthermore, to prevent the sudden spread of threats via work tools, we recommend that corporate security teams:

Prohibit the use of tools and extensions that haven’t been approved by the security team.
Thoroughly vet permitted software, and assess risks before implementing any new services or platforms.
Regularly train employees to recognize the risks associated with installing unknown software and using dangerous features. You can automate security awareness training with the Kaspersky Automated Security Awareness Platform.
Enforce the use of secure configurations for all work tools.
Protect all company-issued devices with modern security solutions.

The AMOS infostealer is piggybacking ChatGPT’s chat-sharing feature | Kaspersky official blog

Kaspersky official blog

By: Vladimir Gursky

9 December 2025 at 10:32

Infostealers — malware that steals passwords, cookies, documents, and/or other valuable data from computers — have become 2025’s fastest-growing cyberthreat. This is a critical problem for all operating systems and all regions. To spread their infection, criminals use every possible trick to use as bait. Unsurprisingly, AI tools have become one of their favorite luring mechanisms this year. In a new campaign discovered by Kaspersky experts, the attackers steer their victims to a website that supposedly contains user guides for installing OpenAI’s new Atlas browser for macOS. What makes the attack so convincing is that the bait link leads to… the official ChatGPT website! But how?

The bait-link in search results

To attract victims, the malicious actors place paid search ads on Google. If you try to search for “chatgpt atlas”, the very first sponsored link could be a site whose full address isn’t visible in the ad, but is clearly located on the chatgpt.com domain.

The page title in the ad listing is also what you’d expect: “ChatGPT™ Atlas for macOS – Download ChatGPT Atlas for Mac”. And a user wanting to download the new browser could very well click that link.

A sponsored link to a malware installation guide in Google search results

A sponsored link in Google search results leads to a malware installation guide disguised as ChatGPT Atlas for macOS and hosted on the official ChatGPT site. How can that be?

The Trap

Clicking the ad does indeed open chatgpt.com, and the victim sees a brief installation guide for the “Atlas browser”. The careful user will immediately realize this is simply some anonymous visitor’s conversation with ChatGPT, which the author made public using the Share feature. Links to shared chats begin with chatgpt.com/share/. In fact, it’s clearly stated right above the chat: “This is a copy of a conversation between ChatGPT & anonymous”.

However, a less careful or just less AI-savvy visitor might take the guide at face value — especially since it’s neatly formatted and published on a trustworthy-looking site.

Variants of this technique have been seen before — attackers have abused other services that allow sharing content on their own domains: malicious documents in Dropbox, phishing in Google Docs, malware in unpublished comments on GitHub and GitLab, crypto traps in Google Forms, and more. And now you can also share a chat with an AI assistant, and the link to it will lead to the chatbot’s official website.

Notably, the malicious actors used prompt engineering to get ChatGPT to produce the exact guide they needed, and were then able to clean up their preceding dialog to avoid raising suspicion.

Malware installation instructions disguised as Atlas for macOS

The installation guide for the supposed Atlas for macOS is merely a shared chat between an anonymous user and ChatGPT in which the attackers, through crafted prompts, forced the chatbot to produce the desired result and then sanitized the dialog

The infection

To install the “Atlas browser”, users are instructed to copy a single line of code from the chat, open Terminal on their Macs, paste and execute the command, and then grant all required permissions.

The specified command essentially downloads a malicious script from a suspicious server, atlas-extension{.}com, and immediately runs it on the computer. We’re dealing with a variation of the ClickFix attack. Typically, scammers suggest “recipes” like these for passing CAPTCHA, but here we have steps to install a browser. The core trick, however, is the same: the user is prompted to manually run a shell command that downloads and executes code from an external source. Many already know not to run files downloaded from shady sources, but this doesn’t look like launching a file.

When run, the script asks the user for their system password and checks if the combination of “current username + password” is valid for running system commands. If the entered data is incorrect, the prompt repeats indefinitely. If the user enters the correct password, the script downloads the malware and uses the provided credentials to install and launch it.

The infostealer and the backdoor

If the user falls for the ruse, a common infostealer known as AMOS (Atomic macOS Stealer) will launch on their computer. AMOS is capable of collecting a wide range of potentially valuable data: passwords, cookies, and other information from Chrome, Firefox, and other browser profiles; data from crypto wallets like Electrum, Coinomi, and Exodus; and information from applications like Telegram Desktop and OpenVPN Connect. Additionally, AMOS steals files with extensions TXT, PDF, and DOCX from the Desktop, Documents, and Downloads folders, as well as files from the Notes application’s media storage folder. The infostealer packages all this data and sends it to the attackers’ server.

The cherry on top is that the stealer installs a backdoor, and configures it to launch automatically upon system reboot. The backdoor essentially replicates AMOS’s functionality, while providing the attackers with the capability of remotely controlling the victim’s computer.

How to protect yourself from AMOS and other malware in AI chats

This wave of new AI tools allows attackers to repackage old tricks and target users who are curious about the new technology but don’t yet have extensive experience interacting with large language models.

We’ve already written about a fake chatbot sidebar for browsers and fake DeepSeek and Grok clients. Now the focus has shifted to exploiting the interest in OpenAI Atlas, and this certainly won’t be the last attack of its kind.

