
The Rise of Infostealers: Malware on Employee Devices

Written by Tom Leijte | 25/04/2025

Infostealers are an emerging threat to organizations—one that directly impacts organizational identity. But what exactly are infostealers, why are they dangerous, and what can be done to stop them? We spoke with Tom Leijte, CEO and co-founder of the Dutch startup Passguard, which specializes in detecting active infostealer infections in client environments. 


Tom, a new term: infostealers. What exactly are they? 

Infostealers are malware, commonly referred to as computer viruses. This particular type of malware does exactly what the name suggests: it steals information. And it goes far. Once an infostealer is installed on a device, it will grab anything it can access. This includes not only local files but also data stored in your browser—such as browsing history, login credentials, and most importantly: session tokens stored in cookies. 


Why are those cookies so important?

Great question. We usually associate cookies with annoying pop-ups when visiting websites. Those are tracking cookies, used for showing personalized ads. However, your device also stores session tokens in cookies. 

The real danger of infostealers lies in stolen session tokens—used to authenticate you to a service. These tokens are generated during login, even when multi-factor authentication (MFA) is enabled. With a stolen session token, an attacker can—while the session remains active—log in as if they were you, with full access to whatever you have at that moment. This type of attack is known technically as session hijacking or a token replay attack.


And you're saying this infostealer threat is growing? 

Massively, on all fronts. On the production side, among malware developers, infostealers have seen more innovation in the past year than any other form of malware. At the same time, activity is skyrocketing. According to an IBM X-Force report, infostealer activity rose by 266% in 2023 compared to 2022. So much so that IBM notes a shift in the threat landscape—from "hacking in" to "logging in"—because it’s more cost-effective for attackers. All this increased activity results in more infections on devices. Kaspersky estimates the number of infections increased twelvefold between 2020 and 2023. 


What’s driving this rapid rise in infostealers? 

In my view, it's twofold. First, there’s a "waterbed effect." As cybersecurity improves, networks are harder to breach, and phishing is less effective. So, attackers look for new methods to profit from cybercrime. Because identity plays a growing role in organizational security, infostealers are the perfect tool for attackers. 

Second, we’re seeing significant professionalization of the infostealer ecosystem. Malware developers are using sophisticated techniques to steal as much data as possible and keep sessions alive longer. Marketplaces are also evolving—many have recently moved to Telegram, making them more accessible to a wider audience. This has created a flywheel effect: one factor accelerates another, driving constant growth. 


How do organizations come into contact with infostealers? 

There’s a major gap in the security posture of most organizations. This gap involves poorly protected unmanaged devices accessing internal systems. Most organizations have their own managed devices, secured with corporate antivirus and EDR tools. Employees also tend to behave more safely on these devices, lowering the risk of infection. 

But almost all these organizations also allow access from personal (unmanaged) devices. Many also have other unmanaged devices on their networks—like those from freelancers or vendors. And that’s where things go wrong. 

There are two key reasons: 

  1. Consumer antivirus software is generally no match for modern infostealers. These malware variants evolve so rapidly that they slip past traditional scanners, leaving users with a false sense of security. 
  2. People engage in riskier behavior on their personal devices, such as downloading illegal software or games like Photoshop. This opens the door for infostealers. 


Do infostealers actually lead to hacks and data breaches? 

Absolutely. This is a true blind spot in the cybersecurity of most organizations. Infostealers are a severely underestimated threat—but they’re behind real attacks. Verizon’s 2023 analysis found that stolen login credentials were the first step in nearly a quarter of all breaches. Given widespread MFA use, many of these stolen credentials likely came from infostealer-stolen session cookies. 

The Australian Cyber Security Centre confirmed this in September. They found evidence of multiple corporate network breaches that started with personal devices infected by infostealers. 


That’s quite concerning. What can organizations do to stop infostealers? 

The most effective strategy is to block access to internal systems from unmanaged devices. This is often seen as a drastic measure, but it's the best way to significantly reduce the risk from infostealers. 

Other mitigation steps include: 

  • Implementing conditional access policies for logins. 
  • Shortening the validity and refresh periods of sessions and authorizations. 
  • Increasing employee awareness around download risks through training programs. 

But here's the key: if you don't take the drastic measure, the risk will always remain. That means you must be prepared to respond when infections inevitably occur. This is exactly why clients turn to us—to monitor infostealer marketplaces. We notify them when new infections are listed for sale, so they can act before a major breach or data leak occurs. 


Want to learn more about infostealers? 

Visit the Passguard website for a detailed explanation of this emerging threat.