
One company alone counted nearly 4 million unique devices infected with a specific type of malware. It is a low-noise, short-lived piece of malicious software, yet it can cause significant damage to its victims.
Over 3.9 million unique machines – that's how many devices were infected with infostealer malware that cybersecurity company KELA discovered last year. Infostealers are a type of malware designed to remain hidden and quietly snatch everything they can from infected machines, including browser cookies, login credentials, and local files, among other things.
In fact, the biggest collection of breached credentials that we at Cybernews saw came from infostealers. Our researchers discovered a humongous database of 16 billion exposed login credentials that apparently originated from various infostealers.
KELA’s report looking into the state of cybercrime in 2026 also highlights the infostealer threat. According to the firm’s data lake, there were nearly 4 million unique exposed machines last year, collectively yielding nearly 350 million compromised credentials.
“Infostealer infections are intentionally designed to be low-noise and short-lived, meaning that in many cases, there are no clear, visible symptoms on the device itself. Unlike ransomware, for example, these tools are optimized for stealth and fast data extraction rather than disruption,” David Carmiel, CEO of KELA, told Cybernews via email.
Large-scale credential harvesting is driven by a few highly prevalent malware families, the company noted. And they are as follows:
If you’re a Windows user, there’s a higher chance that your device might be infected with infostealer malware. However, Apple devices aren’t immune. According to KELA, macOS endpoints are increasingly targeted by cybercriminals who steal Apple users’ browser credentials, cloud service tokens, cryptocurrency wallets, and other sensitive data, which is highly profitable on the dark web.
“As Apple adoption grows across high-value consumers and corporate environments, the incentive for attackers continues to expand, with compromised devices providing access to SaaS credentials, VPNs, developer tools, and other corporate assets,” the report reads.
How to spot an infostealer
Carmiel noted that infostealers are designed to stay as silent as possible. However, several indicators may suggest potential compromise.
The first common sign is unusual account activity, such as fake password resets, logins from unfamiliar locations, and new active sessions that you don’t recognize.
Also, look for browser anomalies such as sudden logouts from websites, missing passwords, and unexpected changes in browser settings.
Naturally, pay attention to security alerts from online services.
Unfortunately, infostealers can steal your browser cookies, and the criminals behind them can then use those cookies to sign in to your accounts without a password or multi-factor authentication (MFA).
“This may appear as active sessions from unknown devices while the user is still logged in elsewhere, account takeover despite no password change, or no MFA challenge during suspicious login events (because the session token is already valid),” Carmiel explained.
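The indicators Carmiel describes (sessions appearing from unfamiliar locations, password resets you did not request, and logins that skip the MFA challenge because a stolen session token is already valid) can be checked for in authentication logs. The script below is an added example written for this article, not code from KELA or Cybernews; the log format, field names, user names and geolocation codes are constructed for illustration, and the stolen cookie is simulated by a session id that was issued in one country and later shows up active from another.

```python
"""Flag session-hijack indicators in constructed authentication log lines.

Added example, not from the article or from KELA. The log format
(space-separated key=value fields after a timestamp) is an assumption
made for illustration; map it to whatever your identity provider emits.
"""
from collections import defaultdict

# Constructed sample events. Alice logs in normally with MFA from DE; her
# session id s1 is then seen active from BR (a replayed cookie), followed
# by a password reset from the same unfamiliar location. Bob is clean.
# Carol is an MFA-enforced account that logs in with no MFA challenge.
SAMPLE_LOG = """\
2026-01-10T08:02:11Z user=alice event=login ip=203.0.113.7 geo=DE mfa=ok session=s1
2026-01-10T08:02:12Z user=alice event=session_active ip=203.0.113.7 geo=DE session=s1
2026-01-10T09:15:40Z user=alice event=session_active ip=198.51.100.9 geo=BR session=s1
2026-01-10T09:16:02Z user=alice event=password_reset ip=198.51.100.9 geo=BR session=s1
2026-01-10T10:00:00Z user=bob event=login ip=192.0.2.5 geo=US mfa=ok session=s7
2026-01-10T10:00:01Z user=bob event=session_active ip=192.0.2.5 geo=US session=s7
2026-01-10T11:30:00Z user=carol event=login ip=192.0.2.9 geo=US mfa=none session=s9
"""

# Accounts for which policy requires an MFA challenge on every login (assumed).
MFA_REQUIRED_USERS = {"alice", "bob", "carol"}


def parse_line(line):
    """Turn 'TS k=v k=v ...' into a dict with the timestamp under 'ts'."""
    ts, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    fields["ts"] = ts
    return fields


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_indicators(events, mfa_required_users):
    """Return (timestamp, user, indicator, detail) tuples for suspicious events.

    Indicators implemented:
      login_without_mfa        - a login with no MFA result on an MFA-enforced account
      session_without_login    - a session id active that no login in the log issued
      session_reuse_new_geo    - a session id active from a different geo than the
                                 one it was issued in (stolen cookie replayed)
      password_reset_new_geo   - a password reset from a geo the user never logged in from
    """
    alerts = []
    session_origin = {}              # session id -> (user, geo) at login time
    login_geos = defaultdict(set)    # user -> geos seen on successful logins

    for ev in events:
        user, kind = ev["user"], ev["event"]
        sid, geo = ev.get("session"), ev.get("geo")

        if kind == "login":
            session_origin[sid] = (user, geo)
            login_geos[user].add(geo)
            if user in mfa_required_users and ev.get("mfa") != "ok":
                alerts.append((ev["ts"], user, "login_without_mfa",
                               f"session {sid} issued from {geo} with mfa={ev.get('mfa')}"))

        elif kind == "session_active":
            origin = session_origin.get(sid)
            if origin is None:
                alerts.append((ev["ts"], user, "session_without_login",
                               f"session {sid} active from {geo} with no login on record"))
            elif origin[1] != geo:
                alerts.append((ev["ts"], user, "session_reuse_new_geo",
                               f"session {sid} issued in {origin[1]}, now active from {geo}"))

        elif kind == "password_reset":
            if geo not in login_geos[user]:
                alerts.append((ev["ts"], user, "password_reset_new_geo",
                               f"reset from {geo}; known login geos: {sorted(login_geos[user])}"))

    return alerts


def run_sample():
    """Analyse the constructed log and return the alerts."""
    return find_indicators(parse_log(SAMPLE_LOG), MFA_REQUIRED_USERS)


if __name__ == "__main__":
    for ts, user, indicator, detail in run_sample():
        print(f"{ts} {user:<6} {indicator:<24} {detail}")
```

On the sample log this produces three alerts: the replayed session for alice from BR, the password reset from that same unfamiliar location, and carol's MFA-less login. Bob's activity raises nothing. A real deployment would key the geo comparison on ASN or device fingerprint as well as country, since a legitimate user on a mobile connection can change IP without changing country.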
Besides data stored by browsers, password managers, and local files, KELA assesses that infostealers are increasingly targeting agentic AI environments.
“A plausible emerging expansion vector is the harvesting of local AI agent working directories and memory artifacts, such as MEMORY.md or similar persistent context files used by local agents, cached prompts, task histories, and workflow state files, configuration files containing API keys, tool permissions, or external integrations, and in some cases, contextual data that reflects entire agent reasoning chains or operational memory,” Carmiel concluded.