
Frequently Asked Questions
In-depth short answers.

Frequently Asked Questions
In-depth short answers.

Frequently Asked Questions
In-depth short answers.
Dark Web Monitoring vs Infostealer Monitoring
Traditional dark web monitoring scans for credentials from data breaches, leaked databases shared or sold after a breach event. Infostealer monitoring is different: it monitors criminal marketplaces where data from actively infected devices is traded in real-time. This includes session tokens and cookies that bypass most MFA methods, something traditional breach monitoring does not cover.
Learn more
How Are Stolen Credentials Sold on the Dark Web
Stolen sessions are sold through criminal marketplaces operating across dark web forums, Telegram, and Discord. Infostealer logs containing active session cookies, credentials, and device data are indexed by domain, country, and system type. Prices range from a few dollars for personal accounts to hundreds for active corporate sessions. The process is fast: logs typically appear for sale within hours of infection.
Learn more
How can I detect infostealers stealing and selling access to my organization?
Most infostealer infections happen on unmanaged or personal devices — outside the visibility of antivirus, EDR, or SIEM. Once credentials and session tokens are stolen, they’re quietly uploaded to criminal marketplaces and Telegram channels.
Learn more
How do attackers use infostealer logs to gain access?
Stolen infostealer logs give attackers everything they need to impersonate real users — without logging in, triggering MFA, or raising alerts. These access methods vary in technique, but all exploit existing trust.
Learn more
How Do Infostealers Bypass MFA
Infostealers bypass most forms of MFA by stealing session tokens rather than passwords. This technique is known as session hijacking or pass-the-cookie: the attacker takes a valid session cookie from an infected device and imports it into their own browser, bypassing the login flow entirely. Note: hardware-bound authentication methods such as YubiKey can resist this attack if the session is device-bound, but most enterprise applications do not enforce device binding.
Learn more
How Do Infostealers Spread
Infostealers spread through cracked software downloads, phishing campaigns, and malvertising. Most infections occur on personal or unmanaged devices, outside the reach of corporate security controls. Protecting your company requires both prevention on the device side and monitoring on the intelligence side, because you cannot control every device that has access to your systems.
Learn more
How Do Infostealers Work?
Infostealers follow a short, automated process designed to go unnoticed by both users and security software. The entire attack usually takes less than 30 seconds.
Learn more
How to Check If Your Company Is in Stealer Logs
You can check whether your company appears in stealer logs by running a free scan on the Passguard website. Enter your company domain and Passguard checks criminal marketplaces and Telegram channels for infected devices that contain credentials or session tokens for your systems. Results are available within a minute.
Learn more
How to Prevent Infostealer Infections
Infostealers are designed to evade traditional tools — and they succeed. That’s why prevention must focus on limiting access, visibility, and exposure in the first place.
Learn more
Infostealer Monitoring vs Breach Monitoring
Breach monitoring checks whether your credentials appear in known data breaches, historical events where databases were leaked. Infostealer monitoring detects when data from actively infected devices is being sold on criminal marketplaces in real-time. The key difference: breach monitoring is reactive (the breach already happened), while infostealer monitoring catches ongoing, active threats.
Learn more
Infostealers and DORA Compliance
The Digital Operational Resilience Act (DORA) requires financial institutions in the EU to manage ICT risks, including cyberthreat monitoring and incident response. Infostealers pose a specific threat to financial services: stolen session tokens can provide direct access to banking platforms, trading systems, and customer data, bypassing most MFA controls.
Learn more
Infostealers and NIS2 Compliance
The NIS2 directive requires organizations in essential and important sectors to implement risk-based cybersecurity measures, including threat detection and incident response. Infostealers are one of the primary vectors for initial access, making infostealer monitoring directly relevant to NIS2 compliance.
Learn more
What are examples of infostealer malware in 2025?
Several credential stealer families are actively used in 2025, each with slightly different focus areas, delivery methods, and payloads. Many are sold as malware-as-a-service (MaaS), meaning they can be easily purchased and deployed by attackers without technical skill.
