The breaches you read about - drained accounts, companies brought to their knees by ransomware, the data of millions for sale - very often do not start with a genius hacker breaking through a firewall. They start with a small program that runs for thirty seconds on someone's laptop and walks off with everything the browser remembered. That small program is an infostealer, and it is probably the most underestimated threat around today.
What an infostealer is
An infostealer is malware with a single goal: to grab everything of value - passwords, sessions, wallets - as fast as possible, and disappear. It does not encrypt your files like ransomware, which is loud by definition; it does not hide for months like spyware. It is a smash-and-grab: in, copy, out. Often the whole operation takes less than a minute, and when it is done nothing visible has changed on your computer. That is exactly what makes it dangerous: you do not notice.
What it steals, exactly
It all starts from where you put your conveniences. The richest place is the browser, because that is where most people keep their digital life: passwords saved "so I don't have to type them again".

But the haul does not stop at passwords. In a single pass an infostealer also collects: session cookies (the most valuable piece, we will get to it); autofill data, including credit cards; cryptocurrency wallets; browsing history; tokens from apps like Discord or Telegram; credentials saved in FTP, VPN and email clients; and often a screenshot of the desktop and the list of installed programs, to figure out who you are and how much you are worth. All of it is packaged into what the criminal world calls a log: a tidy folder, ready to be sold.

How it works, technically
The right question is: how does it read the passwords, if the browser keeps them "encrypted"? Here is the detail that surprises almost everyone. Chrome, Edge and the browsers built on them save passwords in a small database - a SQLite file called Login Data - with each password encrypted under a key kept in the profile's Local State file. That key, in turn, is wrapped with DPAPI, the Windows facility that ties secrets to the user account. It sounds solid. The problem is that DPAPI unwraps those secrets for any process running as that user on that machine - no administrator rights, no exploit. And the infostealer runs as you, because it was you - or a command you ran - that launched it: from the operating system's point of view it is just another program asking for its owner's data.
Browsers have raised the bar - in mid-2024 Chrome (version 127) introduced App-Bound Encryption on Windows, which wraps the cookie key so that only a process verified to be the browser itself, through a privileged helper service, can unwrap it - but stealers adapted quickly: reading the data out of the running browser's memory, driving the browser through its own remote-debugging interface, or asking that helper service for the key themselves. It is an ongoing arms race, not a door closed once and for all.
Why cookies are worth more than the password
Of the whole haul, session cookies are the gem. A stolen password, after all, can be changed. But a valid session cookie is an already-authenticated session: the attacker loads it into their browser and is inside your account without typing the password and without being asked for MFA, because that check was already passed when you logged in. This is why "but I have two-factor authentication" is no longer a sufficient defense - I explain it step by step in the piece on ClickFix, the social-engineering technique these stealers often arrive through.
The economy behind it
What turns infostealers from a nuisance into an industrial plague is the business model that feeds them. You do not need to be skilled: the stealer is for rent. It exists as a subscription service - families like Lumma or RedLine have risen, grown and in some cases been dismantled by law enforcement (RedLine in Operation Magnus in October 2024, Lumma in an action led by Microsoft and Europol in May 2025, the Genesis marketplace seized in 2023), but the moment one falls another springs up. Whoever rents it infects victims and collects the logs; those logs are sold in bulk on Telegram channels and dedicated marketplaces.
Those logs are often bought by initial access brokers: people who do not want your streaming account, they want the corporate credentials hidden inside the log. They resell them to ransomware groups, and so a password saved carelessly on an employee's laptop becomes the way in to encrypt an entire company. The chain of breaches against Snowflake's customers in 2024 - around 165 organizations hit, according to Mandiant - was traced back to exactly this: credentials harvested by infostealers months earlier and still valid.
How it reaches your computer
An infostealer almost always arrives by deception, not by an exploit. The most common vectors: cracked software and game cheats - the classic free installer that is too good to be true; fake updates and fake verifications like ClickFix; malicious ads and poisoned search results that take you to a fake official site; malicious attachments and software packages. The common thread is always the same: convincing you to run something.
How you notice - and what to do if it happened
The trouble is that a well-made infostealer leaves no obvious signs: no encrypted files, no ransom, no popup. Often you find out after the damage is done - suspicious logins, passwords that no longer work, friends getting strange messages from your accounts. If you suspect an infection, the order of operations matters: first secure the device (disconnect it from the network, scan it or, better, reinstall it); then - from a clean device, not the compromised one - change your passwords and, above all, hit "sign out of all devices" on every important service, to invalidate the stolen sessions. Changing the password without invalidating the sessions is not enough: some services revoke existing sessions on a password change, many do not, and the stolen cookie stays valid until something does.
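The "suspicious logins" above can be turned into a concrete check, which also illustrates why the stolen cookie from the section on cookies is worth so much. The following is an added example, not the article's code: it runs over a constructed JSON-lines request log (the field names ts, event, session_id, user, src_ip and user_agent are my assumptions; real servers name them differently) and flags two signals of a replayed session cookie - a session whose user agent no longer matches the browser it was issued to, and a session used from two networks in alternation within a short window, which is what the owner and the thief being active at the same time looks like. A single network change, like a phone moving from wifi to cellular, is deliberately not flagged.

```python
"""Flag stolen-session replay in a web application's request log.

Added example, not from the article. Assumes a JSON-lines log with the fields
ts, event, session_id, user, src_ip and user_agent (constructed names).
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

CHROME_WIN = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/125.0"
FIREFOX_LINUX = "Mozilla/5.0 (X11; Linux x86_64) Firefox/126.0"

# Constructed sample log. 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are
# documentation ranges. alice's cookie is replayed from 198.51.100.7 in another
# browser while she is still using it; bob simply changes network once.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"ts": "2025-06-01T09:00:00", "event": "login",   "session_id": "s-alice-1", "user": "alice", "src_ip": "203.0.113.10", "user_agent": CHROME_WIN},
    {"ts": "2025-06-01T09:05:00", "event": "request", "session_id": "s-alice-1", "user": "alice", "src_ip": "203.0.113.10", "user_agent": CHROME_WIN},
    {"ts": "2025-06-01T09:20:00", "event": "request", "session_id": "s-alice-1", "user": "alice", "src_ip": "198.51.100.7", "user_agent": FIREFOX_LINUX},
    {"ts": "2025-06-01T09:22:00", "event": "request", "session_id": "s-alice-1", "user": "alice", "src_ip": "203.0.113.10", "user_agent": CHROME_WIN},
    {"ts": "2025-06-01T09:23:00", "event": "request", "session_id": "s-alice-1", "user": "alice", "src_ip": "198.51.100.7", "user_agent": FIREFOX_LINUX},
    {"ts": "2025-06-01T10:00:00", "event": "login",   "session_id": "s-bob-1",   "user": "bob",   "src_ip": "203.0.113.44", "user_agent": CHROME_WIN},
    {"ts": "2025-06-01T10:30:00", "event": "request", "session_id": "s-bob-1",   "user": "bob",   "src_ip": "192.0.2.5",    "user_agent": CHROME_WIN},
    {"ts": "2025-06-01T10:35:00", "event": "request", "session_id": "s-bob-1",   "user": "bob",   "src_ip": "192.0.2.5",    "user_agent": CHROME_WIN},
])


def parse_log(text: str) -> list:
    """Parse JSON lines, convert timestamps and sort chronologically."""
    records = [json.loads(line) for line in text.splitlines() if line.strip()]
    for r in records:
        r["ts"] = datetime.fromisoformat(r["ts"])
    return sorted(records, key=lambda r: r["ts"])


def _finding(r: dict, reason: str) -> dict:
    return {"session_id": r["session_id"], "user": r["user"], "ts": r["ts"],
            "src_ip": r["src_ip"], "reason": reason}


def find_session_replay(records: list, window: timedelta = timedelta(minutes=15)) -> list:
    issued = {}                  # session_id -> the login record that created it
    seen = defaultdict(list)     # session_id -> [(ts, src_ip)] of earlier requests
    findings = []
    for r in records:
        sid = r["session_id"]
        if r["event"] == "login":
            issued[sid] = r
            seen[sid] = [(r["ts"], r["src_ip"])]
            continue
        if sid not in issued:    # session predates the log; nothing to compare against
            continue
        # Signal 1: the cookie is being presented by a different browser than
        # the one that logged in. Browsers do not change their UA mid-session.
        if r["user_agent"] != issued[sid]["user_agent"]:
            findings.append(_finding(r, "user_agent_mismatch"))
        # Signal 2: the source IP differs from the previous request, yet this IP
        # already appeared earlier inside the window, so two clients alternate.
        in_window = [(t, ip) for t, ip in seen[sid] if r["ts"] - t <= window]
        last_ip = in_window[-1][1] if in_window else None
        if last_ip and r["src_ip"] != last_ip and any(ip == r["src_ip"] for _, ip in in_window):
            findings.append(_finding(r, "alternating_source_ips"))
        seen[sid].append((r["ts"], r["src_ip"]))
    return findings


def sessions_to_revoke(findings: list) -> set:
    """Session IDs to invalidate server-side: the 'sign out of all devices' step."""
    return {f["session_id"] for f in findings}


if __name__ == "__main__":
    hits = find_session_replay(parse_log(SAMPLE_LOG))
    for f in hits:
        print(f["ts"].isoformat(), f["user"], f["session_id"], f["src_ip"], f["reason"])
    print("revoke:", sorted(sessions_to_revoke(hits)))
```

On the sample, alice's session is flagged three times (the two Firefox requests by user agent, the second of them also by alternation) and bob's not at all. The output of sessions_to_revoke is the list you would feed to a server-side "sign out everywhere" action, the remediation step the text describes; the user-agent check is the stronger of the two signals, and the alternation check is what separates a stolen cookie in concurrent use from a legitimate roaming user.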
How to defend
On the personal side: use a real password manager instead of browser-saved passwords; never install cracked software, ever; move to passkeys or hardware security keys where you can, since they are not a secret that can be extracted from the browser - bearing in mind that they protect the login, not the session cookie issued after it, which still needs to be short-lived or bound to the device; build the habit of periodically signing out of all devices on critical services. On the company side: an EDR that recognizes stealer behavior, blocking of known C2 servers, conditional access that binds sessions to the device, shorter session lifetimes, phishing-resistant MFA, and targeted training on the vectors above. None of these is a magic wand; together they shift the balance to the right side.
The lesson
The password era is ending, and infostealers are the tool that sealed it: in a world where the session is worth more than the password, stealing what the browser holds has become the most efficient way to get in anywhere. The right defense is not a longer password - it is authentication that cannot be stolen, and the discipline of not running code you do not trust with your own permissions.
If you want to dive deeper into this topic or need specialized consulting, let us talk.