Infostealer Glossary
A field reference to the infostealer threat landscape — the malware families, stolen-data formats, and credential-theft tactics that define the cybercrime supply chain. Each entry explains what it is, why it matters, and how VantaPrism tracks it.
71 terms indexed
Malware Family Profiles (30 terms)
Acreed is a newer infostealer that rose in prominence as a replacement for disrupted families, harvesting browser credentials,…
Agent Tesla is a long-established .NET-based infostealer and remote access tool that logs keystrokes, captures screenshots, and…
Arkei is an older infostealer that served as the basis for the Vidar family. It collected browser data, cookies, and cryptocurr…
Atomic macOS Stealer (AMOS) is an infostealer targeting Apple macOS systems. It steals keychain passwords, browser credentials…
Aurora Stealer is a Go-based infostealer that was marketed as a multi-purpose botnet and stealer, harvesting browser credential…
AZORult is a veteran infostealer and downloader that harvests browser credentials, cookies, cryptocurrency wallets, and files.…
A banking trojan is malware designed to steal financial credentials and manipulate online banking sessions, often via web injec…
FormBook is a malware-as-a-service infostealer that grabs credentials from browsers and applications, logs keystrokes, and can…
Kraken is an infostealer marketed on underground channels that harvests browser credentials, cookies, cryptocurrency wallets, a…
Lumar is a lightweight C-based infostealer sold cheaply on underground forums that collects browser credentials, cookies, crypt…
Lumma Stealer (LummaC2) is a malware-as-a-service infostealer that steals browser credentials, cookies, cryptocurrency wallets,…
Mars Stealer is an infostealer derived from the older Oski stealer that targets browser credentials, cookies, cryptocurrency wa…
Meduza Stealer is a Windows infostealer marketed on underground forums that collects browser credentials, cookies, password man…
MetaStealer is an infostealer derived from the RedLine codebase that targets browser credentials, cookies, autofill data, and c…
Nexus is an infostealer offered as a service that targets browser-stored credentials, cookies, autofill, and cryptocurrency ass…
Oski is an older infostealer notable as the predecessor of Mars Stealer. It harvested browser credentials, cookies, and cryptoc…
Phemedrone is an open-source-derived infostealer that targets browsers, cryptocurrency wallets, messaging apps, and password ma…
Poseidon is a macOS-targeting infostealer marketed as an Atomic (AMOS) competitor. It steals keychain data, browser credentials…
Predator the Thief is an infostealer sold on Russian-speaking forums that steals browser data, cookies, cryptocurrency wallets,…
Raccoon Stealer is a malware-as-a-service infostealer that harvests passwords, cookies, autofill data, and cryptocurrency walle…
Raccoon Stealer V2 (also tracked as RecordBreaker) is the rewritten successor to the original Raccoon, built in C/C++ for perfo…
RedLine Stealer is an information-stealing malware (infostealer) sold as malware-as-a-service that harvests saved browser crede…
A remote access trojan (RAT) is malware that gives an attacker remote control of an infected device. Many RATs include infostea…
Rhadamanthys is an advanced, modular infostealer sold as malware-as-a-service that steals credentials, cookies, cryptocurrency…
RisePro is an infostealer that shares similarities with the Vidar family and is distributed through pay-per-install loader serv…
Snake Keylogger is a .NET-based credential stealer and keylogger that records keystrokes, captures screenshots and clipboard da…
StealC is a lightweight malware-as-a-service infostealer, influenced by Vidar and Raccoon, that steals browser data, cookies, c…
Taurus is an infostealer linked to the same actors behind the Predator the Thief family. It harvests browser credentials, cooki…
Vidar is a long-running infostealer, derived from the older Arkei stealer, that collects browser credentials, cookies, cryptocu…
ViperSoftX is a long-running information stealer and loader that specialises in cryptocurrency theft, including clipboard hijac…
Concepts (23 terms)
Account takeover (ATO) is when an attacker gains unauthorized control of a legitimate user account, typically using stolen cred…
An attack surface is the total set of points where an attacker could attempt to enter or extract data from a system. Compromise…
Business email compromise (BEC) is a fraud in which attackers gain access to or impersonate a corporate email account to trick…
Command and control (C2) is the infrastructure attackers use to communicate with malware on infected devices — issuing instruct…
Compromised credentials are usernames and passwords that have been exposed to unauthorized parties — frequently through infoste…