Learn more
What Are Infostealer Marketplaces
Infostealer marketplaces are online platforms where stolen sessions and logs from infected devices are bought and sold. Criminal marketplaces operate across dark web forums (Tor), Telegram, and Discord. Sellers are typically infostealer operators or distributors. Buyers range from individual attackers to organized crime groups and initial access brokers.
Learn more
What Are Signs of Infostealer Activity?
Infostealer infections rarely trigger alarms. Early detection depends not on spotting the malware itself, but on recognizing subtle signs of its aftermath. They happen fast, leave few traces, and often occur on devices outside of your visibility. But they do leave behind signals — if you know what to look for.
Learn more
What do infostealers steal?
Infostealers are designed to extract any data that provides access to systems, services, or user identities. What they steal depends on the variant, but most target:
Learn more
What Is an Infostealer Log
An infostealer log is a structured package of data stolen from a single infected device. It contains everything the malware could extract: active session cookies, saved passwords, browser history, autofill data, and sometimes local files. Unlike leaked password databases, these logs contain live stolen sessions, not just static credentials. Logs are sold on criminal marketplaces, often within hours of the infection.
Learn more
What Is Lumma Stealer
Lumma is the most dominant infostealer in 2025. Known for rapid development, modular payloads, and advanced evasion features, Lumma has overtaken RedLine as the most widely deployed credential stealer. It operates as Malware-as-a-Service (MaaS) and is actively sold on Telegram.
Learn more
What Is Malware-as-a-Service (MaaS)
Malware-as-a-Service (MaaS) is a business model in which infostealer developers rent their tools to other criminals through subscription plans. Most active infostealers in 2025, including Lumma, RedLine, and Raccoon, operate on this model. MaaS has made infostealer deployment accessible to anyone: no technical skills required, just a subscription and a distribution method.
Learn more
What Is Raccoon Stealer
Raccoon Stealer (v2) has re-emerged after a law enforcement takedown of its original version. Known for its low cost and simplicity, Raccoon is popular among less technically skilled attackers. It operates as MaaS and is widely available on dark web forums.
Learn more
What Is RedLine Stealer
RedLine was the most widely used infostealer until 2024, when it was partially disrupted by Operation Magnus, a coordinated law enforcement effort. Despite the takedown, RedLine remains in active circulation and continues to generate logs on criminal marketplaces.
Learn more
What Is Session Token Theft
Session token theft, also called session hijacking or a pass-the-cookie attack, is the extraction of active authentication cookies from a user's browser by infostealer malware. These cookies represent authenticated sessions: whoever holds the cookie can access the account without entering credentials or completing MFA. Stolen session tokens are sold on criminal marketplaces and Discord servers, often within hours of the infection.
Learn more
What Is Vidar Stealer
Vidar is an infostealer known for its file grabber capabilities and its association with ransomware operations. It extends beyond typical credential theft by targeting local files and documents, making it a tool of choice for threat actors seeking deeper access to organizational data.
Learn more
What should I do when an infostealer is active in my organization?
If you suspect an infostealer is active in your environment, immediate response is critical. These infections often go undetected by traditional tools — while silently leaking credentials, session tokens, and business data. Attackers can act within minutes.
Learn more
What to Look for in an Infostealer Monitoring Tool
When evaluating an infostealer monitoring tool, focus on: marketplace coverage, detection of session tokens alongside credentials, actionable context per infection, API access for integration, and data residency. Tools that only check breach databases miss the most dangerous part of the infostealer threat.
Learn more
Who Is at Risk of Infostealer Infections?
Infostealers infect indiscriminately — but some organizations are far more likely to be affected than others. This has less to do with industry and more with how access is managed and where weak points exist.
Learn more
Why Antivirus and EDR Don’t Detect Infostealers
Infostealers are purpose-built to remain undetected for as long as possible. The longer a victim is unaware of the infection, the longer the stolen credentials remain valuable. Once a breach is discovered, passwords are reset, tokens are revoked, and access is lost.
Learn more
Why Are Infostealers Dangerous?
Infostealers are dangerous because they often go unnoticed — triggering no alerts, no crashes, and few visible symptoms — while exposing full access to attackers.
