Threat Actors Using $10 Infostealer Malware To Breach Critical US Security

A new class of cyber threats leveraging $10 infostealer malware kits has compromised critical U.S. military, defense contractor, and federal agency systems, exposing vulnerabilities in national security infrastructure.

A computer containing credentials for army.mil being sold for $10 on a cybercrime marketplace (Source – InfoStealers)

According to Hudson Rock’s cybercrime intelligence data, over 30,000 infected devices across defense sectors—including Lockheed Martin, Boeing, and the U.S. Navy—have leaked credentials enabling unauthorized access to classified networks, procurement systems, and military AI development platforms.

Infostealers operate by exploiting human error rather than sophisticated technical exploits.

Security analysts at InfoStealers noted that employees inadvertently download the malware through game mods, pirated software, or phishing attachments, enabling threat actors to harvest:

  • VPN and Citrix credentials for defense contractor networks
  • Active Directory Federation Services (ADFS) single sign-on tokens
  • Session cookies bypassing multi-factor authentication (MFA)
  • Internal development tools like Jira and GitHub repositories

Systemic Compromise of Defense Contractor Infrastructure

A September 2024 infection at Honeywell Aerospace illustrates the operational risks.

Infected employees at Honeywell, containing 56 corporate credentials (Source – InfoStealers)

Malware installed on an engineer’s work device exfiltrated 56 corporate credentials, including:

  1. http://intranet.honeywell.com (internal communications portal)
  2. https://adfs1.honeywell.com/adfs/ls (Microsoft ADFS SSO gateway)
  3. http://globalapps.honeywell.com (global application access hub)

The credentials provided pathways to Honeywell’s R&D databases, supplier networks, and DoD contract management systems.

Hudson Rock’s analysis revealed the engineer’s device also contained unencrypted FTP credentials for missile guidance system documentation and session cookies for Pentagon-approved cloud platforms.

AI analysis developed by Hudson Rock examines all the data retrieved from infected machines (Source – InfoStealers)

Infostealers like LummaC2 and Redline exploit Windows credential managers and browser vulnerabilities to extract plaintext passwords. For example, the malware reads the Winlogon key with a registry query such as:

```powershell
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
```

to harvest auto-login credentials stored there. Stolen MFA session cookies, often valid for 30–90 days, are weaponized through tools like Cookie-Editor to maintain persistent access.
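As an added defender-side example (not from the report and not Hudson Rock's tooling), the following PowerShell audit runs the same Winlogon query and reports whether a plaintext DefaultPassword is present for an infostealer to collect, without echoing the secret; the function name and the -Remediate switch are assumptions of this example.

```powershell
# Added audit for the Winlogon auto-logon misconfiguration described above.
# Returns one finding object per host; writes to HKLM only when -Remediate is set
# (which requires an elevated shell).
function Test-WinlogonAutoLogon {
    [CmdletBinding()]
    param(
        [string]$Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
        [switch]$Remediate
    )

    # Same key the infostealer queries; read it once.
    $wl = Get-ItemProperty -Path $Path -ErrorAction Stop

    $finding = [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        AutoAdminLogon    = [string]$wl.AutoAdminLogon
        DefaultUserName   = [string]$wl.DefaultUserName
        DefaultDomainName = [string]$wl.DefaultDomainName
        # Report only whether a secret is stored, never the value itself.
        PlaintextPassword = -not [string]::IsNullOrEmpty($wl.DefaultPassword)
        Remediated        = $false
    }

    # Finding: auto-logon enabled and/or a plaintext password sitting in the key.
    if ($finding.PlaintextPassword -or $finding.AutoAdminLogon -eq '1') {
        Write-Warning ("{0}: AutoAdminLogon={1}, DefaultPassword stored={2}" -f
            $finding.ComputerName, $finding.AutoAdminLogon, $finding.PlaintextPassword)

        if ($Remediate) {
            # Remove the stored secret and switch auto-logon off.
            if ($finding.PlaintextPassword) {
                Remove-ItemProperty -Path $Path -Name 'DefaultPassword' -Force
            }
            Set-ItemProperty -Path $Path -Name 'AutoAdminLogon' -Value '0' -Type String
            $finding.Remediated = $true
        }
    }

    return $finding
}

# Audit only; add -Remediate from an elevated shell to clean the key.
Test-WinlogonAutoLogon
```

An auto-logon password kept as an LSA secret (as the Sysinternals Autologon tool stores it) does not appear as a registry value, so this check covers the plaintext case only; run it across a fleet with Invoke-Command and triage any host whose PlaintextPassword is True.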

Live cookies for FBI.gov’s website, which were found on an infected computer belonging to an employee of the FBI (Source – InfoStealers)

The U.S. Navy reported 30 compromised personnel with leaked credentials to classified naval logistics systems (OWA), training platforms (USALearning.gov), and McAfee ePolicy Orchestrator consoles.

With threat actors selling military credentials for less than $20 on dark web marketplaces, the operational cost of breaching national security infrastructure has collapsed to alarmingly low thresholds.

Defense contractors now face cascading third-party risks, as 72% of breaches originate from compromised vendors.

While tools like Hudson Rock’s CavalierGPT monitor credential exposures, experts emphasize enforcing endpoint detection, application allowlisting, and mandatory MFA revocation protocols to mitigate the $10 malware epidemic.
