Re-Infected: The Persistent Threat of Infostealers

Having your data stolen once is bad enough, but for some people, it happens repeatedly.

Infostealer infections are not a new phenomenon in the cybersecurity world. In fact, Hudson Rock has been collecting threat intelligence data from computers infected by Infostealers going back to 2018.

With almost 30,000,000 computers infected in total by July 2024, it comes as no surprise that many of the victims were infected more than once. But why does it matter?

  1. Diverse Data Collection Capabilities: Different Infostealer families possess varied capabilities in terms of the types of data they collect. While some Infostealers focus on harvesting login credentials and financial information, others may collect browser histories, cookies, autofill data, and even screenshots. This diversity means that multiple infections can result in a comprehensive profile of the victim’s online activities and personal information, making it easier for cybercriminals to exploit this data for various malicious purposes, such as targeted phishing attacks, identity theft, and unauthorized account access.
  2. Evolving Threat Landscape: Infostealers are constantly evolving, with new variants and techniques being developed to bypass security measures. Multiple infections indicate that these threats are persistent and sophisticated enough to evade detection repeatedly. This evolution highlights the need for continuous improvement in cybersecurity defenses and awareness among users.
  3. Cycle of Repeated Infections: Without proper training or awareness, individuals and organizations that have been infected by Infostealers are likely to fall victim again. This cycle of repeated infections not only compromises their data security again and again but also points to a systemic issue in cybersecurity practices. Addressing it through education and awareness programs is crucial to breaking the cycle and improving overall cybersecurity resilience.

Real Victim Example

Let’s examine a specific victim who was infected by Redline Infostealer in 2022 and by Lumma Infostealer in 2024:

Comparison between two Infostealer infections of the same victim

One key detail we can work out by comparing the two infections is that the 2024 infection resulted in more credentials being stolen, including corporate credentials to Tesla, which implies the victim became an employee of the company at some point after their first infection.

Although the victim did change some of their passwords to stronger ones after the 2022 infection, we can also see that the majority of the passwords remained the same, making it clear that even two years after an infection, victims often don’t bother changing their credentials.

A password that was changed to a more complex one between the 2022 infection and the 2024 infection

Additionally, there are differences between Infostealer families like Redline and Lumma. For instance, Redline captures a screenshot from the victim’s computer at the time of infection and steals Telegram files, whereas Lumma can steal a Google account restore token, aiding hackers in infiltrating various Google services.

Structural differences between Lumma Infostealer (left) and Redline Infostealer (right) from Hudson Rock’s platform, Cavalier

The Re-Re-Re-Infected: in some instances we discovered victims who were infected 5 separate times, each time with a varying number of credentials stolen, and by different Infostealer families.

A victim who was infected on 5 different occasions.
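The comparison above (which credentials carried over unchanged, which were rotated, which hosts appeared for the first time, and how many times one victim was hit) is the kind of triage a defender runs when several stealer logs map to the same machine or person. The following is an added example and not Hudson Rock's code or Cavalier's data model; the record layout, hostnames, dates and passwords are constructed sample data, and the "reuse rate" metric is an assumption about what is worth measuring. Passwords are compared by hash so that the report never carries plaintext.

```python
"""Triage helper: compare multiple infostealer infection records for one victim.

Added example, not Hudson Rock's code. Record layout, hosts, dates and
credentials below are constructed sample data, not real victim data.
"""
from collections import Counter
from dataclasses import dataclass, field
from datetime import date
from hashlib import sha256


@dataclass(frozen=True)
class Credential:
    host: str       # hostname the credential was saved for
    username: str
    password: str   # plaintext as it appears in the stealer log


@dataclass
class Infection:
    seen: date
    family: str     # e.g. "Redline", "Lumma"
    credentials: list = field(default_factory=list)


def fingerprint(secret: str) -> str:
    """Short hash so reports never carry plaintext passwords."""
    return sha256(secret.encode()).hexdigest()[:12]


def compare_infections(older: Infection, newer: Infection) -> dict:
    """Classify credentials in `newer` relative to `older`.

    unchanged: same host+username with the same password
    rotated:   same host+username, password differs
    new:       host+username not present in the older infection
    """
    old_by_key = {(c.host, c.username): c for c in older.credentials}
    unchanged, rotated, new = [], [], []
    for cred in newer.credentials:
        prev = old_by_key.get((cred.host, cred.username))
        if prev is None:
            new.append(cred)
        elif fingerprint(prev.password) == fingerprint(cred.password):
            unchanged.append(cred)
        else:
            rotated.append(cred)
    # share of carried-over accounts whose password was never changed
    carried = len(unchanged) + len(rotated)
    reuse_rate = len(unchanged) / carried if carried else 0.0
    old_hosts = {c.host for c in older.credentials}
    return {
        "unchanged": unchanged, "rotated": rotated, "new": new,
        "reuse_rate": reuse_rate,
        # hosts never seen in the older log: new services or a new employer
        "new_hosts": sorted({c.host for c in new} - old_hosts),
    }


def reinfection_summary(infections: list) -> dict:
    """Per-victim view across all infections, ordered by date."""
    ordered = sorted(infections, key=lambda i: i.seen)
    span_days = (ordered[-1].seen - ordered[0].seen).days if len(ordered) > 1 else 0
    pairwise = [compare_infections(a, b) for a, b in zip(ordered, ordered[1:])]
    return {
        "infection_count": len(ordered),
        "families": dict(Counter(i.family for i in ordered)),
        "span_days": span_days,
        "reuse_rates": [round(p["reuse_rate"], 2) for p in pairwise],
    }


# Constructed sample data: fictional hosts, usernames and passwords
SAMPLE = [
    Infection(date(2022, 3, 14), "Redline", [
        Credential("mail.example.net", "victim@example.net", "summer2021"),
        Credential("shop.example.com", "victim@example.net", "summer2021"),
        Credential("bank.example.org", "victim", "hunter2"),
    ]),
    Infection(date(2024, 5, 2), "Lumma", [
        Credential("mail.example.net", "victim@example.net", "summer2021"),
        Credential("shop.example.com", "victim@example.net", "summer2021"),
        Credential("bank.example.org", "victim", "Q!x9#mLp2r"),
        Credential("sso.corp.example", "victim@corp.example", "Welcome1"),
    ]),
]

if __name__ == "__main__":
    diff = compare_infections(SAMPLE[0], SAMPLE[1])
    print(f"unchanged={len(diff['unchanged'])} rotated={len(diff['rotated'])} "
          f"new={len(diff['new'])} reuse_rate={diff['reuse_rate']:.2f}")
    print("hosts first seen in the newer log:", diff["new_hosts"])
    print(reinfection_summary(SAMPLE))
```

On the sample data the report shows two of three carried-over accounts still using the 2022 password, one rotated to a stronger one, and one host that did not exist in the earlier log, which is exactly the signal that prompts a credential-reset and new-employer notification workflow rather than a single one-off alert.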

Conclusion

Re-infections by infostealers highlight critical cybersecurity concerns. Different infostealer families collect various types of data, making multiple infections particularly dangerous by providing a comprehensive profile of victims’ online activities, leading to risks like identity theft and unauthorized account access. The evolving nature of infostealers, as seen in the case of Redline in 2022 and Lumma in 2024, shows the persistent and sophisticated tactics used by attackers. This underscores the need for continuous improvement in cybersecurity defenses and proactive threat intelligence.

In conclusion, the persistence and sophistication of infostealers underscore the need for continuous vigilance and proactive measures, making a dedicated infostealer threat intelligence monitoring service essential.

As Infostealers continue to evolve and become more sophisticated, organizations must remain vigilant and adopt robust cybersecurity measures. Infostealers represent a new era in cyber threats, one that requires adaptive strategies and proactive defense mechanisms to protect sensitive information and maintain cybersecurity.

To learn more about how Hudson Rock protects companies from imminent intrusions caused by info-stealer infections of employees, partners, and users, as well as how we enrich existing cybersecurity solutions with our cybercrime intelligence API, please schedule a call with us, here: https://www.hudsonrock.com/schedule-demo

We also provide access to various free cybercrime intelligence tools that you can find here: www.hudsonrock.com/free-tools

Thanks for reading, Rock Hudson Rock!

Follow us on LinkedIn: https://www.linkedin.com/company/hudson-rock

Follow us on Twitter: https://www.twitter.com/RockHudsonRock