Learn more
Dark Web Monitoring vs Infostealer Monitoring
Traditional dark web monitoring scans for credentials from data breaches, leaked databases shared or sold after a breach event. Infostealer monitoring is different: it monitors criminal marketplaces where data from actively infected devices is traded in real-time. This includes session tokens and cookies that bypass most MFA methods, something traditional breach monitoring does not cover.
Learn more
How Are Stolen Credentials Sold on the Dark Web
Stolen sessions are sold through criminal marketplaces operating across dark web forums, Telegram, and Discord. Infostealer logs containing active session cookies, credentials, and device data are indexed by domain, country, and system type. Prices range from a few dollars for personal accounts to hundreds for active corporate sessions. The process is fast: logs typically appear for sale within hours of infection.
Learn more
How can I detect infostealers stealing and selling access to my organization?
Most infostealer infections happen on unmanaged or personal devices — outside the visibility of antivirus, EDR, or SIEM. Once credentials and session tokens are stolen, they’re quietly uploaded to criminal marketplaces and Telegram channels.
Learn more
How do attackers use infostealer logs to gain access?
Stolen infostealer logs give attackers everything they need to impersonate real users — without logging in, triggering MFA, or raising alerts. These access methods vary in technique, but all exploit existing trust.
Learn more
How Do Infostealers Bypass MFA
Infostealers bypass most forms of MFA by stealing session tokens rather than passwords. This technique is known as session hijacking or pass-the-cookie: the attacker takes a valid session cookie from an infected device and imports it into their own browser, bypassing the login flow entirely. Note: hardware-bound authentication methods such as YubiKey can resist this attack if the session is device-bound, but most enterprise applications do not enforce device binding.
Learn more
How Do Infostealers Spread
Infostealers spread through cracked software downloads, phishing campaigns, and malvertising. Most infections occur on personal or unmanaged devices, outside the reach of corporate security controls. Protecting your company requires both prevention on the device side and monitoring on the intelligence side, because you cannot control every device that has access to your systems.
Learn more
How Do Infostealers Work?
Infostealers follow a short, automated process designed to go unnoticed by both users and security software. The entire attack usually takes less than 30 seconds.
Learn more
How to Check If Your Company Is in Stealer Logs
You can check whether your company appears in stealer logs by running a free scan on the Passguard website. Enter your company domain and Passguard checks criminal marketplaces and Telegram channels for infected devices that contain credentials or session tokens for your systems. Results are available within a minute.
Learn more
How to Prevent Infostealer Infections
Infostealers are designed to evade traditional tools — and they succeed. That’s why prevention must focus on limiting access, visibility, and exposure in the first place.
Learn more
Infostealer Monitoring vs Breach Monitoring
Breach monitoring checks whether your credentials appear in known data breaches, historical events where databases were leaked. Infostealer monitoring detects when data from actively infected devices is being sold on criminal marketplaces in real-time. The key difference: breach monitoring is reactive (the breach already happened), while infostealer monitoring catches ongoing, active threats.
Learn more
Infostealers and DORA Compliance
The Digital Operational Resilience Act (DORA) requires financial institutions in the EU to manage ICT risks, including cyberthreat monitoring and incident response. Infostealers pose a specific threat to financial services: stolen session tokens can provide direct access to banking platforms, trading systems, and customer data, bypassing most MFA controls.
Learn more
Infostealers and NIS2 Compliance
The NIS2 directive requires organizations in essential and important sectors to implement risk-based cybersecurity measures, including threat detection and incident response. Infostealers are one of the primary vectors for initial access, making infostealer monitoring directly relevant to NIS2 compliance.
Learn more
What are examples of infostealer malware in 2025?
Several credential stealer families are actively used in 2025, each with slightly different focus areas, delivery methods, and payloads. Many are sold as malware-as-a-service (MaaS), meaning they can be easily purchased and deployed by attackers without technical skill.
Learn more
What Are Infostealer Marketplaces
Infostealer marketplaces are online platforms where stolen sessions and logs from infected devices are bought and sold. Criminal marketplaces operate across dark web forums (Tor), Telegram, and Discord. Sellers are typically infostealer operators or distributors. Buyers range from individual attackers to organized crime groups and initial access brokers.
