How Do Infostealers Spread

Short answer

Infostealers spread through cracked software downloads, phishing campaigns, and malvertising. Most infections occur on personal or unmanaged devices, outside the reach of corporate security controls. Protecting your company requires both prevention on the device side and monitoring on the intelligence side, because you cannot control every device that has access to your systems.

Cracked software and game modifications

Cracked software and game modifications are the most common infection vector. Users download what appears to be a free version of paid software, a game cheat, or a key generator. The download includes a bundled infostealer that executes silently during installation. This is particularly dangerous for organizations because it typically happens on personal devices that also have access to corporate systems through saved browser sessions, VPN clients, or cloud applications.

Phishing

Infostealers are distributed through targeted and mass phishing campaigns. Common formats include email attachments disguised as invoices, shipping notifications, or HR documents. Some campaigns use SEO poisoning to rank fake download pages in search results. Once the victim opens the file or follows the link, the stealer executes and begins harvesting data.

Malvertising

Attackers purchase advertising space on legitimate platforms and redirect users to pages that deliver infostealer payloads. These ads often appear in search results for popular software downloads. The landing pages closely mimic official product websites, making them difficult to distinguish from legitimate sources.

Social engineering on platforms

Increasingly, infostealers are distributed through social engineering on platforms like YouTube, Discord, and Telegram. Attackers post tutorials, game guides, or tool recommendations with download links that contain stealer payloads. These channels are particularly effective at reaching younger users and employees on personal devices.

Why this matters for organizations

Over 95% of infostealer infections start on unmanaged devices. These are devices your EDR cannot see and your security policies do not cover. Yet these same devices often have active sessions for corporate applications. Prevention alone is not enough. You need visibility into what happens after an infection: which sessions were stolen, and whether they are already being traded. Passguard monitors the criminal marketplaces where stolen sessions from infostealer infections are sold, and alerts your team before attackers can use them.

Detect infostealers before they strike

Trusted by security experts • See results in 1 minute
