Infostealer Malware Detected Risk
Indicates that credentials linked to a monitored domain were found in known infostealer malware data leaks.
The Infostealer Malware Detected risk is raised when UpGuard has observed one or more email addresses belonging to a monitored primary domain in known infostealer malware data leaks.
Infostealer malware is malicious software installed on a computer - often through phishing, malicious downloads, or fake software updates - that steals data and credentials stored on the machine. This can include saved usernames and passwords for any type of service, such as public SaaS platforms (like Gmail, Microsoft 365, or Slack) as well as internal company systems (VPNs, intranets, file shares, or admin portals).
For example, if the primary domain is configured as example.com and our systems detect credentials for john@example.com in a known infostealer dataset, this risk will be raised.
UpGuard also surfaces the IP address of the infected machine. This is normally its public (external) IP, but exactly what is recorded depends on how the infostealer malware reported its data back to its command-and-control (C2) server.
Why This Matters
Infostealer malware is designed to extract valuable data from infected systems - typically user endpoints or servers. Once installed, it searches for and collects information from common credential stores and system configurations, including:
- Saved usernames and passwords from browsers (Chrome, Firefox, Edge) and password managers
- Cookies from browsers
- Websites or services where credentials are used
- IP address and network information
- Device locale, keyboard language, and display resolution
- Hardware specifications (CPU, GPU, RAM, disk)
- Installed applications and OS metadata
This data is then sent back to a command-and-control (C2) server controlled by the attacker. In many modern campaigns, these C2 servers are hosted on platforms such as Telegram, Discord, or private hosting providers that can be easily abused.
The lifecycle of these infections often follows a consistent pattern:
- Infection: Malware is delivered through phishing attachments, fake software downloads, or malicious ads.
- Harvesting: Credentials and device data are extracted and uploaded to the C2.
- Monetization: The infostealer logs (data dumps) are sold or shared on underground markets or Telegram channels.
- Exploitation: Threat actors or Initial Access Brokers (IABs) purchase these logs to gain a foothold inside organizations - using the stolen credentials to access systems, escalate privileges, and prepare for data theft or ransomware deployment.
Because the stolen data is circulated and resold repeatedly, one infection can lead to multiple waves of compromise, sometimes weeks or months after the initial infection. This is a common entry point for ransomware groups and credential-based intrusions.
How UpGuard Detects It
UpGuard continuously crawls underground forums, C2 repositories, and infostealer log dumps for newly leaked credentials and associated metadata.
When our systems identify infostealer log entries tied to your primary domain, we raise a Critical severity risk titled Infostealer Malware Detected that impacts score for 3 months. This severity reflects the danger infostealer malware represents to organisations: it is often the entry point for large data breaches, ransomware operations, and unauthorized network access.
In the Actual field of the risk we include the following information:
- Redacted email of the infected user - the "username" portion of the leaked credential.
- Redacted web address of credentials - where the leaked credentials would be used.
- External IP address of the machine with the infostealer malware infection
- Date of infection as reported by the malware
For example: jo*****th@example.com had their credentials leaked by Infostealer Malware for the website ba****hr.com with the machine address 203.0.113.0 on date 02 Jan 06 15:04 MST
If multiple records are exposed, the Actual value will contain multiple entries separated by commas. A separate risk is not raised for each record.
Recommended Remediation Steps
- Use the value in the Actual field to determine the user, the IP address of the machine, and where the credential was used.
- Reset credentials associated with affected accounts, both locally and for any reused passwords.
- Invalidate sessions on the impacted account so that any stolen cookies or session tokens, and any sessions the attacker has already established, are locked out.
- Run comprehensive malware scans on any suspected machines using your antivirus or EDR tool.
- If the infection originated from a personal device, educate the user about the risks of storing corporate credentials in browsers, using personal systems for work access, and downloading unverified software. Personal devices and work-from-home setups often have poor visibility from an attack surface point of view; an infostealer infection in these scenarios still represents a large risk because sensitive information has been stolen all the same.
- Enable multi-factor authentication (MFA) and enforce strong password policies to mitigate future credential theft.
- Review access logs across key systems (email, VPN, cloud, AD) for any signs of unauthorized access or lateral movement.
- If you are a Breach Risk customer, create a Risk Waiver to explain the remediation steps taken. If you are responding to a remediation request in Vendor Risk, respond with the investigation and remediation steps taken.
- The Risk Resolves field in the risk communicates the date when this risk will clear. This date assumes no new infostealer malware infections are found within the period; if new infections are found, the date is extended by an additional 3 months.
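The following is an added example, not UpGuard code, showing how the Actual field described above can be parsed into one record per infected user and then used for the access-log review step. It assumes the Actual value follows the sentence template shown in the example on this page, with multiple records joined by commas; the field names, the redacted-address matcher and the authentication log lines are all constructed for illustration. Because the reported infection time carries only a timezone abbreviation (which is ambiguous), the post-infection check applies a one-day slack rather than trusting the abbreviation.

```python
"""Triage helper for an Infostealer Malware Detected risk (added example, not UpGuard code)."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Template taken from the page's example Actual value; group names are assumptions.
RECORD_RE = re.compile(
    r"(?P<user>\S+@\S+?) had their credentials leaked by Infostealer Malware "
    r"for the website (?P<site>\S+) with the machine address (?P<ip>[0-9a-fA-F.:]+) "
    r"on date (?P<date>\d{2} \w{3} \d{2} \d{2}:\d{2}) (?P<tz>\w+)"
)

# Constructed sample Actual value with two records (second record invented).
SAMPLE_ACTUAL = (
    "jo*****th@example.com had their credentials leaked by Infostealer Malware "
    "for the website ba****hr.com with the machine address 203.0.113.0 "
    "on date 02 Jan 06 15:04 MST, "
    "pa**el@example.com had their credentials leaked by Infostealer Malware "
    "for the website cr**app.io with the machine address 198.51.100.20 "
    "on date 05 Jan 06 09:12 MST"
)


@dataclass(frozen=True)
class InfostealerRecord:
    user: str               # redacted email as shown in the risk
    site: str               # redacted web address where the credential is used
    ip: str                 # external IP of the infected machine
    infected_at: datetime   # naive; the tz abbreviation is kept separately
    tz: str


def parse_actual(actual: str) -> list[InfostealerRecord]:
    """Split the Actual value into one record per entry.

    A regex is used instead of actual.split(",") so a comma inside a
    field cannot break a record apart.
    """
    records = []
    for m in RECORD_RE.finditer(actual):
        records.append(InfostealerRecord(
            user=m["user"], site=m["site"], ip=m["ip"],
            infected_at=datetime.strptime(m["date"], "%d %b %y %H:%M"),
            tz=m["tz"],
        ))
    return records


def matches_redacted(redacted: str, full: str) -> bool:
    """True if a full address is consistent with a redacted one.

    Only the visible prefix, visible suffix and domain are compared; the
    number of asterisks is not assumed to equal the hidden length.
    """
    r_local, _, r_domain = redacted.partition("@")
    f_local, _, f_domain = full.partition("@")
    if r_domain.lower() != f_domain.lower():
        return False
    if "*" not in r_local:
        return r_local.lower() == f_local.lower()
    prefix, _, suffix = r_local.partition("*")
    suffix = suffix.lstrip("*")
    return (f_local.startswith(prefix) and f_local.endswith(suffix)
            and len(f_local) >= len(prefix) + len(suffix))


# Constructed sample VPN/SSO authentication log (not real data).
SAMPLE_AUTH_LOG = """\
2006-01-01T08:00:00Z vpn login user=jo.smith@example.com src=198.51.100.7 result=success
2006-01-02T16:10:00Z vpn login user=jo.smith@example.com src=203.0.113.0 result=success
2006-01-03T09:00:00Z sso login user=alice@example.com src=203.0.113.0 result=success
2006-01-03T10:30:00Z vpn login user=jo.smith@example.com src=198.51.100.7 result=success
2006-01-06T11:00:00Z sso login user=pa.patel@example.com src=198.51.100.20 result=success
"""
LOG_RE = re.compile(r"(?P<ts>\S+) (?P<system>\S+) login user=(?P<user>\S+) "
                    r"src=(?P<src>\S+) result=(?P<result>\S+)")
TZ_SLACK = timedelta(days=1)  # absorbs the unknown offset behind the tz abbreviation


def suspicious_logins(records: list[InfostealerRecord], log_text: str) -> list[tuple[str, str]]:
    """Return (log line, reason) pairs worth a closer look.

    Flags any login from an infected machine's IP (whatever the account, since
    the machine may hold other users' cookies) and any login by an affected
    user at or after the reported infection time, less the slack.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        for rec in records:
            if m["src"] == rec.ip:
                hits.append((line, f"login from infected host {rec.ip}"))
            elif matches_redacted(rec.user, m["user"]) and ts >= rec.infected_at - TZ_SLACK:
                hits.append((line, f"post-infection login by {rec.user}"))
    return hits


if __name__ == "__main__":
    for line, reason in suspicious_logins(parse_actual(SAMPLE_ACTUAL), SAMPLE_AUTH_LOG):
        print(f"{reason}: {line}")
```

The infected-host check deliberately ignores the account name: once a machine is compromised, every session and cookie on it is suspect, not only the credential the risk happens to name.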