Learn more
What Are Signs of Infostealer Activity?
Infostealer infections rarely trigger alarms. Early detection depends not on spotting the malware itself, but on recognizing subtle signs of its aftermath. They happen fast, leave few traces, and often occur on devices outside of your visibility. But they do leave behind signals — if you know what to look for.
Learn more
What do infostealers steal?
Infostealers are designed to extract any data that provides access to systems, services, or user identities. What they steal depends on the variant, but most target:
Learn more
What Is an Infostealer Log
An infostealer log is a structured package of data stolen from a single infected device. It contains everything the malware could extract: active session cookies, saved passwords, browser history, autofill data, and sometimes local files. Unlike leaked password databases, these logs contain live stolen sessions, not just static credentials. Logs are sold on criminal marketplaces, often within hours of the infection.
Learn more
What Is Lumma Stealer
Lumma is the most dominant infostealer in 2025. Known for rapid development, modular payloads, and advanced evasion features, Lumma has overtaken RedLine as the most widely deployed credential stealer. It operates as Malware-as-a-Service (MaaS) and is actively sold on Telegram.
Learn more
What Is Malware-as-a-Service (MaaS)
Malware-as-a-Service (MaaS) is a business model in which infostealer developers rent their tools to other criminals through subscription plans. Most active infostealers in 2025, including Lumma, RedLine, and Raccoon, operate on this model. MaaS has made infostealer deployment accessible to anyone: no technical skills required, just a subscription and a distribution method.
Learn more
What Is Raccoon Stealer
Raccoon Stealer (v2) has re-emerged after a law enforcement takedown of its original version. Known for its low cost and simplicity, Raccoon is popular among less technically skilled attackers. It operates as MaaS and is widely available on dark web forums.
Learn more
What Is RedLine Stealer
RedLine was the most widely used infostealer until 2024, when it was partially disrupted by Operation Magnus, a coordinated law enforcement effort. Despite the takedown, RedLine remains in active circulation and continues to generate logs on criminal marketplaces.
Learn more
What Is Session Token Theft
Session token theft, also called session hijacking or a pass-the-cookie attack, is the extraction of active authentication cookies from a user's browser by infostealer malware. These cookies represent authenticated sessions: whoever holds the cookie can access the account without entering credentials or completing MFA. Stolen session tokens are sold on criminal marketplaces and Discord servers, often within hours of the infection.
Learn more
What Is Vidar Stealer
Vidar is an infostealer known for its file grabber capabilities and its association with ransomware operations. It extends beyond typical credential theft by targeting local files and documents, making it a tool of choice for threat actors seeking deeper access to organizational data.
Learn more
What should I do when an infostealer is active in my organization?
If you suspect an infostealer is active in your environment, immediate response is critical. These infections often go undetected by traditional tools — while silently leaking credentials, session tokens, and business data. Attackers can act within minutes.
Learn more
What to Look for in an Infostealer Monitoring Tool
When evaluating an infostealer monitoring tool, focus on: marketplace coverage, detection of session tokens alongside credentials, actionable context per infection, API access for integration, and data residency. Tools that only check breach databases miss the most dangerous part of the infostealer threat.
Learn more
Who Is at Risk of Infostealer Infections?
Infostealers infect indiscriminately — but some organizations are far more likely to be affected than others. This has less to do with industry and more with how access is managed and where weak points exist.
Learn more
Why Antivirus and EDR Don’t Detect Infostealers
Infostealers are purpose-built to remain undetected for as long as possible. The longer a victim is unaware of the infection, the longer the stolen credentials remain valuable. Once a breach is discovered, passwords are reset, tokens are revoked, and access is lost.
Learn more
Why Are Infostealers Dangerous?
Infostealers are dangerous because they often go unnoticed — triggering no alerts, no crashes, and few visible symptoms — while exposing full access to attackers.
