Infostealer Malware in 2026: How Criminals Steal Your Passwords and Session Cookies


By Fanny Engriana · 9 min read

Disclaimer: This article is for educational purposes only. Information about malware tactics is provided to help you recognize and defend against real threats. If you suspect your device is infected, contact a qualified cybersecurity professional or your organization's IT security team. Sources cited include official advisories from CISA and the FBI.

A client I've worked with for years — I'll call him Rudi — runs a small logistics company. He's careful. He uses MFA on everything. His passwords are long and unique. In March 2026, his Microsoft 365 account was accessed by someone in Vietnam. They downloaded three months of invoice data before anyone noticed.

The attacker never guessed his password. They never bypassed his MFA code. They stole a session cookie — a tiny file his browser stored after his last login — using infostealer malware that had been silently running on his laptop for six weeks. He had no idea it was there.

Infostealers stole 1.8 billion credentials in the first six months of 2025 alone, an 800% increase over the previous period according to threat intelligence researchers. In May 2025, the FBI and CISA issued a joint advisory warning specifically about LummaC2 (Lumma Stealer), one of the most active infostealer families currently targeting Windows users globally. By April 2026, infostealers have become the primary fuel powering ransomware supply chains worldwide.

If you believe strong passwords and MFA protect you completely, this article will change that — because infostealers are specifically designed to bypass both.

What Is an Infostealer, Exactly?

An infostealer is malware built with one purpose: silently collect credentials, session cookies, saved passwords, credit card numbers, and cryptocurrency wallet data from your device, then transmit everything to an attacker-controlled server before you notice anything is wrong.

Unlike ransomware, which announces itself by encrypting your files and demanding payment, infostealers are engineered for invisibility. They run quietly in the background, harvest data, and exit — often without installing any persistent components that your antivirus might flag. Many modern variants are specifically coded to evade Windows Defender and common EDR tools.

The top three infostealer families as of 2026 are:

  • Lumma Stealer (LummaC2) — the current market leader, sold as Malware-as-a-Service starting at $250/month. Microsoft identified over 394,000 Windows computers infected with Lumma in just a two-month window during 2025.
  • RedLine Stealer — a long-running family specializing in browser data: saved passwords, cookies, autofill, and FTP credentials
  • StealC — a newer modular stealer gaining ground rapidly, capable of targeting specific application data on demand

These three families account for over 75% of all infostealer infections globally. They operate openly as subscription businesses — threat actors pay a monthly fee and receive a ready-to-deploy payload with a web dashboard for managing stolen data.

How Infostealers Actually Get onto Your Device

This is where most people are surprised. You don't need to click a phishing link or receive a suspicious email. The most common delivery methods in 2026 are quieter than that.

Cracked software and game cheats. Pirated copies of productivity software, Photoshop, games, and "activator" tools are the number-one distribution vector. The malware is bundled inside an installer that looks completely legitimate and may even install the software it promises.

Fake software update popups. Malvertising campaigns serve popup messages on legitimate websites claiming your browser, media player, or PDF reader needs an update. The "update" installs the stealer. These ads appear on real news sites and forums — not just shady corners of the internet.

YouTube video descriptions and Discord servers. Threat actors post videos about "free tools", "AI image generators", or "game mods" with download links in the description. The files are often password-protected ZIP archives — the password appears in the video, which bypasses automatic antivirus scanning of the download.

GitHub and NPM package poisoning. This vector matters especially for developers. Malicious packages with names close to legitimate ones (a technique called typosquatting) have been found on GitHub and NPM containing stealer payloads embedded in installation scripts.

From my experience managing open-source dependencies across 50+ client projects at Warung Digital Teknologi, this last vector is one I take very seriously. After the supply-chain attacks on the Python ecosystem I documented earlier on this site, we added automated dependency auditing to our GitHub Actions pipelines for every new project — because one compromised dev machine with SSH keys saved in the browser is enough to expose a production server.

What Infostealers Actually Take

Once running on your device, a modern infostealer targets everything stored in or accessible from your browser and operating system:

  • Browser-saved passwords — every account saved in Chrome, Firefox, Edge, or Brave, extracted directly from the encrypted credential store
  • Session cookies — authentication tokens that tell websites you're already logged in
  • Browser autofill data — your name, address, phone number, email, and date of birth
  • Credit and debit card data stored in browser profiles
  • Cryptocurrency wallet files and seed phrases
  • FTP credentials and SSH private keys
  • Email client credentials (Outlook, Thunderbird)
  • VPN configuration files
  • Screenshots taken at the moment of infection
  • Clipboard contents — including anything you recently copied

In 2024, researchers found that the average infostealer infection yielded 1,861 cookies per device. That is 1,861 potential account takeover opportunities from a single compromised machine.

The MFA Bypass Problem: Why Two-Factor Authentication Is Not Enough Here

Most cybersecurity advice says "enable MFA and you're safe." Infostealers are the specific reason that advice is incomplete.

Here's what actually happens when you log into a website: you enter your password, complete your MFA challenge, and the server issues you a session cookie — a small token stored in your browser that says "this user has authenticated, let them through." Every subsequent page request includes this cookie so you don't have to log in again.

When an infostealer steals that cookie, attackers don't need your password or your MFA code. They import the cookie into their own browser using freely available developer tools, and the website treats them as you β€” fully authenticated, session already established. This attack is called pass-the-cookie or session hijacking.

This is exactly what the FBI's advisory on LummaC2 described: the malware "allows attackers to bypass multi-factor authentication (MFA) to hijack accounts." Google's own security team added new cookie protections to Chrome in 2024 — and within 24 hours, Lumma, Vidar, and Meduza had all pushed updates to work around them.

When I built session management for our Digital Pawnshop system — which processes real loan transactions against physical assets — I implemented short session expiration times and forced re-authentication for high-value actions specifically because of this attack vector. For any system handling money or sensitive records, treating MFA as a complete solution is a mistake.
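As an added example (not the article's code and not the author's Digital Pawnshop implementation), here is a minimal server-side session store that applies the controls this section argues for: an absolute lifetime, an idle timeout, step-up re-authentication for high-value actions, and a "sign out of all devices" revocation, so that a replayed cookie stops working as soon as any window closes. The 4-hour absolute lifetime is the article's figure; the 30-minute idle and 5-minute step-up windows are assumed values.

```python
import secrets
from dataclasses import dataclass

ABSOLUTE_TTL = 4 * 3600   # seconds; the article's 4-hour cookie lifetime
IDLE_TTL = 30 * 60        # assumed: no requests for 30 minutes ends the session
STEP_UP_WINDOW = 5 * 60   # assumed: high-value actions need an MFA check within 5 minutes


@dataclass
class Session:
    user: str
    created: float      # when the login (password + MFA) completed
    last_seen: float    # last request that presented this cookie
    last_mfa: float     # last successful MFA challenge on this session
    revoked: bool = False


class SessionStore:
    """Server-side session table; the cookie value is only an opaque lookup key."""

    def __init__(self):
        self._sessions = {}   # session id -> Session
        self._by_user = {}    # user -> set of session ids, for mass revocation

    def login(self, user, now):
        sid = secrets.token_urlsafe(32)   # 256 bits of randomness, unguessable
        self._sessions[sid] = Session(user, now, now, now)
        self._by_user.setdefault(user, set()).add(sid)
        return sid

    def check(self, sid, now, high_value=False):
        """Validate a presented cookie. Returns (allowed, reason); a stolen cookie
        fails here as soon as any of the windows has closed."""
        s = self._sessions.get(sid)
        if s is None or s.revoked:
            return False, "unknown_or_revoked"
        if now - s.created > ABSOLUTE_TTL:
            return False, "absolute_expiry"
        if now - s.last_seen > IDLE_TTL:
            return False, "idle_expiry"
        if high_value and now - s.last_mfa > STEP_UP_WINDOW:
            return False, "step_up_required"   # caller re-runs MFA, then record_mfa()
        s.last_seen = now
        return True, "ok"

    def record_mfa(self, sid, now):
        """Call after a fresh MFA challenge succeeds on an existing session."""
        self._sessions[sid].last_mfa = now

    def revoke_all(self, user):
        """The 'sign out of all devices' button: every cookie for this user dies."""
        for sid in self._by_user.get(user, ()):
            self._sessions[sid].revoked = True
```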

The Ransomware Connection

Why do threat actors bother with infostealers when they could deploy ransomware directly?

Because stolen credentials are a commodity business. Logs from infostealer infections are packaged and sold on underground markets — Telegram channels and dark web forums — as "stealer logs." Ransomware groups purchase these logs to find credentials for corporate VPNs, RDP endpoints, and cloud management consoles, then use them to gain initial access without any brute-force attempt or exploited vulnerability.

This is why IBM X-Force found that phishing campaigns now deliver infostealers 84% more often than the prior year: they have become the preferred first stage in larger attacks. You don't get ransomed the day your device is infected. You get ransomed weeks or months later when someone buys your credentials and decides your company is worth targeting.

How to Tell If Your Device Is Already Infected

Infostealers are built to be silent, but there are signals worth checking.

Check for unexpected account access. Go to your Google account, navigate to Security, and review "Your devices" and "Recent security activity." Check your Microsoft account under Sign-in activity. Look for sessions from locations you don't recognize.

Review your financial accounts. If your bank or card issuer shows logins from unfamiliar devices or locations, that's a red flag. Check this directly with your institution rather than through any link in an email.

Look for unusual processes. Open Task Manager on Windows and look for processes making outbound network connections — particularly any with randomized names or locations in your AppData folder. Infostealers commonly stage themselves in %AppData%\Local\Temp or %LocalAppData%.
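An added example (not from the article) that turns this manual check into a triage rule: given processes with outbound connections, it flags executables running from the AppData locations named above that talk to a non-private address, and raises the severity when the file name looks machine-generated. The records are constructed for the example, in the shape you get by joining netstat -b or Get-NetTCPConnection output with process paths; the entropy threshold is an assumed tuning value.

```python
import math
import re
from collections import Counter

# Staging locations the article names, matched case-insensitively against the executable path.
SUSPECT_DIRS = ("\\appdata\\local\\", "\\appdata\\roaming\\")  # covers AppData\Local\Temp too
TRUSTED_DIRS = ("\\program files\\", "\\program files (x86)\\", "\\windows\\")
ENTROPY_THRESHOLD = 3.0  # assumed tuning value: bits/char above which a stem looks machine-generated

def name_entropy(stem):
    """Shannon entropy of the characters in a file stem, in bits per character."""
    n, counts = len(stem), Counter(stem.lower())
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0

def looks_random(filename):
    """Long, alphanumeric-only stems with high entropy, e.g. 'a8f3c9d1e7b2.exe'."""
    stem = filename.rsplit(".", 1)[0]
    return (len(stem) >= 10 and re.fullmatch(r"[A-Za-z0-9]+", stem) is not None
            and name_entropy(stem) > ENTROPY_THRESHOLD)

def is_private(ip):
    """RFC 1918 and loopback; anything else is treated as an outbound public peer."""
    return ip.startswith(("10.", "192.168.", "127.")) or re.match(r"172\.(1[6-9]|2\d|3[01])\.", ip) is not None

def triage(connections):
    """connections: dicts with pid, name, exe, remote_ip (one per established outbound connection).
    Returns (pid, name, severity, reasons) for each process worth a closer look."""
    findings = []
    for c in connections:
        exe, reasons = c["exe"].lower(), []
        if any(d in exe for d in SUSPECT_DIRS) and not any(d in exe for d in TRUSTED_DIRS):
            reasons.append("runs_from_appdata")
        if not is_private(c["remote_ip"]):
            reasons.append("outbound_public")
        if looks_random(c["name"]):
            reasons.append("random_name")
        if "runs_from_appdata" in reasons and "outbound_public" in reasons:
            # Legitimate per-user installs (Teams, Discord, ...) also live in AppData and talk to
            # the internet, so a plain match is only 'review'; a random-looking name makes it 'high'.
            severity = "high" if "random_name" in reasons else "review"
            findings.append((c["pid"], c["name"], severity, reasons))
    return findings

SAMPLE = [  # constructed records, not taken from a real infection
    {"pid": 4120, "name": "chrome.exe", "exe": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "remote_ip": "142.250.1.1"},
    {"pid": 8812, "name": "a8f3c9d1e7b2.exe", "exe": r"C:\Users\rudi\AppData\Local\Temp\a8f3c9d1e7b2.exe", "remote_ip": "203.0.113.45"},
    {"pid": 5100, "name": "Teams.exe", "exe": r"C:\Users\rudi\AppData\Local\Microsoft\Teams\current\Teams.exe", "remote_ip": "52.113.0.1"},
    {"pid": 3002, "name": "svchost.exe", "exe": r"C:\Windows\System32\svchost.exe", "remote_ip": "10.0.0.5"},
]
```

Running triage(SAMPLE) flags the Temp-staged random-name binary as "high" and the Teams process as "review", which is the false-positive class you will see on any workstation with per-user installs.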

Audit your browser extensions. In Chrome, open chrome://extensions and examine every installed extension. Malicious extensions are an increasingly common persistence mechanism after an initial infostealer infection. Remove anything you didn't explicitly install.

Run an offline scan. Windows Defender's offline scan (Settings → Windows Security → Virus and threat protection → Scan options → Windows Defender Offline scan) runs before Windows fully loads, catching threats that hide from active scans. Malwarebytes Free is also effective against most current infostealer families.

Check HaveIBeenPwned. Visit haveibeenpwned.com and check your email addresses. Stealer log data often ends up in breach databases within weeks of an infection.

Eight Protection Steps That Actually Matter in 2026

1. Never install cracked software. This is the most effective single step you can take. Pirated software and unofficial activators are the dominant delivery mechanism for infostealers. The cost of one infection — in time, money, and compromised accounts — will always exceed any savings on a license.

2. Use a dedicated password manager instead of your browser. Browsers store saved passwords in locations that infostealers specifically target (Chrome uses a SQLite database at a predictable path, encrypted with a key that DPAPI can unlock on the same machine). Password managers like Bitwarden (open source, free) store credentials in properly encrypted vaults that are much harder to extract without the master password.

3. Use hardware security keys for critical accounts. FIDO2 hardware keys such as YubiKey implement passkeys in a way that is resistant to both phishing and many session hijacking scenarios. CISA's advisory on LummaC2 explicitly recommends hardware security keys for high-value accounts. They cost around $25–$50 and eliminate an entire category of credential theft.

4. Configure session expiration for sensitive accounts. Where possible, set sessions to expire after a shorter period. Many enterprise platforms (Google Workspace, Microsoft 365) allow administrators to configure session length. A cookie that expires in 4 hours is dramatically less useful to an attacker than one valid for 90 days.

5. Isolate high-stakes browser sessions. For banking, financial accounts, and work credentials, use a dedicated browser profile — or a completely separate browser — that you never use for casual browsing, social media, or downloading anything. Across our 7 aggregator sites and client project management, I keep production credentials in a completely isolated Chrome profile that has no extensions installed and is never used to click links from emails or messages.

6. Enable Enhanced Safe Browsing in Chrome. Go to Settings → Privacy and Security → Security → Enhanced protection. This setting checks downloads against known malware lists in real time and warns you about dangerous sites before you visit them.

7. Keep all software updated. Infostealers are often delivered through exploit kits that target known vulnerabilities in browsers, PDF readers, and media players. Keeping software updated closes these entry points. Enable automatic updates for your OS and browser.

8. Audit open-source dependencies if you're a developer. Tools like npm audit, pip-audit, and GitHub's Dependabot can catch packages with known malicious versions. Make this part of your CI/CD pipeline rather than a manual step β€” human review doesn't catch typosquatted package names reliably.
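An added example (not from the article or from npm audit, pip-audit or Dependabot) of the check that human review misses: before installing, compare each requirement name against an allow-list of packages you actually depend on and flag near-misses by edit distance. The KNOWN set and the requirement lines are constructed for the example; in a pipeline you would generate the allow-list from lockfiles you have already reviewed.

```python
import re

# Assumed allow-list, constructed for the example; generate yours from lockfiles you have reviewed.
KNOWN = {"requests", "numpy", "pandas", "cryptography", "urllib3", "pyyaml", "lodash", "express", "axios"}

def normalize(name):
    """PEP 503-style normalization so 'PyYAML', 'pyyaml' and 'py_yaml' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def levenshtein(a, b):
    """Edit distance (insert/delete/substitute); 'reqeusts' vs 'requests' is 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def nearest_known(name, known=KNOWN):
    """Closest allow-listed name and its distance, or (None, None) for an exact match."""
    name = normalize(name)
    if name in {normalize(k) for k in known}:
        return None, None
    best = min(known, key=lambda k: levenshtein(name, normalize(k)))
    return best, levenshtein(name, normalize(best))

def audit_requirements(lines, known=KNOWN, max_edits=2):
    """Parse requirements.txt-style lines and return (name, lookalike, distance) for names that
    are not allow-listed but sit within max_edits of one; 'requests' passes, 'reqeusts' does not."""
    flagged = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith(("#", "-")):   # comments and options such as -r / --index-url
            continue
        m = re.match(r"([A-Za-z0-9][A-Za-z0-9._-]*)", line)   # name before any ==, >=, [extra] or ;
        if not m:
            continue
        name = m.group(1)
        lookalike, dist = nearest_known(name, known)
        if lookalike is not None and dist <= max_edits:
            flagged.append((name, lookalike, dist))
    return flagged

SAMPLE_REQUIREMENTS = [   # constructed input, not a real project's file
    "requests==2.31.0",
    "reqeusts>=1.0",         # two letters swapped
    "numpyy",                # one extra letter
    "PyYAML>=6.0",
    "colorama",              # not allow-listed, but nothing close to it either
]
```

A non-empty result from audit_requirements is the condition to fail the CI job on; a name that is genuinely new gets added to the allow-list after review, not waved through.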

If You're Already Infected: Immediate Response Steps

The FBI's official guidance (CISA Advisory AA25-141B regarding LummaC2) recommends treating a confirmed infostealer infection as a complete credential compromise. Assume every saved password and session cookie on that device is in attacker hands.

  1. Disconnect from the internet immediately — this stops active data exfiltration if the malware is still running
  2. Boot from external media and run an offline scan — a bootable USB with a security tool can detect threats that hide from active scans
  3. Change ALL passwords from a clean, separate device — not from the potentially infected machine, as keyloggers may capture your new passwords
  4. Revoke all active sessions on every critical account — most platforms have a "sign out of all devices" option in security settings
  5. Invalidate your TOTP seed if it was accessible — if your authenticator app was on the infected device, generate new MFA codes
  6. Notify your bank and card issuers if any financial credentials were stored in the browser
  7. Check for new OAuth app authorizations in your Google and Microsoft accounts — attackers sometimes authorize malicious apps for persistent access that survives password resets


The Bottom Line

Infostealer malware represents a shift in how credential theft works: attackers no longer need to hack you. They need you to run their software once — even accidentally — and everything your browser knows about you is theirs within minutes.

From 11+ years of managing production systems that handle real financial data — point-of-sale transactions, hotel bookings, pawnshop loan records — I've seen what credential compromise looks like in practice. The protection steps above aren't theoretical: they're the actual controls I apply across our own development and client infrastructure.

The minimum baseline for 2026: move your passwords out of your browser and into a proper password manager, get a hardware security key for your most critical accounts, and treat any software from an unverified source as a direct threat. These three changes alone would have prevented the vast majority of infostealer infections I've seen cause real damage.

About the author: Fanny Engriana is a software developer and IT consultant with 11+ years of experience building and securing web, mobile, and enterprise systems at Warung Digital Teknologi (wardigi.com), serving 30+ clients across industries including hospitality, retail, and financial services.
