Infostealers in 2025: A Year in Review

From law enforcement takedowns to death threats made out to threat intelligence researchers, it has been a very hectic year for the cybersecurity industry with no signs of slowing down. Despite all the defensive security advancements and wins achieved in 2025, Threat Actors remain resilient, motivated and appear to be capable more than ever. Whiteintel Threat Intelligence researchers have made this blog post to discuss some of the most notable incidents and developments in the cyberspace.

Honorary Mentions - Notable Victims

A few years back, Infostealers were the “up-and-coming” threat vector in terms of popularity and it has mainly targeted regular users for crypto draining and account hijacking for financial purposes. We are now 2025 and Infostealer have arrived fast and hard, taking down critical infrastructure and costing businesses a fortune at an alarming rate 

Here are the most notable Infostealer incidents of 2025 

Royal Mail – Samsung

Royal Mail Group dealt with the fallout of a major data breach after a threat actor released roughly 144 GB of internal information online. An attacker with the alias “GHNA,” claimed to have had unrestricted access to hundreds of internal folders belonging to Spectos GmbH, a third-party analytics provider working with Royal Mail. Investigators later traced the intrusion back to an old infostealer infection on a Spectos employee’s device from 2021. The stolen credentials and session tokens eventually gave the intruder a foothold into systems containing customer delivery records, internal Zoom videos, SQL databases, mailing lists, and logistics datasets. While Royal Mail stated that operations had not been disrupted, the company initiated internal reviews and credential resets in response.

The incident became even more noteworthy when investigation showed that the same attacker had recently leaked data connected to Samsung, and both breaches appeared to originate from the same compromised Spectos employee endpoint. This incident underscored how a single infected workstation inside a supplier could silently expose multiple major organizations over time.

Jaguar

Jaguar Land Rover faced a particularly messy infostealer-driven breach. Attackers stole developer credentials from compromised endpoints and logged into internal Jira, Confluence, and code-related systems with active sessions.

Proof came in the form of captured screenshots showing internal project pages, debug logs, and documentation outlining development pipelines. The stolen material also included interface captures from internal tooling - enough to confirm attackers had interactive access, not just static files.

Salesforce Incidents

Several major companies were impacted when OAuth tokens and session cookies tied to Salesforce integrations were stolen from infected employee machines. With those tokens in hand, attackers replayed active sessions and accessed CRM dashboards without tripping MFA or login alerts.

Attackers posted screenshots of Salesforce dashboards, customer records, support cases, and in some cases exported CSV files from the CRM environment. Teams were forced to rotate OAuth secrets, revoke active sessions, and tighten access policies around their SaaS integrations.

Publicly named affected organizations included:

• Zscaler
• Palo Alto Networks
• Cloudflare
• Proofpoint
• Cyberark
• Elastic

Threat Actors Are Combining Attack Vectors

One of the biggest shifts this year was how infostealers were paired with other attack vectors. Observing the techniques from the Salesforce incident, Infostealers have become a pivoting point to larger attack vectors. A single infected endpoint often translated into full access to cloud dashboards, internal documentation portals, or even financial systems. Attackers fed stolen cookies and tokens directly into session replay tools, while infostealer infected credentials became the entry point for deeper lateral movement.

This fusion of techniques made infostealers one of the most reliable tools for threat actors in 2025.

The hand of the law: Lumma Stealer Takedown

A major highlight of the year was the coordinated takedown of the Lumma Stealer infrastructure. Law enforcement seized servers, dismantled distribution channels, and disrupted the operator’s entire backend.

The impact was immediate - Lumma activity dipped, operators went quiet, and affiliates scrambled to migrate to forks and alternative platforms. The takedown showed that even entrenched malware services aren’t untouchable when agencies coordinate intelligence and enforcement.

Another strike from Law: Rhadamanthys Stealer Takedown

Following the recent Lumma Stealer takedowns, law enforcement delivered another major blow to the cybercrime ecosystem. In a large cross-border operation carried out between 10–14 November 2025, Europol and its international partners dismantled more than 1,025 servers tied to high-impact malware networks including Rhadamanthys, VenomRAT, and Elysium. The action resulted in 20 domain seizures, multiple arrests, and the disruption of infrastructure responsible for compromising hundreds of thousands of systems worldwide. While cybercriminals will inevitably try to rebuild, this marks one of the most significant coordinated strikes against ransomware- and malware-as-a-service operations to date.

Whiteintel 2025 Infostealer Report

To wrap up the year, Whiteintel compiled a detailed statistics and trend report covering the most impactful infostealer incidents of 2025. 

The clear takeaway: infostealers are no longer just a consumer threat - they’re a fully established enterprise risk.

Get access to Whiteintel’s in-depth analysis of more than 20 million stealer infections, 5.5 million unique compromised devices, and nearly 1 billion exposed credentials collected across 2025 :

Advance Dark web Monitoring and Threat Intelligence Platform

Whiteintel – Dark Web Monitoring & Threat Intelligence Platform