Learn more
Dark Web Monitoring vs Infostealer Monitoring
Traditional dark web monitoring scans for credentials from data breaches, leaked databases shared or sold after a breach event. Infostealer monitoring is different: it monitors criminal marketplaces where data from actively infected devices is traded in real-time. This includes session tokens and cookies that bypass most MFA methods, something traditional breach monitoring does not cover.
Learn more
How Are Stolen Credentials Sold on the Dark Web
Stolen sessions are sold through criminal marketplaces operating across dark web forums, Telegram, and Discord. Infostealer logs containing active session cookies, credentials, and device data are indexed by domain, country, and system type. Prices range from a few dollars for personal accounts to hundreds for active corporate sessions. The process is fast: logs typically appear for sale within hours of infection.
Learn more
How can I detect infostealers stealing and selling access to my organization?
Most infostealer infections happen on unmanaged or personal devices — outside the visibility of antivirus, EDR, or SIEM. Once credentials and session tokens are stolen, they’re quietly uploaded to criminal marketplaces and Telegram channels.
Learn more
How do attackers use infostealer logs to gain access?
Stolen infostealer logs give attackers everything they need to impersonate real users — without logging in, triggering MFA, or raising alerts. These access methods vary in technique, but all exploit existing trust.
Learn more
How Do Infostealers Bypass MFA
Infostealers bypass most forms of MFA by stealing session tokens rather than passwords. This technique is known as session hijacking or pass-the-cookie: the attacker takes a valid session cookie from an infected device and imports it into their own browser, bypassing the login flow entirely. Note: hardware-bound authentication methods such as YubiKey can resist this attack if the session is device-bound, but most enterprise applications do not enforce device binding.
Learn more
How Do Infostealers Spread
Infostealers spread through cracked software downloads, phishing campaigns, and malvertising. Most infections occur on personal or unmanaged devices, outside the reach of corporate security controls. Protecting your company requires both prevention on the device side and monitoring on the intelligence side, because you cannot control every device that has access to your systems.
Learn more
How Do Infostealers Work?
Infostealers follow a short, automated process designed to go unnoticed by both users and security software. The entire attack usually takes less than 30 seconds.
Learn more
How to Check If Your Company Is in Stealer Logs
You can check whether your company appears in stealer logs by running a free scan on the Passguard website. Enter your company domain and Passguard checks criminal marketplaces and Telegram channels for infected devices that contain credentials or session tokens for your systems. Results are available within a minute.
Learn more
How to Prevent Infostealer Infections
Infostealers are designed to evade traditional tools — and they succeed. That’s why prevention must focus on limiting access, visibility, and exposure in the first place.
Learn more
Infostealer Monitoring vs Breach Monitoring
Breach monitoring checks whether your credentials appear in known data breaches, historical events where databases were leaked. Infostealer monitoring detects when data from actively infected devices is being sold on criminal marketplaces in real-time. The key difference: breach monitoring is reactive (the breach already happened), while infostealer monitoring catches ongoing, active threats.
Learn more
Infostealers and DORA Compliance
The Digital Operational Resilience Act (DORA) requires financial institutions in the EU to manage ICT risks, including cyberthreat monitoring and incident response. Infostealers pose a specific threat to financial services: stolen session tokens can provide direct access to banking platforms, trading systems, and customer data, bypassing most MFA controls.
Learn more
Infostealers and NIS2 Compliance
The NIS2 directive requires organizations in essential and important sectors to implement risk-based cybersecurity measures, including threat detection and incident response. Infostealers are one of the primary vectors for initial access, making infostealer monitoring directly relevant to NIS2 compliance.
Learn more
What are examples of infostealer malware in 2025?
Several credential stealer families are actively used in 2025, each with slightly different focus areas, delivery methods, and payloads. Many are sold as malware-as-a-service (MaaS), meaning they can be easily purchased and deployed by attackers without technical skill.
Learn more
What Are Infostealer Marketplaces
Infostealer marketplaces are online platforms where stolen sessions and logs from infected devices are bought and sold. Criminal marketplaces operate across dark web forums (Tor), Telegram, and Discord. Sellers are typically infostealer operators or distributors. Buyers range from individual attackers to organized crime groups and initial access brokers.