Credential monitoring is the continuous practice of watching for an organisation's usernames and passwords appearing in breache…
Dark web monitoring is the practice of continuously searching dark-web markets, forums, and channels for an organisation's expo…
A data breach is an incident in which sensitive data is accessed or disclosed without authorisation. Infostealer infections are…
Ethical disclosure is the practice of responsibly notifying an organisation that its data or credentials have been exposed — fo…
Infostealer malware is a category of malicious software designed to silently harvest sensitive data — passwords, session cookie…
An initial access broker (IAB) is a cybercriminal who sells access to compromised networks and accounts to other attackers, suc…
Loader malware (a loader or dropper) is software whose job is to install other malware on a compromised device. Loaders frequen…
A log cloud is a subscription service — usually run through Telegram channels or dark-web panels — that gives criminal buyers c…
Malware-as-a-service (MaaS) is a criminal business model in which malware authors rent or sell their software, infrastructure,…
MFA bypass is any technique that defeats multi-factor authentication so an attacker can access an account despite the extra fac…
OPSEC (operational security) is the discipline of protecting information and activity from adversaries by controlling what is e…
OSINT (open-source intelligence) is intelligence gathered from publicly available sources. In cybercrime investigations, OSINT…
Pay-per-install (PPI) is a criminal service model where operators are paid to install other actors' malware on compromised mach…
Ransomware is malware that encrypts or steals a victim's data and demands payment for its return. Infostealer-harvested credent…
Telegram has become a central marketplace and distribution channel for cybercrime, especially infostealer logs. Threat actors u…
Third-party (supply chain) risk is the security exposure an organisation inherits from its vendors, partners, and suppliers. In…
Threat intelligence is evidence-based knowledge about threats — actors, tactics, and indicators — used to inform defensive deci…
Zero trust is a security model that assumes no user or device is inherently trusted and verifies every access request continuou…
Tactics (9 terms)
An anti-detect browser is a tool that lets a user spoof or isolate browser fingerprints to appear as many different devices. Cr…
ClickFix is a social-engineering technique that tricks users into running a malicious command themselves — typically via a fake…
Cookie theft is the stealing of browser cookies — especially authenticated session cookies — so attackers can impersonate a use…
Credential stuffing is an automated attack that takes username/password pairs leaked from one source and tries them en masse ag…
Credential theft is the act of stealing authentication data — usernames, passwords, tokens, and session cookies — so an attacke…
A keylogger is malware or hardware that records a user's keystrokes to capture passwords, messages, and other sensitive input.…
Malvertising is the use of online advertising — including paid search ads — to distribute malware. Attackers buy ads impersonat…
Phishing is a social-engineering attack that deceives victims into revealing credentials or running malware, usually through fr…
Session hijacking is the takeover of an authenticated session by stealing and reusing its session token or cookie. Because the…
Data Types (9 terms)
Autofill data is the information browsers save to automatically complete forms — names, addresses, phone numbers, emails, and s…
A browser (or device) fingerprint is a set of attributes — user agent, screen, fonts, timezone, and more — that identify a spec…
A combolist is a compiled list of username/email and password combinations, aggregated from breaches and stealer logs, used to…
Crypto wallet theft is the stealing of cryptocurrency wallet files, seed phrases, private keys, and wallet browser extensions b…
An infection timeline is the chronological record of when a device was compromised and when its data was harvested, derived fro…
PII is information that can identify a specific individual — names, addresses, government IDs, financial details, and more. Inf…
A session cookie is a token a website stores in the browser to keep a user logged in after authentication. Stolen session cooki…
A stealer log is the package of data exfiltrated from a single device by infostealer malware. It typically contains saved passw…
ULP data is credential data formatted as URL:Login:Password — the login page, the username, and the password for a captured acc…
Is your organization in the logs?
These threats produce stealer logs every day. Find out whether your domains, employees, or customers appear in infostealer data — before adversaries exploit it.
Generate a Threat Report