TL;DR
Flare’s 2026 State of Enterprise Infostealer Exposure report analyzed 18.7 million infostealer logs and found that 16% of infections now expose enterprise SSO credentials, up from 6% in early 2024. The timeline from personal device infection to enterprise breach averages just 7 days. An employee’s home computer gets infected with Lumma, StealC, or RedLine stealer malware.
The infostealer exfiltrates browser-saved passwords including corporate VPN and cloud application credentials. Within 24 hours, those credentials appear in underground Telegram channels where Initial Access Brokers purchase logs in bulk for $10 to $50. IABs test the credentials, verify access, and list corporate network entry for sale. Ransomware operators buy access and deploy attacks, often before organizations discover the initial infection even occurred.
The acceleration: One in five infostealer infections will expose enterprise credentials by Q3 2026. Microsoft Entra ID appears in 79% of enterprise identity logs. 1.17 million logs contained both credentials and session cookies, enabling MFA bypass. This represents a structural shift in attack economics: fewer infections deliver far greater impact when enterprise access is compromised.
The detection gap: Traditional security tools cannot see infostealer infections on personal devices. Organizations discover credential theft only when those credentials appear in dark web databases or when attacks succeed. External threat intelligence monitoring infostealer logs and credential marketplaces provides the only early warning system that detects exposure before enterprise compromise.
A marketing manager clicked a malicious advertisement while browsing from their personal laptop on a Saturday afternoon. The ad exploited a browser vulnerability and silently installed Lumma Stealer malware. The laptop showed no performance degradation. No antivirus alerts triggered because the personal device ran outdated consumer protection software.
Lumma executed immediately and systematically harvested every browser-saved password and authentication cookie. The manager’s Chrome browser contained credentials for 73 different services. Among them were corporate VPN login, Microsoft 365 account, Salesforce access, AWS console credentials, and internal collaboration tools. Lumma collected everything and transmitted the data to attacker-controlled infrastructure.
The infection happened outside the corporate security perimeter. The personal laptop had never connected to company networks. IT security had no visibility into the device. No endpoint detection monitored the malware execution. The organization had no awareness that corporate credentials had just been compromised.
This scenario represents the beginning of what researchers have identified as a 7-day journey from infostealer infection to enterprise breach. Understanding this compressed timeline and why traditional defenses fail to interrupt it has become critical for enterprise security.
Analysis of thousands of infostealer-enabled breaches reveals a predictable progression from infection to enterprise compromise.
Day 1: Credential Exfiltration and Log Packaging
Within hours of infection, the infostealer completes data collection and packages everything into a standardized log file. These logs follow a specific format containing machine information, installed applications, browser data, cryptocurrency wallets, and extracted credentials.
The malware operator receives the log through their command-and-control infrastructure. They conduct initial triage, categorizing logs by apparent value. Logs containing banking credentials, cryptocurrency wallets, or corporate access receive immediate attention. The marketing manager’s log stood out because of multiple enterprise SSO credentials.
By the end of day one, the log was listed for sale on specialized Telegram channels where Initial Access Brokers and credential resellers operate. Price: $45 due to the presence of verified corporate VPN and cloud platform credentials.
Day 2: Initial Access Broker Purchase and Verification
An IAB purchased the log within 24 hours of listing. They extracted the corporate credentials and began verification testing. The VPN credentials worked perfectly, providing access to the company’s internal network. The Microsoft 365 credentials authenticated successfully despite MFA because the log contained valid session cookies that bypassed authentication requirements.
The IAB spent several hours documenting the access. They identified the company’s revenue tier, mapped accessible systems, and noted the privilege level of the compromised account. This intelligence would inform pricing when they listed the access for resale to ransomware operators.
Day 3: Network Access Listed on Dark Web Forums
The IAB created a listing on the Exploit forum describing verified access to a mid-market US company in the marketing technology sector. Annual revenue $85 million. VPN and SSO credentials confirmed working. Asking price: $3,200.
The listing provided enough detail for ransomware affiliates to assess target value while maintaining operational security by not identifying the company by name. Buyers could verify the target matched their operational criteria before purchase.
Day 4: Ransomware Affiliate Purchases Access
A ransomware operator associated with a major ransomware-as-a-service operation purchased the access. They paid through cryptocurrency escrow and received the credentials along with technical documentation the IAB had compiled.
The operator authenticated successfully and began reconnaissance. They mapped the network topology, identified domain controllers, located backup systems, and assessed the value of accessible data. This intelligence would inform both the attack approach and subsequent ransom demand.
Days 5-6: Attack Staging and Preparation
The ransomware operator spent two days preparing the attack. They escalated privileges to domain administrator through exploitation of internal vulnerabilities. They disabled security monitoring and logging to avoid detection. They staged ransomware payloads on multiple systems.
All activity appeared legitimate to security monitoring because it originated from valid credentials on authorized accounts. The operator took care to mimic normal administrator behavior patterns. No alerts triggered.
Day 7: Ransomware Deployment
On day seven, exactly one week after the marketing manager’s personal laptop was infected, ransomware deployed across the company’s network. Production systems were encrypted. Backup repositories were corrupted. A ransom note appeared demanding $2.8 million in cryptocurrency.
The company’s first indication of compromise was the ransom note. They had no awareness of the infostealer infection, the credential sale, the Initial Access Broker listing, or the week of reconnaissance that preceded the attack. The 7-day journey from personal device infection to enterprise breach was complete.
Flare’s analysis of 18.7 million infostealer logs reveals a fundamental shift in the threat landscape. Enterprise credential exposure is accelerating while overall infection volumes decline.
The Structural Shift in Attack Economics
Key statistics from the 2026 report:
This pattern represents fewer infections delivering far greater impact. Attackers shifted from mass consumer targeting to focused enterprise credential theft. The economics changed: one enterprise credential is worth hundreds of consumer accounts.
Remote and hybrid work models created the conditions for infostealer success. Employees access corporate systems from personal devices that IT security never monitors. They save corporate credentials in consumer browsers on home computers. Password managers synchronize enterprise credentials across personal devices.
Verizon’s 2025 Data Breach Investigations Report found that 30% of infostealer-compromised systems were either enterprise devices or personal machines used for work. This boundary erosion between personal and corporate computing environments created the attack surface infostealers exploit.
Three infostealer families account for over 75% of infections and enterprise credential exposure.
Lumma Stealer: The fastest-growing infostealer in 2025 and 2026. Operates as malware-as-a-service with subscriptions starting at $250 monthly. Specifically targets SSO providers including Microsoft, Google, Okta, and AWS. Includes sophisticated anti-analysis techniques that evade detection.
StealC: Focuses on comprehensive browser data extraction. Harvests passwords, cookies, autofill data, and browsing history. Particularly effective at extracting session tokens that bypass multi-factor authentication. Distributed through malicious advertisements and software cracks.
RedLine: One of the longest-operating infostealers, active since 2020. Despite law enforcement actions, continues operating under new infrastructure. Known for aggressive distribution through fake software updates and pirated applications. Comprehensive data theft including FTP credentials, VPN configurations, and cryptocurrency wallets.
Q1: Can organizations prevent infostealer infections on employee personal devices?
Organizations have limited ability to prevent infections on devices they do not control. Employee training helps reduce risk but cannot eliminate it. The critical defense is detecting when corporate credentials appear in infostealer logs before attackers weaponize them. External threat intelligence monitoring infostealer marketplaces provides early warning that enables credential rotation before breach occurs.
Q2: How do attackers bypass MFA using infostealer data?
Infostealers capture active session cookies along with passwords. Session cookies represent already-authenticated browser sessions that bypass MFA challenges. Attackers import stolen cookies into their browsers and access corporate systems as authenticated users without needing passwords or MFA tokens. This technique, called cookie theft or session hijacking, makes MFA alone insufficient protection against infostealer threats.
Q3: Why has enterprise credential exposure increased while total infections declined?
Attackers shifted strategy from volume to value. Rather than mass-infecting consumer devices with low-value credentials, operations now focus on targets more likely to have enterprise access. Distribution methods target professionals through LinkedIn phishing, business software cracks, and work-related lures. This focused approach yields fewer total infections but dramatically higher rates of enterprise credential exposure.
Q4: What is the typical price for infostealer logs containing enterprise credentials?
Individual logs sell for $10 to $100 depending on credential value. Logs with verified enterprise SSO access command premium prices of $50 to $150. Initial Access Brokers purchase these logs, verify the credentials work, and resell corporate access for $500 to $50,000. The markup reflects the additional work verifying access and packaging it for ransomware operators.
Q5: Can changing passwords after infection prevent credential theft?
If the infected device is cleaned before password changes, yes. However, if malware remains active, newly typed passwords will also be captured. Organizations should assume credentials are compromised when employees report infections and rotate all accessible credentials immediately. External monitoring that detects when credentials appear in infostealer databases provides the trigger for targeted password resets.
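The triage step that Day 1, Q2 and Q5 describe from the defender's side, as an added example that is not part of Flare's report or tooling: it walks constructed stealer-log records, flags entries tied to an assumed corporate tenant or SSO provider, and escalates any entry that also carries a session cookie, because rotating the password alone does not invalidate an already-authenticated session. The record layout, domain lists and user names are constructed for illustration, not a real stealer family's log format.

```python
"""Triage constructed infostealer-log records against assumed corporate assets."""
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: one log flattened to "URL|USERNAME|HAS_SESSION_COOKIE" records.
# Secrets are never needed for triage, so none are included.
SAMPLE_LOG = """\
https://login.microsoftonline.com/|jdoe@example-corp.com|yes
https://vpn.example-corp.com/|jdoe|no
https://www.netflix.com/login|jdoe@gmail.com|yes
https://example-corp.my.salesforce.com/|jdoe@example-corp.com|no
https://console.aws.amazon.com/|jdoe@example-corp.com|yes
not a valid record
"""

CORP_DOMAINS = {"example-corp.com"}  # assumed corporate domain(s) owned by the defender
SSO_HOSTS = {"login.microsoftonline.com", "console.aws.amazon.com"}  # assumed IdP/cloud logins
RANK = {"critical": 0, "high": 1, "low": 2}


@dataclass
class Finding:
    host: str
    user: str
    severity: str
    actions: tuple  # steps for the identity team, most urgent first


def parse_log(text):
    """Yield (host, user, has_cookie) for each well-formed record; skip the rest."""
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 3:
            continue  # malformed or truncated record: do not let it abort triage
        url, user, cookie = parts
        yield urlparse(url).hostname or "", user, cookie.lower() == "yes"


def is_corporate(host, user):
    """Corporate if the host is an SSO/cloud login, a corp subdomain, or a corp account."""
    return (host in SSO_HOSTS
            or any(host == d or host.endswith("." + d) for d in CORP_DOMAINS)
            or any(user.lower().endswith("@" + d) for d in CORP_DOMAINS))


def triage(text):
    """Return findings sorted so session-backed enterprise exposures come first."""
    findings = []
    for host, user, has_cookie in parse_log(text):
        if not is_corporate(host, user):
            findings.append(Finding(host, user, "low", ("notify employee of personal exposure",)))
        elif has_cookie:  # a live cookie lets an attacker skip the password and MFA (Q2)
            findings.append(Finding(host, user, "critical",
                                    ("revoke all sessions", "rotate password", "confirm device cleaned")))
        else:
            findings.append(Finding(host, user, "high", ("rotate password", "confirm device cleaned")))
    return sorted(findings, key=lambda f: RANK[f.severity])
```

Revocation before rotation matters: if the stolen cookie stays valid, the attacker keeps the authenticated session after the password change (Q5's caveat in the opposite direction).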