Infostealers: the malware that steals all your passwords
Infostealers are the most common malware stealing passwords, cookies and wallets. How they infect, why they bypass MFA and how to protect yourself.
Behind most of the big breaches of recent years — from corporate network takeovers to crypto thefts — stands a quiet, unremarkable culprit: the infostealer. It’s a family of malware whose sole job is to steal, in seconds, everything valuable from an infected computer: saved passwords, session cookies, card data, crypto wallets and tokens. The collected data (“logs”) then flows to criminal marketplaces where other attackers buy it. Understanding how a stealer works is one of the most important defensive skills today — because this attack hits both individuals and companies.
What exactly an infostealer steals
Unlike ransomware, which shouts about a ransom, an infostealer works quietly. Once run, it collects in seconds:
- passwords saved in the browser (Chrome, Edge, Firefox) — those “remember password” entries are easy pickings,
- session cookies — the key to bypassing login: with a valid cookie, an attacker enters an account with no password and no MFA,
- card and autofill form data,
- crypto wallets and keys,
- tokens for messengers, email — and on developers’ machines, API keys and cloud access.
The result is a ready-made “access pack” to your digital life, stolen with a single run of a program.
Why infostealers bypass MFA
This is the most important and most misunderstood point. Many people think MFA protects against everything. But when you log in, the service saves a session cookie in the browser — proof that authentication already happened, so you don’t have to log in on every click. That cookie is a bearer token: whoever presents it is treated as the authenticated user, and the service has no way to tell a copied cookie from the original. The infostealer steals exactly that cookie. The attacker loads it into their own browser and is logged in as you — login and MFA are skipped, because from the service’s point of view your session simply continues. It’s the same mechanic we described in our article on the OAuth token leak: something that works after login isn’t protected by the login itself.
How infections happen
Stealers spread mainly through social engineering and “free” software:
- Pirated programs and cracks, games, “free” tools — the favourite vector; the victim runs the infection themselves, hoping for free software.
- Fake search ads (malvertising) — impersonate popular apps (browsers, tools), with the link leading to an infected installer.
- Fake “updates” and CAPTCHAs — increasingly the victim is instructed to paste a command into the system console (so-called ClickFix), running the stealer themselves.
- Attachments and links in phishing.
The common denominator: an infostealer almost always requires you to run something yourself. That’s good news — because it leaves real room for defence.
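Because the victim launches the stealer themselves, the most reliable place to catch a ClickFix-style infection is process-creation telemetry: a script interpreter started from the Run dialog (parent explorer.exe) with a hidden window, an encoded command or a URL on its command line. The following Python is an added example written for this article, not code from any vendor or EDR product; the event records and the indicator weights are constructed for illustration and a real deployment would tune them against its own baseline.

```python
import re
from dataclasses import dataclass, field

# Interpreters that ClickFix-style lures tell the victim to launch by hand.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# (label, pattern, weight): each indicator found on the command line adds its weight.
# Weights are constructed for this example, not taken from any published rule set.
INDICATORS = [
    ("hidden-window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 2),
    ("encoded-command", re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I), 2),
    ("url-in-cmdline", re.compile(r"https?://", re.I), 2),
    ("policy-bypass", re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I), 1),
]
ALERT_THRESHOLD = 3  # an interpreter from explorer.exe plus one strong indicator is enough


@dataclass
class ProcessEvent:
    parent: str   # image name of the parent process
    image: str    # image name of the new process
    cmdline: str  # full command line as logged


@dataclass
class Finding:
    event: ProcessEvent
    score: int
    reasons: list = field(default_factory=list)


def score_event(ev: ProcessEvent) -> Finding:
    """Score one process-creation event; reasons explain the score to an analyst."""
    score, reasons = 0, []
    if ev.image.lower() in INTERPRETERS and ev.parent.lower() == "explorer.exe":
        score += 1
        reasons.append("interpreter-from-explorer")
    for label, pattern, weight in INDICATORS:
        if pattern.search(ev.cmdline):
            score += weight
            reasons.append(label)
    return Finding(ev, score, reasons)


def detect_clickfix(events) -> list:
    """Return only the findings that cross the alert threshold."""
    return [f for f in (score_event(e) for e in events) if f.score >= ALERT_THRESHOLD]


# Constructed sample events (not real telemetry). Hosts use the reserved .invalid TLD
# and the encoded payload is a placeholder, so nothing here is executable.
SAMPLE_EVENTS = [
    ProcessEvent("explorer.exe", "powershell.exe",
                 "powershell.exe -w hidden -ep bypass -enc " + "Q" * 40),
    ProcessEvent("explorer.exe", "mshta.exe", "mshta.exe https://verify-captcha.invalid/step2"),
    ProcessEvent("explorer.exe", "notepad.exe", "notepad.exe C:\\Users\\jan\\notes.txt"),
    ProcessEvent("services.exe", "powershell.exe", "powershell.exe -File C:\\scripts\\backup.ps1"),
    ProcessEvent("explorer.exe", "powershell.exe", "powershell.exe"),  # admin opening a console
    ProcessEvent("explorer.exe", "chrome.exe", "chrome.exe https://mail.example.invalid"),
]

if __name__ == "__main__":
    for finding in detect_clickfix(SAMPLE_EVENTS):
        print(finding.score, finding.event.image, ", ".join(finding.reasons))
```

Only the first two events cross the threshold: the scheduled backup script runs under services.exe, an administrator opening a bare PowerShell window scores just 1, and a browser opening a URL is not an interpreter at all. That scoring is the point: "explorer.exe spawned powershell.exe" alone is too noisy to alert on, while the combination with a hidden window or a URL is exactly what a pasted "fix" looks like.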
How to protect yourself
Don’t install software from untrusted sources. Cracks, “free” versions of paid programs and tools from random sites are the most common stealer vector. Download only from official sources.
Beware of search ads. When looking for a program, don’t click the first ad — go to the vendor’s official domain, typed by hand.
Never paste commands you don’t understand. If a page or “CAPTCHA” tells you to open a console and paste something — it’s an attack. No legitimate service requires this.
Don’t keep passwords in the browser. Use a dedicated password manager with a separate master password — it’s far harder to steal than passwords saved in the browser profile.
Enable proper EDR/antivirus and keep your OS and browser updated. In a company this matters especially; we covered the difference between EDR and antivirus in a separate article.
After an infection: assume everything was stolen. Change passwords (from a clean device) and sign out all sessions to invalidate the stolen cookies — otherwise the attacker keeps going despite the password change.
The infostealer as a corporate problem
For organisations stealers are especially dangerous, because one infected employee laptop can hand the attacker access to company email, VPN and cloud — and from there it’s a short step to ransomware. Stolen corporate credentials end up on marketplaces where groups seeking network entry buy them. So it’s worth: enforcing phishing-resistant MFA, shortening session lifetimes for sensitive systems, monitoring logins and training the team to recognise malvertising and “ClickFix”.
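"Sign out all sessions" (the advice after an infection, above) and "shorten session lifetimes" (the corporate advice here) both come down to the same thing on the server: the stolen cookie must stop working, because nothing in the cookie itself distinguishes the attacker's copy from the victim's. The Python below is an added example for this article, not any framework's session implementation; the timeouts, the user name and the clock are constructed so it can run offline. It keeps a per-user generation counter, so "sign out everywhere" bumps the counter once instead of searching for every copy of the cookie.

```python
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60        # constructed: seconds of inactivity before a session dies
ABSOLUTE_LIFETIME = 8 * 3600  # constructed: hard cap, re-authenticate after this regardless


@dataclass
class Session:
    user: str
    generation: int   # generation of the user's sessions when this one was created
    created: float
    last_seen: float


class SessionStore:
    """Server-side session table; the cookie value is only an opaque lookup key."""

    def __init__(self, clock=time.time):
        self.clock = clock        # injectable so the example can move time forward
        self.sessions = {}        # cookie value -> Session
        self.generation = {}      # user -> current generation (bumped on sign-out-everywhere)

    def login(self, user: str) -> str:
        """Called only after password + MFA succeed; returns the cookie value to set."""
        token = secrets.token_urlsafe(32)
        now = self.clock()
        self.sessions[token] = Session(user, self.generation.get(user, 0), now, now)
        return token

    def resolve(self, token: str):
        """Map a presented cookie to its user, or None if the session is no longer valid."""
        s = self.sessions.get(token)
        if s is None:
            return None
        now = self.clock()
        expired = now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_LIFETIME
        revoked = s.generation != self.generation.get(s.user, 0)
        if expired or revoked:
            del self.sessions[token]
            return None
        s.last_seen = now
        return s.user

    def sign_out_everywhere(self, user: str) -> None:
        """Invalidate every session of the user, including copies the user never sees."""
        self.generation[user] = self.generation.get(user, 0) + 1


def demo() -> dict:
    """Walk through theft, invalidation and idle expiry with a controllable clock."""
    clock = [1_700_000_000.0]
    store = SessionStore(clock=lambda: clock[0])
    results = {}

    cookie = store.login("jan")          # victim logs in with password + MFA
    stolen = cookie                      # a stealer copies the cookie file: same value
    results["stolen_cookie_works"] = store.resolve(stolen) == "jan"   # no login, no MFA

    # Changing the password alone does not touch this table; revocation must be explicit.
    store.sign_out_everywhere("jan")
    results["after_signout"] = store.resolve(stolen)                 # None

    fresh = store.login("jan")           # user logs back in from a clean device
    results["relogin_works"] = store.resolve(fresh) == "jan"

    clock[0] += IDLE_TIMEOUT + 1         # short lifetimes shrink the window for a later theft
    results["after_idle"] = store.resolve(fresh)                     # None
    return results


if __name__ == "__main__":
    print(demo())
```

Two things to take from this: the password-change handler on a real service must call the equivalent of `sign_out_everywhere`, or the stolen session outlives the new password exactly as described above; and the idle and absolute timeouts are the knobs that "shorter session lifetimes for sensitive systems" refers to. Short lifetimes do not stop a stealer, they only limit how long a captured cookie is worth anything.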
Frequently asked questions (FAQ)
If I have MFA, why worry about a stealer? Because a stealer steals session cookies, which bypass MFA. MFA protects the login moment — an attacker with a stolen cookie doesn’t need to log in, because they’re “already logged in”. So beyond MFA, what counts is software-installation hygiene, a password manager and fast session invalidation after an incident.
How do I check whether my computer is infected? Stealers run discreetly, so symptoms are often invisible. Run a scan with proper EDR/antivirus tooling, check for unknown processes and browser extensions. If your data shows up in leaks or you see logins you didn’t make — treat it as an infection and change passwords from a clean device.
Do stealers attack phones too? The main target is computers (richer in passwords and cookies), but mobile data-stealing malware exists, especially outside official stores. The rule is the same: install only from official sources, which we cover in our smartphone security article.
My passwords were stolen. Where do I start? From a clean device: change your email password (the key to the rest), enable resistant MFA, sign out all sessions in key services, review mail-forwarding rules and added login methods. Only then deal with the rest of your accounts.
We run a company — how do we reduce stealer risk? Control over installed software, EDR on endpoints, resistant MFA, short sessions and login monitoring are the basics. In a security audit we check these areas and show where one infected laptop could open the whole network. Let’s talk.
Summary
An infostealer is a quiet thief that, with a single run, steals passwords, cookies and wallets — and by stealing sessions, bypasses even MFA. But the defence is largely in your hands: don’t run software from untrusted sources, don’t paste mysterious commands, move passwords to a manager, use EDR and invalidate sessions after any suspicion. It’s cheap hygiene that closes today’s most common route to account takeover.
Sources and further reading: CISA, Have I Been Pwned.