
Infostealers Are Fueling the New Cybercrime Economy

One of the clearest trends emerging from Ontinue’s 2H 2025 Threat Intelligence Report was the growing role of infostealers in modern cyberattacks. What was once viewed as relatively “low-level” malware has evolved into a foundational layer of today’s cybercrime economy, enabling identity-driven attacks at scale.

This shift is directly tied to one of the report’s most important findings: attackers are increasingly logging in instead of breaking in.

Rather than relying on noisy exploits or traditional malware deployment, adversaries are gaining access through stolen credentials, session tokens, browser cookies, and trusted identities. Infostealers are one of the primary mechanisms making that possible.

The Rise of Modern Infostealers

Throughout 2025, Ontinue’s Cyber Defense Center (CDC) observed a growing number of campaigns built around Node.js-based infostealers. These attacks commonly package malicious code inside seemingly legitimate applications, often themed around AI tools, productivity software, or free utilities.

The approach is deceptively simple.

A user downloads what appears to be a harmless application. Behind the scenes, however, the installer deploys a local Node.js runtime and silently executes malicious JavaScript designed to:

  • Harvest browser credentials and session cookies
  • Collect host and system information
  • Establish persistence through registry changes or scheduled tasks
  • Connect to attacker-controlled infrastructure for data exfiltration

Since these attacks leverage legitimate runtimes and trusted frameworks, they often blend into normal endpoint activity. In many cases, the initial software may only be classified as a Potentially Unwanted Application (PUA), delaying escalation and giving attackers valuable time to operate quietly.

Why Attackers Love This Model

Infostealers are effective because they exploit trust.

Node.js is widely used in enterprise and development environments, making it far less suspicious than a custom malicious binary. The malware executes in a familiar runtime, often without requiring administrative privileges, while cloud-hosted infrastructure and newly registered domains help attacker traffic blend in with legitimate SaaS and web activity.

This creates a stealthy and highly scalable attack model.

Instead of focusing on breaking security controls directly, attackers focus on quietly collecting credentials and access artifacts they can monetize later. Those stolen credentials are then sold, reused, or leveraged for follow-on attacks including ransomware, business email compromise, cloud compromise, and data theft.

The result is a rapidly expanding underground marketplace for access.

In fact, Ontinue’s latest Threat Intelligence Report identified a 72% increase in stolen credential listings tied to infostealer activity, reinforcing how central these tools have become to the broader cybercrime ecosystem.

AI-Themed Lures and Trojanized Software

One notable evolution throughout 2025 has been the rise of AI-themed delivery mechanisms.

Attackers understand that users are actively experimenting with AI tooling and developer frameworks, creating an opportunity to disguise malware as legitimate innovation. Recently, we published analysis on a fake Claude Code installer campaign that leveraged this exact tactic to distribute malware through a trojanized development environment.

These campaigns reflect a broader trend where adversaries increasingly weaponize trusted software ecosystems rather than relying solely on traditional phishing attachments or exploit kits.

Why This Matters for Security Teams

The challenge with modern infostealers is not simply malware detection. It is visibility into identity abuse and trusted execution.

Many organizations still focus heavily on identifying obviously malicious binaries or exploit activity. But modern attackers increasingly operate through:

  • Legitimate runtimes
  • Trusted cloud services
  • Valid credentials
  • Normal-looking authentication flows

This blurs the line between legitimate and malicious activity and makes context-driven detection far more important.

Security teams should prioritize:

  • Strong MFA and phishing-resistant authentication
  • Monitoring for unusual identity and session activity
  • Restricting unauthorized software downloads
  • Visibility into browser credential theft and token abuse
  • Threat hunting for persistence mechanisms such as Run keys and scheduled tasks
  • User awareness around AI-themed software and fake installers
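To make the hunting and visibility points above concrete, here is an added example (not Ontinue's code or tooling) that scores constructed endpoint telemetry for the pattern the post describes: a Node.js runtime launched by an installer from a user-writable path, and Run-key or scheduled-task entries that invoke node from such a path. The event shape, paths and names are assumptions for illustration, not indicators from the report.

```python
import re

# Constructed sample telemetry (assumed Sysmon-like fields, not real IoCs):
# two process-creation events and two persistence artifacts.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Program Files\nodejs\node.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "node server.js"},
    {"type": "process",
     "image": r"C:\Users\alice\AppData\Local\Temp\AIHelperSetup\node.exe",
     "parent": r"C:\Users\alice\Downloads\AIHelper-Setup.exe",
     "cmdline": r"node.exe C:\Users\alice\AppData\Roaming\AIHelper\app.js"},
    {"type": "runkey", "name": "AIHelper",
     "value": r"C:\Users\alice\AppData\Roaming\AIHelper\node.exe "
              r"C:\Users\alice\AppData\Roaming\AIHelper\app.js"},
    {"type": "schtask", "name": r"\OfficeSync",
     "action": r"C:\Windows\System32\cmd.exe /c echo sync"},
]

# Paths a standard user can write to: per-user profile folders, ProgramData, Temp.
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\(AppData|Downloads)|ProgramData|Temp)\\", re.I)
# A node / node.exe image or command-line token.
NODE = re.compile(r"(^|\\)node(\.exe)?\b", re.I)
# Parent images that look like a setup/installer executable.
INSTALLER = re.compile(r"(setup|install)[^\\]*\.exe$", re.I)


def score_event(ev):
    """Return a list of finding strings for one event; empty means nothing flagged."""
    findings = []
    if ev["type"] == "process":
        if NODE.search(ev["image"]) and USER_WRITABLE.search(ev["image"]):
            findings.append("node runtime executing from a user-writable path")
        if NODE.search(ev["image"]) and INSTALLER.search(ev["parent"]):
            findings.append("node runtime spawned by an installer")
    elif ev["type"] in ("runkey", "schtask"):
        target = ev.get("value") or ev.get("action", "")
        if NODE.search(target) and USER_WRITABLE.search(target):
            findings.append(f"{ev['type']} persistence invoking node from a user-writable path")
    return findings


def hunt(events):
    """Map each flagged event (by name or image path) to its findings."""
    results = {}
    for ev in events:
        findings = score_event(ev)
        if findings:
            results[ev.get("name") or ev["image"]] = findings
    return results


if __name__ == "__main__":
    for key, findings in hunt(SAMPLE_EVENTS).items():
        print(key, "->", "; ".join(findings))
```

The system-wide node.exe under Program Files and the cmd.exe scheduled task are left unflagged, which is the point: the signal is node executing from, or persisted in, locations a user-level installer can write.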

The Bigger Picture

Infostealers are no longer just opportunistic malware infections. They are fueling an industrialized access economy that supports some of today’s most disruptive cyber threats.

As attackers continue shifting toward identity-driven intrusion models, stolen access has become more valuable than exploitation itself.

That is why modern defense strategies must focus not only on preventing malware execution, but on protecting identities, monitoring trust relationships, and identifying abuse within seemingly legitimate activity.

Read our recently published research: Behind a Fake Claude Code Installer


Article By

Advanced Threat Operations Team

Ontinue - ATO

Ontinue’s Advanced Threat Operations (ATO) team leverages proactive threat identification, analysis, and mitigation to empower our customers with the resilience needed to tackle the constantly evolving threat landscape.


Balazs Greksza

Domenico de Vitto

Rhys Downing

Manupriya Sharma