
Joint Report with LastPass and Guidepoint Security Researchers: “Fighting Back Against Infostealers and How to Build Resilience in a Digital Identity Crisis”

Stephanie Schneider, published August 29, 2025

This blog post is the product of joint research conducted with our friends at Guidepoint Security and their GRIT Threat Intelligence team. We deeply appreciate their partnership and are proud to present this shared analysis for the benefit of the larger community. You can view the full report on the Guidepoint Security website.

The LastPass Threat Intelligence, Mitigation, and Escalations (TIME) team recently joined forces with Guidepoint Security’s GRIT Threat Intelligence team to highlight the threats posed by infostealers. The report is a deep dive into how infostealers work, from their functionality to their sale on the underground market. Infostealers have been a major driver of cybercrime activity because credentials are the primary keys to digital systems and data. The recent exposure of 16 billion login credentials isn’t just a staggering number—it’s a wakeup call. At the heart of that exposure is the real underlying threat: infostealers.

What infostealers are after is straightforward: credentials and other sensitive information. Stealers now go beyond usernames and passwords; they also harvest browser cookies, session cookies, and more. This enables follow-on attacks such as targeted social engineering, multi-factor authentication (MFA) bypass, and account takeover. Once threat actors steal this information, they package it into logs and sell them on the dark web. Stealers have also grown more sophisticated: many can now evade anti-virus software and/or endpoint detection and response solutions. Server-side stealers are another advancement, shifting from earlier client-side methods (where the malware is downloaded and executed entirely on the victim’s machine) to a lighter, quieter execution in which a few lines of code can set up a TOR server to exfiltrate data from the infected machine.

The report also explores how stealers operate under the Malware-as-a-Service (MaaS) model, where malware developers run the operations that support customers who buy a license to use the malware. It’s essentially a professionalized service that facilitates widespread attacks by lowering the barrier to entry for less sophisticated actors. “Essentially, today’s MaaS infostealer model and its supporting websites have transformed many threat actors into small business owners, settling into a cycle of licensing, compromising victims, and selling harvested information to generate a return on their investment.” As our report points out, “the nature of the Malware-as-a-Service (MaaS) model means there are no restrictions on how an actor may choose to infect their victims. Threat actors are constantly evolving their tactics and innovating new ways to trick their victims into clicking links, engaging in adversary social engineering foolery, or blindly following instructions.” These techniques will continue to evolve to compromise machines.

Despite its severity, the infostealer threat isn’t all doom and gloom. Our report outlines several steps you can take to protect yourself and your organization from an infostealer infection. For example, defenders can integrate indicators from threat feeds to identify or block connection attempts to known Command-and-Control (C2) infrastructure. Monitoring the dark web for exposed credentials is another good preventative measure. Password managers also help avoid password reuse, which enables brute-force attacks, and storing unencrypted credentials in browsers, which are a major target once a stealer infects a system because threat actors know this is a common poor cybersecurity practice.
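The first of those steps, matching outbound connections against threat-feed C2 indicators, looks roughly like the following. This is an added example, not code from the LastPass/Guidepoint report; the feed format, the proxy log format and every indicator and log value are constructed for illustration, and a real deployment would substitute its own feed and log source.

```python
import ipaddress
import re

# Added example, not code from the report: the feed format, the log format and every
# indicator below are constructed (reserved example names, documentation IP range).
# Feed: one indicator per line; a domain covers all its subdomains, IPs may be CIDR.
FEED = """
stealer-panel.example
c2.invalid
203.0.113.0/24
"""
# Constructed proxy log lines: "<time> <src_ip> <dst_host_or_ip>:<port> <action>"
LOG_LINES = [
    "2025-08-29T10:00:01Z 10.0.0.5 www.lastpass.com:443 ALLOW",
    "2025-08-29T10:00:02Z 10.0.0.5 api.stealer-panel.example:443 ALLOW",
    "2025-08-29T10:00:03Z 10.0.0.9 203.0.113.44:8080 ALLOW",
    "2025-08-29T10:00:04Z 10.0.0.9 notc2.invalid:443 ALLOW",
]
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+):(\d+)\s+(\S+)$")

def load_feed(text):
    """Split a feed into a set of lowercase domains and a list of IP networks."""
    domains, nets = set(), []
    for line in text.splitlines():
        line = line.strip().lower()
        if not line or line.startswith("#"):
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            domains.add(line.rstrip("."))
    return domains, nets

def is_indicator(dst, domains, nets):
    """True if dst lies in a listed network, or is a listed domain or a subdomain of one."""
    dst = dst.lower().rstrip(".")
    try:
        return any(ipaddress.ip_address(dst) in net for net in nets)
    except ValueError:
        labels = dst.split(".")
        # Compare whole labels, so "notc2.invalid" is not a hit for "c2.invalid".
        return any(".".join(labels[i:]) in domains for i in range(len(labels)))

def find_c2_connections(lines, feed_text=FEED):
    """Return (src_ip, dst, port) for each log line whose destination is in the feed."""
    domains, nets = load_feed(feed_text)
    matches = (LOG_RE.match(line) for line in lines)
    return [(m.group(2), m.group(3), int(m.group(4)))
            for m in matches if m and is_indicator(m.group(3), domains, nets)]
```

Run against `LOG_LINES` it flags the `api.stealer-panel.example` and `203.0.113.44` connections and leaves the benign and look-alike hosts alone; feeding it a live proxy export and a current C2 feed turns it into a simple retrospective hunt.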

Between the proliferation of stealers and their growing sophistication, this threat will remain one of the key challenges to securing identity for the foreseeable future. That’s why we highlighted stealers as one of our top cyber threat predictions for 2025. The report also discusses recent cyberattacks enabled by infostealers, such as the Change Healthcare breach in 2024 and Hellcat’s targeting of Schneider Electric, Telefónica, Orange Group, and others, to emphasize the severity of this threat. If you want to learn more, the TIME team recently shared insights into infostealer trends and several other key trends shaping the cyber threat environment as a mid-year check-in.
