U.S. Military and Defense Contractors Facing Unprecedented Cybersecurity Breach


A significant number of data breaches occur when cybercriminals walk through the “front door” using stolen credentials. According to a study from Hudson Rock, the login information is acquired using infostealer malware. Cybercriminals package the stolen information and sell it as a service to other criminal elements. The problem is widespread, but the greatest damage is to those who maintain a high level of security. Specifically, U.S. military and defense contractors who spend considerable resources securing their environments against cyber threats are falling victim to infostealers.

Infostealers

Infostealers are a type of malware that resides on an infected computer, gathers data, and sends it to the attacker. They infect machines through malicious attachments, websites compromised by exploit kits, pirated software, and malvertising. In every case a person has to take the bait, which is why users are the critical link in this attack chain.

These programs are not after large volumes of data; they focus on login credentials (VPN, email, web portals) and digital footprint records (browsing history, autofill passwords, credit cards, and session cookies). The harvested information is packaged into records known as ‘logs’, which are then sold.

This method of attack has been around for over a decade, but it has grown into a primary tool in the cybercriminal toolbox. Cybersecurity company Huntress, in its “2025 Cyber Threat Report,” said infostealers were involved in nearly a quarter (24%) of all cyber incidents in 2024. The “2024 Verizon Data Breach Investigations Report” stated that the top vector for system intrusions is the exploitation of credentials and secrets. According to that study, 31% of breaches over the past 10 years involved stolen credentials.

Hudson Rock’s Co-Founder and CTO, Alon Gal, in a blog post summed up infostealers as being “the gateway drug of cybercrime, quietly collecting login credentials, financial data, and sensitive info before handing it off to ransomware gangs, extortionists, or initial access brokers.”

Black Market for Stolen Credentials

Infostealers are generally associated with botnets. The attackers who collect the ‘logs’ sell the information on underground marketplaces for as little as $10 or as much as $1,000 per log. Cybercriminals can selectively purchase stolen data from employees working in classified defense and military sectors. The cybercrime marketplaces hold millions of computer records; Hudson Rock has identified over 30 million computers infected by infostealers. The black markets make it easy for buyers by offering features such as search, which allows the discovery of specific credentials, for example those tied to a navy.mil address.

Impact on U.S. Defense Community

The primary purpose of the information presented on Hudson Rock’s Infostealers website is to highlight that all organizations are susceptible to infostealer attacks, including those that deploy the strongest security. Hudson Rock’s infostealer database reveals an unsettling reality: employees of high-profile government organizations and defense contractors have active infections. Lockheed Martin, Boeing, and Honeywell each have dozens of compromised machines. Access to even one record is an opportunity to enter additional networks. For example, a case highlighted in the report points out that one compromised employee had 56 internal corporate credentials along with 45 third-party credentials.

On the government side, the database includes entries for 71 U.S. Army, 30 U.S. Navy, and 24 FBI employees with infected machines. Stolen credentials can give threat actors -- most troublingly, nation-state adversaries -- a way to enter high-profile and even secure networks, steal classified information, or burrow deeper into those networks. VPN credentials in particular can give attackers the opportunity to collect classified information on military operations and defense systems.

The problem is summed up by Jason Soroko, Senior Fellow at Sectigo. “Infostealer infections in the US military and top defense contractors expose a systemic cybersecurity lapse. Lax endpoint defenses, outdated patching protocols, and human error are enabling cheap breaches—even in high-stakes environments. If organizations with deep pockets and top talent are vulnerable, rank-and-file companies, often under-resourced and less rigorous, face even graver risks.”

Towards a More Secure Future

“The lesson is clear: if you’re online, you’re a target. Every business—whether they serve the DOD or not—has employees who hold sensitive credentials that adversaries can exploit,” said Kent Wilson, Vice President at Bugcrowd. “There’s no reason to make it easy for attackers. Organizations need to stop treating cybersecurity as a one-time project and adopt continuous, proactive security programs. Traditional defenders are in a knife fight every day, and staying ahead of attackers is difficult.”

There are a number of steps organizations can take to thwart infostealers. The defenses require a layered approach; no single solution will be enough. Among the controls organizations need are strong anti-malware at the endpoint and network level, browser-level security, vulnerability management, and anomaly detection that flags stolen credentials being replayed from unfamiliar devices or locations. On the identity side, organizations should implement multi-factor authentication and periodic password changes. All sensitive and classified information should be encrypted at rest. A zero trust framework can offer additional protection and the ability to confine damage to a single network segment. Lastly, given that infostealer infections require some form of human interaction, user cybersecurity awareness training is imperative.
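The anomaly-detection layer mentioned above is the one that catches a stolen credential after the infostealer has already done its work, so here is an added example of what that check looks like in practice. It is not code from the article or from Hudson Rock: the JSON log format, the field names (`user`, `country`, `device`), the user names and the two-hour travel window are all constructed for this illustration. The script builds a per-user baseline of device fingerprints from earlier successful logins, then flags (1) a successful login from a device the user has never used and (2) "impossible travel", two successful logins from different countries within a window too short for physical travel.

```python
"""
Spot replayed (stolen) VPN credentials in authentication logs.

Example added for illustration; the log format, field names and sample
lines are constructed assumptions, not any real gateway's output.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one JSON object per line, oldest first is not required.
SAMPLE_LOG = """\
{"ts": "2025-03-01T08:02:11Z", "user": "jdoe", "result": "success", "country": "US", "device": "dev-a1"}
{"ts": "2025-03-01T08:15:40Z", "user": "asmith", "result": "success", "country": "US", "device": "dev-b7"}
{"ts": "2025-03-02T09:00:05Z", "user": "jdoe", "result": "success", "country": "US", "device": "dev-a1"}
{"ts": "2025-03-03T02:30:00Z", "user": "jdoe", "result": "success", "country": "US", "device": "dev-a1"}
{"ts": "2025-03-03T02:41:13Z", "user": "jdoe", "result": "success", "country": "RO", "device": "dev-z9"}
{"ts": "2025-03-03T02:45:00Z", "user": "asmith", "result": "failure", "country": "CN", "device": "dev-q2"}
"""

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"
IMPOSSIBLE_TRAVEL_WINDOW = timedelta(hours=2)  # assumed threshold for this example


def parse_log(text):
    """Parse JSON-lines log text into a list of events sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def build_baseline(events, cutoff):
    """Device fingerprints each user successfully used before `cutoff` (known-good history)."""
    known = defaultdict(set)
    for e in events:
        if e["result"] == "success" and e["ts"] < cutoff:
            known[e["user"]].add(e["device"])
    return known


def detect(events, baseline):
    """Return alerts for new-device logins and impossible travel among successful logins."""
    alerts = []
    last_success = {}  # user -> most recent successful event seen in this pass
    for e in events:
        if e["result"] != "success":
            continue  # failed attempts are not what these two rules look for
        user = e["user"]
        # Rule 1: a user with history logs in from a fingerprint never seen for them.
        # Users with no baseline at all are skipped here; they need a separate enrolment rule.
        if user in baseline and e["device"] not in baseline[user]:
            alerts.append({"rule": "new_device", "user": user, "ts": e["ts"], "device": e["device"]})
        # Rule 2: country changed between two successes closer together than the travel window.
        prev = last_success.get(user)
        if prev and prev["country"] != e["country"] and e["ts"] - prev["ts"] <= IMPOSSIBLE_TRAVEL_WINDOW:
            alerts.append({"rule": "impossible_travel", "user": user, "ts": e["ts"],
                           "from": prev["country"], "to": e["country"]})
        last_success[user] = e
        # The baseline is deliberately not updated here: one anomalous success must not
        # silence the next one from the same attacker-controlled device.
    return alerts


def analyze(text, baseline_cutoff):
    """Build the baseline from events before `baseline_cutoff` and scan the rest."""
    cutoff = datetime.strptime(baseline_cutoff, TS_FORMAT)
    events = parse_log(text)
    baseline = build_baseline(events, cutoff)
    return detect([e for e in events if e["ts"] >= cutoff], baseline)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG, "2025-03-03T00:00:00Z"):
        print(alert)
```

Run against the sample, the scan raises two alerts for `jdoe`: the 02:41 login from `dev-z9` is a device never seen in the baseline, and it arrives from a different country eleven minutes after a login from the user's usual device, which is exactly the pattern of a purchased log being replayed while the legitimate user is still connected. Either alert on its own is a reason to revoke the session and the VPN credential rather than wait for a password rotation cycle.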

Conclusion

The effectiveness of infostealers is troubling. Thomas Richards, Principal Consultant at Black Duck, points out that this report from Hudson Rock is “incredibly concerning given the nature of the data and the individuals targeted. The data stolen could allow an adversary into critical networks and take steps to compromise additional people and systems. This is a risk to US national security.”

The problem is real, so organizations, especially those that feel secure behind layers of expensive security, must treat it with urgency. Soroko emphasizes that “companies must act now” because refined cybersecurity is no longer optional “in an era where a $10 exploit can topple even the most advanced networks.”

There are solutions that lower both the threat and the impact infostealers present, but people must first acknowledge the problem and work to address it.

Author
  • Contributing Writer
    Charles J. Kolodgy is a security strategist, visionary, forecaster, educator, historian, and advisor. He is a thought leader, identifying trends and concepts critical to cybersecurity, with a primary focus on…