Learn more
What Are Signs of Infostealer Activity?
Infostealer infections rarely trigger alarms. Early detection depends not on spotting the malware itself, but on recognizing subtle signs of its aftermath. They happen fast, leave few traces, and often occur on devices outside of your visibility. But they do leave behind signals — if you know what to look for.
Learn more
What do infostealers steal?
Infostealers are designed to extract any data that provides access to systems, services, or user identities. What they steal depends on the variant, but most target:
Learn more
What Is an Infostealer Log
An infostealer log is a structured package of data stolen from a single infected device. It contains everything the malware could extract: active session cookies, saved passwords, browser history, autofill data, and sometimes local files. Unlike leaked password databases, these logs contain live stolen sessions, not just static credentials. Logs are sold on criminal marketplaces, often within hours of the infection.
Learn more
What Is Lumma Stealer
Lumma is the most dominant infostealer in 2025. Known for rapid development, modular payloads, and advanced evasion features, Lumma has overtaken RedLine as the most widely deployed credential stealer. It operates as Malware-as-a-Service (MaaS) and is actively sold on Telegram.
Learn more
What Is Malware-as-a-Service (MaaS)
Malware-as-a-Service (MaaS) is a business model in which infostealer developers rent their tools to other criminals through subscription plans. Most active infostealers in 2025, including Lumma, RedLine, and Raccoon, operate on this model. MaaS has made infostealer deployment accessible to anyone: no technical skills required, just a subscription and a distribution method.
Learn more
What Is Raccoon Stealer
Raccoon Stealer (v2) has re-emerged after a law enforcement takedown of its original version. Known for its low cost and simplicity, Raccoon is popular among less technically skilled attackers. It operates as MaaS and is widely available on dark web forums.
Learn more
What Is RedLine Stealer
RedLine was the most widely used infostealer until 2024, when it was partially disrupted by Operation Magnus, a coordinated law enforcement effort. Despite the takedown, RedLine remains in active circulation and continues to generate logs on criminal marketplaces.
Learn more
What Is Session Token Theft
Session token theft, also called session hijacking or a pass-the-cookie attack, is the extraction of active authentication cookies from a user's browser by infostealer malware. These cookies represent authenticated sessions: whoever holds the cookie can access the account without entering credentials or completing MFA. Stolen session tokens are sold on criminal marketplaces and Discord servers, often within hours of the infection.
Learn more
What Is Vidar Stealer
Vidar is an infostealer known for its file grabber capabilities and its association with ransomware operations. It extends beyond typical credential theft by targeting local files and documents, making it a tool of choice for threat actors seeking deeper access to organizational data.
Learn more
What should I do when an infostealer is active in my organization?
If you suspect an infostealer is active in your environment, immediate response is critical. These infections often go undetected by traditional tools — while silently leaking credentials, session tokens, and business data. Attackers can act within minutes.
Learn more
What to Look for in an Infostealer Monitoring Tool
When evaluating an infostealer monitoring tool, focus on: marketplace coverage, detection of session tokens alongside credentials, actionable context per infection, API access for integration, and data residency. Tools that only check breach databases miss the most dangerous part of the infostealer threat.
Learn more
Who Is at Risk of Infostealer Infections?
Infostealers infect indiscriminately — but some organizations are far more likely to be affected than others. This has less to do with industry and more with how access is managed and where weak points exist.
Learn more
Why Antivirus and EDR Don’t Detect Infostealers
Infostealers are purpose-built to remain undetected for as long as possible. The longer a victim is unaware of the infection, the longer the stolen credentials remain valuable. Once a breach is discovered, passwords are reset, tokens are revoked, and access is lost.
Learn more
Why Are Infostealers Dangerous?
Infostealers are dangerous because they often go unnoticed — triggering no alerts, no crashes, and few visible symptoms — while exposing full access to attackers.
Learn more

Don’t wait until infostealers strike
See what they’ve already stolen and stop them before real damage is done.

Don’t wait until infostealers strike
See what they’ve already stolen and stop them before real damage is done.

Don’t wait until infostealers strike
See what they’ve already stolen and stop them before real damage is done.