NAM-CSIRT
In today’s digital landscape, cyberspace is continually challenged by evolving cybersecurity threats that operate covertly, collecting vast amounts of sensitive data.
Among these threats, stealer logs have emerged as a significant innovation in modern cybercrime, posing direct risks to individual security and serving as a crucial tool for enabling more complex attacks such as ransomware.
Stealer logs are comprehensive data packages generated by specialised malware known as infostealer malware.
Once this malicious software infiltrates a device, it discreetly gathers sensitive information, including stored browser passwords, authentication cookies, banking details, cryptocurrency wallet information, social media account data and system information.
This data collection occurs silently and without the user’s knowledge, often while they are engaged in regular computing activities.
The malware operates covertly in the background, secretly extracting valuable information that is compiled into organised logs.
These logs are then traded on clandestine marketplaces, where cybercriminals purchase access to credentials and personal data for malicious purposes.
Modern stealer logs encompass far more than just stolen passwords.
They often contain authentication tokens that enable criminals to bypass login procedures entirely, as well as saved payment information, browser autofill data and comprehensive details about a user’s digital activity and system configuration.
Current impact
Stealer log activities are now more widespread than ever. Security researchers have noted a staggering 6 000% increase in infostealer infections since 2018, highlighting the rapid evolution of this threat.
Recent analyses reveal that over 4.3 million devices were compromised by stealer malware in 2024 alone, resulting in approximately 330 million credentials stolen.
Additionally, the threat extends beyond individual victims to compromise the security of entire organisations.
Frequently, corporate credentials appear in stealer logs when employees’ personal devices become infected, potentially enabling attacks on business networks.
Cybercriminals utilise automated tools to scan databases for company email addresses, internal system references and privileged account information.
This evolution reflects a shift in the threat landscape: the security of individual devices now directly impacts the overall cybersecurity posture of the organisation.
Ransomware operations
A study conducted by Verizon in their 2025 Data Breach Investigations Report highlights a direct link between stolen login credentials and ransomware attacks.
The research indicates that most ransomware victims had their organisational domains already recorded in stealer log databases prior to the attack.
This demonstrates a shift in the initial access strategies of ransomware groups: rather than relying solely on vulnerability exploitation or phishing campaigns, many now purchase stolen credentials from stealer log marketplaces to infiltrate targeted networks.
The approach used by ransomware operators typically follows a predictable pattern.
They often acquire necessary credentials through illicit underground markets, investing only a modest amount of money to access valuable accounts.
Once inside, they establish a foothold within the target networks, conduct reconnaissance, and then proceed to deploy ransomware or exfiltrate sensitive information.
An example of this method is the 2025 attack on the Spanish telecommunications firm Telefónica.
The HellCat ransomware group exploited stolen credentials from over 500 employees, obtained through infostealer infections, to breach the company’s internal systems.
These compromised credentials enabled the attackers to infiltrate the corporate infrastructure and exfiltrate confidential company documents.
Protection strategies
To effectively safeguard against stealer log threats, implement a comprehensive security strategy that combines both preventative and detective measures.
Acquire software exclusively from official vendors and trusted sources to ensure integrity and authenticity.
Enforce robust authentication controls, including multi-factor authentication and phishing-resistant login methods, and transition towards a zero-trust access framework.
Develop and execute patch management plans, automating updates for operating systems, browsers and applications to close vulnerabilities exploited by stealers.
Maintain clear separation between personal and business environments to reduce risk exposure.
Utilise dark web monitoring solutions and continuously monitor stealer log marketplaces for leaked credentials, enabling a proactive response at the earliest sign of compromise.
Provide ongoing user awareness training to help identify fake CAPTCHAs, malicious advertisements and social engineering tactics used to deliver stealers.
Deploy behaviour-based Endpoint Detection and Response (EDR) solutions that detect credential harvesting activity and block data exfiltration in real time.
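As an added illustration of the monitoring step above (example code, not NAM-CSIRT's own tooling): a Python triage routine run over a constructed, stealer-log-style credential feed. The feed format, the monitored domain and every sample record are assumptions; the routine flags records that expose an employee address or a company-run service, collapses duplicates, and ranks entries where a session cookie was captured first, since those need session revocation as well as a password reset.

```python
"""Triage entries from a leaked-credential feed against an organisation's own domains."""
from __future__ import annotations
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample feed (not real data). Assumed record shape, one per line:
# target URL | username | password | whether a session cookie was captured.
SAMPLE_FEED = """\
https://mail.example.com/login|alice@example.com|Winter2024!|cookie
https://shop.example.net/account|bob@gmail.com|hunter2|none
https://vpn.example.com/auth|carol@example.com|pass123|none
https://social.example.org/login|dave@example.com|qwerty|cookie
https://mail.example.com/login|alice@example.com|Winter2024!|cookie
malformed line without delimiters
"""
MONITORED_DOMAINS = {"example.com"}  # the organisation's own domains (assumed)

@dataclass(frozen=True)
class Hit:
    account: str         # the exposed username (passwords are deliberately not kept)
    target_host: str     # service the credential was captured for
    session_token: bool  # True when a cookie/token was captured: revoke sessions, not just reset
    reason: str

def _domain_matches(host: str, domains: set[str]) -> bool:
    """True if host is one of the monitored domains or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)

def triage(feed: str, domains: set[str]) -> list[Hit]:
    """Return de-duplicated hits, session-token exposures first, then by account."""
    hits: dict[tuple[str, str], Hit] = {}
    for line in feed.splitlines():
        parts = line.split("|")
        if len(parts) != 4:          # skip malformed records rather than abort the run
            continue
        url, user, _pw, cookie = (p.strip() for p in parts)
        host = urlsplit(url).hostname or ""
        reasons = []
        if "@" in user and _domain_matches(user.rsplit("@", 1)[1], domains):
            reasons.append("corporate-identity")   # employee address used somewhere
        if _domain_matches(host, domains):
            reasons.append("corporate-service")    # login to a company-run service
        if not reasons:
            continue
        hits[(user.lower(), host)] = Hit(user.lower(), host, cookie == "cookie", "+".join(reasons))
    return sorted(hits.values(), key=lambda h: (not h.session_token, h.account))
```

Each hit maps to a concrete response action: reset the account, and where `session_token` is set, invalidate active sessions so a captured cookie cannot bypass the new password.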