Infostealer malware copies every password and login session off a computer in seconds, then sells them — often within 48 hours. Here's how it works and the five defenses that actually counter it.
Ransomware gets the headlines. But ask how attackers got in, and increasingly the answer is something quieter: an infostealer — malware whose only job is to silently copy everything useful off a computer, in seconds.
What an infostealer takes
Once it runs — usually after someone downloads a fake installer, a cracked app, a malicious attachment, or a bogus "update" — an infostealer grabs:
- Every password saved in the browser (Chrome, Edge, etc.)
- Session cookies — the small files that keep you logged in to sites. With a stolen cookie, an attacker can often walk into an account without the password and without triggering MFA (multi-factor authentication), because the session already passed those checks.
- Autofill data, saved card details, and lists of what software and accounts the machine uses.
Then it disappears. There's often no ransom note, no obvious sign anything happened.
From your laptop to a criminal marketplace in 48 hours
The stolen data gets bundled into "logs" and sold on underground markets — research suggests often within about 48 hours of infection (Security Boulevard). Buyers include ransomware crews, who use the valid logins to walk in the front door weeks later. One analysis found that more than half of ransomware victims had company credentials circulating in these stealer-log markets before the attack hit (Security Boulevard, CYFIRMA).
The scale is hard to overstate: in January 2026 alone, roughly 149 million stolen credentials — largely from infostealer infections — surfaced in one tracked dataset (IT Security Guru). And the malware itself rents for around $200 a month, so the bar to entry is low.
Five defenses that actually map to this threat
- Get passwords out of the browser. A browser's saved-password list is the first thing an infostealer copies. A dedicated password manager (with its own master password) is a meaningfully harder target — and it fixes password reuse at the same time.
- Be suspicious of downloads, not just links. Fake installers, "free" versions of paid software, and pop-up "updates" are the most common delivery routes. If software didn't come from the official source, don't run it.
- Keep built-in protection on and updated. Windows' built-in Microsoft Defender catches a large share of known stealers — but only on machines that are patched and where it hasn't been switched off.
- Turn on MFA everywhere — and know its limit. MFA still blocks plain password reuse, which is most of the damage. Stolen session cookies can bypass it, which is why steps 1–3 matter too.
- After any suspected infection, sign out everywhere. Changing the password isn't enough if the attacker has a live session. In Microsoft 365, an admin can revoke all of a user's active sessions in one step — do that first.
The takeaway
Infostealers turned stolen logins into a bulk commodity. You don't have to be targeted to end up in the pile — one bad download is enough. The defenses above are mostly free and mostly one-time setup.
If you're not sure whether MFA is actually on for everyone, or whether old sessions and stale accounts are still live in your Microsoft 365 tenant, that's precisely what Tenant Strike's read-only posture scan shows you — no agents, no changes, just answers.
AI-researched from public sources, human-reviewed on July 8, 2026. We label AI-assisted writing — see our trust page.
See your own risk
Want this for your own Microsoft cloud?
Tenant Strike runs 100+ read-only checks across Microsoft 365 and Azure and hands you a plain-English fix for every gap. Start a 7-day Pro trial — no credit card.