Why Password Managers Alone Can’t Stop Infostealers

Posted on August 19, 2025


Password managers have been a cybersecurity best practice for a long time, and for good reason. They provide an encrypted vault to store all your login credentials behind one strong master password, making it easier to use unique, complex passwords for every account. 

This approach significantly reduces risky behaviors like password reuse and simplifies managing dozens of logins. One problem, though, is that password managers only protect passwords at rest. They can’t immunize your credentials against theft once malware compromises your device. 

In particular, modern infostealer malware has evolved to a point where just having a password manager is far from enough to protect your credentials, calling for a more layered and strategic approach to credential security. 

How Password Managers Work and Why We Rely on Them

Password managers come in many forms, from browser-based managers (like Chrome’s or Safari’s built-in vaults) to dedicated apps like LastPass or 1Password. Regardless of type, the core idea is the same: they encrypt your passwords in a vault that only you can unlock (typically with a master password, and often with an extra factor like biometrics or a key file). 

The vault’s contents (usernames, passwords, even credit card numbers or secure notes) remain scrambled and unreadable to anyone without the key. This strong encryption, coupled with the convenience of auto-filling logins, encourages good hygiene. You can have 100+ unique, complex passwords without needing to remember them all.

Organizations often encourage password manager use to prevent the “weak link” of human behavior. A CISO would much rather employees create random 20-character passwords and store them securely, than write down passwords or reuse the same password everywhere. 

Password managers also defeat phishing of individual credentials. If users aren’t reusing passwords, a phished password on one account won’t help an attacker break into another system.

Infostealers: The Silent Credential Thieves

Infostealers are malware designed to quietly harvest authentication data from infected systems. They don’t lock files like ransomware. Instead, they extract passwords, cookies, tokens, and sensitive files within minutes, often without detection.

The rise of Malware-as-a-Service (MaaS) has made these tools cheap and accessible, with some sold for as little as $120/month. Stronger OS defenses against traditional credential dumping have pushed attackers toward easier targets like password manager vaults or browser-stored logins, which can often be accessed with just user-level permissions.

Modern strains, such as Lumma and Rhadamanthys, can steal from browsers, standalone password managers, and even 2FA extensions. Stolen data is packaged into “logs” and sold on the dark web, fueling account takeovers, corporate breaches, and ransomware. 

In 2024, infostealers surpassed ransomware as the most common malware threat, responsible for billions of stolen credentials and nearly a quarter of all cyber incidents. According to Twilight Cyber records, there have been, on average, over 200,000 new infostealer infections per month so far in 2025.

How Infostealers Bypass Password Managers

Given the rise of infostealers, security leaders may ask: “If we use password managers, aren’t we protected?” Unfortunately, the answer is no, at least not by themselves. 

Password managers protect your credentials at rest and help enforce good practices, but once an endpoint is compromised, an infostealer can usually extract those credentials. Here’s how they do it:

Memory Scraping and Process Injection
Most password managers need to decrypt a password (or at least hold it in memory briefly) when you use it, for example when auto-filling a login form. 

Infostealers exploit the fact that on typical operating systems, one user-level process can read another process’s memory. Malware can simply open the password manager or browser process and read its RAM to find plaintext passwords or authentication tokens. 

No software vulnerability is needed; the infostealer abuses legitimate OS functionality. 

Keylogging and Clipboard Hijacking
Infostealers also employ keyloggers to capture keystrokes. If an infostealer is running on your machine, it can record every character you type, including your master password when you unlock your vault, or any passwords you manually enter (perhaps into applications that don’t auto-fill). 

Similarly, if you copy-paste a password, malware can monitor the clipboard and grab that value.

Vault and Browser Data Extraction
Some stealers target the password stores directly. For example, certain malware knows how to locate and exfiltrate browser password databases (e.g. the SQLite file Chrome uses to store saved logins) or password manager vault files stored on disk.

Even if a vault is taken in encrypted form, the attackers can still attempt to crack it offline (though a strong master password makes that extremely difficult). 

More commonly, stealers focus on data that is not well-protected or is accessible with user-level privileges.

Targeted Password Manager Attacks
Some emerging infostealers are explicitly built to target popular password managers or enterprise credential management tools. 

For instance, the Rhadamanthys stealer (a rapidly rising infostealer-as-a-service) is capable of extracting credentials from various applications, including the KeePass password manager. This implies the malware authors reverse-engineered KeePass’s process or memory patterns to pluck out passwords. 

Earlier malware like RedLine or Raccoon also looked for vault files from apps like NordPass or others.

Session Hijacking (Stealing Tokens)
As mentioned, infostealers frequently grab session cookies from browsers. This is a direct bypass of the password manager: if the malware can hijack an authenticated session, the attacker doesn’t need your password at all. 

They simply import the stolen session token into their own browser and appear as an already-logged-in user. This technique was used in some recent breaches and is especially dangerous if the victim hasn’t protected sessions with device verification. 

A stolen session from an SSO portal, for example, could let an attacker into all linked applications without ever cracking the vault. Multi-factor authentication (MFA) won’t stop a session hijack either, because the session was established legitimately, which is why we see infostealers being used as a way to bypass MFA.
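Added example, not code from the original post: the device verification mentioned above, sketched in Python. The session cookie alone never authorizes a request; each request must also carry a proof computed with a key that stays on the device that logged in (an HMAC key stands in here for a non-exportable signing key such as one held in a TPM), so a cookie imported into another browser is rejected and a captured proof cannot be replayed. The class and function names are assumptions for the example.

```python
import hashlib
import hmac
import secrets


def device_proof(device_key, sid, nonce):
    """Client side: prove possession of the device key for this session and nonce.
    In a real deployment this would be a signature by a non-exportable key."""
    return hmac.new(device_key, f"{sid}:{nonce}".encode(), hashlib.sha256).hexdigest()


class SessionStore:
    """Server side: each session is bound to the device key registered at login."""
    def __init__(self):
        self._sessions = {}   # sid -> {"user", "device_key"}
        self._nonces = set()  # unused challenges; each is consumed exactly once
    def login(self, user, device_key):
        """Issue a session cookie after password + MFA succeeded, bound to this device."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "device_key": device_key}
        return sid
    def challenge(self):
        """Fresh nonce the client must include in its next proof (blocks replay)."""
        nonce = secrets.token_hex(16)
        self._nonces.add(nonce)
        return nonce
    def authorize(self, sid, nonce, proof):
        """User if cookie is known, nonce unused and proof made with the bound key; else None."""
        if nonce not in self._nonces:
            return None
        self._nonces.discard(nonce)
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        expected = device_proof(sess["device_key"], sid, nonce)
        if not hmac.compare_digest(expected, proof):
            return None  # cookie presented without the device key: treat as hijack
        return sess["user"]


def demo():
    """Constructed scenario: legitimate use, a stolen cookie, and a replayed proof."""
    store = SessionStore()
    victim_key = secrets.token_bytes(32)   # never leaves the victim's device
    sid = store.login("alice@example.com", victim_key)
    n1 = store.challenge()
    p1 = device_proof(victim_key, sid, n1)
    legit = store.authorize(sid, n1, p1)
    n2 = store.challenge()   # attacker imports the stolen cookie but lacks the key
    hijack = store.authorize(sid, n2, device_proof(secrets.token_bytes(32), sid, n2))
    replay = store.authorize(sid, n1, p1)   # captured proof reused: nonce already spent
    return legit, hijack, replay
```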

Building a Layered Defense Against Credential Theft

None of this is to say password managers are useless; far from it. A good password manager remains a cornerstone of credential security, as it eliminates password reuse and encourages stronger passwords. Every organization should still use them.

However, password managers alone are not enough. To truly protect against infostealer-driven credential theft, organizations should adopt a layered defense strategy.

This starts with enforcing multi-factor authentication (MFA) everywhere. While infostealers can steal session cookies, MFA still stops many direct password-based logins using stolen creds. 

Wherever possible, use phishing-resistant MFA (FIDO2 security keys or platform biometrics), which is much harder for attackers to bypass or steal. Even if an infostealer grabs a password, a strong second factor can hold the line in many cases.

Active monitoring for malicious activity is equally important, and there are two key aspects to it:

  • Monitoring at the endpoint level by investing in advanced endpoint detection and response (EDR) that can catch infostealer behavior. Heuristic and behavior-based tools can detect suspicious actions like process memory access, injection, or unusual file access patterns. The goal is to stop the malware before it exfiltrates data.
  • Monitoring credentials for compromise so you get real-time alerts when usernames and passwords linked to your domain appear in dark web marketplaces, infostealer logs, or other underground sources, giving you time to react promptly.
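As an added example (not from the original post or from Twilight Cyber’s tooling) of the behavior-based endpoint detection described above, applied to the memory scraping technique from the earlier section: a small Python detector over constructed Sysmon Event ID 10 (ProcessAccess) records that flags any process outside an assumed allowlist opening a browser or password manager with memory-read or injection rights. The watched process names, the allowlist, and the text form of the records are assumptions for the example; the access-right constants are the standard Windows values.

```python
import re

# Windows process access rights (winnt.h). VM_READ lets one process read
# another's memory (scraping); the other three enable code injection.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
RIGHT_NAMES = {PROCESS_CREATE_THREAD: "CREATE_THREAD", PROCESS_VM_OPERATION: "VM_OPERATION",
               PROCESS_VM_READ: "VM_READ", PROCESS_VM_WRITE: "VM_WRITE"}

# Processes that hold decrypted credentials in memory (assumed watch list).
CREDENTIAL_TARGETS = {"chrome.exe", "msedge.exe", "firefox.exe", "keepass.exe", "1password.exe"}
# Sources expected to open those processes (assumed allowlist; tune per environment).
ALLOWED_SOURCES = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\lsass.exe"}


def parse_event(line):
    """Parse one 'Key: Value|Key: Value' record (constructed text form of Sysmon fields)."""
    return {k: v.strip() for k, v in re.findall(r"(\w+): ([^|]+)", line)}


def granted_rights(mask):
    """Names of the memory-read/injection rights present in a GrantedAccess mask."""
    return [name for bit, name in RIGHT_NAMES.items() if mask & bit]


def detect(lines):
    """Events where a non-allowlisted process opened a credential-holding process
    with at least one of the rights in RIGHT_NAMES."""
    hits = []
    for ev in map(parse_event, lines):
        target = ev["TargetImage"].rsplit("\\", 1)[-1].lower()
        source = ev["SourceImage"].lower()
        rights = granted_rights(int(ev["GrantedAccess"], 16))
        if target in CREDENTIAL_TARGETS and source not in ALLOWED_SOURCES and rights:
            hits.append({"time": ev["UtcTime"], "source": source, "target": target, "rights": rights})
    return hits


# Constructed sample records: a benign system process, a stealer reading KeePass,
# the same stealer injecting into Chrome, and a non-credential target.
SAMPLE_EVENTS = [
    r"UtcTime: 2025-08-19 10:02:11.123|SourceImage: C:\Windows\System32\csrss.exe|TargetImage: C:\Program Files\Google\Chrome\Application\chrome.exe|GrantedAccess: 0x1400",
    r"UtcTime: 2025-08-19 10:02:13.456|SourceImage: C:\Users\bob\AppData\Local\Temp\update.exe|TargetImage: C:\Program Files\KeePass\KeePass.exe|GrantedAccess: 0x1410",
    r"UtcTime: 2025-08-19 10:02:14.789|SourceImage: C:\Users\bob\AppData\Local\Temp\update.exe|TargetImage: C:\Program Files\Google\Chrome\Application\chrome.exe|GrantedAccess: 0x143A",
    r"UtcTime: 2025-08-19 10:02:15.000|SourceImage: C:\Users\bob\AppData\Local\Temp\update.exe|TargetImage: C:\Windows\System32\notepad.exe|GrantedAccess: 0x1410",
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"{hit['time']} {hit['source']} -> {hit['target']} rights={hit['rights']}")
```

In production the same logic maps onto a Sysmon ProcessAccess rule or an EDR query; the allowlist is what keeps it from paging on legitimate tools that also open these processes.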

Proactive Exposure Detection With Twilight Cyber

Twilight Cyber offers services to ensure that if your credentials or sensitive data surface in the criminal underground, you find out immediately, not months later, when an incident has already occurred.

Twilight Cyber’s credential monitoring continuously scans underground forums, marketplaces, paste sites, and infostealer log dumps for indicators of your organization’s data. 

If an infostealer log containing your employees’ corporate logins is posted for sale, Twilight Cyber’s platform detects it in near real time and immediately issues an alert with actionable intelligence. 

These alerts aren’t basic notifications. They include when the breach occurred, which accounts are affected, and which device or endpoint was involved, giving your security team the full context to act fast and decisively.

Contact Twilight Cyber today to see what real-time credential monitoring can do for your security posture.   

Spanish telecommunications giant Telefonica recently fell victim to a significant cybersecurity breach, showing that even large organizations can be vulnerable. The event highlights how important it is to maintain strong defenses, especially against infostealers, which are designed specifically to steal information.

The Breach: What Happened?

This month (January 2025), Telefonica confirmed unauthorized access to its internal Jira ticketing system. The breach, orchestrated by a group of attackers allegedly linked to the Hellcat ransomware group, resulted in the theft of approximately 2.3 GB of sensitive data. The stolen information included:

  • 24,000 employee emails and names
  • 500,000 Jira issues and summaries
  • 5,000 internal documents
  • 236,493 lines of customer data

The Attack Vector: Infostealer Malware

The breach was facilitated by infostealer malware, a type of malicious software designed to harvest sensitive information such as login credentials from infected devices. Numerous employees were reported to be compromised, providing attackers with critical credentials for initial access:

  • 469 employee credentials on Telefonica’s domain were compromised.
