Infostealers Don’t Discriminate: 10,000 Logs Show Who’s Getting Hit

March 26, 2026

By Olivier Bilodeau and Andréanne Bergeron

What does a director at a 1,000+ employee US telecom company, a hotel reception desk computer, and a threat actor all have in common? They were all victimized by information stealer malware, and their computers’ most critical data is now being sold on the dark web.

Infostealer malware is one of the most pervasive and underappreciated threats in cybersecurity today. At RSAC 2026, we presented “Beyond Credentials: Victim Profiling in the Stealer Malware Economy,” our research into who these victims really are, how they get infected, and why awareness, not just technology, is the key to prevention.

Stealer Log Intelligence

See What’s Already Exposed in Millions of Stealer Logs

72% of infostealer infections pose organizational risk, even when the compromise looks personal. Flare alerts your team when employee credentials, session cookies, or corporate infrastructure access surfaces in newly distributed logs.

Leaked credential & session cookie monitoring
Corporate infrastructure exposure detection

Key Takeaways from Infostealer Malware Victim Profiling 

  • Technically skilled users are the most common victims: 82% of victims in our dataset demonstrated technical skills, and the most frequent profile was developers, engineers, and IT professionals. Technical ability often leads to riskier software installation habits, not safer ones.
  • 72% of infostealer infections pose organizational risk, even when the compromise appears personal: A teenager downloading a game cheat on a family computer can expose a parent’s corporate credentials. An employee using pirated software at home can hand attackers VPN and SSO access to their employer’s infrastructure.
  • A single stealer log can be devastating: Individual logs we saw contained up to 1,381 pieces of personally identifiable information, with the median victim having 83 installed software packages. One infection captures credentials across every browser profile on the machine, often spanning personal, financial, and corporate accounts simultaneously.
  • Gaming cheats and pirated software are the dominant infection vectors, accounting for 55% of observed infections: Games and entertainment (28%) and pirated software (27%) together represent more than half of all infections. These vectors are not sophisticated exploits; they rely on users voluntarily downloading and running malicious files.
  • Prevention is fundamentally an awareness problem, not just a technology problem: The victims we profiled are not careless. They are professionals, parents, students, and business owners trying to accomplish everyday tasks. Tailored awareness training that reflects real victim profiles and infection scenarios is the most effective way to reduce infostealer exposure at scale.

What is Infostealer Malware?

In case you’re not familiar, we will first introduce you to information stealer malware and stealer logs.

An information stealer (or “infostealer”) is a specialized type of malware that acts as a silent identity thief. It targets your entire digital profile: credentials saved in browsers, session cookies, crypto wallets, important files, browsing history, and detailed system information. It requires no administrative privileges and doesn’t need to persist on your machine; a single execution is enough to vacuum up everything valuable without leaving an obvious trace.

The malware is sold as a commercial service (Malware-as-a-Service) for as little as $300 per month, making it accessible to a wide range of cybercriminals. Once a victim’s machine is compromised, the stolen data from that single infection is individually packaged into what’s called a stealer log (or “stealerlog”) and distributed through Telegram channels or cybercrime forums.

What’s Inside a Stealer Log?

Each stealer log is a ZIP archive containing a remarkably detailed snapshot of the victim’s digital life. A typical log includes an All Passwords.txt file with credentials harvested across every browser brand and profile on the machine, per-browser profile artefacts (cookie files, autofill data, browsing history), a system information file, a list of installed software, clipboard contents, and, critically, a screenshot of the victim’s desktop captured at the exact moment of compromise.

That screenshot acts as a digital crime scene photo. It reveals browser activity, open applications, installer windows, and malicious URLs, giving researchers a window into how the infection happened and what the victim was doing when they were hit.

The passwords file alone is devastating. It captures credentials across browser profiles, meaning a single log can expose everything from Google accounts and corporate ADFS portals to Azure Active Directory, government services, and e-commerce sites, all harvested from the different browser profiles simultaneously (e.g., from Chrome and Edge). 

Our Approach and Dataset

We’re in a unique position to study this threat. Flare has collected over 175 million stealer logs over the years, giving us a massive corpus to draw from. For this research, we analyzed a random sample of 10,198 logs, drawn from approximately 30 logs per day throughout 2025. 

We built a victim profiling pipeline that extracts artifacts from each log: 

  • History
  • Cookies
  • Credentials
  • Software
  • Device info
  • System data
  • Screenshots
  • Clipboard
  • Autofill data

Then we ran analysis tasks on each artifact. Some tasks are purely algorithmic (domain categorization, geographic location extraction), while others leverage LLMs for synthesis (infection hypothesis generation, victim profile assessment). All outputs are aggregated into structured JSON reports.

A word of caution on using LLMs for this kind of work: while they’re easy to use, producing useful, well-structured, relevant, and reproducible information is much harder. We found that leveraging structured output with Pydantic models and encoding analyst intuition directly into prompts were essential strategies for getting reliable results at scale.
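To make the artifact extraction and the algorithmic analysis tasks concrete, here is an added example (not Flare’s pipeline, and not code from the presentation) that triages a single stealer log in the shape described under “What’s Inside a Stealer Log?”: it inventories the archive into the nine artifact types, parses the credentials file without retaining any secret, categorizes each host, flags organizational and financial exposure, and computes the family-computer marker used later under “Computer Sharers” (several browser profiles whose autofill names share a surname). The archive layout, the URL/USER/PASS block format of All Passwords.txt, the category keyword lists and the sample log itself are constructed assumptions; the output is a structured report serialized to JSON, which is where a schema (the article uses Pydantic models) would sit in a real pipeline.

```python
"""Triage one stealer log: inventory artifacts, parse the credentials file, categorize
domains, flag organizational/financial exposure and a shared-machine signal, and emit a
structured JSON report. Added example, not Flare's pipeline. The archive layout, the
URL/USER/PASS block format of All Passwords.txt and the keyword lists are constructed
assumptions; real stealer families differ, so the patterns are the part to adapt."""
import io
import json
import re
import zipfile
from collections import Counter, defaultdict
from dataclasses import dataclass, asdict
from urllib.parse import urlparse

# Filename heuristics -> the nine artifact types listed in the article.
ARTIFACT_PATTERNS = [
    (r"passwords?\.txt$", "credentials"), (r"cookies", "cookies"), (r"history", "history"),
    (r"autofill", "autofill"), (r"software|programs|installed", "software"),
    (r"clipboard", "clipboard"), (r"screenshot|\.(png|jpe?g)$", "screenshots"),
    (r"device|hardware", "device_info"), (r"system|information", "system_data"),
]
# Host heuristics for domain categorization (constructed; extend from real data).
CATEGORY_RULES = [
    ("corporate_infrastructure", re.compile(
        r"(^|\.)(vpn|sso|adfs|okta|citrix|remote)\.|login\.microsoftonline\.com|(^|\.)slack\.com$")),
    ("financial", re.compile(r"bank|paypal\.com|wise\.com|stripe\.com")),
    ("gaming", re.compile(r"roblox\.com|steampowered\.com|epicgames\.com|riotgames\.com")),
]
BROWSERS = {"chrome", "edge", "firefox", "brave", "opera"}
CRED_BLOCK = re.compile(r"URL:\s*(\S+)\s*\nUSER:\s*(.*?)\s*\nPASS:", re.IGNORECASE)
NAME_LINE = re.compile(r"NAME:\s*(\w+)\s+(\w+)", re.IGNORECASE)

def classify_artifact(name: str) -> str:
    lower = name.lower()
    return next((k for pat, k in ARTIFACT_PATTERNS if re.search(pat, lower)), "other")

def categorize(host: str) -> str:
    return next((cat for cat, rx in CATEGORY_RULES if rx.search(host.lower())), "other")

def parse_credentials(text: str) -> list:
    # Keep host, user and category per saved login; the secret itself is never kept.
    creds = []
    for url, user in CRED_BLOCK.findall(text):
        host = (urlparse(url).hostname or url).lower()
        creds.append({"host": host, "user": user, "category": categorize(host)})
    return creds

def count_browser_profiles(names: list) -> int:
    # Distinct <browser>/<profile>/ directories, e.g. Chrome/Default and Chrome/Profile 1.
    parts = [n.split("/") for n in names]
    return len({(p[0].lower(), p[1]) for p in parts if len(p) >= 3 and p[0].lower() in BROWSERS})

@dataclass
class VictimReport:
    artifacts: dict
    credential_count: int
    categories: dict
    organizational_risk: bool
    financial_exposure: bool
    browser_profiles: int
    shared_machine_signal: bool
    surnames_shared: list

def build_report(zip_bytes: bytes) -> VictimReport:
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
        texts = {n: zf.read(n).decode("utf-8", "replace") for n in names if n.lower().endswith(".txt")}
    kinds = {n: classify_artifact(n) for n in names}
    creds = [c for n, k in kinds.items() if k == "credentials" for c in parse_credentials(texts[n])]
    categories = Counter(c["category"] for c in creds)
    # Family-computer marker: several browser profiles plus autofill names sharing a surname.
    first_by_last = defaultdict(set)
    for n, k in kinds.items():
        if k == "autofill":
            for first, last in NAME_LINE.findall(texts[n]):
                first_by_last[last.lower()].add(first.lower())
    shared = sorted(last for last, firsts in first_by_last.items() if len(firsts) > 1)
    profiles = count_browser_profiles(names)
    return VictimReport(
        artifacts=dict(Counter(kinds.values())), credential_count=len(creds),
        categories=dict(categories), organizational_risk=categories["corporate_infrastructure"] > 0,
        financial_exposure=categories["financial"] > 0, browser_profiles=profiles,
        shared_machine_signal=profiles > 1 and bool(shared), surnames_shared=shared)

def report_json(report: VictimReport) -> str:
    return json.dumps(asdict(report), indent=2)

def make_sample_zip() -> bytes:
    """Constructed archive mirroring the artifact types the article describes."""
    files = {
        "All Passwords.txt": (
            "URL: https://vpn.example-corp.com/login\nUSER: j.doe\nPASS: <redacted>\n\n"
            "URL: https://sso.example-corp.com/adfs/ls\nUSER: j.doe@example-corp.com\nPASS: <redacted>\n\n"
            "URL: https://www.roblox.com/login\nUSER: coolkid2011\nPASS: <redacted>\n\n"
            "URL: https://online.examplebank.com/\nUSER: jane.doe\nPASS: <redacted>\n"),
        "Chrome/Default/Cookies.txt": "...", "Chrome/Default/Autofill.txt": "NAME: Jane Doe\n",
        "Chrome/Profile 1/Cookies.txt": "...", "Chrome/Profile 1/Autofill.txt": "NAME: Tim Doe\n",
        "System.txt": "OS: Windows 11\nCountry: US\n",
        "Clipboard.txt": "", "Screenshot.jpg": b"\xff\xd8\xff\xd9",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()
```

Running `report_json(build_report(make_sample_zip()))` yields a report in which two of the four saved logins are corporate infrastructure (VPN and ADFS), one is financial, and the two Chrome profiles with autofill names “Jane Doe” and “Tim Doe” raise the shared-machine signal: the same picture as the family-computer cases in the article, where a child’s profile and a parent’s work credentials sit in one log. Only hosts and usernames reach the report, which is what a defender needs to notify the affected owner and force a reset.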

The Numbers That Matter

Our analysis surfaced some striking findings:

59% of victims have financial data exposed in their logs: bank accounts, credit cards, and payment services laid bare. Individual victims had up to 1,381 pieces of personally identifiable information in a single log. 26% of victims have company infrastructure access, meaning their compromise directly threatens their employer’s security posture. And 72% pose some form of organizational risk, even when the infection appears to be personal.

On the technical side, 70% of victims have technical tooling on their computers, and 82% demonstrate technical skills based on their browsing and credential patterns. This counterintuitive finding, that technically skilled users are heavily overrepresented among victims, is one of the most important takeaways from our research.

India, Brazil, and the United States topped the list of countries by victim count, but the threat is truly global, spanning every continent and virtually every country.

The Victim Profiles

Through our analysis, we identified several distinct victim profiles, each with their own risk factors, infection patterns, and implications for defenders. For certain user profiles, we propose tailored awareness posters designed to support organizations in effectively delivering targeted cybersecurity awareness initiatives.

The Technical Employee

This is the most common profile in our dataset. These are developers, engineers, and IT professionals whose technical abilities paradoxically lead to risky behavior: they regularly download and install software from various sources, including unsigned open-source tools.

In one example, we found a US-based developer working for a law firm. Their log revealed technical sophistication with logins for GitHub, KeePass, FileZilla, alongside deep corporate and personal exposure through VPN credentials, email, Slack, and Entra ID access. A single infection on this person’s machine handed attackers the keys to the entire firm’s infrastructure.

The median infostealer victim has 83 installed software packages. Each one is a potential attack surface, and the more software you install, the more doors you open.

Awareness takeaway for the technical employee: “Your tech savviness is your Achilles heel.” 

Cybersecurity awareness poster aimed at technical employees (PDF)
A second cybersecurity awareness poster aimed at technical employees (PDF)

Computer Sharers

21% of victims in our sample had more than one user per device. Shared computers in kiosks, internet cafés, library terminals, school labs, and workplace shared workstations are prime targets for stealer malware because a single infection compromises every user who has ever logged in through that machine’s browsers.

We found a workstation in a retail store in Malaysia with access to shop management and point-of-sale software, over 70 credentials, more than 3,000 cookies, and the names and emails of multiple employees. One infection on a shared machine creates a blast radius far beyond the person who triggered it.

Amongst that 21% of multi-user devices, there is a subset we wanted to highlight: family computers. They are identifiable by multiple browser accounts or profiles, with autofill data revealing names that share a last name. The infection vector is almost always gaming-related, such as a child downloading a cheat tool or game mod, but the fallout hits the parents whose professional credentials and financial accounts are saved in other browser profiles on the same machine.

One log revealed a family in Peru with over 22,000 history entries, 17,000+ cookies, and 1,068 leaked credentials. The infection came through a Valorant Skin Changer downloaded by a younger family member. The credentials that were exposed included a mix of entertainment, gaming, and professional accounts.

Awareness takeaway for computer sharers: “Roblox cheats are a trap. Protect your kids, protect your home.”

A cybersecurity awareness poster aimed at parents (PDF)

The Unlucky Executive

This profile describes a professional user, typically in a leadership role, who gets infected via pirated software, combined with low digital literacy. These are accidental compromises with outsized consequences.

We found a Managing Director of an outsourcing company with over 1,200 unique credentials exposed, including bank accounts, credit cards, HR systems, and hosting providers. The infection vector? A Proxy VPN installer. Around 50% of victims infected through business software have company infrastructure access, which means these accidental infections routinely become enterprise-level security incidents.

Awareness takeaway for the unlucky executive: “Looks like business software. Acts like spyware.”

A cybersecurity awareness poster aimed at managers and executives (PDF)

Captain Get-It-Done

These victims aren’t tech-savvy; they just want to solve a problem and get back to work. That means downloading and running whatever utility promises to fix their printer, clean their registry, or update their drivers.

We found a small business owner compromised through an ad redirection chain while searching for an Epson printer adjustment utility. The log exposed governmental services, business email, and accounting credentials. Notably, 54% of people infected by PC repair tools have low-value computers, suggesting these victims are often the least equipped to recover from a compromise.

The Gamer

Characteristically young, with risk-taking behavior but without criminal intent, these victims are typically infected through game cheats and mods. We found a victim born in 2006 in the US whose full name, address, and date of birth were exposed, who was infected via JJSploit, a Roblox cheating tool.

Here is another game-related statistic we extracted from the data: over 16% of victims infected through a game-related vector have company infrastructure access. This happens because employees use their work computer for personal gaming (15.5% of cases) or because the corporate machine is shared with family members (5% of cases). 

Awareness takeaway for the gamer: “Personal use on your work computer can topple the company.”

A cybersecurity awareness poster aimed at exposing the risks of personal activity on work devices (PDF)

The Backdoored Threat Actor

In a twist of poetic justice, threat actors frequently fall victim to their own ecosystem. We found a substantial number of cybercriminals getting infected through backdoored tools, which are the very weapons they use to attack others.

One compromised Italian threat actor had been infected via a FUD (cybercrime slang for Fully UnDetectable) Crypter. Their log contained stealer logs within the stealer log, a kind of cybercrime nesting doll, along with 287 credentials and a browsing history filled with hacking tools like IP Killer 2 and Phoenix Botnet. We also identified North Korean IT workers among the infected.

Supply Chain Risk

Third-party access into your environments equals exposure. If a provider’s security awareness is insufficient, their infection can expose privileged access to your systems. We found a Nigeria-based digital agency with third-party cloud and SaaS access to client environments (cPanel, Zoho, HubSpot), along with thousands of credentials and hundreds of emails and phone numbers. The Verizon DBIR 2025 reported that 30% of all breaches in 2025 were linked to a third party, and infostealer infections at vendors and service providers are a significant contributor to that number.

The Infection Vectors

Our analysis categorized infection vectors into three broad families: pirated software, services, and games/entertainment.

Pirated Software (27% of infections)

This is the classic vector. Victims download cracked versions of business software (Adobe, Microsoft Office), essential software (Windows activators, VPNs), creative software (Photoshop, Canva), and specialized tools (AutoCAD, SolidWorks, 3ds Max). Threat actors prey on users’ willingness to bypass legitimate licensing fees at the cost of their own security.

Awareness takeaway: “Pirated software might cost you your identity.”

A cybersecurity awareness poster about the risks of software piracy (PDF)

Services (11% of infections)

This category includes generic file-sharing services, fake AI tools, and PC repair utilities. These lures target people who are trying to accomplish a task, such as fixing a printer, downloading a file, or trying a new AI assistant, and who end up downloading malware instead.

Games and Entertainment (28% of infections)

Gaming cheats and mods are a dominant infection vector, spanning mainstream classics (Solitaire), contemporary titles (Roblox, GTA V, Fortnite, Minecraft, Valorant), and dedicated cheat engines. The infection path typically runs through YouTube tutorials that link to Telegram channels or shady download portals.

A map of dominant infection vectors by country reveals that gaming is the primary vector across much of the world, including the US, Brazil, Russia, and most of Europe, while essential software piracy dominates in parts of South Asia and the Middle East.

Next Steps for Security Teams

You’ve read about the different types of common infostealer malware victims. So what should you do next?

Immediately

  • Distribute stealer log awareness materials digitally and on premises. Tailor them to the profiles that match your workforce.
  • Identify where critical credentials are stored on endpoints. What falls outside your SSO? Are browser-based password managers disabled?

In the Next Three Months

  • Integrate educational material about stealer logs into your company’s cybersecurity awareness training.
  • Promote dedicated password manager adoption; it is proven effective at reducing credential exposure.

Within Six Months

  • Repeat and adapt your cybersecurity education. Cover emerging threat vectors like ClickFix-style attacks. Adjust messaging for your audience: if your employees are parents, emphasize gaming risks.
  • Design in-house awareness posters based on real internal incident response cases. Nothing resonates like a story from your own organization.
  • Proactively monitor for exposed credentials, session cookies, and non-human identities (NHI). Automate remediation where possible.
  • Move all critical assets behind Single Sign-On (SSO).
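The “Immediately” step asks whether browser-based password managers are disabled on your endpoints. The following added example (not Flare’s tooling, and not part of the original post) audits a managed browser policy against a stealer-aware baseline and shows the weak document beside the hardened one. The policy names (PasswordManagerEnabled, AutofillCreditCardEnabled, AutofillAddressEnabled, SyncDisabled, BrowserSignin) are real Chrome enterprise policies that Edge shares; the two policy documents are constructed; the managed-policy locations named in the docstring are the standard ones for Chrome (Linux JSON directory, Windows HKLM policy key).

```python
"""Audit a managed browser policy for settings that let credentials live in the browser,
the endpoint check the article's "Immediately" step calls for. Added example, not Flare's
tooling. The policy names are real Chrome and Edge enterprise policies; the two policy
documents are constructed. Chrome reads managed policy from
/etc/opt/chrome/policies/managed/*.json on Linux and from the registry key
HKLM\\SOFTWARE\\Policies\\Google\\Chrome (Edge: \\Microsoft\\Edge) on Windows."""
import json
import sys

# Baseline: nothing for a stealer to export from the browser's own stores.
REQUIRED = {
    "PasswordManagerEnabled": False,     # no saved logins in the browser store
    "AutofillCreditCardEnabled": False,  # no payment cards in autofill
    "AutofillAddressEnabled": False,     # no identity/address autofill
}
# Sign-in and sync replicate whatever is stored to every other device of the user.
RECOMMENDED = {"SyncDisabled": True, "BrowserSignin": 0}
BASELINE = {**REQUIRED, **RECOMMENDED}

# Weak document: touches one setting, and in the wrong direction (constructed).
WEAK_POLICY = {"PasswordManagerEnabled": True, "SyncDisabled": False}
# Hardened document: what to ship to the managed policy location (constructed).
HARDENED_POLICY = dict(BASELINE)

def audit_policy(policy: dict) -> list:
    """Return (severity, message) findings; an empty list means the baseline is met."""
    findings = []
    for key, wanted in REQUIRED.items():
        if key not in policy:
            findings.append(("required", f"{key} unset: browser default allows it, set {json.dumps(wanted)}"))
        elif policy[key] != wanted:
            findings.append(("required", f"{key} is {json.dumps(policy[key])}, set {json.dumps(wanted)}"))
    for key, wanted in RECOMMENDED.items():
        if policy.get(key) != wanted:
            findings.append(("recommended", f"{key} should be {json.dumps(wanted)}"))
    return findings

def load_policy_file(path: str) -> dict:
    """Load one managed-policy JSON document (the Linux directory style)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)

def load_windows_policy(browser: str = "Google\\Chrome") -> dict:
    """Read the HKLM policy key on Windows; {} elsewhere or when no policy is set."""
    if sys.platform != "win32":
        return {}
    import winreg
    try:
        key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, "SOFTWARE\\Policies\\" + browser)
    except OSError:
        return {}
    policy, i = {}, 0
    with key:
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, i)
            except OSError:
                break
            # Boolean policies are stored as DWORD 0/1; normalise so audit_policy can compare.
            policy[name] = bool(value) if isinstance(BASELINE.get(name), bool) else value
            i += 1
    return policy

def hardened_policy_json() -> str:
    """The document to drop into the managed policy directory."""
    return json.dumps(HARDENED_POLICY, indent=2)

if __name__ == "__main__":
    policy = load_policy_file(sys.argv[1]) if len(sys.argv) > 1 else (load_windows_policy() or WEAK_POLICY)
    for severity, message in audit_policy(policy) or [("ok", "baseline met")]:
        print(f"[{severity}] {message}")
```

Run it with a policy JSON path to audit a Linux fleet image, or without arguments on Windows to read the live HKLM key. The weak document produces three required findings (the browser store stays enabled, and the two autofill stores are simply unset, which means the browser default applies) plus two recommended ones; the hardened document produces none. Disabling the in-browser store only pays off when it is paired with the dedicated password manager and the SSO consolidation listed in the later steps, otherwise users fall back to reusing passwords.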

Why This Is an Awareness Problem

Our next blog will focus on why we believe cybersecurity awareness training can address the information stealer problem and why and where this type of education is an already proven approach. We will discuss mechanisms that our analysis revealed and dive deeper into the victimology aspect.

Infostealer Malware Attack Prevention is Tied to Tailored Awareness

Information stealer malware is a significant and opportunistic threat that affects organizations primarily through collateral damage: an employee’s personal download, a teenager’s game cheat, a shared workstation in a retail store. Prevention cannot be only technological. It is fundamentally an awareness issue.

The victims we profiled are not careless or ignorant. They are developers, executives, parents, teenagers, and small business owners, people trying to get their work done, play a game, or save money on software. Understanding who they are and how they get infected is the first step toward protecting them and, by extension, protecting the organizations they belong to.


This blog post accompanies our RSAC 2026 presentation, “Beyond Credentials: Victim Profiling in the Stealer Malware Economy,” by Andréanne Bergeron and Olivier Bilodeau from Flare.
