🔴 HIGH | analysis

Infostealers fuel identity attacks and ransomware chains

Infostealers now sit at the front of many modern attack chains, quietly harvesting credentials and browser data that fuel business email compromise, extortion and ransomware operations. Recent Sophos X-Ops research shows that compact infostealer malware executes quickly, exfiltrates usernames, passwords, financial details and cookies, then often self-deletes to evade detection, aligning with T1555 (Credentials from Password Stores) and T1041 (Exfiltration Over C2 Channel). Access to stealer C2 logs is sold as a subscription service starting around $50 per month, lowering the barrier to entry and enabling a criminal supply chain where initial access brokers validate and resell compromised identities to ransomware affiliates and BEC operators.

The Snowflake supply chain incident illustrates the long tail of infostealer infections: threat actors extorted hundreds of organizations using login credentials that in some cases had been stolen years earlier, with victims unaware their identities were circulating on underground markets. Stolen credentials packaged as "logs" are traded to initial access brokers who test, curate and resell them for targeted intrusions, bypassing traditional phishing filters and vulnerability scanning. Where multi-factor authentication is weakly enforced, session cookies and tokens can allow direct access to SaaS platforms and VPNs, turning a single stealer infection into widespread compromise mapped to T1078 (Valid Accounts) and T1133 (External Remote Services).

Business impact extends far beyond forced password resets: identity-centric attacks facilitated by infostealers can lead to prolonged downtime, data breaches, fraudulent payments and compliance exposure. Sophos’ State of Ransomware reporting notes that compromised credentials are now the second most common root cause of ransomware incidents, reflecting how identity has become the control plane of modern cyber operations.
For organizations handling personal or financial data, reused or long-lived credentials stolen by infostealers can trigger GDPR or PCI-DSS breach obligations even if the initial malware infection occurred years earlier on unmanaged endpoints. Sophos highlights identity threat detection and response (ITDR) as a necessary complement to endpoint and network controls, combining continuous monitoring for risky configurations with dark web intelligence to surface compromised accounts before they are weaponized. Organizations should enforce strong MFA everywhere, ruthlessly eliminate credential reuse across services and reduce standing privileges in favor of just-in-time access. Security teams should deploy ITDR or equivalent capabilities to detect suspicious logins and lateral movement using valid accounts, integrate stealer log intelligence with SIEM and prioritize hunting for infostealer artifacts on endpoints that access critical applications.

🎯CORTEX Protocol Intelligence Assessment

Business Impact: Infostealers convert isolated endpoint infections into scalable identity-based attacks that enable BEC, fraud and ransomware across small and midsize organizations. The long lifespan of stolen credentials and sessions means a single unnoticed compromise can result in extortion, service disruption and regulatory exposure months or years later, especially where identity and access management are weak.

Technical Context: Modern infostealers are lightweight, fast-executing payloads that harvest browser and application credentials, cookies and financial data, then exfiltrate them to C2 infrastructure for resale. This aligns with T1555, T1078 and T1041, and supports a mature criminal ecosystem where access brokers and ransomware affiliates specialize in different stages of credential-driven compromise, making identity-centric detection and response essential.

Strategic Intelligence Guidance

  • Audit MFA coverage and enforce strong, phishing-resistant MFA across VPN, email, privileged admin portals and critical SaaS applications to reduce the value of stolen passwords and cookies.
  • Deploy identity threat detection and response capabilities that correlate login behavior, dark web stealer logs and risky configurations to flag compromised accounts before they are abused.
  • Harden browser and password store usage by limiting built-in password managers on high-risk systems, encouraging dedicated vaults and monitoring for stealer families in EDR telemetry.
  • Establish strict credential hygiene policies that prohibit password reuse, enforce rotation of high-value credentials and remove unnecessary standing privileges from user and service accounts.
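The "integrate stealer log intelligence with SIEM" and "detect suspicious logins using valid accounts" guidance above, as an added example that is not part of the original brief or the Sophos research: a small correlation routine that joins a constructed stealer-log intelligence feed against SIEM authentication events, flags successful logins by exposed identities, and scores them by MFA state and by whether session cookies were also stolen (since stolen cookies can sidestep MFA). The feed schema, the event schema and every sample value are assumptions.

```python
"""Correlate stealer-log exposure intel with SIEM auth events (added example)."""
import json
from datetime import datetime

# Constructed stealer-log intel records; the field names are a hypothetical feed schema.
STEALER_LOG_INTEL = [
    {"account": "alice@example.com", "service": "vpn.example.com", "first_seen": "2022-03-14", "cookies": True},
    {"account": "bob@example.com", "service": "mail.example.com", "first_seen": "2024-11-02", "cookies": False},
]

# Constructed SIEM authentication events as JSON lines (hypothetical schema).
AUTH_EVENTS = """\
{"ts":"2025-01-08T09:12:00Z","user":"alice@example.com","app":"vpn.example.com","src_ip":"203.0.113.7","mfa":false,"result":"success"}
{"ts":"2025-01-08T09:15:00Z","user":"carol@example.com","app":"vpn.example.com","src_ip":"198.51.100.4","mfa":true,"result":"success"}
{"ts":"2025-01-08T09:20:00Z","user":"bob@example.com","app":"mail.example.com","src_ip":"192.0.2.9","mfa":true,"result":"success"}
{"ts":"2025-01-08T09:21:00Z","user":"alice@example.com","app":"vpn.example.com","src_ip":"203.0.113.7","mfa":false,"result":"failure"}
"""

def build_index(intel):
    """Map (account, service) -> intel record for constant-time lookup during correlation."""
    return {(r["account"].lower(), r["service"].lower()): r for r in intel}

def assess_event(event, index):
    """Return a finding for a successful login by an exposed identity, or None otherwise."""
    if event.get("result") != "success":
        return None
    rec = index.get((event["user"].lower(), event["app"].lower()))
    if rec is None:
        return None
    first_seen = datetime.strptime(rec["first_seen"], "%Y-%m-%d")
    ts = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    # Exposure age captures the "long tail": old stealer logs still yield working access.
    age_days = (ts - first_seen).days
    # No MFA on an exposed account is critical; stolen cookies can replay a session past MFA,
    # so an MFA-satisfied login on a cookie-exposed account is still rated high.
    if not event.get("mfa"):
        severity = "critical"
    elif rec.get("cookies"):
        severity = "high"
    else:
        severity = "medium"
    return {"user": event["user"], "app": event["app"], "src_ip": event["src_ip"],
            "severity": severity, "exposure_age_days": age_days}

def correlate(auth_jsonl, intel):
    """Run every auth event through the intel index and collect findings in event order."""
    index = build_index(intel)
    findings = []
    for line in auth_jsonl.splitlines():
        if line.strip():
            finding = assess_event(json.loads(line), index)
            if finding:
                findings.append(finding)
    return findings
```

In a real deployment the intel list would be refreshed from the dark-web monitoring feed and the findings routed to the ITDR or SIEM alert queue; forcing a credential rotation and session revocation for each "critical" hit is the natural response action.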

Vendors

Sophos

Threats

  • Infostealer malware
  • Business email compromise
  • Ransomware access brokers

Targets

  • Small and mid-sized businesses
  • Enterprises with remote users
  • Organizations using SaaS and VPN