Complete Guide to The Top Infostealer Families to Look Out for in 2025
While in 2023 it was reported that over 10 million devices had been infected by infostealers, it is estimated that this year the number has at least doubled.
One indicator of the impact: approximately a third of all ransomware attacks use data retrieved from stealer logs. Stealer logs are therefore directly responsible for financial loss, information loss, and client and reputational damage.
Infostealers have solidified their role as one of the most persistent and damaging cyber threats, siphoning sensitive information from a computer while remaining undetected. The easy availability of infostealers makes it simpler for threat actors to get hold of highly valuable private information, which is then published in a stealer log.
Stolen assets often surface in stealer logs on underground marketplaces, fueling further attacks such as account takeovers and ransomware deployment. Understanding the most prevalent infostealer families of 2025 is not just about threat awareness—it’s about leveraging this knowledge to monitor for exposed client data, preempt attacks, and strengthen cybersecurity posture. This guide explores the leading infostealers of the year, equipping MSSPs with insights to better combat the threat of Infostealers.
What are stealer logs?
Stealer logs are information files containing data extracted by different types of infostealer malware. This data can include browser history, login credentials, cookies, technical information, files, and even wallets.
Infostealers can infect your device through the same vectors as other malware – spam messages, infected links, fake CAPTCHA pages and phishing emails.
Threat actors have recently started using Malware-as-a-Service (MaaS) models to spread infostealers, with automated bots collecting the stolen data and distributing it on Telegram and underground forums. Malware-as-a-Service (MaaS) provides cybercriminals with ready-to-use malware tools, including infostealers, through subscription-based or one-time payment models. Similar to Ransomware-as-a-Service (RaaS), it lowers the barrier to entry for sophisticated cyberattacks, enabling even inexperienced threat actors to launch complex campaigns. This has made stealer logs an extremely accessible resource, as any actor can pay for the service and use it for their own agenda.
Why is information from stealer logs important?
Stealer logs contain a wide variety of stolen information that can be leveraged as an entry point for further breaches, ransomware attacks or Remote Access Trojan (RAT) deployment. An example can be found in the Snowflake breach earlier this year, which was executed by leveraging stealer logs available on the dark web.
However, this threat can be mitigated. While keeping track of all the logs published on both the dark web and Telegram is no small task, we at Webz.io continuously collect this information and constantly expand our coverage. With us, you can continuously monitor the stealer log threat.
By using Lunar, our dark web monitoring platform, you get easy access to actionable information on these stealer logs, such as the malware path, allowing your company to act fast to remove current threats and avoid future ones.
In this post, we gathered the top 4 infostealer families used by actors and focused on giving you an inside look at the files and information made available by monitoring the stealer logs they extract.
The top infostealers to look for on the dark web
Name: LummaC2
First emergence: 2022
Overview:
Lumma Stealer, also known as LummaC2, is a Russia-linked infostealer that emerged as a MaaS (Malware-as-a-Service) offering. Lumma quickly became one of the most popular stealers thanks to its many distribution channels and the difficulty of detecting the malware once it has infected a device.
LummaC2 is very prominent on Russian dark web forums such as XSS and RAMP. The operator constantly posts about improving the malware, adding new features and patching bugs.
Logs distribution:
- Dark web forums
- Telegram
Volumes:
Using Lunar, we executed a query looking for Lumma stealer logs published on the popular datastore ‘Russian Market’. As can be seen on the graph below, the number of LummaC2 logs has increased drastically over the past year, with a peak of over 300,000 logs in the month of November.
Logs structure:
Like most infostealers, Lumma extracts user information, cookies, passwords and details of installed anti-virus software. Furthermore, Lumma also targets cryptocurrency wallets, browser extensions, and two-factor authentication (2FA) data.
Each log is named with the two-letter country code and the IP address of the infected device, and includes all extracted files relevant to that specific device.
Name: Redline
First emergence: 2020
Overview:
Redline was considered to be the most widespread infostealer for a long time. It targets various types of personal information, from passwords and credentials to crypto wallets and application tokens.
Logs distribution:
- Dark web forums
- Telegram
Volumes:
Using Lunar, we executed a query looking for Redline stealer logs published on the popular datastore ‘Russian Market’. While the numbers have significantly decreased in the past few months, its dominance throughout the year is undeniable, with a maximum of almost 40K logs per month from this site alone.
Logs structure:
Redline stealer logs contain various information files; the stealer extracts data from browsers, files, applications and other locations across the infected device.
Each log is named with the two-letter country code and the Hardware ID of the infected device, and contains all the files successfully extracted by the infostealer. Furthermore, the information files published inside the log usually carry the Redline logo at the top of the file. Though it can be misleading at times, this addition makes stealer logs retrieved from the Redline infostealer easy to identify.
Name: StealC
First emergence: 2023
Overview:
StealC is a Russia-linked infostealer, sold as MaaS since January 2023. It is described as a flexible stealer that takes inspiration from other prominent stealers such as Vidar and Redline. StealC was offered through various subscription packages ranging from $200 for one month up to $800 for 6 months.
The operator also uses the various forums to post updates on improvements to the stealer's build and to provide easy ways of making contact.
Logs distribution:
- Dark web forums
- Telegram
Volumes:
Using Lunar, we executed a query looking for StealC stealer logs published on the popular datastore ‘Russian Market’. Being a newer infostealer, it had a slower start this year with a lower number of logs being published. However, as the year continued the numbers greatly increased, reaching a peak of over 200K logs in July.
Logs structure:
StealC logs contain everything you would expect from a typical stealer log – cookies, passwords, application data and system information.
Each log is named with the two-letter country code, the Hardware ID, and the date of infection, and contains all the files successfully extracted by the infostealer.
Much like Redline, StealC files occasionally carry the distinctive “StealC” logo at the top of the file.
Name: Vidar
First emergence: 2018
Overview:
Vidar is hands down the most veteran infostealer on this list. It is considered a successor to the Arkei malware, and is associated with Scattered Spider, an APT group known for going after large corporations. Vidar is also considered to be the first stealer to retrieve information from two-factor authentication (2FA) and the Tor browser.
Logs distribution:
- Dark web forums
- Telegram
Volumes:
Using Lunar, we executed a query looking for Vidar stealer logs published on the popular datastore ‘Russian Market’. While we can see that the number of logs published is lower compared to other stealer log types on this list, Vidar’s presence cannot be overlooked, reaching peaks of over 70K logs on ‘Russian Market’ alone, not accounting for the massive amounts spread on Telegram.
Logs structure:
Vidar logs include various types of files, from wallets to passwords and files saved on the device.
Each log is named with the two-letter country code, the Hardware ID, and the date of infection, and contains all the files successfully extracted by the infostealer.
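Added example (not code from Webz.io, Lunar or any stealer): a small triage helper that parses log names following the conventions described above (country code plus IP, Hardware ID, or Hardware ID and infection date) and flags logs that name one of your own IP ranges or a recent infection. The underscore-delimited layout and the sample names are assumptions constructed for the example, not a documented format of any family.

```python
import ipaddress
import re
from datetime import date
from typing import NamedTuple, Optional

# Assumed layout for this example: <CC>_<IP-or-HWID>[_<YYYY-MM-DD>]
# (the families above name logs by country code plus IP, HWID, or HWID and infection date).
_NAME_RE = re.compile(r"^(?P<cc>[A-Z]{2})_(?P<ident>[^_]+)(?:_(?P<day>\d{4}-\d{2}-\d{2}))?$")


class LogName(NamedTuple):
    country: str
    ident: str            # IP address or Hardware ID of the infected device
    ident_kind: str       # "ip" or "hwid"
    infected: Optional[date]


def parse_log_name(name: str) -> Optional[LogName]:
    """Split a stealer-log folder/archive name into its parts; None if it does not fit."""
    m = _NAME_RE.match(name)
    if m is None:
        return None
    ident = m.group("ident")
    try:
        ipaddress.ip_address(ident)
        kind = "ip"
    except ValueError:
        kind = "hwid"                       # anything that is not a valid IP is treated as a HWID
    day = m.group("day")
    try:
        infected = date.fromisoformat(day) if day else None
    except ValueError:
        return None                         # shaped like a date but not a valid one
    return LogName(m.group("cc"), ident, kind, infected)


def triage(name: str, corporate_cidrs: list, since_iso: str) -> list:
    """Reasons to escalate a log: victim IP inside your ranges, or infection newer than a cutoff."""
    parsed = parse_log_name(name)
    if parsed is None:
        return ["unparsed-name"]
    reasons = []
    if parsed.ident_kind == "ip":
        ip = ipaddress.ip_address(parsed.ident)
        if any(ip in ipaddress.ip_network(c) for c in corporate_cidrs):
            reasons.append("corporate-ip")
    if parsed.infected is not None and parsed.infected >= date.fromisoformat(since_iso):
        reasons.append("recent-infection")
    return reasons


# Constructed sample names (not real logs); 198.51.100.0/24 is documentation address space.
SAMPLE_NAMES = ["US_198.51.100.23", "DE_1A2B3C4D5E6F", "FR_9F8E7D6C_2025-03-14", "notes.txt"]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(n, "->", triage(n, ["198.51.100.0/24"], "2025-01-01"))
```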
What can you do about it?
As we recapped in this post, the infostealer threat is greater than ever. Your information could be published in a freely shared stealer log and abused to execute a ransomware attack or identity theft, all of it right under your nose.
This can be mitigated by using a dark web monitoring tool like Lunar and acting on the actionable data it provides to remove the threat. Combined with improved general security measures and awareness of scam messages and phishing, this can keep you and your data safe.