
By Andréanne Bergeron, Security Researcher
One in four infostealer victims has active access to corporate infrastructure: VPN credentials, SaaS sessions, cloud platforms. Whether they were infected downloading a game mod or a productivity tool doesn’t matter. By the time the log hits a dark web forum, the blast radius is the same.
That reality cuts against a persistent assumption in enterprise security: that infostealer malware is a consumer problem, concentrated among gamers chasing free software and cracked games. The data tells a different story. While gaming-related lures do account for 43% of infections, even within that group, one in six victims holds active credentials for corporate systems. The “gamer” and the “employee” are often the same person, on the same device, in the same session.
As the line between personal device use and corporate exposure has effectively disappeared, it’s important for security teams to consider infostealer malware’s targets more comprehensively. We cover three reasons why.
Close the Gap Between Personal Infections and Enterprise Breaches
When 50% of business software infections and 16% of gaming infections include corporate credentials, the personal-professional boundary no longer exists. Flare detects your organization’s exposed credentials in stealer logs and automates remediation.
Key Findings About Enterprise Infostealer Infections
- While gaming-related lures account for 43% of infections, the majority of victims are compromised through infected productivity software and malicious file-sharing services.
- Technical skill does not protect against infection; it may increase risk. 82% of victims demonstrated high-level technical skills, and the median victim had 83 software packages installed. Developer workflows that normalize running unverified packages, bypassing OS protections, and operating with administrative privileges create the exact conditions infostealers exploit.
- One in six gaming-related infections involves a user with corporate infrastructure access. 16% of victims infected through gaming lures also held active credentials for VPNs, SaaS platforms, or cloud environments, creating a direct pipeline from personal device use to enterprise compromise.
- Nearly half of victims infected through business software have company infrastructure access. Among users who downloaded infected productivity tools, 50% had credentials that could unlock corporate systems, making routine software acquisition one of the highest-risk infection vectors for enterprises.
Infection Vectors Extend Far Beyond Gaming
To understand the true scope of the threat, we analyzed a random sample of approximately 30 stealer logs per day collected throughout the year 2025, resulting in a robust dataset of 10,198 compromised users. By deep-diving into exfiltrated artifacts (including browser history, saved credentials, and system specifications), we performed infection vector attribution on each log.
Among the logs where a source could be definitively identified, the breakdown is revealing.
While gaming-related infections represented 43% of the victims (consistent with previous research), a staggering 57% of individuals were infected through entirely different channels. These victims compromised their systems by downloading infected productivity software or through malicious file-sharing. It is statistically unreasonable to ignore the majority of the infection landscape.
Furthermore, the risk is compounded by the role of the victims in organizations: nearly 50% of those infected via business software downloads possessed direct access to company infrastructure.
Your Most Technical Employees are Among the Most Vulnerable
A common assumption in cybersecurity is that only non-technical users fall for malware traps. Our research definitively debunks this: 70% of the victims in our sample had specialized technical tooling installed, and 82% demonstrated technical skills based on their browsing and credential patterns. Far from being a shield, high technical ability often fosters a false sense of security that leads to riskier digital behavior.
This overconfidence is compounded by the practical requirements of modern software development. In a fast-paced DevOps culture, the pressure to adopt new tools to remain competitive creates an enormous attack surface. In our study, the median number of software installations per victim was 83. This high volume of software is a direct result of developers needing niche utilities to do their work, yet each installation represents a potential unlocked door into the corporate network.
The danger is not just the volume of tools, but how they are acquired and executed:
- Administrative privileges are common: According to the SANS Institute, developers frequently operate with local admin rights. This allows them to manually bypass OS-level protections (such as Windows SmartScreen) that would typically block a non-technical user from running an unverified script.
- Command-line package installation normalizes risk: Technical employees are comfortable with command-line interfaces, frequently using npm install or pip install to pull packages directly into their environment. This comfort level makes them significantly more likely to ignore “unsigned software” warnings in favor of speed (ReversingLabs, 2023). This behavior is precisely what threat actors are counting on: Sonatype recently reported a staggering 156% year-over-year increase in malicious packages discovered in open-source repositories. By targeting the very “unverified sources” that engineers rely on, cybercriminals have turned the developer’s toolkit into a primary delivery mechanism for infostealers.
The Dangerous Link Between Gaming and Corporate Access
Returning to the 43% of our sample infected via gaming lures, the data reveals a surprising and dangerous crossover: 16% of these “gamer” victims also held active company infrastructure access. We have identified two primary hypotheses to explain this:
The Shadow Use of Corporate Assets
Employees often treat their work laptops as personal devices after hours. An “innocuous” act, like downloading a classic card game or a mod for a more contemporary game, can exfiltrate VPN certificates or SaaS session cookies, toppling an entire organization’s security posture through a single personal choice. IT departments must not only frown upon personal use but actively restrict it.
The Shared Household Device
Remote work has led to environmental changes where a corporate laptop is shared with family members. When a parent finishes their shift and lets a child play a game, that child may download an infected game or search for a “free skin” or a “game crack.” Because work laptops often have higher processing power, they are the “perfect” machine for gaming, making them a magnet for the exact files threat actors use as bait.
When one in six gaming-related infections involves a user with corporate access, organizations can no longer afford to overlook the catastrophic risk posed by personal software habits on professional devices.
The Cost of a “Personal” Infection
The data from our 10,198-user study proves that infostealer malware is not just a consumer nuisance but a direct pipeline into the heart of corporate networks. An employee’s desire for a “cracked” game or a developer’s need for a quick utility tool can become the initial access point for a massive ransomware deployment or data breach.
The era of treating work devices as general-purpose computers must end. Organizations can no longer afford to ignore the “personal” side of their employees’ digital lives. To protect the infrastructure, IT and security teams can implement strict application whitelisting, enforce clear boundaries between corporate hardware and personal use, and actively monitor for credential exposure in stealer logs. The cost of a legitimate software license or a second “personal” laptop is negligible compared to the millions of dollars lost to a single exfiltrated credential reaching the wrong hands.
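The last recommendation, monitoring stealer logs for exposed corporate credentials, comes down to matching the saved-credential records a stealer exfiltrates against the hosts you own. The following is an added example and not Flare’s code: the tab-separated url/username/password layout, the sample entries, and the example-corp domain list are all constructed, and an organization would substitute its own VPN, SaaS and cloud hostnames.

```python
"""Triage exfiltrated credential records for corporate infrastructure access."""
from urllib.parse import urlsplit

# Hypothetical corporate assets mapped to the categories used in the study.
# Placeholder values: replace with your own VPN, SaaS and cloud hostnames.
CORPORATE_DOMAINS = {
    "vpn.example-corp.com": "VPN",
    "example-corp.okta.com": "SaaS",
    "console.aws.amazon.com": "cloud",
}

# Constructed sample resembling a stealer log's saved-credentials file:
# one record per line, fields separated by tabs (url, username, password).
SAMPLE_LOG = """\
https://steamcommunity.com/login\tgamer42\thunter2
https://vpn.example-corp.com/sslvpn\tjdoe\tWinter2025!
https://example-corp.okta.com/\tjdoe@example-corp.com\tWinter2025!
not a valid record
https://free-mods.example/skins\tgamer42\thunter2
"""


def parse_records(text):
    """Yield (hostname, username) pairs, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3:
            continue  # stealer dumps are messy; never crash on a bad line
        url, user, _password = parts
        host = urlsplit(url.strip()).hostname or ""
        yield host.lower(), user.strip()


def classify_host(host):
    """Return the corporate category for host (or a subdomain of it), else None."""
    for domain, category in CORPORATE_DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            return category
    return None


def corporate_exposure(text):
    """Map each corporate category hit to the usernames exposed for it."""
    hits = {}
    for host, user in parse_records(text):
        category = classify_host(host)
        if category:
            hits.setdefault(category, []).append(user)
    return hits


def has_corporate_access(text):
    """True when the log holds at least one VPN, SaaS or cloud credential."""
    return bool(corporate_exposure(text))
```

Running `corporate_exposure(SAMPLE_LOG)` flags the VPN and SaaS entries for jdoe while ignoring the gaming sites and the malformed line, which is the signal that turns a “personal” infection into an enterprise incident ticket.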