
Infostealer Malware Detected Risk

Indicates that credentials linked to a monitored domain were found in known infostealer malware data leaks.

The Infostealer Malware Detected risk identifies when UpGuard has observed one or more email addresses belonging to a monitored primary domain in known infostealer malware data leaks.

Infostealer malware is malicious software installed on a computer - often through phishing, malicious downloads, or fake software updates - that steals data and credentials stored on the machine. This can include saved usernames and passwords for any type of service, such as public SaaS platforms (like Gmail, Microsoft 365, or Slack) as well as internal company systems (VPNs, intranets, file shares, or admin portals).

For example, if the primary domain is configured as example.com and our systems detect credentials for john@example.com in a known infostealer dataset, this risk will be raised.

UpGuard also surfaces the IP address reported for the infected machine. Depending on how the infostealer malware reported its data back to its command-and-control (C2) server, this may be the machine's public IP or an internal (private) address.

Why This Matters

Infostealer malware is designed to extract valuable data from infected systems - typically user endpoints or servers. Once installed, it searches for and collects information from common credential stores and system configurations, including:

  • Saved usernames and passwords from browsers (Chrome, Firefox, Edge) and password managers
  • Cookies from browsers
  • Websites or services where credentials are used
  • IP address and network information
  • Device locale, keyboard language, and display resolution
  • Hardware specifications (CPU, GPU, RAM, disk)
  • Installed applications and OS metadata

This data is then sent back to a command-and-control (C2) server controlled by the attacker. In many modern campaigns, these C2 servers are hosted on platforms such as Telegram, Discord, or private hosting providers that can be easily abused.

The lifecycle of these infections often follows a consistent pattern:

  1. Infection: Malware is delivered through phishing attachments, fake software downloads, or malicious ads.
  2. Harvesting: Credentials and device data are extracted and uploaded to the C2.
  3. Monetization: The infostealer logs (data dumps) are sold or shared on underground markets or Telegram channels.
  4. Exploitation: Threat actors or Initial Access Brokers (IABs) purchase these logs to gain a foothold inside organizations - using the stolen credentials to access systems, escalate privileges, and prepare for data theft or ransomware deployment.

Because the stolen data is circulated and resold repeatedly, one infection can lead to multiple waves of compromise - sometimes weeks or months after the initial breach. This is a common entry point for ransomware groups and credential-based intrusions.

How UpGuard Detects It

UpGuard continuously crawls underground forums, C2 repositories, and infostealer log dumps for newly leaked credentials and associated metadata.

When our systems identify infostealer log entries tied to your primary domain, we raise a Critical severity risk titled Infostealer Malware Detected that impacts your score for 3 months. This choice reflects the danger infostealer malware represents to organisations and how often it is the entry point for large data breaches, ransomware operations, and unauthorized network access.

In the Actual field of the risk we include the IP address reported by the malware, which could be an internal or external IP address of the infected machine. We don't include any additional PII that is part of the log, such as the email address, password, or other metadata. This information can be obtained by contacting our support team, either in the platform or via support@upguard.com.


Recommended Remediation Steps

  1. Identify and isolate the infected endpoint. Start from the IP address shown in the Actual field of the risk, bearing in mind that it may be a public or an internal address depending on how the malware reported it.
  2. Request the affected account details from UpGuard Support. The platform does not display personally identifiable information (such as email addresses or passwords), but our support team can securely provide this data to verified contacts. Contact support@upguard.com or open a support conversation directly from within the UpGuard platform.
  3. Reset credentials associated with the affected accounts, both locally and anywhere the same password was reused.
  4. Invalidate all active sessions on the impacted accounts. Infostealers also steal browser cookies and session tokens, which work without the password, so a reset alone does not lock out an attacker who already holds a valid session.
  5. Run comprehensive malware scans on any suspected machines using your antivirus or EDR tool.
  6. If the infection originated from a personal device, educate the user about the risks of storing corporate credentials in browsers, using personal systems for work access, and downloading unverified software.
  7. Enable multi-factor authentication (MFA) and enforce strong password policies to mitigate future credential theft.
  8. Review access logs across key systems (email, VPN, cloud, AD) for any signs of unauthorized access or lateral movement, paying particular attention to sign-ins from the reported IP address and from locations not previously seen for the affected users.
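The access-log review in the last step is where most of the analyst time goes, so here is an added example (not UpGuard's own code) of the triage logic over a constructed sign-in export. Given the affected accounts, the IP reported by the malware and the time UpGuard observed the leak, it flags sign-ins in a window starting a few days before the observation that come from the reported IP, from a source the user had never signed in from before, or that succeeded without MFA (a stolen cookie or session token sidesteps the password, so those need manual review). The CSV column layout, SIGNIN_LOG contents and the lookback_days threshold are assumptions for this example; adapt load_events to your IdP or VPN export.

```python
"""Added example, not UpGuard's code: review constructed sign-in logs for the
accounts named in an infostealer finding. The CSV shape and the thresholds are
assumptions for this example; adapt the loader to your IdP/VPN export."""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed sign-in export (assumed column layout).
SIGNIN_LOG = """\
timestamp,user,source_ip,result,mfa,system
2024-04-28T09:00:00Z,jane@example.com,198.51.100.22,success,true,vpn
2024-05-01T08:02:00Z,john@example.com,198.51.100.10,success,true,vpn
2024-05-02T08:05:00Z,john@example.com,198.51.100.10,success,true,m365
2024-05-09T23:41:00Z,john@example.com,203.0.113.45,success,false,m365
2024-05-10T03:12:00Z,john@example.com,192.0.2.77,success,false,m365
2024-05-10T03:15:00Z,john@example.com,192.0.2.77,failure,false,vpn
2024-05-10T09:00:00Z,jane@example.com,198.51.100.22,success,true,vpn
"""


@dataclass
class SignIn:
    ts: datetime
    user: str
    source_ip: str
    result: str
    mfa: bool
    system: str
    reasons: list[str] = field(default_factory=list)


def _parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_events(text: str) -> list[SignIn]:
    rows = csv.DictReader(io.StringIO(text))
    events = [
        SignIn(_parse_ts(r["timestamp"]), r["user"].lower(), r["source_ip"],
               r["result"].lower(), r["mfa"].lower() == "true", r["system"])
        for r in rows
    ]
    return sorted(events, key=lambda e: e.ts)


def review_signins(text: str, accounts: list[str], infected_ip: str,
                   observed_at: str | datetime, lookback_days: int = 3) -> list[SignIn]:
    """Flag sign-ins for the affected accounts in the window that starts
    lookback_days before the leak was observed (the infection predates it).

    Reasons attached to each flagged event:
      infected_ip  - source is the IP the malware reported (the victim machine
                     itself, or an attacker operating through it)
      new_ip       - source never seen for this user before the window
      no_mfa       - successful sign-in without MFA; stolen cookies or session
                     tokens sidestep the password, so these need manual review
    """
    if isinstance(observed_at, str):
        observed_at = _parse_ts(observed_at)
    wanted = {a.lower() for a in accounts}
    window_start = observed_at - timedelta(days=lookback_days)
    events = [e for e in load_events(text) if e.user in wanted]

    # Baseline: source IPs with successful sign-ins before the window.
    baseline: dict[str, set[str]] = {}
    for e in events:
        if e.ts < window_start and e.result == "success":
            baseline.setdefault(e.user, set()).add(e.source_ip)

    flagged: list[SignIn] = []
    for e in events:
        if e.ts < window_start:
            continue
        if e.source_ip == infected_ip:
            e.reasons.append("infected_ip")
        if e.source_ip not in baseline.get(e.user, set()):
            e.reasons.append("new_ip")
        if e.result == "success" and not e.mfa:
            e.reasons.append("no_mfa")
        if e.reasons:
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    hits = review_signins(SIGNIN_LOG, ["john@example.com"],
                          "203.0.113.45", "2024-05-10T00:00:00Z")
    for e in hits:
        print(e.ts.isoformat(), e.system, e.source_ip, e.result, e.reasons)
```

Failed attempts from a new source are kept on purpose: a failure right after the password reset from the same unfamiliar IP is the attacker confirming that the stolen credential no longer works, which is exactly the kind of activity the reset was meant to surface.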