Multi-factor authentication was supposed to be the end of password-only breaches. Then infostealer malware changed the game. Instead of cracking passwords, attackers now steal session cookies directly from a victim's browser. With a valid session cookie, an attacker can log in as the user — MFA, device trust, and IP reputation checks included — because the application thinks the user already completed the second factor.
How infostealers work
Infostealers are lightweight malware families — RedLine, Raccoon Stealer, Vidar, Lumma, and Stealc are the most common — distributed via trojanized software cracks, fake CAPTCHA pages, and malvertising campaigns. Once executed, they scrape browser cookies, saved passwords, autofill data, cryptocurrency wallets, and even Discord or Telegram session tokens. The output is a 'log file' uploaded to a Telegram channel or dark-web marketplace where buyers browse by victim domain.
From cookie to corporate breach
The attack chain is disturbingly short. An employee's teenager downloads a cracked game on the family computer. The infostealer harvests the parent's corporate SaaS session cookie. A buyer on a Russian-language forum pays $10 for the cookie, imports it into their browser, and is suddenly inside the company's Salesforce, Slack, or AWS console — passing every identity check because the session is already authenticated.
Why traditional defenses fail
- EDR rarely flags browser cookie extraction as malicious — it looks like normal browser behavior.
- MFA does not protect against session replay: the second factor was satisfied when the session was first established, and a stolen cookie carries that already-authenticated state with it.
- IP reputation tools are bypassed because attackers route through residential proxies in the same city as the victim.
- User-agent checks fail because the attacker can replicate the victim's exact browser fingerprint.
- SSO session lifetimes are often days or weeks, giving attackers a long window to exploit a stolen cookie.
Defending against infostealers requires a two-pronged approach: shrinking session lifetimes and continuously hunting for your organization's credentials and session tokens on dark-web markets and paste sites. If your CFO's cookie is for sale, you want to know before the buyer logs in, not after.
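One way to put the first prong into practice, as an added example that is not part of the original article: a small Python script that enforces an absolute session lifetime and idle timeout at request time, and separately reviews constructed session-usage records for the replay signals an infostealer-sourced cookie tends to leave behind (the same session ID alternating between two networks within minutes, or a session living far beyond policy). The event schema, the thresholds, and the sample records are assumptions. As the article notes, a buyer can copy the victim's user agent and proxy through the same city, so the network and user-agent findings are supporting evidence for a hunt, while the hard lifetime cap is the control that reliably shrinks the window.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Policy thresholds (assumed values; tune to the application's risk tolerance).
MAX_ABSOLUTE_LIFETIME = timedelta(hours=12)    # force re-authentication at least twice a day
MAX_IDLE = timedelta(hours=2)                  # drop sessions that go quiet
NETWORK_SWITCH_WINDOW = timedelta(minutes=30)  # same session on two ASNs this close is suspicious


def session_is_acceptable(created_at: datetime, last_seen_at: datetime, now: datetime) -> bool:
    """Request-time check: reject a session cookie once it is too old or too idle,
    regardless of whether the presenter passed MFA when the session was created."""
    if now - created_at > MAX_ABSOLUTE_LIFETIME:
        return False
    if now - last_seen_at > MAX_IDLE:
        return False
    return True


@dataclass
class SessionEvent:
    """One authenticated request as an access log or IdP audit log might record it (assumed schema)."""
    session_id: str
    user: str
    ts: datetime
    src_ip: str
    asn: str
    user_agent: str


def review_sessions(events, max_lifetime=MAX_ABSOLUTE_LIFETIME, max_idle=MAX_IDLE,
                    window=NETWORK_SWITCH_WINDOW):
    """Retrospective hunt over session-usage records.

    Returns {session_id: sorted list of finding names}. Findings:
      absolute_lifetime_exceeded   - session used beyond the policy cap
      idle_timeout_exceeded        - gap between two uses longer than the idle limit
      network_switch_within_window - same session seen on different ASNs within `window`
      user_agent_changed           - browser string differs between consecutive uses
    """
    by_session = defaultdict(list)
    for ev in events:
        by_session[ev.session_id].append(ev)

    findings = {}
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: e.ts)
        first_seen = evs[0].ts
        flags = set()
        for prev, cur in zip(evs, evs[1:]):
            if cur.ts - first_seen > max_lifetime:
                flags.add("absolute_lifetime_exceeded")
            if cur.ts - prev.ts > max_idle:
                flags.add("idle_timeout_exceeded")
            if cur.asn != prev.asn and cur.ts - prev.ts <= window:
                flags.add("network_switch_within_window")
            if cur.user_agent != prev.user_agent:
                flags.add("user_agent_changed")
        findings[sid] = sorted(flags)
    return findings


# Constructed sample records (not real logs). Session s-1001 is used by the legitimate
# device, reappears 12 minutes later from a different ASN with an identical user agent,
# then returns to the original device: the interleaving pattern a replayed cookie
# produces. Session s-2002 is simply 20 days old.
T0 = datetime(2024, 1, 15, 8, 0, 0)
UA_WIN_CHROME = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"
UA_MAC_FIREFOX = "Mozilla/5.0 (Macintosh; Intel Mac OS X 14.2) Firefox/121.0"
SAMPLE_EVENTS = [
    SessionEvent("s-1001", "cfo", T0, "203.0.113.10", "AS64496", UA_WIN_CHROME),
    SessionEvent("s-1001", "cfo", T0 + timedelta(hours=1), "203.0.113.10", "AS64496", UA_WIN_CHROME),
    SessionEvent("s-1001", "cfo", T0 + timedelta(hours=1, minutes=12), "198.51.100.77", "AS64500", UA_WIN_CHROME),
    SessionEvent("s-1001", "cfo", T0 + timedelta(hours=1, minutes=20), "203.0.113.10", "AS64496", UA_WIN_CHROME),
    SessionEvent("s-2002", "analyst", T0 - timedelta(days=20), "192.0.2.5", "AS64501", UA_MAC_FIREFOX),
    SessionEvent("s-2002", "analyst", T0, "192.0.2.5", "AS64501", UA_MAC_FIREFOX),
]

if __name__ == "__main__":
    for sid, flags in review_sessions(SAMPLE_EVENTS).items():
        print(sid, flags or "clean")
    old = SAMPLE_EVENTS[4].ts
    print("s-2002 accepted at T0?", session_is_acceptable(old, old, T0))
```

Run as-is, the review flags s-1001 for the network switch and s-2002 for both lifetime violations, and the request-time check rejects the 20-day-old session outright. In a real deployment the absolute cap belongs in the session store or IdP policy, and the review function would read from the SSO audit log rather than an inline list.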
“An infostealer malware infection is often a precursor to a ransomware attack.”