Identity Threat Intelligence Report: How Infostealer Malware Is Reshaping Cyber Risk
The network edge used to be the thing worth defending. Organizations built their security around it. Then came cloud, SaaS, and remote work, and the idea of a defined boundary quietly stopped being true.
What replaced it was identity. Every corporate resource, from email to infrastructure to financial systems, sits behind an authentication layer. Control identity, and you control access. Lose identity, and you lose everything, without a single exploit being written.
Attackers understood this shift before most defenders did.
The Mechanics of Modern Identity Theft
Infostealer malware is the engine behind most identity compromises today. It does not encrypt files or announce itself. It runs silently, collects what the browser and local applications have stored, and leaves: saved passwords, active session cookies, autofill data, crypto wallet keys, and application tokens. A single infection on a single machine produces a structured log, ready to be sold.
These logs move fast. Within hours, they are on Dark Web markets, priced by the value of the access they contain. Initial access brokers buy them, validate the credentials, and resell the footholds to ransomware operators. The whole pipeline runs like a supply chain.
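What a defender does with a log once it surfaces is the first practical question. The script below is an added example (not SOCRadar code, and not tied to any real stealer family): it parses the "URL / USER / PASS" block layout that many stealer password exports use, which is an assumed format here, then pulls out the records that touch a corporate domain and the passwords reused across more than one site. The sample log, the domain `example-corp.com`, and the function names are constructed for this example.

```python
import hashlib
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample in the "URL / USER / PASS" block layout that many stealer
# password exports use. The layout is an assumption for this example; field
# names and separators differ between families, so KEY_MAP covers common variants.
SAMPLE_LOG = """\
URL: https://login.example-corp.com/
USER: jdoe@example-corp.com
PASS: Winter2024!

URL: https://vpn.example-corp.com/remote/login
USER: jdoe
PASS: Winter2024!

URL: https://www.shopping-site.example/account
USER: jdoe@gmail.com
PASS: Winter2024!

URL: https://app.saas-vendor.example/login
USER: jdoe@example-corp.com
PASS: q7!Lm9#Vx2

URL: https://news.example/login
USER: someone-else@gmail.com
PASS: hunter2
"""

# Map the key spellings seen in different exports onto three canonical fields.
KEY_MAP = {
    "url": "url", "host": "url", "hostname": "url",
    "user": "user", "username": "user", "login": "user",
    "pass": "password", "password": "password",
}


def parse_stealer_log(text):
    """Split KEY: VALUE lines into records; a blank line ends a record."""
    records, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        field = KEY_MAP.get(key.strip().lower())
        if sep and field:
            current[field] = value.strip()
    if current:
        records.append(current)
    for rec in records:
        rec["host"] = (urlparse(rec.get("url", "")).hostname or "").lower()
    return [rec for rec in records if rec["host"]]


def password_fingerprint(password):
    """Short SHA-256 label so triage output never carries a plaintext password."""
    return hashlib.sha256(password.encode()).hexdigest()[:12]


def in_scope(host, user, domains):
    """True when the site host or the username's mail domain is corporate."""
    user_domain = user.rsplit("@", 1)[-1].lower() if "@" in user else ""
    return any(host == d or host.endswith("." + d) or user_domain == d
               for d in domains)


def triage(text, corporate_domains):
    """Return the corporate accounts to reset and every password reused across
    more than one host, keyed by fingerprint (reuse is what keeps an old log
    usable against a site it was never captured from)."""
    records = parse_stealer_log(text)
    domains = {d.lower() for d in corporate_domains}
    exposed = [
        {"host": r["host"], "user": r.get("user", ""),
         "pw_fp": password_fingerprint(r.get("password", ""))}
        for r in records if in_scope(r["host"], r.get("user", ""), domains)
    ]
    hosts_by_fp = defaultdict(set)
    for r in records:
        hosts_by_fp[password_fingerprint(r.get("password", ""))].add(r["host"])
    reused = {fp: sorted(h) for fp, h in hosts_by_fp.items() if len(h) > 1}
    return {"exposed": exposed, "reused": reused}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG, ["example-corp.com"])
    for entry in result["exposed"]:
        print("reset:", entry["user"], "on", entry["host"], "pw", entry["pw_fp"])
    for fp, hosts in result["reused"].items():
        print("reused password", fp, "across", ", ".join(hosts))
```

On the sample, three records need a reset (the corporate login, the VPN, and a SaaS account used with a corporate mailbox), and one password fingerprint appears on three different hosts, including a personal shopping site, which is the reuse that lets a consumer-site breach open a corporate door. Fingerprints rather than plaintext go into tickets and SIEM events; the plaintext stays in the evidence store.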
SOCRadar’s Identity Threat Landscape Report 2026 maps this ecosystem in full. Key findings:
- Stealer log datasets analyzed contain over 4.6 billion records, with 809 million unique users
- Q3 2025 alone produced 1.19 billion records, the highest single quarter on record
- Windows 10 accounts for the majority of infected systems, showing that infections concentrate on widely deployed, mainstream endpoints rather than on forgotten legacy machines
- India, Brazil, and the United States lead in infection volume; credentials from developed markets are priced higher on resale, so those markets remain disproportionately targeted
The five dominant infostealer families behind much of this activity (LummaC2, RedLine, Raccoon, Vidar, and Stealc) are all operated as Malware-as-a-Service. Buyers receive the binary, a dashboard, and log management tools. No technical depth is required.
Why This Is Structurally Hard to Defend Against
When an attacker uses valid credentials, their actions look identical to a legitimate user. They do not trigger exploit detection. They do not produce anomalous network signatures. They use the same tools, the same portals, the same workflows.
This is the core problem. Traditional security was built to detect intrusion. Identity-based attacks bypass the intrusion entirely.
Credential reuse compounds this. Any password that has appeared in a breach should be treated as permanently compromised. The data does not disappear. It circulates, gets aggregated, and gets resold. The 2024 credential in a stealer log is still usable in 2026 if the password has not changed.
Session cookies make it worse. An attacker holding a valid session cookie does not need the password at all and does not need to pass MFA; they simply resume an already authenticated session, and it stays usable until it expires or the server revokes it. Infostealer logs routinely include these cookies, and they are often still active when the log is sold.
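Because a replayed cookie carries a legitimate user's identity, the only thing left to detect is the binding between the session and where it was established. The detection below is an added example, not part of the report or of any product: it reads a constructed JSON-lines authentication log (field names are assumed), records the network and browser that completed MFA for each session, and flags later requests on that session from a different origin, plus requests on sessions that never completed MFA inside the log window.

```python
import json
from ipaddress import ip_address, ip_network

# Constructed authentication log (JSON lines). Field names are assumed for this
# example; map your IdP or gateway's own fields onto them.
SAMPLE_AUTH_LOG = """\
{"ts": "2026-01-10T08:00:00Z", "user": "jdoe", "session": "s1", "event": "mfa_success", "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/131"}
{"ts": "2026-01-10T08:05:00Z", "user": "jdoe", "session": "s1", "event": "request", "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/131"}
{"ts": "2026-01-10T11:42:00Z", "user": "jdoe", "session": "s1", "event": "request", "ip": "198.51.100.77", "ua": "Mozilla/5.0 (X11; Linux x86_64) Chrome/131"}
{"ts": "2026-01-10T09:00:00Z", "user": "asmith", "session": "s2", "event": "mfa_success", "ip": "203.0.113.44", "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_2) Safari/605.1"}
{"ts": "2026-01-10T09:30:00Z", "user": "asmith", "session": "s2", "event": "request", "ip": "203.0.113.45", "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_2) Safari/605.1"}
{"ts": "2026-01-10T13:15:00Z", "user": "bwong", "session": "s3", "event": "request", "ip": "192.0.2.9", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/131"}
"""


def network_of(ip):
    """Collapse an address to its /24 (IPv4) or /64 (IPv6) so a lease change
    inside the same office network is not treated as a new origin."""
    addr = ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    return str(ip_network(f"{addr}/{prefix}", strict=False))


def find_session_replay(log_text):
    """Bind each session to the network and browser that completed MFA, then
    flag later requests on that session from a different origin, and requests
    on sessions that never completed MFA in the log window."""
    bound = {}
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = json.loads(raw)
        sid = ev["session"]
        if ev["event"] == "mfa_success":
            bound[sid] = {"net": network_of(ev["ip"]), "ua": ev["ua"]}
            continue
        origin = bound.get(sid)
        if origin is None:
            # A cookie lifted from an endpoint before the window opened looks like this.
            alerts.append({"session": sid, "user": ev["user"], "ts": ev["ts"],
                           "ip": ev["ip"], "reasons": ["unbound_session"]})
            continue
        reasons = []
        if network_of(ev["ip"]) != origin["net"]:
            reasons.append("network_changed")
        if ev["ua"] != origin["ua"]:
            reasons.append("user_agent_changed")
        if reasons:
            alerts.append({"session": sid, "user": ev["user"], "ts": ev["ts"],
                           "ip": ev["ip"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in find_session_replay(SAMPLE_AUTH_LOG):
        print(a["ts"], a["user"], a["session"], a["ip"], ", ".join(a["reasons"]))
```

Session s1 is flagged on both signals; s2 is not, because a neighbouring address in the same /24 with the same browser is normal. Treat the network change as the stronger of the two signals: the stolen log usually contains the victim's own user agent, so a careful attacker can copy it, while moving onto the victim's network is much harder. The fix for a flagged session is revocation at the identity provider, not a password reset alone.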
Introducing SOCRadar Identity & Access Intelligence
Security teams have had access to stealer log data for years. The gap was always context: what exactly was compromised, what systems it unlocks, what happened on that machine, and what should happen next.

SOCRadar Cyber Threat Intelligence – Identity & Access Intelligence
SOCRadar’s reimagined Identity & Access Intelligence module closes that gap. Now generally available, it turns raw breach and infostealer data into a complete picture of an identity compromise.
- Attack Flow Visualization reconstructs the infection from the first entry through endpoint compromise, mapped to MITRE ATT&CK. Analysts can see which malware family was involved, which controls were bypassed, and how legitimate Windows processes were abused, all without accessing the live machine.

Identity Intelligence Details, Attack Flow Visualization
- File Insight gives a forensic view of the compromised endpoint: directory navigation, credential storage paths, active processes, and installed applications. The level of endpoint visibility this provides for infostealer investigations has no equivalent in the market.
- Company Insight shifts the view from individual accounts to the whole organization. Which identity providers, SaaS platforms, and financial tools had credentials exposed? Where are the legacy OS versions and AV gaps across affected devices? What is the blast radius if a specific credential set is used for lateral movement?
- Cookie and URL Insights surface browser session cookies with entropy scoring and flag indicators, and cluster visited URLs by type, so stolen credentials can be mapped to the most valuable corporate targets quickly.
- SOCRadar Copilot delivers plain-language summaries of exposure, prioritized by risk, with step-by-step remediation guidance built in.
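Entropy scoring of cookie values, mentioned under Cookie and URL Insights above, is a simple technique worth seeing in code. The script below is an added example, not the module's own implementation: it parses a constructed cookie dump in the tab-separated Netscape format that most stealer cookie exports use (including the `#HttpOnly_` domain prefix convention), computes Shannon entropy per value, checks expiry against a supplied timestamp, and ranks the live, high-entropy cookies on corporate domains first. The sample cookies, the thresholds, and the domain `example-corp.com` are assumptions for this example.

```python
import math
from collections import Counter

# Constructed Netscape-format cookie dump: domain, subdomain flag, path, secure,
# expiry (unix seconds, 0 = browser-session cookie), name, value. Sample only.
SAMPLE_COOKIES = "\n".join([
    "# Netscape HTTP Cookie File (constructed sample)",
    "\t".join([".example-corp.com", "TRUE", "/", "TRUE", "1800000000",
               "session_id", "k3J9xQ2mLpV8aZ4nR7cW1sH5yT0bE6gU"]),
    "\t".join(["#HttpOnly_idp.example-corp.com", "FALSE", "/", "TRUE", "1790000000",
               "sso_token", "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJqZG9lIn0.Qm9ndXNTaWc"]),
    "\t".join([".example-corp.com", "TRUE", "/", "FALSE", "1800000000",
               "lang", "en-US"]),
    "\t".join([".news.example", "TRUE", "/", "FALSE", "1600000000",
               "sid", "aB3dE5fG7hI9jK1lM"]),
    "\t".join([".shop.example", "TRUE", "/", "TRUE", "0",
               "sessid", "3ba9a3c0f2e14d7e8c1b5a6f9d2e4c7a"]),
])


def shannon_entropy(s):
    """Bits per character; random tokens score high, preferences like 'en-US' low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse_netscape_cookies(text):
    """Parse the seven-column Netscape layout; '#HttpOnly_' marks an HttpOnly cookie."""
    cookies = []
    for line in text.splitlines():
        httponly = line.startswith("#HttpOnly_")
        if httponly:
            line = line[len("#HttpOnly_"):]
        elif not line.strip() or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != 7:
            continue
        domain, _incl_subdomains, path, secure, expires, name, value = parts
        cookies.append({"domain": domain.lstrip(".").lower(), "path": path,
                        "secure": secure == "TRUE", "httponly": httponly,
                        "expires": int(expires), "name": name, "value": value})
    return cookies


def triage_cookies(text, now, corporate_domains=(), min_len=16, min_bits=3.5):
    """Score every cookie and rank live, high-entropy corporate cookies first.
    'now' is passed in so the result is reproducible for a given evidence set."""
    domains = {d.lower().lstrip(".") for d in corporate_domains}
    scored = []
    for c in parse_netscape_cookies(text):
        bits = shannon_entropy(c["value"])
        live = c["expires"] == 0 or c["expires"] > now
        c.update(
            entropy=round(bits, 3),
            live=live,
            corporate=any(c["domain"] == d or c["domain"].endswith("." + d)
                          for d in domains),
            likely_session=live and len(c["value"]) >= min_len and bits >= min_bits,
        )
        scored.append(c)
    return sorted(scored, key=lambda c: (not c["likely_session"],
                                         not c["corporate"], -c["entropy"]))


if __name__ == "__main__":
    for c in triage_cookies(SAMPLE_COOKIES, now=1767225600,
                            corporate_domains=["example-corp.com"]):
        print(f'{c["domain"]:<24} {c["name"]:<12} H={c["entropy"]:<6} '
              f'live={c["live"]!s:<5} corp={c["corporate"]!s:<5} '
              f'session={c["likely_session"]}')
```

With `now` set to the start of 2026, the two corporate cookies come out on top, the expired news-site cookie is dropped from the session list despite its entropy, and the short `lang` preference never qualifies. An expiry of 0 means a browser-session cookie, which is still live as far as the server knows, so the script keeps it. Anything ranked as a live corporate session cookie is a revocation target, not a reset target.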
See Further
Identity Threat Landscape Report 2026 covers the complete picture: infostealer family profiles, Dark Web market intelligence, stealer log trend data, the full case study analysis, and a defensive controls framework. If your organization handles credentials, runs cloud infrastructure, or uses SaaS tools, this report is for you.
[Download the Identity Threat Landscape Report 2026]
Identity & Access Intelligence is available now. See what the module surfaces across your organization’s exposure.