Stealers

Driven in part by malware-as-a-service stealers like LummaC2 and Rhadamanthys, stealer activity surged in 2025, targeting both Windows and Mac systems and using paste-and-run lures.

Analysis

Stealers are, as the name suggests, a type of malware designed to steal data from victim systems. They are popular with adversaries because they offer a number of highly useful capabilities in a single payload. Also known as information stealers or infostealers, this type of malware is not new; stealers have been in use for many years.

The most frequently cited example of the first popular modern infostealer is Zeus (aka ZeuS, Zbot Trojan), first reported in 2007. Initially designed to access banking information and user credentials, Zeus and its variants evolved, introducing capabilities that today’s stealers still include. Subsequent popular stealer families include Vidar, Raccoon, StealC, Redline, and many others.

Adversaries will jump on any opportunity to log in rather than hack in. 

Modern stealers can extract information from web browsers, applications, cryptocurrency wallets, and more. Credentials are the primary commodity that stealers capture, and adversaries can sell them in online marketplaces, share them with other adversaries, or use them in the service of a more complex scheme like ransomware or extortion. They frequently have built-in capabilities to not only query and access sensitive information, but also package and send the data to adversary-controlled resources like command-and-control (C2) infrastructure, sites like Pastebin, and so forth.

Some stealers, particularly those with modular and customizable features, can also create persistence, use evasion tactics, and even leverage victim systems as a botnet to facilitate ongoing operations. The customizable features can drastically affect the detectable footprint for malware as well, with differing configurations leading to different behaviors and inconsistent detections in both endpoint and network realms.

Stealers in 2025

In 2025, Red Canary saw stealer use continue to increase across both macOS and Windows systems.

Two Windows stealers made our top 10 list for the year: LummaC2 in 5th and Rhadamanthys in 10th. Both LummaC2 and Rhadamanthys are offered as malware-as-a-service (MaaS), making them purchasable and easily accessible by adversaries with a low level of skill or sophistication. Stealers have been a popular MaaS offering for many years, which enables their widespread use.

It is worth noting that LummaC2 and Rhadamanthys infrastructure was targeted in multiple phases of Operation Endgame this year, which at the end of 2025 appeared to have been successful in greatly reducing operations for these stealers.

Over the course of 2025, five additional stealers made it onto our monthly top 10 list in our Intelligence Insights:

Atomic Stealer, Poseidon, Odyssey, and MacSync are all designed to target macOS. You can read more about these stealers in the Mac malware trends section, as well as on the Red Canary blog.

Stealer delivery and distribution

Adversaries hoping to deliver stealers to unsuspecting victims can use a variety of methods for distribution, including:

  • phishing campaigns
  • compromised websites
  • cracked software
  • malvertising

One extremely popular vehicle for stealers in 2025 was paste and run, aka ClickFix/FakeCAPTCHA. The vast majority of attempted LummaC2 delivery that we saw leveraged malicious copy and paste techniques, as did campaigns delivering macOS-targeted stealers. Paste-and-run lures commonly deliver a loader or crypter that then goes on to drop a stealer. Several other threats we saw in high volume this year were involved in this stealer delivery ecosystem, including:

Take action

Because stealers are opportunistic and widely distributed in many ways, general preventative measures that apply to multiple malware families also help fight against stealers:

  • Provide safe software installation sources for users.
  • Configure ad blocking tools where possible.
  • Deploy endpoint security controls for detection and protection.

Nearly every organization is likely to encounter a stealer at some point, so it’s important to build a response plan before you need it. An excellent playbook would include determining what account details are stored in the software on an affected system, including:

  • browsers
  • file transfer software like FileZilla and WinSCP
  • Telegram messaging
  • Steam gaming
  • cryptocurrency wallets
  • VPN profiles
  • cloud credentials in CLI tool configuration
  • sensitive files stored in the user’s Desktop and Documents folders

Once you determine the scope of data theft, take steps to reset any credentials stored on the system. This may also involve manually revoking sessions to prevent cookie reuse. Finally, if financial details such as payment cards or cryptocurrency wallets are stored on the affected system, users may need to monitor the relevant accounts for unauthorized transactions.
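The scoping step of the playbook above can be scripted so a responder gets a consistent inventory of which credential stores existed on the affected host, and therefore which resets and session revocations the reset step has to cover. The following is an added example, not Red Canary's code; the store locations are the vendors' usual defaults as assumed here (relative to the user's profile directory), and it only tests for the presence of each store rather than reading anything from it.

```python
import os
import platform

# Added example (not Red Canary's code). Credential stores from the playbook,
# keyed by OS. Paths are the vendors' usual defaults as assumed here, relative
# to the user's profile directory (%USERPROFILE% on Windows, $HOME on macOS).
# Each entry is (store, relative path, what to reset or revoke if present).
# Steam and registry-backed WinSCP sessions live outside the profile directory
# and other cloud CLIs (Azure, gcloud) follow the same pattern; add as needed.
STORES = {
    "windows": [
        ("Chrome logins", r"AppData\Local\Google\Chrome\User Data\Default\Login Data", "web passwords and sessions"),
        ("Firefox profiles", r"AppData\Roaming\Mozilla\Firefox\profiles.ini", "web passwords and sessions"),
        ("FileZilla sites", r"AppData\Roaming\FileZilla\sitemanager.xml", "FTP/SFTP passwords"),
        ("WinSCP ini", r"AppData\Roaming\winscp.ini", "FTP/SFTP passwords"),
        ("Telegram Desktop", r"AppData\Roaming\Telegram Desktop\tdata", "Telegram sessions"),
        ("OpenVPN profiles", r"OpenVPN\config", "VPN certificates and passwords"),
        ("AWS CLI credentials", r".aws\credentials", "cloud access keys"),
        ("Desktop folder", "Desktop", "review files for secrets"),
        ("Documents folder", "Documents", "review files for secrets"),
    ],
    "darwin": [
        ("Chrome logins", "Library/Application Support/Google/Chrome/Default/Login Data", "web passwords and sessions"),
        ("Firefox profiles", "Library/Application Support/Firefox/profiles.ini", "web passwords and sessions"),
        ("login keychain", "Library/Keychains/login.keychain-db", "every keychain password"),
        ("FileZilla sites", ".config/filezilla/sitemanager.xml", "FTP/SFTP passwords"),
        ("Telegram Desktop", "Library/Application Support/Telegram Desktop/tdata", "Telegram sessions"),
        ("AWS CLI credentials", ".aws/credentials", "cloud access keys"),
        ("Desktop folder", "Desktop", "review files for secrets"),
        ("Documents folder", "Documents", "review files for secrets"),
    ],
}


def scope_exposure(home, os_name=None, exists=os.path.exists):
    """Return [(store, full_path, action)] for each store present under home.

    `exists` is injectable so the same check can run against a file listing
    from a forensic image (or a test fixture) instead of the live filesystem."""
    if os_name is None:
        os_name = "windows" if platform.system() == "Windows" else "darwin"
    sep = "\\" if os_name == "windows" else "/"
    base = home.rstrip("\\/")
    return [(store, base + sep + rel, action)
            for store, rel, action in STORES[os_name]
            if exists(base + sep + rel)]


def reset_plan(found):
    """Deduplicated, ordered list of reset/revoke actions from scope_exposure()."""
    return sorted({action for _, _, action in found})
```

Run `scope_exposure(os.path.expanduser("~"))` on the affected host (or pass a path-lookup function built from an image listing) and feed the result to `reset_plan()` to get the list of resets the response must cover.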

Detection opportunities

There’s no one-size-fits-all detection opportunity to help security teams catch stealers generally. However, the following Threat Detection Report sections include detection ideas that security teams can use to detect specific information stealing malware:

Testing

Start testing your defenses against stealers using Atomic Red Team—an open source testing framework of small, highly portable detection tests mapped to MITRE ATT&CK.

Getting started

As a category of threats, information stealers leverage far too wide a range of behaviors for us to offer meaningful testing guidance. However, security teams may be able to refine detection coverage for these and other stealers by running atomics for T1055: Process Injection and T1555.003: Credentials from Web Browsers.

Review and repeat

Now that you have executed one or several common tests and checked for the expected results, it’s useful to answer some immediate questions:

  • Were any of your actions detected?
  • Were any of your actions blocked or prevented?
  • Were your actions visible in logs or other defensive telemetry?

Repeat this process, performing additional tests related to this technique. You can also create and contribute tests of your own.