What should you do to protect your data, your computer, and your money?

Use reliable anti-malware protection on all your smartphones, tablets, and computers, including those running macOS.
If any website, instant message, document, or chat asks you to run any commands — like pressing Win+R or Command+Space and then launching PowerShell or Terminal — don’t. You’re very likely facing a ClickFix attack. Attackers typically try to draw users in by urging them to fix a “problem” on their computer, neutralize a “virus”, “prove they are not a robot”, or “update their browser or OS now”. However, a more neutral-sounding option like “install this new, trending tool” is also possible.

Never follow any guides you didn’t ask for and don’t fully understand.

The easiest thing to do is immediately close the website or delete the message with these instructions. But if the task seems important, and you can’t figure out the instructions you’ve just received, consult someone knowledgeable. A second option is to simply paste the suggested commands into a chat with an AI bot, and ask it to explain what the code does and whether it’s dangerous. ChatGPT typically handles this task fairly well.

ChatGPT warns that following the malicious instructions is risky

If you ask ChatGPT whether you should follow the instructions you received, it will answer that it’s not safe

How else do malicious actors use AI for deception?

AI sidebar spoofing: a new attack on AI browsers

Attacks using Syncro & AI-generated websites

How phishers and scammers use AI

Trojans masquerading as DeepSeek and Grok clients

How fraudsters bypass customer identity verification using deepfakes

From Endpoint Compromise to Enterprise Breach: Mapping the Infostealer Attack Chain

Threat Intelligence Blog | Flashpoint

By: Flashpoint

8 December 2025 at 18:54

Blogs

Blog

From Endpoint Compromise to Enterprise Breach: Mapping the Infostealer Attack Chain

In Flashpoint’s latest webinar, we map the global infostealer attack chain step-by-step, from initial infection to enterprise-level account takeover. We analyze how the commodification of stolen identities works and demonstrate how Flashpoint intelligence provides the critical visibility necessary to disrupt this cycle.

Stage 1: Initial Infection and Data Harvest (The Compromise)

A full scale compromise often begins with a single event, typically a phishing lure, a malicious download, or a compromised cracked software installer. Once executed, the infostealer goes to work, quickly and stealthily, to build a “log” that grants post-MFA (multi-factor authentication) access.

Scouring now-compromised endpoints, the stealer searches for and compiles data such as:

Credentials: Saved logins, credit card details, and passwords for applications and websites.
Session Cookies/Tokens: These are the keys that allow an attacker to bypass login prompts entirely, appearing as an already-authenticated user.
Browser Fingerprints and System Metadata: Geolocation, IP address, and system language used to evade security tools by accurately mimicking the victim’s legitimate environment.

Stage 2: Commodification and the ATO Supply Chain (The Market)

Once a log is harvested, it enters the Infostealer-as-a-Service ecosystem, a critical industrialized stage of the attack chain. Here, threat actors can rent or purchase access to millions of fresh logs, effectively outsourcing the initial compromise phase and enabling mass identity exploitation for a minimal investment.

Check out the on-demand webinar for a full technical breakdown of this dark web economy and how the commodification of stealer logs drastically reduces the barrier to entry for follow-on attacks.

Stage 3: Post-MFA Account Takeover (The Breach)

This is the ultimate pivot point, where a simple endpoint infection escalates into an enterprise breach. Unlike the brute-forcing and phishing attacks of the past, attackers leverage the stolen session tokens and browser fingerprints.

Stolen log buyers leverage obfuscation tools such as anti-detect browsers. These tools ensure the attacker can seamlessly utilize the stolen cookies and digital fingerprints to appear identical to the original victim.

They inject valid, unexpired session tokens into their browser, which allows attackers to hijack the victim’s active session. This allows them to avoid fraud and anomaly detection systems, providing them access into corporate VPNs, cloud environments, and internal applications without ever needing to see a login prompt. From here, attackers can move laterally, exfiltrate sensitive data, or deploy ransomware.

Disrupting the Attack Chain Using Flashpoint’s Actionable Intelligence

Defense against this threat requires not only an understanding of the attack chain, but also comprehensive Cyber Threat Intelligence (CTI) to identify and mitigate risks at every stage:

Disruption Point in the Attack Chain	How Flashpoint Empowers Proactive Defense
Stage 1: Initial Infection/Log Creation	Gain immediate alerting on the sale of your organization’s compromised assets on the Dark Web before attackers can leverage stolen data.
Stage 2: Commodification/ATO Setup	Expose the illicit platforms and forums where threat actors discuss, buy, and sell stolen logs, allowing you to track the tooling and TTPs.
Stage 3: Post-MFA ATO/Breach	Identify and remediate the vulnerabilities within browsers or enterprise software that are most actively being targeted by infostealers.

The speed of infostealer-powered attacks demands an intelligence-driven response. Our recent webinar demonstrated how Flashpoint intelligence can empower your security teams to quickly identify and validate stolen logs, protecting your organization from compromise to breach. Watch the on-demand webinar to learn more, or request a demo today.

The Proactive Defender’s Guide to Infostealers

Request a demo today.

Get a Demo

Contact Sales

The post From Endpoint Compromise to Enterprise Breach: Mapping the Infostealer Attack Chain appeared first on Flashpoint.