Security Teams Must Deploy Anti-Infostealer Defenses Now

By Team-CWD, October 17, 2025

Infostealers are driving today’s ransomware wave and stealer logs can be bought for as little as $10 on the dark web.

At ISACA Europe 2025, Tony Gee, a principal cybersecurity consultant at 3B Data Security, urged security teams to deploy tactical defenses to protect against infostealers.  

Evolution of Infostealers

Since the early 2000s, with the emergence of keyloggers such as Zeus and SpyEye, infostealers have become a common weapon in cybercriminals' arsenal for gaining initial access to targeted systems.

Around the early 2010s, new infostealer families like Vidar, Trickbot and Emotet began integrating the capability to extract cryptocurrency.

Now, a wide variety of new infostealers frequently appear with different features and capabilities, expanding a market that has largely been dominated by LummaC2 and Redline.

Today, stealer logs (the output that infostealers produce) can be found for sale for as little as $10 on some Russian-language dark web marketplaces, according to Gee’s research.

The security consultant argued that the best way to defend against infostealer infection is through specific technical security controls.

“There are basic controls that you can implement, of course, such as adopting a zero trust architecture, ensuring a good password policy and robust network segmentation that includes separating privileges, and providing security awareness training,” he said.

However, these alone are not sufficient to prevent infostealers. Gee provided six additional technical controls organizations should implement.

Top Six Technical Measures to Mitigate the Infostealer Threat

Regular Password Changes

Although frequent password changes can be burdensome, they are an efficient measure to mitigate the impact of credential theft and infostealer infections.

“The passwords that get exposed in the stealer logs will then have been changed by the time someone comes to use them,” Gee explained.

FIDO2-Enabled Multifactor Authentication

Multifactor authentication (MFA) with a FIDO2-enabled technology is also “strongly recommended” against infostealers, especially for users with administrator privileges.

Gee argued that such a measure makes it harder for a threat actor to sign in to systems and services, even when they hold a comprehensive stealer log on the user obtained through infostealer malware.

Forced Authentication

The “force authentication” process refers to a policy under which security teams require staff members to re-authenticate every time they try to access a sensitive resource within company systems or on the internet.

“It means that, instead of just using cookies to just rinse your entire domain, you have to step through multiple authentication steps,” Gee explained.

Session Token Expiration

Security teams ought to shorten the lifespan of authentication tokens, Gee also recommended.

“This method should be especially implemented for bring-your-own-device (BYOD) situations. One of the companies I work with has all cookies expire every day. It makes it really annoying to log in every day, but it’s very secure.”

Cookie Replay Detection

Another of Gee’s recommendations is for security teams to implement cookie replay detection processes on the browsers used by their workforce.

This security mechanism identifies and blocks fraudulent attempts to reuse stolen or intercepted session cookies (e.g. in replay attacks) by tracking cookie usage patterns, timestamps or unique identifiers.

It helps prevent unauthorized access by ensuring cookies are used only once or within valid contexts.
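The two recommendations above, a short absolute token lifetime and cookie replay detection, can be combined in one server-side session check. The following is an added example written for this page, not code from the article or from 3B Data Security. It models a session store that rotates a single-use nonce inside the cookie on every accepted request (so a copied cookie presented later is recognised as a replay), binds the session to the client context it was issued in, and enforces a 24-hour absolute expiry mirroring the “cookies expire every day” policy quoted above. The `SessionStore` class, its status strings, the IP addresses and the request sequence are all constructed for illustration.

```python
"""Session-cookie replay detection with an absolute lifetime (added example)."""
from dataclasses import dataclass
from hashlib import sha256
from hmac import compare_digest
from secrets import token_urlsafe
from typing import Dict, List, Optional, Tuple

MAX_SESSION_AGE = 24 * 60 * 60  # absolute session lifetime in seconds (assumed policy)


def context_fingerprint(ip: str, user_agent: str) -> str:
    """Hash of the client context a session is bound to."""
    return sha256(f"{ip}|{user_agent}".encode()).hexdigest()


@dataclass
class Session:
    user: str
    created_at: int   # epoch seconds when the cookie was issued
    fingerprint: str  # context_fingerprint() of the issuing client
    nonce: str        # single-use value carried in the cookie, rotated on every request


class SessionStore:
    """In-memory session table; a real deployment would use a shared store."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def issue(self, user: str, ip: str, user_agent: str, now: int) -> str:
        sid, nonce = token_urlsafe(32), token_urlsafe(16)  # urlsafe alphabet never contains "."
        self._sessions[sid] = Session(user, now, context_fingerprint(ip, user_agent), nonce)
        return f"{sid}.{nonce}"

    def validate(self, cookie: str, ip: str, user_agent: str, now: int) -> Tuple[str, Optional[str]]:
        """Return (status, rotated_cookie). Any rejection revokes the session."""
        sid, _, nonce = cookie.partition(".")
        session = self._sessions.get(sid)
        if session is None:
            return "unknown", None
        if now - session.created_at > MAX_SESSION_AGE:
            del self._sessions[sid]
            return "expired", None
        if not compare_digest(session.fingerprint, context_fingerprint(ip, user_agent)):
            del self._sessions[sid]
            return "context_mismatch", None
        if not compare_digest(session.nonce, nonce):
            # The cookie carries a nonce the server already retired: a copy is
            # being presented after the legitimate client moved on.
            del self._sessions[sid]
            return "replay", None
        session.nonce = token_urlsafe(16)  # rotate; the old cookie value is now dead
        return "ok", f"{sid}.{session.nonce}"


def run_scenario() -> List[str]:
    """Constructed request sequence; returns the status of each validation."""
    store = SessionStore()
    ua = "Mozilla/5.0 (constructed)"
    results = []

    # 1. A stolen copy of the cookie is replayed after the real client used it.
    cookie0 = store.issue("alice", "198.51.100.7", ua, now=0)
    status, cookie1 = store.validate(cookie0, "198.51.100.7", ua, now=60)
    results.append(status)                                                     # ok
    results.append(store.validate(cookie0, "198.51.100.7", ua, now=120)[0])    # replay
    results.append(store.validate(cookie1, "198.51.100.7", ua, now=180)[0])    # unknown (revoked)

    # 2. The same cookie string is presented from a different client context.
    cookie = store.issue("bob", "203.0.113.5", ua, now=0)
    results.append(store.validate(cookie, "192.0.2.44", ua, now=30)[0])        # context_mismatch

    # 3. A still-unused cookie past the absolute lifetime is rejected.
    cookie = store.issue("carol", "203.0.113.9", ua, now=0)
    results.append(store.validate(cookie, "203.0.113.9", ua, now=MAX_SESSION_AGE + 1)[0])  # expired
    return results


if __name__ == "__main__":
    print(run_scenario())
```

Two caveats a practitioner would weigh before deploying this: nonce rotation produces false replay alerts when a legitimate browser fires several requests in parallel with the same cookie, so production systems usually tolerate the previous nonce for a short grace window; and binding to the source IP rejects users whose address changes mid-session (mobile networks, corporate proxies), which is why the context fingerprint is often built from stabler signals than the raw IP.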

Suspicious and Impossible Travel Monitoring

Finally, Gee recommended that security teams deploy an automated system that monitors connection locations and raises alerts for “suspicious or impossible travel.”

“This is when people are logging in twice from two different geographically located places in a short period of time, for instance. That’s an indicator of suspicious activity,” he concluded.
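The following is an added example of the impossible-travel check described above; it is not code from the article or from 3B Data Security. Each login event carries a user, a UTC timestamp and the coordinates resolved from its source IP (an upstream geolocation lookup is assumed; the coordinates and log lines here are constructed). Consecutive logins by the same user are compared, and a pair is flagged when the implied ground speed exceeds an assumed airliner-speed threshold; a minimum distance filters out the city-scale jitter that IP geolocation produces.

```python
"""Impossible-travel detection over login events (added example)."""
from datetime import datetime, timezone
import math
from typing import Dict, List, Tuple

MAX_PLAUSIBLE_KMH = 1000.0  # assumed threshold: roughly commercial airliner speed
MIN_DISTANCE_KM = 100.0     # assumed floor: ignore geolocation jitter within a region


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def parse_event(line: str) -> Dict[str, object]:
    """Parse one constructed log line: '<iso-utc> user=<u> ip=<ip> lat=<f> lon=<f>'."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "user": fields["user"],
        "ip": fields["ip"],
        "lat": float(fields["lat"]),
        "lon": float(fields["lon"]),
    }


def find_impossible_travel(lines: List[str]) -> List[Tuple[str, str, str, int, int]]:
    """Return (user, previous_ip, new_ip, distance_km, implied_kmh) for each flagged pair."""
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["time"])
    last_seen: Dict[str, Dict[str, object]] = {}
    alerts = []
    for event in events:
        prev = last_seen.get(event["user"])
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], event["lat"], event["lon"])
            hours = (event["time"] - prev["time"]).total_seconds() / 3600.0
            if km >= MIN_DISTANCE_KM:
                # Two logins at the same instant from far apart is the extreme case.
                speed = km / hours if hours > 0 else float("inf")
                if speed > MAX_PLAUSIBLE_KMH:
                    alerts.append((event["user"], prev["ip"], event["ip"], round(km), round(speed)))
        last_seen[event["user"]] = event
    return alerts


# Constructed sample log: alice jumps London -> New York in 90 minutes,
# bob takes four hours London -> Paris, carol logs in twice from one city.
SAMPLE_LOG = [
    "2025-10-17T08:00:00Z user=alice ip=198.51.100.7 lat=51.50 lon=-0.12",
    "2025-10-17T09:30:00Z user=alice ip=203.0.113.21 lat=40.71 lon=-74.01",
    "2025-10-17T08:00:00Z user=bob ip=198.51.100.8 lat=51.50 lon=-0.12",
    "2025-10-17T12:00:00Z user=bob ip=192.0.2.33 lat=48.86 lon=2.35",
    "2025-10-17T08:00:00Z user=carol ip=198.51.100.9 lat=51.50 lon=-0.12",
    "2025-10-17T08:05:00Z user=carol ip=198.51.100.10 lat=51.51 lon=-0.10",
]

if __name__ == "__main__":
    for alert in find_impossible_travel(SAMPLE_LOG):
        print("impossible travel:", alert)
```

The check is deliberately stateful per user and order-independent on input, since login records from several identity providers rarely arrive in time order. In practice the threshold and distance floor are tuned per environment, and known VPN egress ranges are excluded before the comparison, because a corporate VPN that terminates in another country is the most common benign source of this alert.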
